
mazilo
From Mazilo
Premium
join:2002-05-30
Lilburn, GA
kudos:1

reply to craig0

Re: Asterisk Hacking Attempts...Best way to lock down?

said by craig0:

iptables -t nat -A PREROUTING -p udp --dport 5060 -s 10.0.0.0/8 -j DNAT --to-destination 192.168.1.100:5060
iptables -A FORWARD -i eth1 -o eth0 -p udp --dport 5060 -s 10.0.0.0/8 -d 192.168.1.100 -j ACCEPT
 

Thanks for this. I opened up a couple of ranges for my external clients as well as the few people who call me direct over the Internet.
If you do the above, you are exposing your Asterisk PBX System to any crackers out there with port 5060. To avoid this, you can use a port other than 5060 (on the WAN side) and map it to an internal IP:Port on your Asterisk PBX System. This way, crackers who only scan port 5060 will get nothing from your NAT/Firewall router.

I believe you can even configure your Asterisk PBX System sans any port forwarding on your main NAT/Firewall router and it will still be able to let your clients from outside use your Asterisk PBX System with no problems. You may want to read the Asterisk: The Future of Telephony, 2nd Edition e-book to find out how.

--
don't and stop are the ONLY two 4-letter words considered offensive to men, but not when used together.

voip_wire

join:2010-07-02
kudos:1

said by mazilo:

said by craig0:

iptables -t nat -A PREROUTING -p udp --dport 5060 -s 10.0.0.0/8 -j DNAT --to-destination 192.168.1.100:5060
iptables -A FORWARD -i eth1 -o eth0 -p udp --dport 5060 -s 10.0.0.0/8 -d 192.168.1.100 -j ACCEPT
 

Thanks for this. I opened up a couple of ranges for my external clients as well as the few people who call me direct over the Internet.
If you do the above, you are exposing your Asterisk PBX System to any crackers out there with port 5060.
I assume that OP listed 10.0.0.0/8 as a placeholder. Depending on the overall firewall config, hackers will not see 5060 to be open. Only requests coming from the specific IP address range(s) will see the 5060 port as open. IP-spoofing-based hacking could work if the attacker gains knowledge of your netfilter settings, and in that case, the system admin has a bigger problem at hand.

said by mazilo:

I believe you can even configure your Asterisk PBX System sans any port forwarding on your main NAT/Firewall router and it will still be able to let your clients from outside use your Asterisk PBX System with no problems.
As far as I understand SPI firewalls, this is very unlikely. I can't claim to have read the EBook in its entirety, but even that reference shows how to open ports for SIP/IAX signaling.

Mazi, if you figure this one out, I would highly appreciate if you would share it with us.

Cheers,
-m

mazilo
From Mazilo
Premium
join:2002-05-30
Lilburn, GA
kudos:1

said by voip_wire:

Mazi, if you figure this one out, I would highly appreciate if you would share it with us.
My Asterisk PBX System is not configured to serve clients from outside the private LAN in which it resides. As I mentioned before, I configured my Asterisk PBX System with the stunaddr option (no externhost nor externip, of course with nat=yes). I used a small externrefresh of 180s. Since then, my Asterisk PBX System has had no problems processing I/O calls. Perhaps the e-book (based on asterisk-1.4.x) will have a small section on how to configure an asterisk to deal with clients residing outside the private LAN without any port forwarding.
--
don't and stop are the ONLY two 4-letter words considered offensive to men, but not when used together.

obeliks

join:2010-08-22
Lake Forest, CA

1 edit

Stun does not work with asterisk:

»www.voip-info.org/wiki/view/Aste···stunaddr


craig0

join:2010-05-18

reply to mazilo

If you do the above, you are exposing your Asterisk PBX System to any crackers out there with port 5060. To avoid this, you can use a port other than 5060 (on the WAN side) and map it to an internal IP:Port on your Asterisk PBX System. This way, crackers who only scan port 5060 will get nothing from your NAT/Firewall router.

Question: if you change the port on the WAN side, say to 50610, and map it to internal port 5060, then when the asterisk server responds it will respond with a source port of 5060. Will the router then translate that source back to 50610 when the packet is forwarded out the WAN side? Guess I could check the connection tracking table in the router and see for myself, but it is quicker to ask.

Craig
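
The following is an added example, not code from this thread and not netfilter code: a small Python model of the source-restricted DNAT rule craig0 posted, using the non-standard WAN port discussed here (50610 outside, 5060 inside). It shows two things a defender cares about: a packet from outside the permitted source range never reaches the PBX (a scanner sees nothing on either port), and the PBX's reply, which leaves the PBX with source port 5060, is rewritten by the connection-tracking entry so it exits the WAN side with source port 50610, which is what netfilter's conntrack does for the reply direction of a DNATed flow. All addresses and ports are constructed documentation values.

```python
"""Model of a source-restricted iptables DNAT rule plus a conntrack table.
Added example; simplified, not netfilter's logic. Addresses are constructed."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class DnatRule:
    # iptables -t nat -A PREROUTING -p udp --dport DPORT -s SRC_NET \
    #   -j DNAT --to-destination TO_IP:TO_PORT
    src_net: str
    dport: int
    to_ip: str
    to_port: int


class NatRouter:
    """WAN-facing router with a PREROUTING DNAT table and a conntrack table.
    Only DNATed flows are forwarded; anything else sent to the WAN address is dropped."""

    def __init__(self, wan_ip, rules):
        self.wan_ip = wan_ip
        self.rules = list(rules)
        # reply tuple (src, sport, dst, dport) -> (original WAN dst, original WAN dport)
        self.conntrack = {}

    def inbound(self, pkt):
        """Packet arriving on the WAN interface; returns the packet as delivered
        to the LAN, or None when it is dropped."""
        if pkt.dst != self.wan_ip:
            return None
        for rule in self.rules:
            if pkt.dport == rule.dport and ip_address(pkt.src) in ip_network(rule.src_net):
                delivered = replace(pkt, dst=rule.to_ip, dport=rule.to_port)
                # conntrack records the flow in both directions when the first
                # packet is translated, so the reply can be un-NATed later
                self.conntrack[(delivered.dst, delivered.dport, pkt.src, pkt.sport)] = (pkt.dst, pkt.dport)
                return delivered
        return None  # no DNAT match and no FORWARD rule: silently dropped

    def outbound(self, pkt):
        """Packet from the LAN heading out. A tracked reply gets its source
        restored to the WAN address and the original WAN port; anything else
        gets ordinary masquerading to the WAN address."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.conntrack:
            orig_dst, orig_dport = self.conntrack[key]
            return replace(pkt, src=orig_dst, sport=orig_dport)
        return replace(pkt, src=self.wan_ip)


def demo():
    wan, pbx = "203.0.113.10", "192.168.1.100"  # constructed
    router = NatRouter(wan, [DnatRule("10.0.0.0/8", 50610, pbx, 5060)])

    # permitted client sends to the non-standard WAN port
    delivered = router.inbound(Packet("10.1.2.3", 5060, wan, 50610))
    # PBX answers from its real port 5060; the reply leaves with sport 50610
    reply = router.outbound(Packet(pbx, 5060, "10.1.2.3", 5060))
    # scanner outside the permitted range probes both ports: neither reaches the PBX
    scan_std = router.inbound(Packet("198.51.100.7", 40000, wan, 5060))
    scan_alt = router.inbound(Packet("198.51.100.7", 40001, wan, 50610))
    return delivered, reply, scan_std, scan_alt


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Note that the source restriction does the real work here: the alternate port only hides the service from scanners that never try 50610, whereas a packet from outside 10.0.0.0/8 is dropped whichever port it targets.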


joako
Premium
join:2000-09-07
/dev/null
kudos:5
Reviews:
·Comcast

reply to mazilo

said by mazilo:

said by voip_wire:

Mazi, if you figure this one out, I would highly appreciate if you would share it with us.
My Asterisk PBX System is not configured to serve clients from outside the private LAN in which it resides. As I mentioned before, I configured my Asterisk PBX System with the stunaddr option (no externhost nor externip, of course with nat=yes). I used a small externrefresh of 180s. Since then, my Asterisk PBX System has had no problems processing I/O calls. Perhaps the e-book (based on asterisk-1.4.x) will have a small section on how to configure an asterisk to deal with clients residing outside the private LAN without any port forwarding.
Does not matter... stun support or externaddr= is all for NAT working properly with the media. You will still get SIP messages across, they can still send SIP messages and try to find a valid user/password.

More options for ip-based security: »www.voip-info.org/wiki/view/Aste···eny-mask

You can set your SIP peers in the local lan
deny=0.0.0.0/0.0.0.0
permit=192.168.1.0/255.255.255.0

And then if you want people on the internet to call you, put allowguest=yes and set up your guest access so it *ONLY* allows calling to local peers and not through your PSTN connections; that should be pretty safe assuming there's no further vulnerability found in Asterisk. There's no security problem allowing guest if you think about it.
--
PRescott7-2097
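
An added example (a model, not Asterisk's own code and not from this thread) of how the deny=/permit= lines joako describes are evaluated: Asterisk reads them in order, the last line that matches the source address decides, and an address matched by no line is allowed. That default is why a permit= line on its own restricts nothing, and why the pattern is a deny=0.0.0.0/0.0.0.0 line followed by permit= lines for the LAN. The peer definition and the addresses are constructed.

```python
"""Evaluator for sip.conf deny=/permit= lines: ordered, last match wins,
no match means permit. Added example; a model of the behaviour only."""
from ipaddress import ip_address, ip_network


def parse_acl(lines):
    """Turn sip.conf-style lines into an ordered list of (sense, network).
    Masks may be a dotted netmask (255.255.255.0) or a prefix length (/24).
    A malformed mask raises ValueError rather than being silently ignored."""
    acl = []
    for raw in lines:
        line = raw.split(";", 1)[0].strip()      # drop sip.conf ; comments
        if not line or "=" not in line:
            continue                             # section headers, blank lines
        key, value = (part.strip() for part in line.split("=", 1))
        if key.lower() not in ("deny", "permit"):
            continue                             # other peer options are not ACL lines
        acl.append((key.lower(), ip_network(value, strict=False)))
    return acl


def apply_acl(acl, address):
    """Return 'permit' or 'deny' for one source address."""
    sense = "permit"                             # Asterisk starts optimistic
    addr = ip_address(address)
    for rule_sense, network in acl:
        if addr in network:
            sense = rule_sense                   # later matching lines override earlier ones
    return sense


# Constructed LAN-only peer in the shape described in the thread
LAN_ONLY_PEER = [
    "[1000]",
    "type=friend",
    "secret=CHANGE_ME                ; placeholder, not a real secret",
    "deny=0.0.0.0/0.0.0.0            ; block everyone ...",
    "permit=192.168.1.0/255.255.255.0 ; ... then re-open the LAN",
]


def check(lines, addresses):
    """Evaluate several source addresses against one peer definition."""
    acl = parse_acl(lines)
    return {a: apply_acl(acl, a) for a in addresses}


if __name__ == "__main__":
    for addr, verdict in check(LAN_ONLY_PEER, ["192.168.1.50", "198.51.100.7"]).items():
        print(f"{addr}: {verdict}")
```

The second assertion in the usage below is the one worth remembering: a peer with only permit=192.168.1.0/24 still accepts a REGISTER from anywhere, because nothing ever set the sense to deny.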

mazilo
From Mazilo
Premium
join:2002-05-30
Lilburn, GA
kudos:1

said by joako:

Does not matter... stun support or externaddr= is all for NAT working properly with the media. You will still get SIP messages across, they can still send SIP messages and try to find a valid user/password.
I thought ONLY incoming SIP messages from the registered SIP servers will get through the NAT/Firewall router (without port forwarding).
--
don't and stop are the ONLY two 4-letter words considered offensive to men, but not when used together.


joako
Premium
join:2000-09-07
/dev/null
kudos:5
Reviews:
·Comcast

1 edit

Yes, but what does registering to a VoIP server vs. port forwarding port 5060 have to do with using STUN vs. externaddr=? They are different things. In terms of the latter, it doesn't matter what you do; the point is to make asterisk aware it is behind NAT and of its external IP. Whether you use STUN or tell Asterisk manually is irrelevant and has nothing to do with security, other than that using a STUN server possibly involves a 3rd party, but in terms of how secure your Asterisk system is, it is irrelevant; it just means you might voluntarily disclose to some 3rd party that your IP address is using some sort of VoIP if you use STUN.

--
PRescott7-2097


voip_wire

join:2010-07-02
kudos:1

1 edit

reply to mazilo

said by mazilo:

I thought ONLY incoming SIP messages from the registered SIP servers will get through the NAT/Firewall router (without port forwarding).
Yes, but that is not related to externip/stun. If you register with a server, your asterisk box initiates a connection. A properly configured firewall would allow related incoming packets, in this case the SIP messages from the VOIP server to your asterisk box.

The complication with SIP is that the IP address/port are part of the SIP message itself. The firewall, without a SIP ALG, would not re-write the content of the SIP message, leading to a mismatch between the addresses coded into the SIP message and the addresses coded into the UDP (or TCP) packet. The externip just tells asterisk to use the specified IP address as the "from:" address, resolving the mismatch. I am not sure of the logic behind the STUN server.
----------------------------------
Joako,
If Mazi only has clients inside his LAN, he should not need to open any holes in the firewall. The asterisk box will never see random SIP attacks, for the SIP traffic would not be passed through by a properly configured firewall.
-----------------------------------
A general comment.

To reiterate, you need to port forward/DMZ/open holes in the firewall if and only if you have clients outside your LAN.

Of course, I could be very very wrong, so don't blame me if things don't work out for you!

cheers,
-m
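
An added example, not from this thread and not Asterisk code, of the address mismatch voip_wire describes: a SIP message carries the sender's own idea of its address in the Via and Contact headers, while the UDP datagram carries the source the far end really sees. A PBX on 192.168.1.100 behind NAT with nat=yes but no externip advertises the private address; setting externip (or letting stunaddr discover it) to the public address removes the mismatch. The REGISTER builder, the header parser and the far-end check are constructed for illustration, as are all addresses and header values, and the demo assumes the NAT router keeps source port 5060.

```python
"""Model of the SIP header/datagram address mismatch behind NAT and of what
externip changes. Added example; not Asterisk's code. Values are constructed."""
import re
from ipaddress import ip_address, ip_network

RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]


def build_register(local_ip, externip=None, user="1000", registrar="sip.provider.example"):
    """Minimal REGISTER as a NATed client would send it. The advertised
    address is externip when set, otherwise the local (private) address."""
    advertised = externip or local_ip
    return (
        f"REGISTER sip:{registrar} SIP/2.0\r\n"
        f"Via: SIP/2.0/UDP {advertised}:5060;branch=z9hG4bK-constructed;rport\r\n"
        f"From: <sip:{user}@{registrar}>;tag=constructed\r\n"
        f"To: <sip:{user}@{registrar}>\r\n"
        f"Contact: <sip:{user}@{advertised}:5060>\r\n"
        f"Call-ID: constructed@{local_ip}\r\n"
        "CSeq: 1 REGISTER\r\n"
        "Content-Length: 0\r\n\r\n"
    )


VIA_RE = re.compile(r"^Via:\s*SIP/2\.0/UDP\s+([0-9.]+):(\d+)", re.M)
CONTACT_RE = re.compile(r"^Contact:\s*<sip:[^@>]+@([0-9.]+):(\d+)>", re.M)


def advertised_addresses(msg):
    """Parse the (ip, port) the message advertises in its Via and Contact headers."""
    via, contact = VIA_RE.search(msg), CONTACT_RE.search(msg)
    if not via or not contact:
        raise ValueError("missing Via or Contact header")
    return {"via": (via.group(1), int(via.group(2))),
            "contact": (contact.group(1), int(contact.group(2)))}


def far_end_check(msg, observed_ip, observed_port):
    """What a registrar (or a SIP ALG) can tell: compare the advertised Via
    address with the datagram's real source. Reports the advertised address,
    whether it differs from what was observed, and whether it is an RFC 1918
    address that nobody on the Internet can route a response back to."""
    via_ip, via_port = advertised_addresses(msg)["via"]
    addr = ip_address(via_ip)
    return {
        "advertised": (via_ip, via_port),
        "mismatch": (via_ip, via_port) != (observed_ip, observed_port),
        "unroutable": any(addr in net for net in RFC1918),
    }


def demo():
    lan_ip, public_ip = "192.168.1.100", "203.0.113.10"   # constructed
    observed = (public_ip, 5060)   # assumes the NAT router keeps the source port
    without_externip = far_end_check(build_register(lan_ip), *observed)
    with_externip = far_end_check(build_register(lan_ip, externip=public_ip), *observed)
    return without_externip, with_externip


if __name__ == "__main__":
    for label, result in zip(("no externip", "externip set"), demo()):
        print(label, result)
```

As joako notes above, none of this changes who can reach port 5060; it only decides whether the addresses inside the signalling match the addresses on the wire.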

mazilo
From Mazilo
Premium
join:2002-05-30
Lilburn, GA
kudos:1

said by voip_wire:

said by mazilo:

I thought ONLY incoming SIP messages from the registered SIP servers will get through the NAT/Firewall router (without port forwarding).
Yes, but that is not related to externip/stun. If you register with a server, your asterisk box initiates a connection. A properly configured firewall would allow related incoming packets, in this case the SIP messages from the VOIP server to your asterisk box.
AFAIK, most of the Asterisk crackers out there have been able to exploit insecurely configured Asterisk PBX Systems assigned a public IP address and/or a private IP address connected to a NAT/Firewall router with some port forwarding. For me, my very first step to secure my Asterisk PBX System is not to implement any port forwarding on the NAT/Firewall router to which my Asterisk PBX System is connected. Then, configure the sip.conf file accordingly. That's exactly what I tried to convey. I don't think I had an intention to post here to show the relations both Joako and you mentioned above. Honestly, I felt sorry for both Joako and you who could not see that.
--
don't and stop are the ONLY two 4-letter words considered offensive to men, but not when used together.

voip_wire

join:2010-07-02
kudos:1

said by mazilo:

Honestly, I felt sorry for both Joako and you who could not see that.
:)
Actually, I think I understood your original point but was confused by the post I previously quoted, as in I interpreted it as a question while it was a statement.

said by mazilo:

For me, my very first step to secure my Asterisk PBX System is not to implement any port forwarding on the NAT/Firewall router to which my Asterisk PBX System is connected. Then, configure the sip.conf file accordingly.
Exactly. Only thing I wanted to add to this was that anyone setting up a SIP server will have to forward ports if his/her clients are outside their LAN and connect directly to the server. Conditional port-forwarding limits your exposure (as OP is trying to do).

Thinking a bit more about this, I suspect an additional layer of security can be provided by asterisk/freepbx for folks with clients outside their LAN. Assign the outside clients a separate context, and make sure that they can only call specific extensions. This may fit OP's objective: That way people who can call via sip directly, can do so, but hackers would be unable to dial out.

cheers,
-m

mazilo
From Mazilo
Premium
join:2002-05-30
Lilburn, GA
kudos:1

said by voip_wire:

said by mazilo:

For me, my very first step to secure my Asterisk PBX System is not to implement any port forwarding on the NAT/Firewall router to which my Asterisk PBX System is connected. Then, configure the sip.conf file accordingly.
Exactly. Only thing I wanted to add to this was that anyone setting up a SIP server will have to forward ports if his/her clients are outside their LAN and connect directly to the server. Conditional port-forwarding limits your exposure (as OP is trying to do).
Exactly.

Thinking a bit more about this, I suspect an additional layer of security can be provided by asterisk/freepbx for folks with clients outside their LAN. Assign the outside clients a separate context, and make sure that they can only call specific extensions.
Exactly, too. So far, the easiest way to do this is to use a port other than 5060 and let the NAT/Firewall router map the outside port to the inside 5060 port. Until the crackers start to probe such a port, I believe this approach will be safer than using the plain port 5060. I believe this is how it is done in FreeSWITCH. If crackers start to crack through port 5080, then perhaps we will see a similar issue, except for FreeSWITCH users.
--
don't and stop are the ONLY two 4-letter words considered offensive to men, but not when used together.

© 1999-2012 dslreports.com.