mrjoe
join:2013-12-12
Israel

1 edit

mrjoe

Member

[PBX] Attempted hacking from UAE

I'm using Raspbx with an OBi202, an OBi110, a Huawei E160 and 2 Snom320s.

I checked my call logs and have received a call from +971xxxxxxxxx (removed by a moderator).

I called him back and accused him of trying to hack into my system but he denied it.

Can anyone describe what they were trying to do? Would a long complicated password stop them being able to do anything?

I don't have any VoIP trunks but I'm worried they might make calls out through PSTN or GSM Gateway....
Mango
Use DMZ and you get a kick in the dick.
Premium Member
join:2008-12-25
www.toao.net

1 edit

5 recommendations

Mango

Premium Member

Is it a requirement that your PBX must be accessible via the internet? If so...

- Change the port number that your PBX listens on to a random number between 20000 and 65535.

- Set up a hostname for your PBX that is not its reverse DNS name. Configure your firewall to drop any traffic that does not include your hostname so that for example calls to 971xxxxxxxxx@1.2.3.4 will be dropped, but calls to 971xxxxxxxxx@mrjoe.example.com will be allowed.

- Set up fail2ban to catch anyone who slips through the above two.

If your phones are all on a LAN and needn't access your PBX from outside, use your firewall to prevent other internet users from routing calls via your PBX.

m.
Stewart
join:2005-07-13

Stewart to mrjoe

Member

to mrjoe
As Mango said.
said by mrjoe:

I'm worried they might make calls out through PSTN or GSM Gateway....

This is especially dangerous if these are postpaid accounts; a hacker could run up a huge bill for which you would be liable.

In the OBi, set the dial plan to allow only countries you normally call. You might set it up to require a long secret prefix (essentially, a password) to call other destinations. Make sure that the admin interface on the OBi has a strong password, just in case a hacker gets shell access to the PBX and tries to access other hosts on your LAN.

Unfortunately, you can't do the equivalent with the Huawei. If the cell account is prepaid, don't keep a big balance. If you don't need to make international calls with it, your carrier may offer an option to disable them.

Though Asterisk itself is reasonably secure (if you use strong passwords, otherwise configure it correctly, and lock it down per Mango), FreePBX is notorious for vulnerabilities. Make sure that the UI and management functions are all inaccessible from the outside. Except from whitelisted addresses, your firewall should disallow all inbound TCP connections, except possibly SSH and a VPN server, both of which should use obscure ports, strong credentials, and be protected by fail2ban.
mrjoe
join:2013-12-12
Israel

2 edits

mrjoe

Member

Thanks guys for getting back

I don't really need Freepbx to be open to the internet at all, only LAN as I haven't managed to get any SIP trunks to actually register. (I have unlimited outgoing National & International (includes UK Mobiles) calls on the GSM Gateway and on my POTS. I pay £5 a month for multiple phones.)

I've set up passwords with 30+ alphanumeric digits with uppercase and lowercase for the OBi202, 110, FreePBX, Raspberry Pi root and Webmin.

It seems they got in but all they changed it seems is:
on the OBi202
for the only SP that I'm using for VoIP traffic:
CallForwardOnBusyEnable: changed to "on"
CallForwardOnBusyNumber: "PH1()"

I only use 1 VoIP provider and that is Sipsorcery; it's a free account that I only use for incoming. I send all of my DIDs there and then use the same SIP account on multiple devices to receive calls.
mrjoe

mrjoe to Mango

Member

to Mango
said by Mango:

If your phones are all on a LAN and needn't access your PBX from outside, use your firewall to prevent other internet users from routing calls via your PBX.

m.

That is the case though I don't have the router on site.

(I don't use internet much at home so I have an extender which picks up secured Wifi from a neighbour (with their permission of course) and comes to my switch via a long ethernet cable that goes over the roof.)

Their router has a username and password set by the internet service provider. I'm still trying to find these details...

Is there any other way to block all outside traffic while allowing LAN, from within Freepbx or through SSH?
Stewart
join:2005-07-13

Stewart

Member

said by mrjoe:

Is there any other way to block all outside traffic while allowing LAN?

If your iptables is set up to deny everything, except what is explicitly permitted (as all firewalls should be set up), then all you have to do is permit traffic with source addresses in your LAN subnet.

It wouldn't hurt to attempt access from outside, to give you some confidence that it's working properly.
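
One way to build the ruleset Stewart describes (deny by default, permit the LAN subnet), with the hostname filter Mango suggested earlier as an optional extra rule. This is an added example, not part of any post in the thread; the function name `gen_rules` and the subnet, port and hostname passed to it are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): print a default-deny ruleset in
# iptables-restore format. Subnet, port and hostname are caller-supplied.
# Usage: gen_rules LAN_CIDR [SIP_PORT SIP_HOSTNAME]
gen_rules() {
    lan=$1 port=${2:-} host=${3:-}

    # Refuse anything that is not a.b.c.d/0-32, so a typo cannot widen access.
    printf '%s\n' "$lan" |
        grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$' || {
        echo "bad LAN subnet: $lan" >&2; return 1; }

    if [ -n "$port$host" ]; then
        # Port must be numeric; the hostname must be a name, not a bare IP,
        # because the point of the rule is to drop requests addressed by IP.
        case $port in ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;; esac
        printf '%s\n' "$host" |
            grep -Eq '^[A-Za-z0-9.-]*[A-Za-z][A-Za-z0-9.-]*$' || {
            echo "bad hostname: $host" >&2; return 1; }
    fi

    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s $lan -j ACCEPT
EOF
    # Optional: admit outside SIP only when the packet carries the hostname.
    if [ -n "$host" ]; then
        printf '%s\n' "-A INPUT -p udp -m udp --dport $port -m string --string \"$host\" --algo bm -j ACCEPT"
    fi
    echo COMMIT
}
```

Review the output and load it with `iptables-restore` from a LAN or console session, then test from outside as suggested above. The string match only checks that the hostname appears somewhere in the packet, so it filters scanners and is not a substitute for strong SIP credentials.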
Stewart

1 recommendation

Stewart to mrjoe

Member

to mrjoe
said by mrjoe:

I have unlimited outgoing National & International (includes UK Mobiles) calls on the GSM Gateway and on my POTS

IMO, that's not possible. There are satellite phones and premium numbers costing several dollars per minute to terminate. Unless you are an executive with a carrier and were given such an account as a courtesy (with the understanding that you wouldn't abuse it), then IMO you must be mistaken.

What you might mean is that on your service, everything that isn't included is blocked, in which case you are reasonably safe. (You might still get shut down for excessive use.)

If that's not the case, consider what may happen if an intruder tries to call a premium number in the UK? Palestine? Palau? Papua New Guinea? On Inmarsat?

mackey
Premium Member
join:2007-08-20

mackey to mrjoe

Premium Member

to mrjoe
Make sure you have allowguest=no set in sip.conf, otherwise anyone on the internet can make calls to your PBX.
mrjoe
join:2013-12-12
Israel

2 edits

mrjoe to Stewart

Member

to Stewart
said by Stewart:

said by mrjoe:

I have unlimited outgoing National & International (includes UK Mobiles) calls on the GSM Gateway and on my POTS

IMO, that's not possible. There are satellite phones and premium numbers costing several dollars per minute to terminate. Unless you are an executive with a carrier and were given such an account as a courtesy (with the understanding that you wouldn't abuse it), then IMO you must be mistaken.

What you might mean is that on your service, everything that isn't included is blocked, in which case you are reasonably safe. (You might still get shut down for excessive use.)

If that's not the case, consider what may happen if an intruder tries to call a premium number in the UK? Palestine? Palau? Papua New Guinea? On Inmarsat?

I was just explaining why I don't need to resort to VoIP for cheap calls. I'm sorry for not being clearer.

What is included is truly unlimited calls to

Mobile & Landlines in the following countries:
Alaska
Argentina
Australia
Belgium
Brazil
Canada
China
Croatia
Cyprus
Denmark
France
Germany
Greece
Hawaii
Holland
Hong Kong
Hungary
India
Ireland
Israel
Italy
Luxembourg
Mexico
Morocco
New Zealand
Norway
Peru
Poland
Portugal
San Marino
Singapore
Sweden
Switzerland
Thailand
Turkey
UK
US

And Landlines only in the following:
Austria
Chile
Czech Republic
Japan
Kazakhstan
Korea (South)
Latvia
Lithuania
Malaysia
Malta
Netherlands
Pakistan
Taiwan
Ukraine/Crimea
Uruguay
Vatican
Venezuela
mrjoe

mrjoe to mackey

Member

to mackey
said by mackey:

Make sure you have allowguest=no set in sip.conf, otherwise anyone on the internet can make calls to your PBX.

Thanks for your suggestion mackey.

How do I do this from within FreePBX or using SSH?
mrjoe

1 edit

mrjoe to Stewart

Member

to Stewart
said by Stewart:

said by mrjoe:

Is there any other way to block all outside traffic while allowing LAN?

If your iptables is set up to deny everything, except what is explicitly permitted (as all firewalls should be set up), then all you have to do is permit traffic with source addresses in your LAN subnet.

It wouldn't hurt to attempt access from outside, to give you some confidence that it's working properly.

My iptables is empty as I flushed it because I thought it was the cause of me not being able to register SIP trunks and forward extensions to SIP URIs.

I tried this:
root@raspbx:~# cp /root/iptables.lanonly /etc/network/iptables
which I found here: nerdvittles.com/?p=8222

but I got the response:
cp: cannot stat `/root/iptables.lanonly': No such file or directory

mackey
Premium Member
join:2007-08-20

mackey to mrjoe

Premium Member

to mrjoe
Via FreePBX. There are 2 ways:

Settings->General Settings, set "Allow Anonymous Inbound SIP Calls" to No
or
Settings->Asterisk SIP Settings, set "Allow SIP Guests" to No

The 1st way allows anonymous calls in but then drops them in the dialplan which allows them to show up in the log (good for debugging), and the 2nd doesn't allow them in at all (not even a log entry).
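
A check that can be run over SSH to confirm the setting mackey describes is actually in effect. This is an added example, not part of any post in the thread; the function names are hypothetical, the config file path is supplied by the caller, and files pulled in with `#include` are not followed.

```shell
#!/bin/sh
# Added example (not from the thread): report the effective allowguest
# value in the [general] section of a chan_sip config file.
# Usage: allowguest_state /etc/asterisk/sip.conf
allowguest_state() {
    [ -r "$1" ] || { echo "unreadable: $1" >&2; return 2; }
    awk '
        { sub(/;.*/, "") }                      # strip ; comments
        /^[ \t]*\[/ {                           # section header, e.g. [general]
            sec = $0
            gsub(/^[ \t]*\[|\].*$/, "", sec)
            next
        }
        tolower(sec) == "general" {
            n = index($0, "=")
            if (!n) next
            key = tolower(substr($0, 1, n - 1))
            val = tolower(substr($0, n + 1))
            gsub(/[ \t]/, "", key)
            gsub(/^[ \t>]+|[ \t\r]+$/, "", val)  # also accepts "key => value"
            if (key == "allowguest") state = val # a later line overrides
        }
        END { print (state == "" ? "unset" : state) }
    ' "$1"
}

# Succeeds only when guests are explicitly refused. "unset" fails the check
# because chan_sip allows guests when the option is absent.
guests_blocked() {
    case $(allowguest_state "$1") in
        no|false|0|off|n|f) return 0 ;;
        *) return 1 ;;
    esac
}
```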
mrjoe
join:2013-12-12
Israel

mrjoe

Member

Thanks, I did that.

If I need to call in, I use the Sipsorcery SIP URI setup on the OBi202 which goes to a trunk.