mrjoe (Member, Israel)
2015-Jan-31 12:43 pm
[PBX] Attempted hacking from UAE
I'm using Raspbx with an OBi202, an OBi110, a Huawei E160 and 2 Snom320s.
I checked my call logs and have received a call from +971xxxxxxxxx removed by a moderator
I called him back and accused him of trying to hack in to my system but he denied it.
Can anyone describe what they were trying to do? Would a long, complicated password stop them from being able to do anything?
I don't have any VoIP trunks but I'm worried they might make calls out through PSTN or GSM Gateway....
Mango (Premium Member)
2015-Jan-31 12:49 pm
Is it a requirement that your PBX must be accessible via the internet? If so...
- Change the port number that your PBX listens on to a random number between 20000 and 65535.
- Set up a hostname for your PBX that is not its reverse DNS name. Configure your firewall to drop any traffic that does not include your hostname so that for example calls to 971xxxxxxxxx@1.2.3.4 will be dropped, but calls to 971xxxxxxxxx@mrjoe.example.com will be allowed.
- Set up fail2ban to catch anyone who slips through the above two.
If your phones are all on a LAN and needn't access your PBX from outside, use your firewall to prevent other internet users from routing calls via your PBX.
m.
to mrjoe
As Mango said.
said by mrjoe: I'm worried they might make calls out through PSTN or GSM Gateway....
This is especially dangerous if these are postpaid accounts; a hacker could run up a huge bill for which you would be liable. In the OBi, set the dial plan to allow only countries you normally call. You might set it up to require a long secret prefix (essentially, a password) to call other destinations. Make sure that the admin interface on the OBi has a strong password, just in case a hacker gets shell access to the PBX and tries to access other hosts on your LAN.
Unfortunately, you can't do the equivalent with the Huawei. If the cell account is prepaid, don't keep a big balance. If you don't need to make international calls with it, your carrier may offer an option to disable them.
Though Asterisk itself is reasonably secure (if you use strong passwords, otherwise configure it correctly, and lock it down per Mango), FreePBX is notorious for vulnerabilities. Make sure that the UI and management functions are all inaccessible from the outside. Except from whitelisted addresses, your firewall should disallow all inbound TCP connections, except possibly SSH and a VPN server, both of which should use obscure ports, strong credentials, and be protected by fail2ban.
mrjoe (Member)
2015-Jan-31 2:14 pm
Thanks guys for getting back
I don't really need Freepbx to be open to the internet at all, only LAN as I haven't managed to get any SIP trunks to actually register. (I have unlimited outgoing National & International (includes UK Mobiles) calls on the GSM Gateway and on my POTS. I pay £5 a month for multiple phones.)
I've set up passwords with 30+ alphanumeric digits with uppercase and lowercase for the Obi202, 110, Freepbx, Raspberry pi root and Webmin.
It seems they got in, but all they seem to have changed is, on the OBi202, for the only SP that I'm using for VoIP traffic: CallForwardOnBusyEnable changed to "on", CallForwardOnBusyNumber: "PH1()".
I only use 1 VoIP provider and that is Sipsorcery; it's a free account that I only use for incoming. I send all of my DIDs to there and then use the same SIP account on multiple devices to receive calls.
mrjoe
to Mango
said by Mango: If your phones are all on a LAN and needn't access your PBX from outside, use your firewall to prevent other internet users from routing calls via your PBX.
That is the case, though I don't have the router on site. (I don't use internet much at home so I have an extender which picks up secured Wifi from a neighbour (with their permission of course) and comes to my switch via a long ethernet cable that goes over the roof.) Their router has a username and password set by the internet service provider. I'm still trying to find these details... Is there any other way to block all outside traffic while allowing LAN, from within Freepbx or through SSH?
said by mrjoe: Is there any other way to block all outside traffic while allowing LAN?
If your iptables is set up to deny everything, except what is explicitly permitted (as all firewalls should be set up), then all you have to do is permit traffic with source addresses in your LAN subnet. It wouldn't hurt to attempt access from outside, to give you some confidence that it's working properly.
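One way to turn Mango's and Stewart's advice (default deny, permit only the LAN subnet) into concrete rules, as an added example that is not from the thread or from RasPBX: a small script that prints an iptables rule set for the PBX. The LAN subnet, SIP port, RTP range and admin ports (22 SSH, 80/443 FreePBX UI, 10000 Webmin) are assumptions to adjust for your site.

```shell
#!/bin/sh
# Added example, not from the thread: print an iptables rule set that
# default-denies inbound traffic to the PBX and permits only the LAN subnet
# to reach SIP, RTP and the admin interfaces, as Mango and Stewart describe.
# Assumptions (adjust to your site): LAN subnet, SIP port (5060, or the
# random high port Mango suggests), RTP range (Asterisk's default is
# 10000-20000), admin ports 22 (SSH), 80/443 (FreePBX UI), 10000 (Webmin).
# It only prints; review the output, then run it as root to apply.

pbx_lan_rules() {
    lan="$1"        # e.g. 192.168.1.0/24
    sip_port="$2"   # e.g. 5060
    rtp_range="$3"  # e.g. 10000:20000 (iptables range syntax)

    cat <<EOF
# Start from an empty INPUT chain but keep the old policy until the
# allow rules are in place, so an SSH session from the LAN is not cut off.
iptables -F INPUT
# Loopback, and replies to connections the PBX itself opened
# (outbound trunk registration, package updates, DNS).
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# SIP signalling and RTP media: LAN only.
iptables -A INPUT -s $lan -p udp --dport $sip_port -j ACCEPT
iptables -A INPUT -s $lan -p udp --dport $rtp_range -j ACCEPT
# Admin surfaces (SSH, FreePBX web UI, Webmin): LAN only.
iptables -A INPUT -s $lan -p tcp -m multiport --dports 22,80,443,10000 -j ACCEPT
# Everything else, from anywhere, is now dropped by the default policy.
iptables -P INPUT DROP
EOF
}

# Usage: pbx_lan_rules 192.168.1.0/24 5060 10000:20000 | sudo sh
if [ $# -eq 3 ]; then
    pbx_lan_rules "$@"
fi
```

The rules are not persistent across reboots; once the phones still register from the LAN and a test from outside fails, save them the way your distribution expects (for example with iptables-save).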
Stewart
to mrjoe
said by mrjoe: I have unlimited outgoing National & International (includes UK Mobiles) calls on the GSM Gateway and on my POTS
IMO, that's not possible. There are satellite phones and premium numbers costing several dollars per minute to terminate. Unless you are an executive with a carrier and were given such an account as a courtesy (with the understanding that you wouldn't abuse it), then IMO you must be mistaken. What you might mean is that on your service, everything that isn't included is blocked, in which case you are reasonably safe. (You might still get shut down for excessive use.) If that's not the case, consider what may happen if an intruder tries to call a premium number in the UK? Palestine? Palau? Papua New Guinea? On Inmarsat?
mackey (Premium Member)
to mrjoe
Make sure you have allowguest=no set in sip.conf, otherwise anyone on the internet can make calls to your PBX.
mrjoe
to Stewart
said by Stewart: said by mrjoe: I have unlimited outgoing National & International (includes UK Mobiles) calls on the GSM Gateway and on my POTS. IMO, that's not possible. There are satellite phones and premium numbers costing several dollars per minute to terminate. Unless you are an executive with a carrier and were given such an account as a courtesy (with the understanding that you wouldn't abuse it), then IMO you must be mistaken. What you might mean is that on your service, everything that isn't included is blocked, in which case you are reasonably safe. (You might still get shut down for excessive use.) If that's not the case, consider what may happen if an intruder tries to call a premium number in the UK? Palestine? Palau? Papua New Guinea? On Inmarsat?
I was just explaining why I don't need to resort to VoIP for cheap calls. I'm sorry for not being clearer. What is included is truly unlimited calls to Mobile & Landlines in the following countries: Alaska, Argentina, Australia, Belgium, Brazil, Canada, China, Croatia, Cyprus, Denmark, France, Germany, Greece, Hawaii, Holland, Hong Kong, Hungary, India, Ireland, Israel, Italy, Luxembourg, Mexico, Morocco, New Zealand, Norway, Peru, Poland, Portugal, San Marino, Singapore, Sweden, Switzerland, Thailand, Turkey, UK, US.
And landlines only in the following: Austria, Chile, Czech Republic, Japan, Kazakhstan, Korea (South), Latvia, Lithuania, Malaysia, Malta, Netherlands, Pakistan, Taiwan, Ukraine/Crimea, Uruguay, Vatican, Venezuela.
mrjoe
to mackey
said by mackey: Make sure you have allowguest=no set in sip.conf, otherwise anyone on the internet can make calls to your PBX.
Thanks for your suggestion mackey. How do I do this from within Freepbx or using SSH?
mrjoe
to Stewart
said by Stewart: said by mrjoe: Is there any other way to block all outside traffic while allowing LAN? If your iptables is set up to deny everything, except what is explicitly permitted (as all firewalls should be set up), then all you have to do is permit traffic with source addresses in your LAN subnet. It wouldn't hurt to attempt access from outside, to give you some confidence that it's working properly.
My iptables is empty as I flushed it because I thought it was the cause of me not being able to register SIP trunks and forward extensions to SIP URIs. I tried this:
root@raspbx:~# cp /root/iptables.lanonly /etc/network/iptables
which I found here: nerdvittles.com/?p=8222
but I got the response:
cp: cannot stat `/root/iptables.lanonly': No such file or directory
mackey (Premium Member)
to mrjoe
Via FreePBX. There are 2 ways:
- Settings->General Settings, set "Allow Anonymous Inbound SIP Calls" to No, or
- Settings->Asterisk SIP Settings, set "Allow SIP Guests" to No
The 1st way allows anonymous calls in but then drops them in the dialplan which allows them to show up in the log (good for debugging), and the 2nd doesn't allow them in at all (not even a log entry).
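An added check, not from the thread or from FreePBX, for the allowguest setting mackey describes: a shell function that parses the [general] section of Asterisk chan_sip configuration files and reports whether anonymous calls are refused. The file paths in the usage comment are assumptions for a FreePBX install.

```shell
#!/bin/sh
# Added example, not from the thread: report the effective allowguest setting
# in the [general] section of Asterisk chan_sip configuration, the option
# mackey refers to. Asterisk's default when it is absent is allowguest=yes,
# so "unset" is treated as a risk. Handles ';' comments, whitespace and case.
# FreePBX assembles [general] from sip.conf plus #included files such as
# sip_general_additional.conf, which carry no section header of their own;
# lines seen before any header in a file are therefore counted as [general]
# (an assumption that holds only for the general-section files).

allowguest_effective() {
    # Prints the last allowguest value found in [general] across the files
    # given as arguments (later files override earlier ones), or "unset".
    awk -F'=' '
        FNR == 1 { section = "" }                          # new file, no header yet
        { sub(/;.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }    # drop comment, trim
        /^\[/ { section = tolower($0); sub(/\].*/, "]", section); next }
        (section == "" || section == "[general]") && NF >= 2 {
            key = $1; gsub(/[ \t]/, "", key)
            val = $2; gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (tolower(key) == "allowguest") last = tolower(val)
        }
        END { print (last == "" ? "unset" : last) }
    ' "$@"
}

check_allowguest() {
    # Exit status 0 only when anonymous SIP calls are refused.
    v=$(allowguest_effective "$@")
    if [ "$v" = "no" ]; then
        echo "ok: allowguest=no"
        return 0
    fi
    echo "RISK: allowguest is '$v'; unauthenticated callers reach the dialplan"
    return 1
}

# Usage on a FreePBX system (paths assumed):
#   check_allowguest /etc/asterisk/sip.conf \
#       /etc/asterisk/sip_general_additional.conf \
#       /etc/asterisk/sip_general_custom.conf
```

Change the setting through the FreePBX screens mackey lists rather than by editing sip.conf by hand, since FreePBX regenerates its files; this check only confirms what the generated files actually contain.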
mrjoe (Member)
2015-Jan-31 4:18 pm
Thanks, I did that.
If I need to call in, I use the Sipsorcery SIP URI setup on the OBi202 which goes to a trunk.