craig0

join:2010-05-18

Asterisk Hacking Attempts...Best way to lock down?

I have been seeing a lot of hacking attempts to my asterisk Server lately...ex below.

[Sep 1 14:27:13] NOTICE[11255]: chan_sip.c:21640 handle_request_register: Registration from '"8014" ' failed for '141.223.41.2' - No matching peer found

This one seems to be coming from Korea

Anyway my asterisk is behind my router and I have my SIP port (5060) forwarded to the asterisk server. Obviously this opens me up to these kinds of attacks. The port is forwarded because I have external sip clients that need to register. Is there a better way to accomplish this rather than opening up port 5060?

I suppose I could choose another sip port...any other suggestions to make things as tight as they can be?

Thanks

CRaig

Trev
IP Telephony Guru
Premium
join:2009-06-29
Victoria, BC
kudos:3

Random port number is your best bet if you don't know where the remote peers are coming from.

If you do know where they are coming from, whitelist their IPs (or even their entire subnet) and block everybody else.
--
Wondering what I do? Find out at »www.digitalcon.ca



nunya
Who is John Galt?
Premium,MVM
join:2000-12-23
O Fallon, MO
kudos:5
Reviews:
·Charter
·voip.ms

reply to craig0
I guess it's safe to assume you are using some sort of ban software. That's a good start.
You could ban all non-US IP blocks.

Are your remote extensions on static or dynamic IP addresses?

My war story is the first time I opened my SIP port to the outside world (for testing), I got hacked by credit card scammers (Hello. There's a problem with your credit card, please press 1 to be connected to an operator). I had angry people calling back my number for days. They ran full channels at full load until I pulled the plug.
Partially my own damn fault for using Fring. This was all somehow associated with Fring.

I decided to use IAX2 from then on.
--
Looks like Reverend Wright got his wish - God Damn America.
Nancy Pelosi - House Minority Leader 2010
Harry Reid - Senate Minority Leader 2010


gbh2o

join:2000-12-18
Greenville, NC
Reviews:
·Future Nine Corp..
·VOIPo
·callwithus
·MyPhoneCompany

reply to craig0
I could not find my copy of one strong recommendation by Ward Mundy (»nerdvittles.com/). As I recall, he would set up a voip.ms account, have all extensions go there and be forwarded to your asterisk box via a registered SIP trunk and then be sorted out there for all the * goodies and features. The registered trunk does not require opening or forwarding any ports. This indirect routing leaves your system secure from the outside world, but maintains all the benefits.

Just my recollection of how a smart person should do it to protect their own a#$! I'm not _that_ smart yet with my systems; I'm just devious, sneaky and sometimes ornery enough to enjoy watching the break-in efforts.


mazilo
From Mazilo
Premium
join:2002-05-30
Lilburn, GA
kudos:1

reply to craig0

said by craig0:

Anyway my asterisk is behind my router and I have my SIP port (5060) forwarded to the asterisk server. Obviously this opens me up to these kinds of attacks.
Then, close the ports.

The port is forwarded because I have external sip clients that need to register. Is there a better way to accomplish this rather than opening up port 5060?
For external clients, you can specify different external ports (other than 5060) to associate with internal IP:Port of your asterisk.

Also, make sure you read my post here to secure your Asterisk PBX System.
--
don't and stop are the ONLY two 4-letter words considered offensive to men, but not when used together.

kaila

join:2000-10-11
Lincolnshire, IL
Reviews:
·voip.ms

1 edit

reply to craig0
One of the very best things I did was move to IAX trunks if at all possible. IAX just isn't a popular target right now.

Beyond the basics of using strong passwords, and not opening ports into your system that aren't necessary, you absolutely should lock down internal extensions using the permit/deny functions to prevent extension tampering from the outside. Installing fail2ban will also cut off attempts by an attacker trying to brute force their way in.
--
Jeff Howe
Jeff's Blog - »www.ostjournal.net


craig0

join:2010-05-18

reply to mazilo

For external clients, you can specify different external ports (other than 5060) to associate with internal IP:Port of your asterisk.

How can you do this? If you do a DNAT so that, say for example, you forward external port 50600 to the internal IP of the asterisk server:5060, then response traffic from asterisk would be sourced from port 5060 when the client is expecting 50600. If the client is behind a NAT this won't work? I suppose I could bind asterisk to a non-standard port, but then I would have to reconfigure all my clients.

I do have all my asterisk extensions limited to specific IPs or in the case of my external extensions, IP ranges.

Maybe I can only open up port 5060 to a specific external IP range that I know my external clients use. Anyone know iptables well enough to help me with the syntax? So say I want to forward destination port 5060 to 192.168.100.1 but only do this for source network 10.0.0.0/8?

sokhapkin
Premium
join:2003-05-08
Cape Coral, FL

reply to craig0
Fail2ban, latest version; it understands the asterisk log file format.
--
»www.callwithus.com
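kaila and sokhapkin both point at fail2ban. As an added example (not from the thread, and not fail2ban's own code), here is a small Python script that applies the same maxretry/findtime idea to chan_sip log lines of the format craig0 posted, so you can see which source IPs a jail would ban. Only the first sample log line is from the thread; the rest, and the addresses in them, are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Failed SIP registrations are logged by chan_sip like the NOTICE craig0 posted.
# The address after "failed for" is the source worth counting per IP.
FAILED_REG = re.compile(
    r"^\[(?P<ts>[^\]]+)\] NOTICE\[\d+\]: chan_sip\.c:\d+ handle_request_register: "
    r"Registration from '(?P<from>[^']*)'\s*failed for '(?P<ip>[^']+)' - (?P<reason>.+)$"
)

# Constructed sample log: the first line is the one from the thread, the rest are
# made up to show a burst from one scanner plus an unrelated single bad password.
SAMPLE_LOG = """\
[Sep 1 14:27:13] NOTICE[11255]: chan_sip.c:21640 handle_request_register: Registration from '"8014" ' failed for '141.223.41.2' - No matching peer found
[Sep 1 14:27:13] NOTICE[11255]: chan_sip.c:21640 handle_request_register: Registration from '"8015" ' failed for '141.223.41.2' - No matching peer found
[Sep 1 14:27:14] NOTICE[11255]: chan_sip.c:21640 handle_request_register: Registration from '"8016" ' failed for '141.223.41.2' - No matching peer found
[Sep 1 14:27:14] NOTICE[11255]: chan_sip.c:21640 handle_request_register: Registration from '"8017" ' failed for '141.223.41.2' - No matching peer found
[Sep 1 14:27:15] NOTICE[11255]: chan_sip.c:21640 handle_request_register: Registration from '"8018" ' failed for '141.223.41.2' - No matching peer found
[Sep 1 14:30:02] NOTICE[11255]: chan_sip.c:21640 handle_request_register: Registration from '"201" <sip:201@pbx.example>' failed for '203.0.113.7' - Wrong password
[Sep 1 14:31:40] VERBOSE[11255] logger.c: -- Registered SIP '201' at 203.0.113.7 port 5060
"""

def parse_failures(lines):
    """Yield (timestamp, ip, reason) for each failed-registration NOTICE; other lines are skipped."""
    for line in lines:
        m = FAILED_REG.match(line.rstrip("\n"))
        if m:
            # Asterisk's default log timestamp carries no year; 1900 is fine for intervals.
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
            yield ts, m.group("ip"), m.group("reason")

def ban_candidates(lines, maxretry=5, findtime=600):
    """Return {ip: total failures} for sources with >= maxretry failures inside any
    findtime-second window, mirroring fail2ban's maxretry/findtime jail logic."""
    stamps = defaultdict(list)
    for ts, ip, _ in parse_failures(lines):
        stamps[ip].append(ts)
    banned = {}
    for ip, times in stamps.items():
        times.sort()
        # Slide a window of maxretry consecutive failures and check its duration.
        for i in range(len(times) - maxretry + 1):
            if (times[i + maxretry - 1] - times[i]).total_seconds() <= findtime:
                banned[ip] = len(times)
                break
    return banned

if __name__ == "__main__":
    for ip, n in ban_candidates(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {n} failed registrations, would be banned")
```

With e9th's alwaysauthreject=yes in place, a scanner like svwar typically stops after its first few probes, which is why such a burst often never reaches the threshold.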


voip_wire

join:2010-07-02

reply to craig0

said by craig0:

Maybe I can only open up port 5060 to a specific external IP range that I know my external clients use. Anyone know iptables well enough to help me with the syntax? So say I want to forward destination port 5060 to 192.168.100.1 but only do this for source network 10.0.0.0/8?
Please double check, but it should be
iptables -t nat -A PREROUTING -p udp --dport 5060 -s 10.0.0.0/8 -j DNAT --to-destination 192.168.1.100:5060
iptables -A FORWARD -i eth1 -o eth0 -p udp --dport 5060 -s 10.0.0.0/8 -d 192.168.1.100 -j ACCEPT

In general, I recommend using shorewall-lite to setup netfilter rules. As I found out by experimenting, you will also need to open holes for RTP traffic, if two clients outside your firewall need to communicate with each other. This is assuming that you have set canreinvite=no for those clients.

hope this helps,
-m

e9th

join:2003-07-12
Miami, FL

reply to craig0
Add alwaysauthreject=yes to sip.conf.

sipvicious (recently, anyway) is smart. It makes a few attempts using random, long extensions before trying to go through whatever range was specified.
By default, once it determines that it cannot tell if an extension is valid, it gives up.

That's where alwaysauthreject comes in. It causes asterisk to reject registration to an unknown extension in the same way as it does registration to a valid extension with a bad password. alwaysauthreject has been in asterisk for years, but =yes does not become the default setting until 1.8.

I turned it on a few months ago (on 1.6). Since then, I still see one or two probes a week from various sites, but now each one just stops before fail2ban even notices. And they don't eat up bandwidth.


mazilo
From Mazilo
Premium
join:2002-05-30
Lilburn, GA
kudos:1

said by e9th:

I turned it on a few months ago (on 1.6). Since then, I still see one or two probes a week from various sites, but now each one just stops before fail2ban even notices.
If your Asterisk is behind a NAT/Firewall router with a private IP Address and you haven't done any port forwarding on your NAT/Firewall router, I don't suppose you will see such probing activity. As such, your Asterisk won't need fail2ban.

And they don't eat up bandwidth.
It sure will eat some CPU resources.
--
don't and stop are the ONLY two 4-letter words considered offensive to men, but not when used together.

e9th

join:2003-07-12
Miami, FL

said by mazilo:

said by e9th:

I turned it on a few months ago (on 1.6). Since then, I still see one or two probes a week from various sites, but now each one just stops before fail2ban even notices.
If your Asterisk is behind a NAT/Firewall router with a private IP Address and you haven't done any port forwarding on your NAT/Firewall router, I don't suppose you will see such probing activity. As such, your Asterisk won't need fail2ban.
I prefer that those who are able to call me directly, can. This pretty much rules out hiding behind a firewall.
And they don't eat up bandwidth.
It sure will eat some CPU resources.
These are not per se DoS attacks. That's just an unpleasant side effect of scanning thousands of extensions for valid ones. If we can simply make sipvicious stop scanning on its own, then everybody wins: My connection doesn't get clogged up; fail2ban, ossec, whatever, don't have to waste cycles poring over log files; and even my attackers know to move on to the next guy.

Note how quickly svwar gives up when alwaysauthreject=yes :
bash-4.0# time ./svwar.py -e100-9999 xxx.xxx.xxx.xxx
ERROR:TakeASip:SIP server replied with an authentication request for an unknown extension. Set --force to force a scan.
WARNING:root:found nothing
 
real    0m0.266s
user    0m0.190s
sys     0m0.060s
 


joako
Premium
join:2000-09-07
/dev/null
kudos:5
Reviews:
·Comcast
·AT&T U-Verse

1 edit

reply to craig0
Can you open port 5060 only to some IPs or even netblock (better to have all of Verizon only attacking you vs all of the world).

Also, set:

alwaysauthreject=yes

If this option is enabled, whenever Asterisk rejects an INVITE or REGISTER, it will always reject it with a 401 Unauthorized message instead of letting the caller know whether there was a matching user or peer for their request.
--
PRescott7-2097


mazilo
From Mazilo
Premium
join:2002-05-30
Lilburn, GA
kudos:1

reply to e9th

said by e9th:

said by mazilo:

said by e9th:

I turned it on a few months ago (on 1.6). Since then, I still see one or two probes a week from various sites, but now each one just stops before fail2ban even notices.
If your Asterisk is behind a NAT/Firewall router with a private IP Address and you haven't done any port forwarding on your NAT/Firewall router, I don't suppose you will see such probing activity. As such, your Asterisk won't need fail2ban.
I prefer that those who are able to call me directly, can. This pretty much rules out hiding behind a firewall.
I have my Asterisk PBX System hosted on a Netgear WGT634U running OpenWRT firmware with a private IP Address behind a NAT/Firewall router sans any port forwarding, and it has no problems processing incoming and/or outgoing calls. If you have configured your Asterisk PBX System correctly, it shouldn't need any port forwarding on your NAT/Firewall router.

And they don't eat up bandwidth.
It sure will eat some CPU resources.
These are not per se DoS attacks. That's just an unpleasant side effect of scanning thousands of extensions for valid ones. If we can simply make sipvicious stop scanning on its own, then everybody wins: My connection doesn't get clogged up; fail2ban, ossec, whatever, don't have to waste cycles poring over log files; and even my attackers know to move on to the next guy.
If you don't configure port forwarding on your main NAT/Firewall router, you don't even need fail2ban installed to start with.

Note how quickly svwar gives up when alwaysauthreject=yes :
bash-4.0# time ./svwar.py -e100-9999 xxx.xxx.xxx.xxx
ERROR:TakeASip:SIP server replied with an authentication request for an unknown extension. Set --force to force a scan.
WARNING:root:found nothing
 
real    0m0.266s
user    0m0.190s
sys     0m0.060s
 
It is not how quickly they disappear, but rather how not to let them know you have an Asterisk PBX System behind your NAT/Firewall router. If you do not have port forwarding on your main NAT/Firewall router, their scanner will find no response and move on.

Your logic dealing with this kind of crackers is similar to either how e-mail providers are doing their business to let junk e-mails in and filter them to the junk folder or how the US gov't deals with telemarketers using the Do Not call list. AFAIC, that's a waste of resources.

--
don't and stop are the ONLY two 4-letter words considered offensive to men, but not when used together.

craig0

join:2010-05-18

reply to voip_wire

iptables -t nat -A PREROUTING -p udp --dport 5060 -s 10.0.0.0/8 -j DNAT --to-destination 192.168.1.100:5060
iptables -A FORWARD -i eth1 -o eth0 -p udp --dport 5060 -s 10.0.0.0/8 -d 192.168.1.100 -j ACCEPT
 

Thanks for this. I opened up a couple of ranges for my external clients as well as the few people who call me direct over the Internet.

mazilo
From Mazilo
Premium
join:2002-05-30
Lilburn, GA
kudos:1

said by craig0:

iptables -t nat -A PREROUTING -p udp --dport 5060 -s 10.0.0.0/8 -j DNAT --to-destination 192.168.1.100:5060
iptables -A FORWARD -i eth1 -o eth0 -p udp --dport 5060 -s 10.0.0.0/8 -d 192.168.1.100 -j ACCEPT
 

Thanks for this. I opened up a couple of ranges for my external clients as well as the few people who call me direct over the Internet.
If you do the above, you are exposing your Asterisk PBX System to any crackers out there on port 5060. To avoid this, you can use a port other than 5060 (on the WAN side) and map it to an internal IP:Port on your Asterisk PBX System. This way, crackers who only scan port 5060 will get nothing from your NAT/Firewall router.

I believe you can even configure your Asterisk PBX System sans any port forwarding on your main NAT/Firewall router and it will still be able to let your clients from outside use your Asterisk PBX System with no problems. You may want to read the Asterisk: The Future of Telephony, 2nd Edition e-book to find out how.

--
don't and stop are the ONLY two 4-letter words considered offensive to men, but not when used together.

voip_wire

join:2010-07-02

said by mazilo:

said by craig0:

iptables -t nat -A PREROUTING -p udp --dport 5060 -s 10.0.0.0/8 -j DNAT --to-destination 192.168.1.100:5060
iptables -A FORWARD -i eth1 -o eth0 -p udp --dport 5060 -s 10.0.0.0/8 -d 192.168.1.100 -j ACCEPT
 

Thanks for this. I opened up a couple of ranges for my external clients as well as the few people who call me direct over the Internet.
If you do the above, you are exposing your Asterisk PBX System to any crackers out there with port 5060.
I assume that OP listed 10.0.0.0/8 as a placeholder. Depending on the overall firewall config, hackers will not see 5060 as open. Only requests coming from the specific IP address range(s) will see port 5060 as open. IP-spoofing-based hacking could work if the attacker gains knowledge of your netfilter settings, and in that case the system admin has a bigger problem at hand.

said by mazilo:

I believe you can even configure your Asterisk PBX System sans any ports forwarding on your main NAT/Firewall router and it will still be able to let your clients from outside to use your Asterisk PBX System with no problems.
As far as I understand SPI firewalls, this is very unlikely. I can't claim to have read the e-book in its entirety, but even that reference shows how to open ports for SIP/IAX signaling.

Mazi, if you figure this one out, I would highly appreciate if you would share it with us.

Cheers,
-m

mazilo
From Mazilo
Premium
join:2002-05-30
Lilburn, GA
kudos:1

said by voip_wire:

Mazi, if you figure this one out, I would highly appreciate if you would share it with us.
My Asterisk PBX System is not configured to serve clients from outside the private LAN it resides in. As I mentioned before, I configured my Asterisk PBX System with the stunaddr option (no externhost nor externip, of course with nat=yes). I used a small externrefresh of 180s. Since then, my Asterisk PBX System has had no problems processing I/O calls. Perhaps the e-book (based on asterisk-1.4.x) will have a small section on how to configure an asterisk to deal with clients residing outside the private LAN without any port forwarding.
--
don't and stop are the ONLY two 4-letter words considered offensive to men, but not when used together.

obeliks

join:2010-08-22
Lake Forest, CA

1 edit

Stun does not work with asterisk:

»www.voip-info.org/wiki/view/Aste···stunaddr


craig0

join:2010-05-18

reply to mazilo

If you do the above, you are exposing your Asterisk PBX System to any crackers out there on port 5060. To avoid this, you can use a port other than 5060 (on the WAN side) and map it to an internal IP:Port on your Asterisk PBX System. This way, crackers who only scan port 5060 will get nothing from your NAT/Firewall router.

Question.....if you change the port on the WAN side, say to 50610, and map it to internal port 5060, then when the asterisk server responds it will respond with a source port of 5060. Will the router then translate that source back to 50610 when the packet is forwarded out the WAN side? Guess I could check the connection tracking table in the router and see for myself, but it is quicker to ask.

Craig

© 1999-2012 dslreports.com.