Asterisk box cracked


#1

My gateway / asterisk server was cracked the other day. They almost certainly got in through one of the asterisk ports (IAX, SIP, RTP). The only other open port on the system was an up-to-date version of ssh - which is a possibility for a crack, but probably not as likely as asterisk.

For quite a few weeks, I’d been meaning to change my firewall to only allow incoming connections to the asterisk ports from the servers of my ITSPs - but I never got round to it! If I’d done it when I first intended to, I probably wouldn’t have got cracked…

I should also have read and acted on this page:

voip-info.org/tiki-index.php … k+non-root

Do it now, before it’s too late!


#2

Sorry to hear of your woes!

What damage did they do? How did you spot it? Were you running any IDS on the machine/firewall, and if so, did it report anything?

I’ve been drawing up plans to restrict my firewall port forwards, but haven’t deployed them yet!!


#3

No damage was done as far as I can tell - apart from installing a “virus” that had “infected” all the binaries that I checked - in /sbin, /usr/sbin, etc. The cracker could have been intending to run a spam remailer or something, I dunno. Whatever, there was a lot of network activity going on at a time when there should have been none. I’m pretty sure I was onto it very soon after it was cracked.

I checked them by comparing them with binaries from another install of the same distribution on a different machine - the files had identical dates and file sizes, but ‘cmp’ or ‘md5sum’ showed they weren’t identical files.

Fortunately I’ve seen this sort of crack before and I didn’t waste time trying to work out what was going on, I just took the system offline and did a complete re-install. It was a pain in the arse, but only wasted about half a day. Last time I had to deal with a crack like this I wasted days trying to work out what was going on. The problem with this type of crack is that every command you run on the system, as root, runs the “virus” software and re-infects all the binaries - so you can’t replace a dodgy tool such as ‘ps’ with a new one without it getting modified almost straight away.

It’s always good policy, when running an internet-connected server, to set the system up so it’s a trivial matter to do a complete re-install from scratch - rather than from backups.
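The check described in #3 (same dates and sizes, different md5sums against a clean install of the same distribution) can be scripted. The following is an added example, not code from the thread: it takes two md5sum manifests, one from the clean reference host and one from the suspect machine, and reports every binary that is modified, missing, or newly added. The manifest paths and hashes in the test are constructed. Because the post notes that every root command on the infected box re-runs the malware, the suspect manifest should be produced with a statically linked md5sum copied from the clean host, or with the suspect disk mounted read-only from a clean boot medium, rather than with the suspect machine's own /usr/bin/md5sum.

```shell
#!/bin/sh
# Added example: diff two md5sum manifests of system binaries.
#
# On the clean reference host:
#   md5sum /bin/* /sbin/* /usr/bin/* /usr/sbin/* > clean.md5
# On the suspect host (use a trusted, statically linked md5sum!):
#   /mnt/cdrom/md5sum /bin/* /sbin/* /usr/bin/* /usr/sbin/* > suspect.md5
# Then:
#   ./manifest-diff.sh clean.md5 suspect.md5
#
# md5sum lines look like "<hash>  <path>", so awk's $1 is the hash and
# $2 is the path.

# Print one line per path that differs between the manifests:
#   MODIFIED <path>            hash differs
#   MISSING_ON_SUSPECT <path>  present on the clean host only
#   EXTRA_ON_SUSPECT <path>    present on the suspect host only
# Identical files are not printed. Output is sorted for stable comparison.
compare_manifests() {
    ref="$1"
    sus="$2"
    awk '
        # First file (reference): remember hash by path.
        NR == FNR { ref[$2] = $1; next }
        # Second file (suspect): compare against the reference.
        {
            if (!($2 in ref))        print "EXTRA_ON_SUSPECT", $2
            else if (ref[$2] != $1)  print "MODIFIED", $2
            seen[$2] = 1
        }
        # Anything in the reference that the suspect never listed.
        END { for (p in ref) if (!(p in seen)) print "MISSING_ON_SUSPECT", p }
    ' "$ref" "$sus" | LC_ALL=C sort
}

# Convenience: number of modified binaries (a non-zero count means
# the box should be taken offline and rebuilt, as #3 did).
count_modified() {
    compare_manifests "$1" "$2" | grep -c '^MODIFIED '
}

if [ "$#" -eq 2 ]; then
    compare_manifests "$1" "$2"
fi
```

Run it from the clean host, not the suspect one; the only thing that needs to leave the suspect machine is the manifest file. A rootkit that also preserves sizes and mtimes (as in #3) still cannot preserve the hash without breaking the binary.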


#4

Hi WillKemp,

Regarding your statement on setting the “firewall to only allow incoming connections to the asterisk ports from the servers of my ITSPs”,
I was wondering how this works, because with SIP the calling SIP clients
connect straight to your asterisk server for the RTP protocol. The ITSP
servers don’t get in the “path”, right?

A bit confused… :smile:


#5

[quote=“nicklv”]Regarding your statement on setting the “firewall to only allow incoming connections to the asterisk ports from the servers of my ITSPs”,
I was wondering how this works, because with SIP the calling SIP clients
connect straight to your asterisk server for the RTP protocol. The ITSP
servers don’t get in the “path”, right?[/quote]
Wrong!

SIP calls can either go through the ITSP’s server or go direct. If you set canreinvite=no in sip.conf, any call set up through the ITSP’s proxy server cannot be switched to a direct connection.

Of course, not allowing the entire world access to port 5060 does mean that no-one can make a direct SIP call to your server. That doesn’t bother me, as nobody’s ever likely to anyway. I use VOIP solely for connections to/from the PSTN.

As always, there’s a trade-off involved in security. If you don’t mind the fact that your server is guaranteed to get cracked, then you can leave port 5060 open to the whole world. If you run asterisk as a non-root user, you can certainly minimise the risk of a crack bringing down your whole system - but it’s definitely not a guarantee that it won’t happen!
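What #5 describes, SIP/IAX/RTP reachable only from the ITSP's servers plus canreinvite=no so media stays anchored at the proxy, can be expressed as a small rule generator. This is an added example, not configuration from the thread or from the poster's box: the ITSP addresses are constructed placeholders from the RFC 5737 documentation range, the port list assumes the stock Asterisk rtp.conf range of 10000-20000, and the script prints iptables commands for review rather than applying them. One practical caveat: many ITSPs send RTP from different hosts than the SIP proxy, so every signalling and media address they publish must be in the list or calls will have one-way or no audio. On Asterisk 1.8 and later the sip.conf option is spelled directmedia=no instead of canreinvite=no.

```shell
#!/bin/sh
# Added example: restrict Asterisk's UDP ports to the ITSP's servers.
# Prints the iptables commands; review them, then apply as root with:
#   voip_rules "$ITSP_HOSTS" "$VOIP_PORTS" | sh

# Constructed placeholders (RFC 5737 range). Replace with every signalling
# AND media address your ITSP publishes.
ITSP_HOSTS="192.0.2.10 192.0.2.11"

# SIP, IAX2, RTP. The RTP range must match rtpstart/rtpend in rtp.conf.
VOIP_PORTS="5060 4569 10000:20000"

# Emit ACCEPT rules for each ITSP host on each port, then DROP rules for
# the same ports from any other source. Rules are appended to INPUT in
# this order, so the ACCEPTs are matched before the catch-all DROPs and
# the rest of the world simply sees closed VoIP ports.
voip_rules() {
    hosts="$1"
    ports="$2"
    for host in $hosts; do
        for port in $ports; do
            echo "iptables -A INPUT -p udp -s $host --dport $port -j ACCEPT"
        done
    done
    for port in $ports; do
        echo "iptables -A INPUT -p udp --dport $port -j DROP"
    done
}

# Self-check helpers: how many ACCEPT / DROP rules the generator produced.
count_accept() { voip_rules "$1" "$2" | grep -c ' -j ACCEPT$'; }
count_drop()   { voip_rules "$1" "$2" | grep -c ' -j DROP$'; }

# sip.conf fragment that goes with the firewall: with canreinvite=no,
# Asterisk will not re-INVITE the media to a direct peer path that the
# rules above would block. (Asterisk 1.8+: directmedia=no.)
sip_conf_fragment() {
    cat <<'EOF'
[general]
canreinvite=no
EOF
}

if [ "$#" -eq 0 ]; then
    voip_rules "$ITSP_HOSTS" "$VOIP_PORTS"
fi
```

The trade-off #5 mentions is visible in the output: with these rules nobody outside the listed hosts can place a direct SIP call to the box, which is the intended effect when VoIP is used solely for PSTN calls via the ITSP.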