Asterisk server has been hacked

Hi,

I need to help a customer; his Asterisk server, which is in the DMZ, was hacked in a manner that hackers made lots of phone calls to hotlines, so the customer got a huge phone bill. He asked me to help him harden Asterisk, but before that I need to know how they hacked the server… any idea what to look for? I don't know yet the version of Asterisk the client uses. These days I'm learning lots of Asterisk to be prepared for next week; I need to do some forensics work on the Asterisk server next week but I don't know what to look for. I AM ALMOST sure it's a misconfiguration problem and that's all, but what to look for in the configuration?

Also, a hardening security guide for Asterisk? Any idea where I can find a good one?

thanks a lot !

Marco

Loaded question… dial plans, iptables & fail2ban, complex passwords and non-numeric extensions etc.

Step 1. Put it behind NAT for starters
Problem solved, mostly…

Where are you located?? There may be someone on the forum who can help who is located nearby, whom you can call in to help.

Cheers
Chris

hi

Thanks… but your answer is very blurry… I don't understand… please explain more… I'm located in Buenos Aires.

What do I need to put behind NAT? Please explain more…

I use Skype, can I call you through Skype? My user is juanb007

thanks

marco

There are various documents included with Asterisk on good practice, one added quite recently.

As to telling you exactly how to hack Asterisk, I personally would not want to do that over a public channel, or without positively authenticating that you had a need to know.

Hi

Firstly, go through the /var/log/asterisk logs and I'm guessing you will find many register attempts. The source IP will more than likely be from the Amazon Cloud.

You will need to add these IPs to your iptables.

Then in Asterisk, in the sip.conf, if a phone doesn't need to register externally then set the ACL so it can only register from the known subnet; also make sure that you have in the general section of the sip.conf “alwaysauthreject=yes”.

To be honest, if you don't know what to look for then you aren't really equipped to harden his server against attack. Don't take this the wrong way, but you could end up costing him money if you get it wrong.

Ian

Hi,

Sorry to be a little blurry, saw your post, didn't give it enough time to cover things properly… however…

Simply:
Put the Asterisk box behind a NAT router; the system will not be contactable from the outside, but can initiate and maintain registered connections with SIP providers on the outside. That is the simplest way to make your Asterisk box secure “enough” whilst still being able to make and receive calls over the net. It won't work with external handsets; you may need to look at a low latency / SIP/RTP-friendly VPN such as OpenVPN to give you that functionality.

If… however… you have to use a public IP then here are some things you need to do to protect your Asterisk box.

  1. Don’t use the same username and password on your extensions. Common issue, e.g.
; sip.conf
[202]
username=202
secret=202
host=dynamic

This is asking for trouble.

  2. Keep the inbound call routing in a different context to your outbound routing. That way, anyone who gets in can’t get back out again. Common problem and biggest cause / source of toll fraud.
    Also always have a default context that can’t go anywhere
; sip.conf
[general]
; Make sure that all stray calls end up in default
context=default
; registrations
register => 9875554321:guessthis123@sip.myimaginaryprovider.net
; trunks
[sip-trunk]
username=9875554321
secret=guessthis123
host=sip.myimaginaryprovider.net
context=sip-in
; etc....

; extensions
[202]
username=202
secret=lesschanceofgettinghacked
context=extensions
; extensions.conf
[extensions]
; Only our local extensions have access to this context
; Call our local extensions
exten => _2XX,1,Dial(SIP/${EXTEN})

; Dial out unrestricted access for any handset (min 4 digits)
exten => _XXXX.,1,Dial(SIP/sip-trunk/${EXTEN})

[sip-in]
; All calls via our SIP provider end up here
; inbound rings all phones
exten => s,1,Dial(SIP/201&SIP/202&SIP/203)

; If we have a call from our provider go astray, dump it
exten => i,1,Answer()
exten => i,n,Playback(tt-somethingiswrong)
exten => i,n,HangUp()

; No access to any outside lines

[default]
; All stray calls will end up here
; unless we want anonymous SIP calls, dump the call
exten => i,1,Answer()
exten => i,n,Playback(tt-somethingiswrong)
exten => i,n,HangUp()

; However we may want someone to call SIP://25@mywanipaddress.net to be able to call in
exten => 25,1,Dial(SIP/201&SIP/202&SIP/203)
  3. Use something like fail2ban. This is a similar script I quickly googled.
    http://www.teamforrest.com/blog/171/asterisk-no-matching-peer-found-block/

  4. Restrict the IP addresses your extensions can register from to the local subnet using permit/deny in your sip.conf

; sip.conf
[202]
username=202
secret=lesschanceofgettinghacked
context=extensions
; Deny all
deny=0.0.0.0/0.0.0.0
; But permit from local LAN
permit=192.168.0.0/255.255.255.0
; And maybe from 1 WAN address where the handset can be sometimes
permit=203.0.0.1/255.255.255.255
  5. Disable channels that you aren’t using (such as Skinny and MGCP) and comment out any default settings in the conf files
; modules.conf
noload => chan_skinny.so
noload => chan_ooh323.so
noload => chan_mgcp.so

That should keep you busy. But, if you can get away with it, put the box behind NAT.

Cheers
Chris

BTW: We get 2 to 3 hack attacks a fortnight now. It's a never-ending battle; however, by using restrictive dial plans and non-numeric logins for our extensions, we have avoided all grief save for the machine and network resources used during the scans. We have managed to deal with those too by blocking out chunks of dodgy address space in the firewall tables.
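As an added example (not code from Chris's post or from the Asterisk project), here is a small Python checker that reads a sip.conf and flags the mistakes listed above: a secret that equals the username or is purely numeric, no catch-all context=default and no alwaysauthreject=yes in [general], and dynamic peers with no permit/deny ACL. The sample config is constructed from the thread's own weak and hardened [202]-style entries; it assumes a plain sip.conf with no templates or #include lines.

```python
# Constructed sample: the thread's weak [202] next to a hardened [203].
SAMPLE_SIP_CONF = """
[general]
context=default
alwaysauthreject=yes
[202]
username=202
secret=202
host=dynamic
[203]
secret=lesschanceofgettinghacked
host=dynamic
context=extensions
deny=0.0.0.0/0.0.0.0
permit=192.168.0.0/255.255.255.0
"""

def parse_sip_conf(text):
    # Returns {section: {key: value}}; accepts both '=' and '=>' assignments.
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.lstrip(">").strip()
    return sections

def audit(text):
    # Returns (section, finding) pairs for the weak settings the thread warns about.
    conf = parse_sip_conf(text)
    findings = []
    general = conf.get("general", {})
    if general.get("alwaysauthreject", "").lower() != "yes":
        findings.append(("general", "alwaysauthreject=yes is missing"))
    if general.get("context") != "default":
        findings.append(("general", "no catch-all context=default"))
    for name, opts in conf.items():
        if name == "general":
            continue
        secret = opts.get("secret", "")
        if secret in ("", name, opts.get("username")):
            findings.append((name, "secret missing or equals the username"))
        elif secret.isdigit() or len(secret) < 8:
            findings.append((name, "secret is numeric or shorter than 8 chars"))
        if opts.get("host") == "dynamic" and not ("deny" in opts and "permit" in opts):
            findings.append((name, "dynamic peer with no permit/deny ACL"))
    return findings
```

Run `audit(open("/etc/asterisk/sip.conf").read())` on the real file; every finding maps to one of the numbered points above.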

Chris!!! Thanks so much!!!

Your response is great!!

Helped me a lot. I will follow the steps you told me when I am at the client.

Any idea how I can figure out the way the hackers came in?

thanks!!

marco

/var/log/asterisk/messages will tell all

Good luck and use NAT :wink:

Chris
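Ian and Chris both point at /var/log/asterisk/messages as the place to start. As an added example (not code from the thread), this Python snippet groups the chan_sip “Registration from … failed for …” notices by source address so the scanning hosts stand out; that is the same signal the fail2ban rule linked above acts on automatically. The log lines are constructed in that format using documentation addresses, and the reporting threshold is an assumption.

```python
import re
from collections import Counter, defaultdict

# Constructed log lines in the chan_sip NOTICE format; 203.0.113.x and
# 192.0.2.x are documentation addresses, not real hosts.
SAMPLE_LOG = """\
[Mar  3 02:11:05] NOTICE[2190] chan_sip.c: Registration from '"100"<sip:100@192.0.2.10>' failed for '203.0.113.7' - No matching peer found
[Mar  3 02:11:05] NOTICE[2190] chan_sip.c: Registration from '"101"<sip:101@192.0.2.10>' failed for '203.0.113.7' - No matching peer found
[Mar  3 02:11:06] NOTICE[2190] chan_sip.c: Registration from '"202"<sip:202@192.0.2.10>' failed for '203.0.113.7' - Wrong password
[Mar  3 02:11:06] NOTICE[2190] chan_sip.c: Registration from '"202"<sip:202@192.0.2.10>' failed for '203.0.113.7' - Wrong password
[Mar  3 02:12:40] NOTICE[2190] chan_sip.c: Registration from '"202"<sip:202@192.0.2.10>' failed for '192.168.0.55:5060' - Wrong password
[Mar  3 02:13:00] NOTICE[2190] chan_sip.c: Registration from '"admin"<sip:admin@192.0.2.10>' failed for '203.0.113.9:5060' - No matching peer found
[Mar  3 02:13:01] VERBOSE[2190] pbx.c:     -- Executing [s@sip-in:1] Dial("SIP/sip-trunk-0000001", "SIP/201&SIP/202&SIP/203")
"""

# One failed REGISTER; newer releases append ':port' to the source address.
FAILED_REG = re.compile(
    r"Registration from '(?P<who>[^']*)' failed for "
    r"'(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?' - (?P<reason>.+)$"
)

def parse_failures(log_text):
    """Return (source_ip, attempted_user, reason) for each failed registration."""
    out = []
    for line in log_text.splitlines():
        m = FAILED_REG.search(line)
        if not m:
            continue
        # The From part looks like "100"<sip:100@host>; keep just the user.
        user_m = re.match(r'"([^"]*)"', m.group("who"))
        user = user_m.group(1) if user_m else m.group("who")
        out.append((m.group("ip"), user, m.group("reason")))
    return out

def summarise(log_text, threshold=3):
    """Group failures by source; sources at or above the threshold are the
    block-list candidates (what a fail2ban jail would ban automatically)."""
    per_ip = defaultdict(lambda: {"attempts": 0, "users": set(), "reasons": Counter()})
    for ip, user, reason in parse_failures(log_text):
        rec = per_ip[ip]
        rec["attempts"] += 1
        rec["users"].add(user)
        rec["reasons"][reason] += 1
    return {
        ip: {"attempts": r["attempts"], "users": sorted(r["users"]),
             "reasons": dict(r["reasons"])}
        for ip, r in per_ip.items() if r["attempts"] >= threshold
    }
```

Feed it the real file with `summarise(open("/var/log/asterisk/messages").read())`; a source that cycles through many usernames with "No matching peer found" is an enumeration scan, while repeated "Wrong password" against one existing extension is a guessing attempt on that account.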

hi !!

Why will NAT protect the server more?

I read some info about NATing the Asterisk server, but I understand that it's very complicated to put it behind a firewall because of all the high ports the FW admin needs to open, right?

What about using an SBC? Is it safer? But it's very expensive…

And what about protecting the Asterisk server just with access lists on the edge router and not using NAT, is it OK?

Thanks a lot and sorry for all the questions, I just need to bring the client a satisfying solution…

Marco

NAT makes sure that nothing gets inside from outside, unless explicitly requested by something inside.

You can receive calls because your Asterisk will register with your ITSP and maintain the connection through NAT; however, if I was scanning for your PBX, I wouldn't see it, as there are no open ports on your WAN connection.

It does stop anonymous SIP calls, which is useful in stopping SPIT (SPAM over Internet Telephony??)

Does that make sense??

Cheers
Chris

OK Chris, now I got it.

thanks again !

juan

Now, the difference between the two (Asterisk and AsteriskNOW), besides the built-in OS and no built-in OS, is the GUI. AsteriskNOW comes with a web GUI (which only works with Firefox, ironically enough) and its brother, Asterisk, is configuration file editing on the Asterisk PBX server.

Another nice thing about Asterisk(NOW) is that home users can use any old computer that can at least run Linux to use as the PBX server. Larger entities such as companies will obviously have to use higher grade equipment to support more users, but all in all, it’s pretty much the same software. I’m playing with AsteriskNOW on an old computer.
