Asterisk server hacked, but how?


Recently our Asterisk server (Debian 9, 13.14.1~dfsg-2+deb9u3) was hacked during aprox. 2 hours at night.
All our passwords are random mixed case strings, and fail2ban in installed and active for asterisk.

I don’t see any successful authentications in the Asterisk logging except from the peers I expect. Also the account that has been used is only configured on an internal network, and also managed by us.

Where did we go wrong ?

Thanks very much in advance !


Bas van den Heuvel

PS: I will attach the appropiate, anonymized config and logging.
PS2: I’m not able to attach as a new user, so I uploaded it to Google drive:

The insecure option is called that because it reduces your security.

Its inappropriate use, combined with your your use of friend,when peer would be adequate, and more secure, probably explain the problem.

insecure=invite means that passwords are not checked on incoming calls, and type=friend means that the entry will be used based on the user part of the the From header SIP URI, even though the source IP address doesn’t match that from which the register was received. Thus you only need to know the device name to make calls as that devices.

The common overuse of insecure (insecure=port is almost certainly unneeded as well) arises from ITSPs specifying configurations that are most likely to appear to work, rather than ones that give the minimum necessary access.

type=friend is the result of copying examples which fail to properly understand the distinction between friend and peer, and has got into the folk law due to the extensive use of copy and paste, cookbook, configurations.


Thank you very much.
Indeed the configuration is a result of cutting and pasting configuration from older installations.
Not realy investigated what was needed etc. etc.

Now I’ve learned it the hard way…

So changing all friend into peer, and removing the ‘insecure=’ option will save us the next time (for this kind of misuse) ?

Thank you !

Bas van den Heuvel

Do you use any kind of http or ftp based provisioning for your endpoint configurations?

I’ve seen an increase of attacks against my provisioning infrastructure lately.

No only on internal network.
All traffic from phone’s, ata’s etc. is kept internally, or via VPN

ASterisk is on a VPS provider with just one IP public address (, and the SIP phones, are connected through internet, and without VPN. There two types of connection, from a home with a soho router (generally with nat/upnp enabled) and the othher type from a mobile connected through LTE network. Both types without tunneling.