Dialplan security, who can explain the risks and methods


We have an Asterisk box setup as conferenceBridge. Setup is basic, 4 PRI’s and a dialplan for a bunch of different scenarios.

Recently we’ve added an IAX2 trunk to the setup and I thought it was time to revisit security… It would be nice if we could prevent unauthorized use.

Measures we take at the moment:

[li]In our IAX.conf we deny and only permit the IP addresses of our provider[/li]
[li]We have no logic in the dialplan that allows the uses to enter a number to dial. the only way to dial out of the box is by being forwarded to a predefined, hardcoded, number (which is on our other pbx sitting next to it, not through an outside route).[/li]
[li]The whole box is behind a firewall that only allows port 4569 through, other than that, no ports open from the outside world[/li][/ul]

So, my questions:
[li] How would a user go about “hacking” a box like this, how could one potentially use dialplan security gaps in a badly designed system?[/li]
[li] I feel I’ve covered all issues I could think off, have a missed something?[/li][/ul]

So you have a single port that marshalls access from the Asterisk instance to the PSTN and vice versa, correct? How is your terminating provider set up (i.e. you have commercial phone service for your desk phones, but then some other entity that provides you direct access to the PSTN)? How are your “hardcoded” extensions set up (in static .conf files, or dynamically via a database)?

Really the setup you described is vague enough to not be extremely helpful. The potential attack surface is so great that it’s hard to provide real advice in the absence of details.

Also I noticed in other posts you mentioned your newness to linux. I would caution you to be very very careful regarding toll fraud. It wouldn’t be hard to nmap your box, generate an OS fingerprint and cross check against a distro library…now the attacker knows which distro (maybe even version), which means they know what applications are listening on which ports in a default install. With this information they can scan exploit databases for the detail/unpatched applications that ship with the distro. Once your linux box gets broken into (using aforesaid exploits) you can get huge fees racked up in very little time at all by thieves. And there is 100% no recourse whatsoever for fraud. Terminating providers all have deals with one another and those fraudulent fees have to be paid out. I’ve personally heard of a single small business getting hit with a $100,000+ in calls in a single weekend.

Hey redwolf890,

Thank you for the response… eventhough i do not fully understand it :wink:

  1. We have no handsets connected to the system at all. It’s purely a conferencebridge. Parties dial in either through the 4 port PRI interface or the IAX2 interface.
    My dialplan does not include any explicitly defined options to dial out. I’m not sure if there is ‘default behaviour’ I am unaware of that would allow dialing out…?

I should check with my IAX provider, but I believe they offer inbound traffic only.

I’ll harden the rules on my ISDN switch to disallow outboud traffic from the Asterisk machine to the public network.

  1. nmapping… My linux knowledge is indeed very limited, but as I said, the box is not openly connected to the public internet. There is a hardware firewall in between that has only 1 allowed NAT route to the system, port 4569 for IAX2. I should hope that this will manage to keep people out of my OS…

Sounds like you’ve taken good precautions. You’re probably fine with such a limited setup. I just personally lose sleep about toll fraud and like to let people know it’s a real threat even when it might not seem like it (no one intentionally leaves something “unsecure” to their knowledge).

Besides security problems generated because of bad configs or carelessness, there are also direct Asterisk exploits. I like to check out Digium’s security advisories every week to see if there is anything I need to tend to. asterisk.org/downloads/security-advisories.

Thank you… I’ll lose a bit less sleep now then…