How can I determine if my Asterisk box is being compromised?

I want to ensure nobody is routing through my Elastix box, and am unsure how to verify this. I did do a “sip show channels” and got more back than what I expected, but then again I am new to this system so this might be normal:

bell*CLI> sip show channels 
Peer             User/ANR    Call ID      Seq (Tx/Rx)  Format           Hold     Last Message   
63.34.121.47     1232421856  18dfec4c1e9  36440/00000  0x0 (nothing)    No                                 
62.51.127.173    xxxxxx     3cb5a1fb610  24415/00000  0x0 (nothing)    No                                 
10.0.0.27        27          45681148070  00102/00000  0x1c0004 (ulaw|  No       Tx: ACK                   
91.55.121.244    21          7db745cb584  00102/00000  0x0 (nothing)    No       Init: INVITE              
63.34.121.47     1203951766  154a75d116e  00102/00000  0x0 (nothing)    No       Init: INVITE              
62.51.127.173    1203951766  563bcc0b513  00102/00000  0x0 (nothing)    No       Init: INVITE              
63.34.121.47     1204918265  76dbe33e3b2  00102/00000  0x0 (nothing)    No       Init: INVITE              
63.34.121.47     1204292600  4c62c187383  00102/00000  0x0 (nothing)    No       Init: INVITE              
63.34.121.47     1604262124  2dc76a8458e  00102/00000  0x0 (nothing)    No       Init: INVITE              
91.55.121.244    21          5c771d511a5  00102/00000  0x0 (nothing)    No       Init: INVITE              
63.34.121.47     1202223822  7d651d006ea  00102/00000  0x0 (nothing)    No       Init: INVITE              
63.34.121.47     1800259252  66ce962b3a3  00102/00000  0x0 (nothing)    No       Init: INVITE              
63.34.121.47     1204272252  151cc7d71cb  00102/00000  0x0 (nothing)    No       Init: INVITE              
63.34.121.47     1204225230  67a624b73e4  00102/00000  0x0 (nothing)    No       Init: INVITE              
63.34.121.47     1800339532  2e6e2615311  00102/00000  0x0 (nothing)    No       Init: INVITE              
63.34.121.47     1800352252  49074db4698  00102/00000  0x0 (nothing)    No       Init: INVITE              
63.34.121.47     1204393600  16b9472b0f1  00102/00000  0x0 (nothing)    No       Init: INVITE              
63.34.121.47     1604362344  6bacf28a1b5  00102/00000  0x0 (nothing)    No       Init: INVITE              
63.34.121.47     1604362344  657bff290c2  00102/00000  0x0 (nothing)    No       Init: INVITE              
19 active SIP channels

What does Init: INVITE mean? Are these cause for concern? At the time I took this there was only one active call.

You’ve got quite a bit happening there. A few whois searches show that several of those IP addresses are telecom companies. Without seeing your sip.conf I’d be clueless on whether you’re being hacked or not. The question is what your server is set up to subscribe to for providers. There will be some channels opened from time to time even when you’re not using the phone. This is basically the SIP provider checking periodically that your server is still active. But if you’ve got a PSTN connection or your extensions are set up to allow outgoing calls, you may be providing service for unauthorized users and you’re paying for it.

I do have 2 VOIP accounts, and 4 lines connected via a Rhino card to my POTS. Does this help?

First of all, are you allowing SIP endpoints to connect from anywhere or just your internal network? The easiest way to tell if you are being compromised, or if someone is trying, is to look at your log files. Typically that's at /var/log/asterisk/messages. I would do a sip show peers and see if there is anyone connected to my system from an IP that is not on the system. Now you will see your providers as well, so don't freak out about those. Also there are two links in my signature; read them and follow them.

The best way to not be compromised is to use names for usernames and very strong passwords. I don't know if Elastix allows you to do this or not. In Asterisk itself I just register phones as JohnSmith and put a very strong password in. Then in my extensions.conf I tie SIP/JohnSmith to a numerical number. Now attackers have to guess that one of my extensions is JohnSmith (nobody tries names; they all just try 100-999, and then 1000-9999 and so on). Fail2ban works really well too; it's in my signature. Good luck, and a quick Google search pulled these up:
automation.binarysage.net/?p=175
teliax.zendesk.com/attachments/t … nd_You.pdf
fail2ban.org/wiki/index.php/Main_Page - I use this, it's awesome!
blogs.digium.com/2009/03/28/sip-security/

I am sure there are more out there but this is a good start. Good Luck!
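The two checks the answer above describes (comparing the source IPs in sip show channels / sip show peers against the addresses you actually expect, and counting failed registrations in /var/log/asterisk/messages) can be scripted. The following is an added example written for this thread, not code from Asterisk, Elastix or the poster. The channel table and log lines are constructed samples modelled on the output in the question (the 203.0.113.x and 192.0.2.x addresses are documentation placeholders); TRUSTED_NETWORKS is an assumption you replace with your LAN and the addresses of your two VoIP providers from sip.conf.

```python
import ipaddress
import re
from collections import Counter

# Assumed allowlist: the LAN plus the two provider networks from sip.conf.
# The provider ranges below are placeholders; substitute your own.
TRUSTED_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),        # internal phones
    ipaddress.ip_network("192.0.2.0/24"),      # placeholder: VoIP provider 1
    ipaddress.ip_network("198.51.100.0/24"),   # placeholder: VoIP provider 2
]

# Constructed sample shaped like the "sip show channels" output in the question.
SIP_SHOW_CHANNELS = """\
Peer             User/ANR    Call ID      Seq (Tx/Rx)  Format           Hold     Last Message
10.0.0.27        27          45681148070  00102/00000  0x1c0004 (ulaw|  No       Tx: ACK
192.0.2.10       12345       1111aaaa222  24415/00000  0x0 (nothing)    No
203.0.113.5      1203951766  563bcc0b513  00102/00000  0x0 (nothing)    No       Init: INVITE
203.0.113.5      1204918265  76dbe33e3b2  00102/00000  0x0 (nothing)    No       Init: INVITE
203.0.113.5      1204292600  4c62c187383  00102/00000  0x0 (nothing)    No       Init: INVITE
203.0.113.9      21          7db745cb584  00102/00000  0x0 (nothing)    No       Init: INVITE
6 active SIP channels
"""

# Constructed sample of chan_sip registration failures as logged to
# /var/log/asterisk/messages (the NOTICE wording is chan_sip's own).
MESSAGES_LOG = """\
[2013-05-01 10:15:02] NOTICE[2140] chan_sip.c: Registration from '"100" <sip:100@203.0.113.44>' failed for '203.0.113.44:5060' - Wrong password
[2013-05-01 10:15:02] NOTICE[2140] chan_sip.c: Registration from '"101" <sip:101@203.0.113.44>' failed for '203.0.113.44:5060' - No matching peer found
[2013-05-01 10:15:03] NOTICE[2140] chan_sip.c: Registration from '"27" <sip:27@10.0.0.27>' failed for '10.0.0.27:5060' - Wrong password
"""

# One data row of the channel table. Format may contain spaces ("0x0 (nothing)"),
# so it is matched lazily up to the Yes/No Hold column; Last Message may be empty.
CHANNEL_RE = re.compile(
    r"^(?P<peer>\S+)\s+(?P<user>\S+)\s+(?P<callid>\S+)\s+(?P<seq>\S+)\s+"
    r"(?P<format>.+?)\s+(?P<hold>Yes|No)\s*(?P<last>.*?)\s*$"
)

REG_FAIL_RE = re.compile(
    r"Registration from '(?P<from>[^']*)' failed for '(?P<src>[\d.]+):\d+' - (?P<reason>.+)$"
)


def is_trusted(ip: str) -> bool:
    """True if the address falls inside one of the expected networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETWORKS)


def parse_channels(text: str) -> list[dict]:
    """Turn the CLI table into dicts; header and the trailing count line are skipped."""
    rows = []
    for line in text.splitlines():
        m = CHANNEL_RE.match(line)
        if m and m.group("peer") != "Peer":
            rows.append(m.groupdict())
    return rows


def suspicious_channels(rows: list[dict]) -> list[dict]:
    """Channels sitting in 'Init: INVITE' from an address you do not recognise.

    A provider keepalive from a trusted network is normal; an INVITE that never
    progresses, from an unknown peer, is the pattern of someone probing for an
    extension that will let them route a call out through the box."""
    return [r for r in rows
            if r["last"].startswith("Init: INVITE") and not is_trusted(r["peer"])]


def failed_registrations(log_text: str) -> Counter:
    """Count failed SIP registrations per source IP from the messages log."""
    counts = Counter()
    for line in log_text.splitlines():
        m = REG_FAIL_RE.search(line)
        if m:
            counts[m.group("src")] += 1
    return counts


if __name__ == "__main__":
    rows = parse_channels(SIP_SHOW_CHANNELS)
    for r in suspicious_channels(rows):
        print(f"untrusted INVITE: peer={r['peer']} user={r['user']} callid={r['callid']}")
    for ip, n in failed_registrations(MESSAGES_LOG).most_common():
        tag = "trusted" if is_trusted(ip) else "UNTRUSTED"
        print(f"{n} failed registration(s) from {ip} ({tag})")
```

On a live box you would feed it `asterisk -rx "sip show channels"` and the real messages log; a handful of failures from an internal phone is usually a mistyped password, while a burst of failures from an address outside your allowlist is the scanning that fail2ban's asterisk filter is meant to block.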

Awesome - this is exactly what I was looking for. Thank you so much.