I've been hacked!


#1

First off, hello to all members, newbie here!
Some background info first: I've recently installed my first Asterisk server and connected it to a VoIP service. I've only added a very small amount to my account on the upstream VoIP provider. I will be allowing my internal users access to their extensions whilst roaming. I have a pfSense firewall, and the only way I could get audio working was to configure a 1:1 NAT with one of my public IPs, open UDP from 10000 to 50000 and open TCP/UDP to 5060 and 5061. Fantastic, audio works when a user dials in from outside.

Then this morning, mere hours after opening my Asterisk to the world, I got this on my console:

chan_sip.c:26401 handle_request_invite: Call from '' (195.154.181.131:5071) to extension '900972592265693' rejected because extension not found in context 'default'.

This is not one of my devices; this is someone trying to hack me.

I’ve followed some guides on security from this site.
http://www.ipcomms.net/blog/70-11-steps-to-secure-your-asterisk-ip-pbx

And I've run an online SIP scanner from http://sipscanner.voicefraud.com/, and the only negative thing it came up with is that my Asterisk is advertising that it's an Asterisk server, and what version it is.

My SIP.CONF
[general]
alwaysauthreject=yes
default=inbound
subscribecontext=default
bindport=5060
bindaddr=0.0.0.0
dtmfmode=rfc2833
disallow=all
allow=ulaw
allow=alaw
allow=h264
limitonpeer=yes
srvlookup=yes
call-limit=10
nat=force_rport,comedia
externip=(mypubip)
localnet=172.16.0.0/255.255.0.0
videosupport=yes
accept_outofcall_message=yes
outofcall_message_context=messages
auth_message_requests=no

; ###### SIP PEERS ########
; voipservice peer
[voipservice]
directmedia=no
context=cyta
host=172.16.0.108
secret=mysecret
type=peer
username=username
disallow=all
allow=ulaw
allow=alaw
allow=h264
trustrpid=yes
sendrpid=yes
insecure=invite
videosupport=yes
nat=force_rport,comedia

My extensions.conf
[general]
autofallthrough = no
priorityjumping = yes
static = yes
writeprotect = no
clearglobalvars = yes
exten => .,1,Hangup()
exten => i,1,Hangup()

[voipservice]
include => voipservice-inbound
include => voipservice-outbound

[voipservice-outbound]

exten => _XXXXXXXX,1,Dial(SIP/${EXTEN}@voipservice,20,r)
exten => _XXXXXXXX,n,Hangup()
exten => _XXXXXXXXXXXXX,1,Dial(SIP/${EXTEN}@voipservice,20,r)
exten => _XXXXXXXXXXXXX,n,Hangup()

;[internal]

exten => _6000,1,Dial(SIP/username,10,r)
exten => _6000,n,Followme(username,40,r)
exten => _6000,n,Voicemail(6000@voicemail)
exten => _6000,n,Hangup()
exten => .,1,Hangup()
exten => i,1,Hangup()

exten => _6XXX,1,Dial(SIP/${EXTEN},10,r)
exten => _6XXX,n,Followme(${EXTEN},40,r)
exten => _6XXX,n,Voicemail(${EXTEN}@voicemail)
exten => _6XXX,n,Hangup()
exten => .,1,Hangup()
exten => i,1,Hangup()

[voipservice-inbound]
exten => DID,1,Answer
exten => DID,n,Dial(SIP/6000,12)
exten => DID,n,Voicemail(6000@voicemail)
exten => DID,n,Hangup()

So I've only set up some basic functionality. Does anyone know how this person has connected to my Asterisk, and on port 5070, which is not open, unless the pfSense 1:1 NAT opens all ports?

Does this person not need to have at least a username and password to access my asterisk?

What other security measures can I take? Any help much appreciated!


#2

You haven’t disabled allowguest.

default= should be context=

You haven’t provided even a sample for a phone, so we cannot see if they have been secured properly.

Your logs show no evidence of an attack on port 5070. (Nor do they show one on 5071, as that is the source port, not the destination one.)

You don't need a user and password to attack any peer declared insecure=invite. However, the source IP does need to match host= if you have type=peer. As such, it will be the missing allowguest=no that is causing the call to fail so late.

You have not been hacked as the call failed. Calls will get through to Asterisk and be logged, even if you secure it better. It is just that they will be logged as authentication failures.

If you know your remote users only access from limited numbers of places, set your firewall to block other source networks. Certain countries are particularly known for SIP telephone fraud. Palestine is one, and you have an Israel country code in the payload number, although, in this case, the attacking IP address is from France.

Consider blocking countries with known fraud problems, and which you wouldn’t call, in the dialplan, as a second line of defence.

Install something like fail2ban to rate limit attacks, once you have the basic security working, to detect the unsuccessful ones.
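A small log-triage script, added here as an example (not code from the thread or from Asterisk), that parses the two chan_sip messages this thread talks about: the rejected INVITE line from post #1, and the registration failures that remain once allowguest=no is set. It counts failures per source address the way a fail2ban jail would before banning. The console lines are constructed samples using documentation-range addresses; the chan_sip.c line numbers in them are placeholders.

```python
import re
from collections import Counter

# Two chan_sip NOTICE formats: an INVITE that reached the dialplan but matched
# no extension (what the poster saw), and a REGISTER that failed authentication
# (what remains visible after allowguest=no).
INVITE_REJECT = re.compile(
    r"handle_request_invite: Call from '(?P<from>[^']*)' "
    r"\((?P<ip>[\d.]+):(?P<port>\d+)\) to extension '(?P<ext>[^']*)' "
    r"rejected because extension not found in context '(?P<ctx>[^']*)'"
)
AUTH_FAIL = re.compile(
    r"Registration from '[^']*' failed for '(?P<ip>[\d.]+):(?P<port>\d+)' - (?P<reason>.+)$"
)

def parse_line(line):
    """Return (source_ip, kind, detail) for a recognised line, else None."""
    m = INVITE_REJECT.search(line)
    if m:
        return m.group("ip"), "invite_rejected", m.group("ext")
    m = AUTH_FAIL.search(line)
    if m:
        return m.group("ip"), "auth_failed", m.group("reason").rstrip(". ")
    return None

def offenders(lines, threshold):
    """Count rejected INVITEs and failed registrations per source IP and return
    the addresses at or above the threshold (the ones fail2ban would block)."""
    counts = Counter()
    for line in lines:
        ev = parse_line(line)
        if ev:
            counts[ev[0]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}

# Constructed sample console output (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
SAMPLE = """\
[Jan 10 07:58:11] NOTICE[2211]: chan_sip.c:26401 handle_request_invite: Call from '' (203.0.113.10:5071) to extension '900972592265693' rejected because extension not found in context 'default'.
[Jan 10 07:58:12] NOTICE[2211]: chan_sip.c:26401 handle_request_invite: Call from '' (203.0.113.10:5071) to extension '00972592265693' rejected because extension not found in context 'default'.
[Jan 10 07:58:14] NOTICE[2211]: chan_sip.c:26401 handle_request_invite: Call from '' (203.0.113.10:5071) to extension '011972592265693' rejected because extension not found in context 'default'.
[Jan 10 08:02:40] NOTICE[2211]: chan_sip.c:28245 handle_request_register: Registration from '"100" <sip:100@198.51.100.7>' failed for '198.51.100.7:5060' - Wrong password
[Jan 10 08:05:01] VERBOSE[2211] -- Registered SIP 'mycustomusername' at 172.16.0.50:5060
"""

if __name__ == "__main__":
    for ip, n in sorted(offenders(SAMPLE.splitlines(), 3).items()):
        print(f"{ip}: {n} failures, candidate for a firewall block")
```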


#3

Thanks David, here’s a sample from the sip.conf of a phone,

[mycustomusername]
type=friend
secret=supersecretpassword
fullname=testphone
callerid="testphone"
defaultuser=mycustomusernname
disallow=all
allow=ulaw
allow=alaw
allow=h264
host=dynamic
context=voipservice
directmedia=no
qualify=yes
mailbox=6000@default
videosupport=yes
nat=force_rport,comedia

So I've now added allowguest=no in the sip.conf [general] section. Do I need to add this anywhere else?
I've now changed default=inbound to context=inbound.
I'll look into insecure=invite and see what it means for NAT and travelling users.
I will recheck my fail2ban as I did install this originally.

Thanks for your quick help, much appreciated!


#4

You should use type=peer for your phones, although the custom name makes them quite strong, already.

You generally need to disable authentication on calls from ITSPs, as they generally don't provide it. You have to rely on type=peer, and a non-dynamic host.

I think using remotesecret instead of secret is better than using secret and insecure=invite, but a lot of cookbook solutions pre-date remotesecret. It is not more secure, but it is slightly more obvious what it actually does.
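A sip.conf checker, added here as an example (not code from the thread or from Asterisk), for the points raised in posts #2 and #4: a missing allowguest=no, default= used where context= was meant, type=friend on phones, and secret= with insecure=invite where remotesecret= reads more honestly. The embedded input is a trimmed copy of the poster's own sip.conf; the secret values are the placeholders the poster used.

```python
def parse_sip_conf(text):
    """Minimal sip.conf reader: sections map to (key, value) lists so duplicate keys like allow= survive."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            k, v = line.split("=", 1)
            sections[current].append((k.strip().lower(), v.strip()))
    return sections

def audit(text):
    """Return (section, finding) pairs for the weaknesses raised in the thread."""
    conf, findings = parse_sip_conf(text), []
    general = dict(conf.get("general", []))
    if general.get("allowguest", "yes") != "no":  # chan_sip defaults allowguest to yes
        findings.append(("general", "allowguest is not 'no': unauthenticated INVITEs reach the dialplan"))
    if "default" in general and "context" not in general:
        findings.append(("general", "'default=' is not a sip.conf option; use 'context='"))
    for name, items in conf.items():
        if name == "general":
            continue
        opts = dict(items)
        if opts.get("type") == "friend":
            findings.append((name, "type=friend: use type=peer for phones"))
        if "invite" in opts.get("insecure", ""):
            if opts.get("host", "dynamic") == "dynamic":
                findings.append((name, "insecure=invite without a fixed host=: calls using this name need no password"))
            if "secret" in opts:
                findings.append((name, "secret= plus insecure=invite: remotesecret= states what is meant"))
    return findings

# Trimmed copy of the sip.conf from posts #1 and #3 of the thread.
SAMPLE_SIP_CONF = """\
[general]
default=inbound
[voipservice]
type=peer
host=172.16.0.108
secret=mysecret
insecure=invite
[mycustomusername]
type=friend
secret=supersecretpassword
host=dynamic
"""
```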


#5

Thank you David. Food for thought for someone like me just getting into SIP and Asterisk. Appreciate the help!


#6

David, can you clarify the "host=" setting? I've now set remotesecret and type=peer. Shall I just remove the host=dynamic line, or do I need to set it to host="something else"? Does removing the line cause Asterisk to revert to dynamic as default or something?


#7

You use host=dynamic if you don't know the peer's address, and they register with you. You use host= with an address if you know the peer's address, and that disables the peer from registering.


#8

Ah ok, so I’ll only need host=dynamic for roaming users?


#9

That’s what it is there for, although most people treat all phones as roaming, even if they could know the address.