Open default configuration?


#1

Hello,

I just want to inform you that you have a big security issue in the default configuration.
A few days ago I set up an Asterisk to use it as a proxy.
I just added 2 SIP accounts and changed the default extension to pass through to my provider.

This morning my provider called me to say that I have expensive calls on my line.
Although I stopped my Asterisk immediately, I have costs of about 800EUR in only 50 minutes.

First I thought I had made a mistake, but my SIP accounts have passwords and, as I see in the Master.csv, my SIP accounts are not used.

"","1001","002399890124","default","1001","SIP/82.xxx.xxx.xxx-00000006","IAX2/PBXNET462","Dial","IAX2/PBXNET/002399890124","2011-09-01 09:19:34","2011-09-01 09:19:45",11,0,"NO ANSWER","DOCUMENTATION","1314868774.14",""
"","1001","002399890124","Outbound_Route","1001","SIP/82.xxx.xxx.xxx-00000009","IAX2/PBXNET-220","Dial","IAX2/PBXNET/002399890124","2011-09-01 09:21:23","2011-09-01 09:21:28","2011-09-01 09:21:41",18,13,"ANSWERED","DOCUMENTATION","1314868

How do hackers use my system?
First I saw an open guest account in iax.conf [guest]. But this seems to come over SIP.
Is there also a default configuration such that everybody may use SIP without authentication?

Please keep in mind the impact of such an open configuration. If my provider had not called me, I would have noticed it days later and I would be bankrupt now.

Another issue is that there seem to be no limits on parallel calls by default. I limited the RTP port to 10, so the hackers were “only” able to use 10 calls in parallel (and I see 10 parallel calls in the log of my provider).
If I hadn’t done this, they perhaps would have used hundreds of calls in parallel.

regards

Ralf


#2

Security issues should be reported as private reports on issues.asterisk.org.

However, the policy for SIP is that allowguest was yes by default because that avoids a lot of people getting stopped at the first hurdle when evaluating Asterisk. I imagine the same policy applies to IAX. See issues.asterisk.org/jira/browse/ASTERISK-14122

If you build from source, there is a big warning to read the security document before using the system. If binary packagers do not issue a similar warning you should take that up with them.


#3

I can’t believe it.
This security hole has existed for 2 years now and you don’t think about changing the default?

I have installed from a package and in the past compiled it myself, but never recognized a security warning.
I searched the documentation of 1.6.2.10 and 1.6.2.16 for allow guest and found no hint.
I have now looked at asterisk.org/security and found no hint.

But I don’t want to discuss documentation.
I am really frightened that you leave doors open for abuse.

Asterisk has 80 configuration files. Most of them are never opened by your users.
I am sure most users do not know that there is a backdoor in the default IAX and SIP configuration.

The problem is that these backdoors go directly to the default extension, and inside the sample it is recommended to put a Dial to a SIP provider in the default extension.

However, this backdoor cost me 800€ (after only 50 minutes of abuse). I read that others were also abused in the past.
Why do you not understand that backdoors are a really big security issue?

You can’t assume that everybody reads your security documentation and, even if he reads it, understands that issue.
For foreign people like me, it is quite exhausting to read English documents.

regards

Ralf


#4

This is a peer support forum, so “you” is not the Asterisk developers.

As the commentary on the issue and, I suspect, the reviewboard entry, indicate, there has been thought.

From secure.tex

[quote]First and foremost remember this:

USE THE EXTENSION CONTEXTS TO ISOLATE OUTGOING OR TOLL SERVICES FROM ANY
INCOMING CONNECTIONS.

In particular, never ever put outgoing toll services in the “default” context. [/quote]

From the Makefile:

@echo " +---- Asterisk Installation Complete -------+"
@echo " + +"
@echo " + YOU MUST READ THE SECURITY DOCUMENT +"
@echo " + +"
@echo " + Asterisk has successfully been installed. +"
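
As an added illustration (not part of any post in this thread, and not Asterisk project code), this audit script checks for the combination discussed above: guest SIP calls allowed, and the context they land in reaching a Dial() on the provider trunk, directly or through `include`. The config text is constructed, the trunk name PBXNET is taken from the CDR lines in post #1, and the small parser assumes plain files without templates or `#include`.

```python
# Added example: constructed configs, not taken from the thread.
SIP_CONF = """
[general]
context=default
;allowguest=no   ; commented out, so the default (yes) applies
[1001]
type=friend
secret=constructed-secret
context=internal
"""
EXTENSIONS_CONF = """
[default]
include => outbound
[outbound]
exten => _X.,1,Dial(IAX2/PBXNET/${EXTEN})
[internal]
exten => _X.,1,Dial(IAX2/PBXNET/${EXTEN})
"""
FALSE_VALUES = {"no", "false", "n", "f", "0", "off"}

def parse(text):
    """Return {section: [(key, value), ...]} for Asterisk-style config text."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # ';' starts a comment
        if line.startswith("[") and "]" in line:
            current = line[1:line.index("]")]
            sections.setdefault(current, [])
        elif current and "=" in line:                # handles both '=' and '=>'
            key, value = line.split("=", 1)
            sections[current].append((key.strip().lower(), value.lstrip(">").strip()))
    return sections

def guest_toll_paths(sip_text, ext_text, trunks=("PBXNET",)):
    """Dial() lines on a provider trunk that unauthenticated SIP callers can reach."""
    general = dict(parse(sip_text).get("general", []))
    if general.get("allowguest", "yes").lower() in FALSE_VALUES:
        return []                                    # guest calls are rejected
    dialplan, hits, seen = parse(ext_text), [], set()
    todo = [general.get("context", "default")]       # where guest calls land
    while todo:                                      # follow include => chains
        ctx = todo.pop()
        if ctx in seen:
            continue
        seen.add(ctx)
        for key, value in dialplan.get(ctx, []):
            low = value.lower()
            if key == "include":
                todo.append(value)
            elif key in ("exten", "same") and "dial(" in low and any(
                    f"/{t.lower()}/" in low for t in trunks):
                hits.append((ctx, value))
    return hits
```

An empty result means no trunk Dial() is reachable from the guest context; the `[internal]` context is not reported because only the authenticated peer 1001 is placed there.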


#5

One addition to david55:

It is - if the user reads the security instructions or follows instructions on several forums like this one in English or other ones available in Russian, German and other languages - not a “backhole” but a principle of VOIP connections and VOIP services to allow incoming traffic to the PABX from non-registered users (guests). The idea behind it is that someone should be able to reach you directly, peer-to-peer over the net, instead of using PSTN connections - look up ENUM for this.
And that’s why Asterisk - as other soft PABXes too - sets the defaults in a way enabling this kind of communication.
And you’re right: as a PABX like Asterisk offers a lot of functions and configuration options as well, it’s not easy for a beginner to start with, but for that reason they gave you the hint david55 posted, and besides the mentioned forums you’ll even find a lot of literature available in several languages (not only English) guiding you on your way to build up a PABX that is functional as well as secure.


#6

I think it isn’t widely appreciated that SIP is a peer to peer protocol and it is only the need to interface to existing PSTN users, and possibly the human nature thing of trying to make the new technology work like the old, that has resulted in most people using it through a “SIP provider”.

(SMTP email is also like that, although nowadays, if you try and do it to one of the mass market email providers, you will get flagged as a potential spammer. SIP is real time, not store and forward, so the part time connection argument for IMAP and POP doesn’t apply to SIP.)

(Asterisk does impose something of an old technology view, as it is a back to back UA, blocking the domain part, and which is easiest to use with numeric addresses.)