Security Issue - Asterisk 11

I have a test Asterisk 11 server that has live access to PSTN termination providers (trunks). About a week ago I noticed that periodically one of the extensions would show as registered even though as a test server the correct device never would have registered to this server (the sip.conf is the same as for my production server). Then I noticed that calls started originating through this extension and going to the termination provider (costing $$). I changed the passwords on the extensions to something unguessable (15 random alphanums and punct) yet the b($#%^)rds still are registering and making calls. The extensions are type=peer. Authname is not used. guests are disallowed (allowguest= no). AlwaysAuthReject = yes. I have firewall rules that block repeated attempts to access the SIP ports and DenyHosts to otherwise protect the server.

The server itself is secure. It is a virtual machine with only one purpose and there are no other signs of breach.

How are they registering and making calls through these extensions despite having secure passwords and disallowing calls without registration? Am I missing something?

I don’t know how, but if I did, I wouldn’t give the answer to a question like this, as it could well be from someone wanting a way to hack an Asterisk system.

I would suggest looking at the security log.

This is the wrong forum.

[quote=“david55”]I don’t know how, but if I did, I wouldn’t give the answer to a question like this, as it could well be from someone wanting a way to hack an Asterisk system.

I would suggest looking at the security log.

This is the wrong forum.[/quote]

What would you suggest as the RIGHT forum?

The right forum would be one of those containing “Support” in their name. However, I hope that you wouldn’t get an answer there, either.

If you can prove that this is happening, you need to submit a private bug report on issues.asterisk.org. If they are actually succeeding with the wrong credentials, the report will need to include the correct credentials, which you should change after making the report.

You will need verbose and debug level 5 logging and sip set debug on output, and a copy of your sip.conf.
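The security log david55 points to can be checked mechanically. The following is an added example, not code from this thread or from the Asterisk project: it reads lines in the shape Asterisk 11's res_security_log module writes when logger.conf has a `security => security` channel, and flags any SuccessfulAuth for an extension coming from an address outside the network that extension is expected to register from, alongside the count of failed attempts from the same address. The log lines, addresses and the allowed-network table are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample lines in the shape of Asterisk's res_security_log output
# (logger.conf: "security => security"); PIDs, addresses and IDs are made up.
SAMPLE_LOG = """\
[2013-05-03 09:12:01] SECURITY[1842] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="1367572321-101",Severity="Error",Service="SIP",EventVersion="2",AccountID="101",SessionID="0x1",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/198.51.100.7/5060"
[2013-05-03 09:12:02] SECURITY[1842] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="1367572322-102",Severity="Error",Service="SIP",EventVersion="2",AccountID="101",SessionID="0x2",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/198.51.100.7/5060"
[2013-05-03 09:12:03] SECURITY[1842] res_security_log.c: SecurityEvent="SuccessfulAuth",EventTV="1367572323-103",Severity="Informational",Service="SIP",EventVersion="1",AccountID="101",SessionID="0x3",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/198.51.100.7/5060",UsingPassword="1"
[2013-05-03 09:15:44] SECURITY[1842] res_security_log.c: SecurityEvent="SuccessfulAuth",EventTV="1367572544-104",Severity="Informational",Service="SIP",EventVersion="1",AccountID="102",SessionID="0x4",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/192.0.2.55/5060",UsingPassword="1"
"""

# Expected source network per extension (assumed office LAN for this example).
ALLOWED_PREFIXES = {"101": ("192.0.2.",), "102": ("192.0.2.",)}

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_security_line(line):
    """Turn one res_security_log line into a dict of its key="value" fields."""
    fields = dict(FIELD_RE.findall(line))
    if "SecurityEvent" not in fields:
        return None
    # RemoteAddress is "family/transport/ip/port"; keep only the IP part.
    fields["RemoteIP"] = fields.get("RemoteAddress", "///").split("/")[2]
    return fields

def suspicious_registrations(log_text, allowed=ALLOWED_PREFIXES):
    """Return (account, remote_ip) pairs for successful auths from unexpected
    networks, plus a Counter of failed-auth events per remote IP."""
    unexpected, failures = [], Counter()
    for line in log_text.splitlines():
        ev = parse_security_line(line)
        if ev is None:
            continue
        if ev["SecurityEvent"] == "SuccessfulAuth":
            prefixes = allowed.get(ev["AccountID"], ())
            if not ev["RemoteIP"].startswith(prefixes):
                unexpected.append((ev["AccountID"], ev["RemoteIP"]))
        elif ev["SecurityEvent"] in ("InvalidPassword", "ChallengeResponseFailed", "InvalidAccountID"):
            failures[ev["RemoteIP"]] += 1
    return unexpected, failures

if __name__ == "__main__":
    hits, fails = suspicious_registrations(SAMPLE_LOG)
    for acct, ip in hits:
        print(f"extension {acct} authenticated from unexpected address {ip} ({fails[ip]} prior failures)")
```

A SuccessfulAuth from an address that also produced a run of InvalidPassword events is the pattern worth pulling into the private bug report together with the sip.conf and debug output mentioned above.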