[SIP] Someone makes calls without auth

Hi!

I have a big problem with Asterisk. Some days ago I installed Asterisk on my VPS (fortunately without any outbound trunk). Today, when I opened the log, I saw something that I don't understand:

[Aug 10 12:55:20] VERBOSE[17544] loader.c:  pbx_config.so => (Text Extension Configuration)
[Aug 10 12:55:20] VERBOSE[17544] pbx.c:   == Registered application 'Exec'
[Aug 10 12:55:20] VERBOSE[17544] pbx.c:   == Registered application 'TryExec'
[Aug 10 12:55:20] VERBOSE[17544] pbx.c:   == Registered application 'ExecIf'
[Aug 10 12:55:20] VERBOSE[17544] loader.c:  app_exec.so => (Executes dialplan applications)
[Aug 10 12:55:20] VERBOSE[17544] config.c:   == Parsing '/etc/asterisk/cli_permissions.conf': [Aug 10 12:55:20] VERBOSE[17544] config.c:   == Found
[Aug 10 12:55:20] VERBOSE[17544] asterisk.c: Asterisk Ready.
[Aug 10 12:55:20] VERBOSE[17544] config.c:   == Parsing '/etc/asterisk/cli.conf': [Aug 10 12:55:20] VERBOSE[17544] config.c:   == Found
[Aug 10 12:55:21] VERBOSE[17559] asterisk.c:     -- Remote UNIX connection disconnected
[Aug 10 12:56:50] VERBOSE[17576] netsock.c:   == Using SIP RTP CoS mark 5
[Aug 10 12:56:50] VERBOSE[17962] pbx.c:     -- Executing [00972592113512@default:1] Answer("SIP/VPS_IP-00000000", "") in new stack
[Aug 10 12:56:50] VERBOSE[17962] pbx.c:   == Spawn extension (default, 00972592113512, 1) exited non-zero on 'SIP/VPS_IP-00000000'
[Aug 10 12:56:50] VERBOSE[17962] pbx.c:     -- Executing [h@default:1] Answer("SIP/VPS_IP-00000000", "") in new stack
[Aug 10 12:56:50] VERBOSE[17962] pbx.c:   == Spawn extension (default, h, 1) exited non-zero on 'SIP/VPS_IP-00000000'
[Aug 10 12:56:50] VERBOSE[17576] netsock.c:   == Using SIP RTP CoS mark 5
[Aug 10 12:56:50] VERBOSE[17963] pbx.c:     -- Executing [000972592113512@default:1] Answer("SIP/VPS_IP-00000001", "") in new stack
[Aug 10 12:56:51] VERBOSE[17963] pbx.c:   == Spawn extension (default, 000972592113512, 1) exited non-zero on 'SIP/VPS_IP-00000001'
[Aug 10 12:56:51] VERBOSE[17963] pbx.c:     -- Executing [h@default:1] Answer("SIP/VPS_IP-00000001", "") in new stack
[Aug 10 12:56:51] VERBOSE[17963] pbx.c:   == Spawn extension (default, h, 1) exited non-zero on 'SIP/VPS_IP-00000001'
[Aug 10 12:56:51] VERBOSE[17576] netsock.c:   == Using SIP RTP CoS mark 5
[Aug 10 12:56:51] VERBOSE[17992] pbx.c:     -- Executing [900972592113512@default:1] Answer("SIP/VPS_IP-00000002", "") in new stack
[Aug 10 12:56:52] VERBOSE[17992] pbx.c:   == Spawn extension (default, 900972592113512, 1) exited non-zero on 'SIP/VPS_IP-00000002'
[Aug 10 12:56:52] VERBOSE[17992] pbx.c:     -- Executing [h@default:1] Answer("SIP/VPS_IP-00000002", "") in new stack
[Aug 10 12:56:52] VERBOSE[17992] pbx.c:   == Spawn extension (default, h, 1) exited non-zero on 'SIP/VPS_IP-00000002'
[Aug 10 12:56:53] VERBOSE[17576] netsock.c:   == Using SIP RTP CoS mark 5
[Aug 10 12:56:53] VERBOSE[17994] pbx.c:     -- Executing [700972592113512@default:1] Answer("SIP/VPS_IP-00000003", "") in new stack
[Aug 10 12:56:53] VERBOSE[17994] pbx.c:   == Spawn extension (default, 700972592113512, 1) exited non-zero on 'SIP/VPS_IP-00000003'
[Aug 10 12:56:53] VERBOSE[17994] pbx.c:     -- Executing [h@default:1] Answer("SIP/VPS_IP-00000003", "") in new stack
[Aug 10 12:56:53] VERBOSE[17994] pbx.c:   == Spawn extension (default, h, 1) exited non-zero on 'SIP/VPS_IP-00000003'

I have no peers or friends in my sip.conf. I don't know how, but someone makes calls through my Asterisk.

The Asterisk version is:

vps*CLI> core show version 
Asterisk 1.6.2.9-2+squeeze10 built by pbuilder @ sweetmorn on a x86_64 running Linux on 2013-01-14 18:32:21 UTC

Also, I don't understand why the source channel is SIP/VPS_IP when VPS_IP is the public IP address of the server.

sip.conf (only the active lines; the rest of the file is the commented-out sample configuration)

[general]
context=default                 ; Default context for incoming calls
allowoverlap=no                 ; Disable overlap dialing support. (Default is yes)
udpbindaddr=0.0.0.0             ; IP address to bind UDP listen socket to (0.0.0.0 binds to all)
                                ; Optionally add a port number, 192.168.1.1:5062 (default is port 5060)

tcpenable=no                    ; Enable server for incoming TCP connections (default is no)
tcpbindaddr=0.0.0.0             ; IP address for TCP server to bind to (0.0.0.0 binds to all interfaces)
                                ; Optionally add a port number, 192.168.1.1:5062 (default is port 5060)

srvlookup=yes                   ; Enable DNS SRV lookups on outbound calls
                                ; Note: Asterisk only uses the first host
                                ; in SRV records
                                ; Disabling DNS SRV lookups disables the
                                ; ability to place SIP calls based on domain
                                ; names to some other SIP users on the Internet
                                ; Specifying a port in a SIP peer definition or
                                ; when dialing outbound calls will suppress SRV
                                ; lookups for that peer or call.

[authentication]

[basic-options](!)                ; a template
        dtmfmode=rfc2833
        context=from-office
        type=friend

[natted-phone](!,basic-options)   ; another template inheriting basic-options
        nat=yes
        directmedia=no
        host=dynamic

[public-phone](!,basic-options)   ; another template inheriting basic-options
        nat=no
        directmedia=yes

[my-codecs](!)                    ; a template for my preferred codecs
        disallow=all
        allow=ilbc
        allow=g729
        allow=gsm
        allow=g723
        allow=ulaw

[ulaw-phone](!)                   ; and another one for ulaw-only
        disallow=all
        allow=ulaw

users.conf

[general]
fullname = New User
userbase = 6000
hasvoicemail = yes
vmsecret = 1234
hassip = yes
hasiax = yes
hasmanager = no
callwaiting = yes
threewaycalling = yes
callwaitingcallerid = yes
transfer = yes
canpark = yes
cancallforward = yes
callreturn = yes
callgroup = 1
pickupgroup = 1

Someone needs to read the best practices .txt attached to the source code and google about Asterisk security.

Installing your cloud PBX and not protecting it is like going on vacation and leaving your house's door open.

This article could be useful too.
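The two things a defender wants from this thread are (a) a quick way to spot these guest calls in the verbose log and (b) a check of whether sip.conf even lets anonymous INVITEs in. The script below is an added example written for this thread; it is not the poster's code, a reply from the thread, or part of Asterisk. It assumes what the post shows: in chan_sip 1.6.2 an unset allowguest means guests are accepted and land in the [general] context, and a guest call's channel is named after something that is not a configured peer (here the server's own address, shown as VPS_IP). The log lines and the sip.conf text are constructed to mirror the post, with a fictional peer alice added so a legitimate call is visible for contrast.

```python
"""Flag unauthenticated (guest) SIP calls in an Asterisk verbose log and check
whether sip.conf allows them. Added example for this thread; sample log and
config are constructed, not taken from a real system."""
import re
from collections import Counter

# Constructed log: four guest calls named after the server (VPS_IP, as in the
# post), the hangup extension, and one call from a configured peer.
SAMPLE_LOG = """\
[Aug 10 12:56:50] VERBOSE[17962] pbx.c:     -- Executing [00972592113512@default:1] Answer("SIP/VPS_IP-00000000", "") in new stack
[Aug 10 12:56:50] VERBOSE[17962] pbx.c:   == Spawn extension (default, 00972592113512, 1) exited non-zero on 'SIP/VPS_IP-00000000'
[Aug 10 12:56:50] VERBOSE[17962] pbx.c:     -- Executing [h@default:1] Answer("SIP/VPS_IP-00000000", "") in new stack
[Aug 10 12:56:50] VERBOSE[17963] pbx.c:     -- Executing [000972592113512@default:1] Answer("SIP/VPS_IP-00000001", "") in new stack
[Aug 10 12:56:51] VERBOSE[17992] pbx.c:     -- Executing [900972592113512@default:1] Answer("SIP/VPS_IP-00000002", "") in new stack
[Aug 10 12:56:53] VERBOSE[17994] pbx.c:     -- Executing [700972592113512@default:1] Answer("SIP/VPS_IP-00000003", "") in new stack
[Aug 10 13:02:10] VERBOSE[18001] pbx.c:     -- Executing [6001@from-office:1] Dial("SIP/alice-00000004", "SIP/bob") in new stack
"""

# Constructed sip.conf in the shape of the poster's: allowguest is unset.
SAMPLE_SIP_CONF = """\
[general]
context=default        ; Default context for incoming calls
udpbindaddr=0.0.0.0
srvlookup=yes

[authentication]

[basic-options](!)     ; a template
        dtmfmode=rfc2833
        context=from-office
        type=friend

[alice](basic-options) ; hypothetical peer, not in the original post
        secret=constructed-secret
        host=dynamic
"""

# "Executing [exten@context:prio] App("SIP/<peer>-<8 hex uniqueid>", ...)"
EXEC_RE = re.compile(
    r'Executing \[(?P<exten>[^@\]]+)@(?P<context>[^:\]]+):\d+\] '
    r'(?P<app>\w+)\("SIP/(?P<peer>[^"]+)-[0-9a-fA-F]{8}"'
)
SECTION_RE = re.compile(r'^\[(?P<name>[^\]]+)\](?:\((?P<flags>[^)]*)\))?$')


def parse_sip_conf(text):
    """Return ({section: {key: value}}, set_of_template_sections).
    Strips ';' comments and understands the [name](!,base) template syntax."""
    sections, templates, current = {}, set(), None
    for raw in text.splitlines():
        line = raw.split(';', 1)[0].strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group('name')
            sections.setdefault(current, {})
            if '!' in (m.group('flags') or '').split(','):
                templates.add(current)
            continue
        if current is not None and '=' in line:
            key, _, value = line.partition('=')
            sections[current][key.strip()] = value.strip()
    return sections, templates


def guest_policy(sections):
    """chan_sip 1.6 defaults allowguest to yes; guests then land in the
    [general] context, which itself defaults to 'default'."""
    general = sections.get('general', {})
    allow = general.get('allowguest', 'yes').lower() != 'no'
    return allow, general.get('context', 'default')


def configured_peers(sections, templates):
    """Section names that may legitimately show up as SIP/<name>-... channels."""
    return {s for s in sections
            if s not in ('general', 'authentication') and s not in templates}


def find_guest_calls(log_text, peers):
    """Flag Executing lines whose channel is not named after a configured peer."""
    hits = []
    for line in log_text.splitlines():
        m = EXEC_RE.search(line)
        if not m or m.group('exten') == 'h':   # 'h' is the hangup extension
            continue
        if m.group('peer') not in peers:
            hits.append(m.groupdict())
    return hits


def report(log_text, conf_text):
    """Combine the config check with the log scan into one summary dict."""
    sections, templates = parse_sip_conf(conf_text)
    allow, ctx = guest_policy(sections)
    hits = find_guest_calls(log_text, configured_peers(sections, templates))
    return {
        'allowguest': allow,
        'guest_context': ctx,
        'guest_calls': len(hits),
        'by_context': dict(Counter(h['context'] for h in hits)),
        'dialed': sorted(h['exten'] for h in hits),
    }


if __name__ == '__main__':
    r = report(SAMPLE_LOG, SAMPLE_SIP_CONF)
    print("allowguest effectively", "yes" if r['allowguest'] else "no",
          "- guests land in context", r['guest_context'])
    print(r['guest_calls'], "unauthenticated call attempts:", r['dialed'])
```

Run it against `/var/log/asterisk/messages` (or `full`) and your real sip.conf by swapping the two sample strings for file contents. The useful signal is not only the count but the called numbers: the four attempts in the post dial the same international number with different leading prefixes (00, 000, 900, 700), which is a caller probing for whatever prefix the dialplan will route; with `allowguest=no` in [general] the same scan is refused before it reaches the dialplan at all.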