Sip vicious


I had my phone ringing today, with the caller ID SIP VICIOUS.
I had a look on Google and this is pretty scary!!
A SIP hacker???
Is there a way to fight this spam …hacker…?


iptables or hardware firewall

make sure that you use ACLs etc.

basically the usual security rules apply



But what can we do?
I had a look on YouTube; apparently the system can hack passwords!!!
The * server is behind a NAT at the moment, with a firewall on the router…
Honestly, I don’t know what more iptables can give me…!!!

If SIP Vicious can detect passwords… it sounds hard to protect against, unless we can have phones with SSL (and I don’t).

Is there anybody with more info on how SIP Vicious operates?



AFAIK SIP Vicious can guess your password; I don’t think it knows it.



  1. Do you have SIP phones at remote locations hitting the * server through your firewall?
  2. Do you have SIP providers you are registering to?

If you just have SIP providers you are connecting to, isolate the SIP traffic on your firewall to a few IP address blocks.

As for phones on the outside that need to connect through the firewall, presumably because NAT support for SIP/* sucks beyond all reason, isolate all of the SIP traffic to be the current IP addresses of your remote SIP phones.

Or you could use a VPN… that seems to be how a lot of people do it.

You could get the current IP addresses of the phones by making a very simple secured website and having your users just log into it. The remote IP address is easily accessible in this fashion. Update your iptables with the new information and remove stale records after 48 hours. Most mobile users will only be inconvenienced in a minor fashion for the first few minutes setting up; it gives the suits the impression you’re on top of the security considerations, and makes your life a heck of a lot easier.

Once you effectively have a whitelist of IP addresses capable of even reaching the * server, it makes compromising your setup many, many orders of magnitude more difficult for the would-be hacker.

I mean seriously… do you expect IP addresses from other countries being authorized by your secured website? Probably not. Which is the only way some low-life is going to begin his journey hacking your * from someplace like France, Romania, or China. Of course he would have to know that is the function of the website in the first place.

Other than that…

  1. Never use the defaults in * for anything. I just wipe out the conf files and start from scratch.
  2. NEVER use the numeric extension in your SIP.CONF file to define your extensions. Use a random 10 character string and the numeric extension separated by a hyphen. A few simple macros and variable manipulation and it will work out alright in the dialplan.
  3. NEVER allow International dialing through the dialplan. Ever. Write yourself some AGI scripts and limit calling to specific extensions that are allowed by policy and protect yourself with some PIN codes.
  4. 15-20 random characters for your SIP passwords. Use a generator. If you use Realtime SIP you can have the database create them for you, update them nightly, and run a cron job to write out all your configuration files for the phones each night before they do their TFTP updates. Which is of course the secure encrypted versions otherwise…

It takes a little bit of work but you can lock down your * server TIGHT and you don’t have to worry as much about those programs like SIP Vicious sniffing around. If they never get a response from your * server in the first place they are going to move on.

P.S. - All of this does not mean jack diddly poop if you have SSH open to your * from the outside with a weak password.
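The iptables allow-list described in the reply above (provider address blocks plus remote-phone addresses recorded by the login page, with stale phone records dropped after 48 hours), as an added example that is not from the thread or from any project. It assumes the phone records live in a file of "IP EPOCH_SECONDS" lines and that Asterisk uses UDP 5060 for SIP and UDP 10000-20000 for RTP; the rules are printed for review rather than applied.

```shell
#!/usr/bin/env bash
# Added example: emit an iptables allow-list for SIP/RTP from static provider
# blocks and recently-seen remote phones; everything else gets DROP (no reply).
# Assumed layout: allow-list file with one "IP EPOCH_SECONDS" record per line.

SIP_PORT=5060
RTP_RANGE="10000:20000"
MAX_AGE=$((48 * 3600))   # phone records older than 48 hours are discarded

# prune_phones FILE NOW -> prints the IPs whose record is at most MAX_AGE old
prune_phones() {
    awk -v now="$2" -v max="$MAX_AGE" \
        'NF == 2 && now - $2 <= max { print $1 }' "$1"
}

# sip_rules NOW FILE BLOCK... -> prints the iptables commands for the allow-list
sip_rules() {
    local now="$1" file="$2"; shift 2
    local src
    echo "iptables -N SIP_ALLOW 2>/dev/null || iptables -F SIP_ALLOW"
    # static provider blocks first, then the currently valid remote phones
    for src in "$@" $(prune_phones "$file" "$now"); do
        echo "iptables -A SIP_ALLOW -p udp -s $src --dport $SIP_PORT -j ACCEPT"
        echo "iptables -A SIP_ALLOW -p udp -s $src --dport $RTP_RANGE -j ACCEPT"
    done
    # unlisted sources never get a response, so scanners move on
    echo "iptables -A SIP_ALLOW -p udp --dport $SIP_PORT -j DROP"
    echo "iptables -A SIP_ALLOW -p udp --dport $RTP_RANGE -j DROP"
    echo "iptables -C INPUT -j SIP_ALLOW 2>/dev/null || iptables -I INPUT -j SIP_ALLOW"
}

# Constructed sample: two phones seen within 48h, one record about 83h old.
sample_file=$(mktemp)
cat > "$sample_file" <<'EOF'
198.51.100.23 1700000000
203.0.113.7 1699990000
192.0.2.99 1699700000
EOF
sip_rules 1700000000 "$sample_file" 192.0.2.0/24 198.51.100.0/26
rm -f "$sample_file"
```

Pipe the output through `sh` only after reviewing it; the stale 192.0.2.99 record is omitted, and the two DROP rules are what keep scanners like SIP Vicious from ever seeing a reply.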