I’m having an issue with unauthenticated callers using my system. You could say I’m being “hacked” a bit. I am seeing calls being placed by one of my SIP peers but I don’t have any phones registered to that peer. Somehow they are setting their URI as ‘mysippeer’@‘myasteriskbox’.com and are able to make a call as that peer to anything in my dial plan.
Can someone help me figure out how to set something that specifies you must be a registered, valid SIP peer in order to make a call? I do not want any unauthenticated callers using the system.
First of all, first-aid fire-fighting is required.
Disconnect that peer and isolate it to a private context if you can. Hell, even if you need it, you don’t want people abusing your VoIP system. Give them a universal extension that only plays back Crazy Frog or Hamster Dance regardless of what they call. They’ll soon realise that you’re onto them.
As a secondary line of defence, change all of your passwords. Even ones that have not been compromised. If they’ve gotten this far into your system, who knows how much further they’ve gotten in?
I’ve just written a guide on here to use OpenVPN as an Asterisk connection for remote servers. The URL is here and it works perfectly for me but it may not be suitable, or even an option, for you.
I’ve been recommended to use Fail2Ban and it seems to be working very well but I’m looking at more hard-line levels of defence since I’ve found that my server is being attacked on a regular basis (on SSH, e-mail and Asterisk). I’m seriously considering banning massive blocks of IP addresses that stem from Russia, India and China since I have no business over there.
I hope you get your system sorted out but if you take a leaf out of my book, take this one: “Don’t take a chance on security and assume every compromise is a complete compromise!”
If you use Debian (like I do) then a quick reinstall of everything is very easy to achieve to avoid rootkits. Use Synaptic and Shift-L to select all installed packages followed by “G” (I think) to “go” and reinstall everything. I’m completely paranoid when it comes to security so this might explain the over-the-top response, but you can never be too careful…
You may also want to make sure that allowguest is set to no in sip.conf.
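The allowguest setting mentioned above is one of a handful of chan_sip options that decide whether an INVITE reaches the dialplan without the caller authenticating as a known peer. As an added example that is not from this thread, here is a small Python check over two constructed sip.conf fragments (the peer name and values are made up): it flags allowguest, alwaysauthreject, peers whose insecure option skips INVITE authentication, and peers with no secret at all.

```python
import configparser

# Constructed sip.conf fragments (not from the thread). WEAK lets a caller
# reach the dialplan without credentials; HARDENED is the corrected form.
WEAK_SIP_CONF = """
[general]
context=from-internal
allowguest=yes
[mysippeer]
type=friend
host=dynamic
insecure=port,invite
"""

HARDENED_SIP_CONF = """
[general]
context=from-internal
allowguest=no
alwaysauthreject=yes
[mysippeer]
type=friend
host=dynamic
secret=PLACEHOLDER-use-a-long-random-secret
"""


def audit_sip_conf(text):
    """Return (section, finding) tuples for settings that let callers place
    calls without authenticating as a known peer."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    findings = []
    general = cp["general"] if cp.has_section("general") else {}
    # chan_sip defaults allowguest to yes, so an absent key is also a finding.
    if general.get("allowguest", "yes").strip().lower() != "no":
        findings.append(("general", "allowguest is not set to no"))
    if general.get("alwaysauthreject", "no").strip().lower() != "yes":
        findings.append(("general", "alwaysauthreject is not set to yes"))
    # Every section other than [general] is treated as a peer definition here.
    for name in cp.sections():
        if name == "general":
            continue
        peer = cp[name]
        # insecure=invite (or very) skips authentication of incoming INVITEs.
        flags = {v.strip() for v in peer.get("insecure", "").lower().split(",")}
        if flags & {"invite", "very"}:
            findings.append((name, "insecure disables INVITE authentication"))
        if not (peer.get("secret") or peer.get("md5secret")):
            findings.append((name, "no secret or md5secret configured"))
    return findings
```

Running it over a real sip.conf gives a short list of sections to fix before rotating passwords; an empty list for the hardened fragment is the expected result.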