Olle E. Johansson wrote:
> 27 jan 2010 kl. 11.47 skrev Administrator TOOTAI:
>
>   
>> Hi,
>>
>> we had an attack on a server and we don't understand how it was 
>> possible, Asterisk 1.4.28/Debian Lenny 5.1 Attacker came from PALTEL, 
>> network 188.161.128.0/18
>>
>> Hacked account had following setup:
>>
>> [111]
>> type=friend
>> username=111
>> context=from-111
>> host=11.22.33.44
>> dtmfmode=auto
>> qualify=yes
>> nat=yes
>> canreinvite=no
>> defaultip=11.22.33.44
>> port=35060
>> disallow=all
>> allow=ulaw,alaw
>> call-limit=2
>>
>> Despite this, I saw in my logs that someone hacked this account and 
>> could place calls! in logs we have:
>>
>> [Jan 27 04:00:13] ERROR[29715] chan_sip.c: Peer '111' is trying to 
>> register, but not configured as host=dynamic
>> [Jan 27 04:00:13] NOTICE[29715] chan_sip.c: Registration from 
>> '<sip:1...@ourasteriskip>' failed for '188.161.152.245' - Peer is not 
>> supposed to register
>> [Jan 27 04:00:18] VERBOSE[30669] logger.c:     -- Executing 
>> [972599400...@from-111:1] NoOp("SIP/111-000016eb", "Incoming call from 
>> AAAA") in new stack
>>
>> As you see 111 could place a call even having not registered, which he 
>> is not supposed to do.
>>
>> How is this possible?
>>     
> [...]
>
> type=friend creates two objects in your asterisk server, one peer and one 
> user. Asterisk primarily matches the user objects for incoming calls on the 
> From: username. In this case, you have 111 as the username (regardless of the 
> "username" field, which is not the username btw). You have no secret defined, 
> so anyone placing a call from a URI that has 111 as the username part will be 
> able to use your server. Calling from sip:1...@asterisk.org as well as 
> sip:1...@mydomain.com will work without authentication - from any IP address 
> out there. Very poor security indeed.
>
> 1) Add a secret.
> 2) Add ACL rules (permit/deny) to restrict IP address access.
> 3) Change to type=peer and we'll only match on IP for incoming calls. I still 
> recommend using authentication.
>   
So the fact that host is set to an IP doesn't matter in case of 
type=friend. Didn't notice that, thanks for the explanation.
> [..] Make sure you read this and act upon it!
>   
Sure, already done.

Thanks for your answer.

-- 
Daniel
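The following is an added example, not code from the thread or from the Asterisk project: a small audit script that parses a sip.conf excerpt and flags exactly the weakness discussed above (a type=friend or type=user entry with no secret, which lets any INVITE whose From: user part matches the section name through regardless of source IP), plus entries with no permit/deny ACL. The embedded configuration is constructed: WEAK_SIP_CONF reproduces the posted entry, and HARDENED_SIP_CONF applies the three recommendations from the reply (secret, ACL, type=peer). The secret value is a placeholder, and the parser is deliberately minimal (no templates, no #include).

```python
import re

# Constructed sip.conf excerpt: the weak entry as posted (type=friend, no secret, no ACL).
WEAK_SIP_CONF = """
[111]
type=friend
username=111
context=from-111
host=11.22.33.44
dtmfmode=auto
qualify=yes
nat=yes
canreinvite=no
defaultip=11.22.33.44
port=35060
disallow=all
allow=ulaw,alaw
call-limit=2
"""

# Constructed hardened rewrite applying the reply's three points.
# The secret is a placeholder, not a real credential.
HARDENED_SIP_CONF = """
[111]
type=peer                              ; inbound INVITEs matched on source IP, not on the From: user part
secret=REPLACE_WITH_STRONG_SECRET      ; placeholder: authenticate even though matching is by IP
context=from-111
host=11.22.33.44
port=35060
deny=0.0.0.0/0.0.0.0                   ; deny everything ...
permit=11.22.33.44/255.255.255.255     ; ... except the trunk's own address
dtmfmode=auto
qualify=yes
nat=yes
canreinvite=no
disallow=all
allow=ulaw,alaw
call-limit=2
"""


def parse_sip_conf(text):
    """Minimal sip.conf reader: returns {section: {key: [value, ...]}}.
    Values are kept as lists because keys such as allow=, permit= and deny= may repeat."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop ; comments and surrounding whitespace
        if not line:
            continue
        m = re.match(r"^\[([^\]]+)\]", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        if "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current].setdefault(key.strip().lower(), []).append(value.strip())
    return sections


def audit_entry(name, entry):
    """Return a list of human-readable findings for one sip.conf section."""
    findings = []
    types = entry.get("type")
    has_secret = bool(entry.get("secret") or entry.get("md5secret"))
    has_acl = "permit" in entry or "deny" in entry
    if not types:
        # Asterisk rejects a section without type=; report it rather than guess.
        findings.append(f"{name}: missing type=")
        return findings
    typ = types[0].lower()
    if typ in ("friend", "user") and not has_secret:
        findings.append(
            f"{name}: type={typ} without secret: any INVITE whose From: user is "
            f"'{name}' is accepted from any IP, host= does not restrict it"
        )
    elif not has_secret:
        findings.append(f"{name}: no secret (relies on IP matching only)")
    if not has_acl:
        findings.append(f"{name}: no permit/deny ACL")
    return findings


def audit_sip_conf(text):
    """Audit every non-[general] section of a sip.conf text and collect findings."""
    findings = []
    for name, entry in parse_sip_conf(text).items():
        if name.lower() == "general":
            continue
        findings.extend(audit_entry(name, entry))
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_SIP_CONF), ("hardened", HARDENED_SIP_CONF)):
        print(f"== {label} ==")
        for finding in audit_sip_conf(conf) or ["no findings"]:
            print("  " + finding)
```

Run against the weak entry it reports the friend-without-secret matching and the missing ACL; against the hardened entry it reports nothing. With type=peer and a static host= the source-IP match already excludes other addresses, so the deny/permit pair is belt-and-braces, and the secret matters most if the entry is ever switched back to host=dynamic.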
