Olle E. Johansson wrote:
> On 27 Jan 2010, at 11.47, Administrator TOOTAI wrote:
>
>> Hi,
>>
>> we had an attack on a server and we don't understand how it was
>> possible, Asterisk 1.4.28/Debian Lenny 5.1. Attacker came from PALTEL,
>> network 188.161.128.0/18
>>
>> Hacked account had the following setup:
>>
>> [111]
>> type=friend
>> username=111
>> context=from-111
>> host=11.22.33.44
>> dtmfmode=auto
>> qualify=yes
>> nat=yes
>> canreinvite=no
>> defaultip=11.22.33.44
>> port=35060
>> disallow=all
>> allow=ulaw,alaw
>> call-limit=2
>>
>> Despite this, I saw in my logs that someone hacked this account and
>> could place calls! In the logs we have:
>>
>> [Jan 27 04:00:13] ERROR[29715] chan_sip.c: Peer '111' is trying to
>> register, but not configured as host=dynamic
>> [Jan 27 04:00:13] NOTICE[29715] chan_sip.c: Registration from
>> '<sip:1...@ourasteriskip>' failed for '188.161.152.245' - Peer is not
>> supposed to register
>> [Jan 27 04:00:18] VERBOSE[30669] logger.c: -- Executing
>> [972599400...@from-111:1] NoOp("SIP/111-000016eb", "Incoming call from
>> AAAA") in new stack
>>
>> As you see, 111 could place a call even without having registered, which he
>> is not supposed to do.
>>
>> How is this possible?
>>
> [...]
>
> type=friend creates two objects in your asterisk server, one peer and one
> user. Asterisk primarily matches the user objects for incoming calls on the
> From: username. In this case, you have 111 as the username (regardless of the
> "username" field, which is not the username btw). You have no secret defined,
> so anyone placing a call from a URI that has 111 as the username part will be
> able to use your server. Calling from sip:1...@asterisk.org as well as
> sip:1...@mydomain.com will work without authentication - from any IP address
> out there. Very poor security indeed.
>
> 1) Add a secret.
> 2) Add ACL rules (permit/deny) to restrict IP address access
> 3) Change to type=peer and we'll only match on IP for incoming calls. I still
> recommend using authentication.
>
So the fact that host is set to an IP doesn't matter in the case of type=friend.
Didn't notice that, thanks for the explanation.

> [..] Make sure you read this and act upon it!
>
Sure, already done.

Thanks for your answer.

--
Daniel

-- 
_____________________________________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users
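The weakness Olle describes (a type=friend or type=user entry with no secret is matched on the From: username for inbound INVITEs, so host= does not protect it) is easy to check for across a whole sip.conf. The script below is an added example, not code from this thread or from Asterisk. It parses a sip.conf, flags nameless-authentication entries, friend entries whose static host= gives a false sense of safety, entries with no permit/deny ACL, and insecure=invite. SAMPLE_SIP_CONF is constructed: the posted [111] entry next to a hardened [111-fixed] entry that applies Olle's three points (the secret value is a placeholder). The finding codes are the script's own names; it assumes chan_sip 1.4 skips a section with no type= and that insecure=invite turns off authentication of incoming INVITEs.

```python
"""Audit an Asterisk 1.4-style sip.conf for entries that accept unauthenticated
inbound calls. Added example; the sample config is constructed."""
from collections import OrderedDict

# Constructed sample: the hacked entry from the thread beside a hardened one.
SAMPLE_SIP_CONF = """
[general]
context=default

[111]                       ; the hacked entry, as posted
type=friend
username=111
context=from-111
host=11.22.33.44
port=35060
nat=yes
allow=ulaw,alaw

[111-fixed]                 ; same device, hardened per the reply
type=peer
secret=replace-with-a-long-random-password
host=11.22.33.44
port=35060
deny=0.0.0.0/0.0.0.0
permit=11.22.33.44/255.255.255.255
context=from-111
allow=ulaw,alaw
"""


def parse_sip_conf(text):
    """Minimal sip.conf parser: {section: OrderedDict(key -> value)}.
    Handles ';' comments, 'key = value' and 'key => value', [name](!)
    templates and [name](template) inheritance. A repeated key keeps its
    last value, which is enough for an audit."""
    sections, templates, current = OrderedDict(), {}, None
    for raw in text.splitlines():
        line = raw.split(';', 1)[0].strip()
        if not line:
            continue
        if line.startswith('['):
            name, _, rest = line[1:].partition(']')
            rest = rest.strip()
            opts = rest[1:-1].split(',') if rest.startswith('(') and rest.endswith(')') else []
            entry, is_template = OrderedDict(), False
            for opt in (o.strip() for o in opts):
                if opt == '!':
                    is_template = True
                elif opt in templates:
                    entry.update(templates[opt])   # inherit template values
            (templates if is_template else sections)[name] = entry
            current = entry
        elif current is not None and '=' in line:
            key, _, value = line.partition('=')
            current[key.strip().lower()] = value.lstrip('>').strip()
    return sections


def audit(sections):
    """Return (section, code, message) findings, one per weakness."""
    findings = []
    for name, e in sections.items():
        if name == 'general':
            continue
        typ = e.get('type', '').lower()
        if not typ:
            # Assumption: chan_sip logs "lacks type" and skips such a section.
            findings.append((name, 'NO_TYPE', 'no type=; Asterisk skips this section'))
            continue
        has_secret = bool(e.get('secret') or e.get('md5secret'))
        if typ in ('friend', 'user') and not has_secret:   # user object: From: match
            findings.append((name, 'NO_SECRET',
                             'type=%s without secret: any INVITE whose From: user is '
                             '"%s" is accepted, from any IP' % (typ, name)))
            host = e.get('host', '').lower()
            if typ == 'friend' and host not in ('', 'dynamic'):
                findings.append((name, 'STATIC_HOST_FRIEND',
                                 'host=%s only restricts the peer half; the user half '
                                 'still matches by name' % host))
        insecure = e.get('insecure', '').lower()
        if 'invite' in insecure or insecure == 'very':
            findings.append((name, 'INSECURE_INVITE',
                             'insecure=%s disables authentication of incoming INVITEs' % insecure))
        if 'permit' not in e and 'deny' not in e:
            findings.append((name, 'NO_ACL', 'no permit/deny: reachable from any source IP'))
    return findings


def audit_text(text):
    """Convenience wrapper: parse then audit."""
    return audit(parse_sip_conf(text))


if __name__ == '__main__':
    for section, code, msg in audit_text(SAMPLE_SIP_CONF):
        print('[%s] %s: %s' % (section, code, msg))
```

Run against the sample, [111] produces NO_SECRET, STATIC_HOST_FRIEND and NO_ACL, while [111-fixed] produces nothing. Feed it your real sip.conf (including any #include'd files, which this parser does not follow) and treat every NO_SECRET on an entry reachable from the Internet as the same hole that was exploited here.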