Re: [asterisk-users] How to stop intruder from registering sip?

2010-07-01 Thread Tzafrir Cohen
On Wed, Jun 30, 2010 at 11:50:49PM -0500, Tilghman Lesher wrote:
 On Wednesday 30 June 2010 18:38:51 Steve Edwards wrote:
  On Sun, 13 Jun 2010, Tilghman Lesher wrote:
   I would generally suggest something a little more deterministic (where
   101 is your extension):
  
   $ echo '101This is a salt' | sha1sum
   22c3c098bfc2289396af84ecfb1ab77419a6537e
 
  Aside from being 8 characters longer, why do you prefer sha1sum to md5sum?
 
 The use of MD5 is gradually being displaced, as crypto attacks are getting
 better.  Since SHA1 is usually the replacement, I went with it, since it's
 also likely to be available on systems.  While SHA1 will eventually succumb to
 the same attacks as MD5, due to its larger bitstrength, it has quite a few
 years left in it, before we need to start thinking about SHA256 or SHA512 to
 replace it.

So, assuming I can relatively easily come up with another phrase that
gives the same md5sum as the one of '101This is a salt', what does it
help me with breaking the next extension?

I prefer shorter names. An md5 checksum is too long as-is. Maybe simply
get the first 8 characters from it and hope they are unique. For a small
sample size (I suspect even a few 1000-s here would be small enough) I
would not expect any collisions.

-- 
   Tzafrir Cohen
icq#16849755  jabber:tzafrir.co...@xorcom.com
+972-50-7952406   mailto:tzafrir.co...@xorcom.com
http://www.xorcom.com  iax:gu...@local.xorcom.com/tzafrir

-- 
_
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
   http://www.asterisk.org/hello

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users


Re: [asterisk-users] How to stop intruder from registering sip?

2010-07-01 Thread William Stillwell (Lists)


Also, technically your 101This is a salt is stronger than your SHA1 Hash.

Let's say you stick with the 17 character password

You are using 0-9, a-z, A-Z, and space.

0-9 = 10
a-z = 26
A-Z = 26
Space = 1
Total Possible Values = 63

17^63 = 3.2982384238829760312713680399948e+77

Your sha1 is using 0-9, a-f

0-9 = 10
a-f = 6

40^16 = 4294967296

Your best defense would be:

1) don't use the extension # as the username
2) don't use any form of word out of any dictionary for user or password
3) try to make username/password as long as possible

4) don't use the [default] in extensions.conf (just in case you missed
something, and someone gets in somewhere).

5) use fail2ban or some other type of system to block IPs of remote systems
that attempt to authenticate more than 5 times in a minute and fail. (less,
whatever you feel is sufficient)






Re: [asterisk-users] How to stop intruder from registering sip?

2010-07-01 Thread Tilghman Lesher
On Thursday 01 July 2010 07:43:38 William Stillwell (Lists) wrote:
 Also, technically your 101This is a salt is stronger than your SHA1 Hash.

 Let's say you stick with the 17 character password

 You are using 0-9, a-z, A-Z, and space.

 0-9 = 10
 a-z = 26
 A-Z = 26
 Space = 1
 Total Possible Values = 63

 17^63 = 3.2982384238829760312713680399948e+77

 Your sha1 is using 0-9, a-f

 0-9 = 10
 a-f = 6

 40^16 = 4294967296

That would only be true if you used random characters in your 17-character
passphrase.  In fact, English text has somewhere between 0.6 and 1.5 bits of
randomness per letter, whereas an SHA1sum has no more than 4 bits of
randomness per letter.  Let's assume the higher number of randomness for
your English text, which gives us 1.5 * 17, which is 25.5 bits of randomness.
Note that the prefix 3 characters have ZERO randomness per character, as they
are deterministic from the extension.  That leaves even less: 21 bits of
randomness.  SHA1 cryptographic sums have no more than 160 bits of randomness.

I say no more than, because, given knowledge of the algorithm used to
determine passwords, the sum is reduced to the number of bits of randomness in
the source material.  You cannot generate randomness by applying a
deterministic algorithm.  However, given that the source material for the hash
sum is of a smaller bit strength than the comparative strength of the hash
algorithm, your difficulty of guessing the password is not reduced any by
using the hash algorithm for generative purposes.

-- 
Tilghman Lesher
Digium, Inc. | Senior Software Developer
twitter: Corydon76 | IRC: Corydon76-dig (Freenode)
Check us out at: www.digium.com  www.asterisk.org



Re: [asterisk-users] How to stop intruder from registering sip?

2010-07-01 Thread Mark Deneen
On Thu, Jul 1, 2010 at 12:53 PM, Tilghman Lesher tles...@digium.com wrote:


 That would only be true if you used random characters in your 17-character
 passphrase.  In fact, English text has somewhere between 0.6 and 1.5 bits
 of
 randomness per letter, whereas an SHA1sum has no more than 4 bits of
 randomness per letter.  Let's assume the higher number of randomness for
 your English text, which gives us 1.5 * 17, which is 25.5 bits of
 randomness.
 Note that the prefix 3 characters have ZERO randomness per character, as
 they
 are deterministic from the extension.  That gives an even less 21 bits of
 randomness.  SHA1 cryptographic sums have no more than 160 bits of
 randomness.

 I say no more than, because, given knowledge of the algorithm used to
 determine passwords, the sum is reduced to the number of bits of randomness
 in
 the source material.  You cannot generate randomness by applying a
 deterministic algorithm.  However, given that the source material for the
 hash
 sum is of a smaller bit strength than the comparative strength of the hash
 algorithm, your difficulty of guessing the password is not reduced any by
 using the hash algorithm for generative purposes.



With this in mind, I'll be sure to forge my passwords from Chinese text from
now on.

Re: [asterisk-users] How to stop intruder from registering sip?

2010-07-01 Thread Dave Platt
 That would only be true if you used random characters in your 17-character
 passphrase.  In fact, English text has somewhere between 0.6 and 1.5 bits of
 randomness per letter, whereas an SHA1sum has no more than 4 bits of
 randomness per letter.  Let's assume the higher number of randomness for
 your English text, which gives us 1.5 * 17, which is 25.5 bits of randomness.
 Note that the prefix 3 characters have ZERO randomness per character, as they
 are deterministic from the extension.  That gives an even less 21 bits of
 randomness.  SHA1 cryptographic sums have no more than 160 bits of randomness.
 
 I say no more than, because, given knowledge of the algorithm used to
 determine passwords, the sum is reduced to the number of bits of randomness in
 the source material.  You cannot generate randomness by applying a
 deterministic algorithm.  However, given that the source material for the hash
 sum is of a smaller bit strength than the comparative strength of the hash
 algorithm, your difficulty of guessing the password is not reduced any by
 using the hash algorithm for generative purposes.

Agreed, on all points.

Any deterministic method of this sort (e.g. hashing together the
extension name with a constant-per-site salt) is vulnerable to a
brute-force guessing attack against the salt.  If the person who
set it up used an ordinary, easily-remembered phrase as the salt,
then the security of *all* of the secrets is tied to the guessability
of this phrase.  Brute-force dictionary attacks against plain-language
words and phrases have been quite successful in the past... I've heard
it said that on any multi-user system having more than a handful of
users, the odds of one of those users having a guessable password
are often 50% or better.

I'm not in favor of using this sort of deterministic scheme
(e.g. HASH(salt + public info)) for determining per-station
secrets, no matter which hash algorithm is used.  Instead, I
recommend the scheme I originally proposed - use a random-number
generator (or a cryptographically-strong pseudorandom
generator, fed with some entropy from an external unpredictable
source) to generate individual secrets.  I make three arguments:

-  The resulting secrets (i.e. strings of hexadecimal digits)
   are equally hard, or equally easy, for the end-users to deal with
   (assuming that we're talking about equal numbers of digits).  Neither
   scheme has an advantage here.

-  Once set up, both systems are equally easy to use and administer...
   press a button and generate a secret.

-  The random- or pseudo-random method produces secrets which don't
   depend at all on the extension numbers (or user names, or other
   public information), are independent from one another, and are
   essentially immune to dictionary and other guessing attacks.  The
   only way to break them is via a full brute-force search... and
   successfully finding one extension's secret by brute-force search
   doesn't help you at all in finding any other extension's.  Assuming
   a good random-number generator, the amount of entropy (randomness)
   in the secrets is essentially equal to (2 ^ number-of-bits).

   None of these things is true of a deterministic-hashing scheme...
   if the salt can be guessed or determined, *every* extension's secret
   has been broken, and you have to immediately change *every* configuration
   in order to secure your system.  Salts based on dictionary words and
   phrases have far less randomness in them than their length would
   imply, and that means that the resulting secrets are less random...
   generating longer secret strings doesn't fix this, and can simply
   give a false sense of security.
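Tilghman Lesher's entropy accounting and Dave Platt's warning above can be shown end to end. The following is an added shell example, not code from the thread: it reproduces the sha1sum-of-extension-plus-salt scheme exactly as posted (derive_secret 101 'This is a salt' is Tilghman's command), then plays the attacker who already holds one extension's secret and runs a phrase list against it. The salt, the extensions and the phrase list are constructed for the demonstration; only coreutils sha1sum is assumed.

```shell
#!/bin/sh
# Added example (not from the thread): the deterministic per-site scheme
# secret = sha1sum("<extension><salt>") and the salt-guessing attack against it.
# Requires coreutils sha1sum. Salt, extensions and phrase list are constructed.

# The scheme as posted: echo '<ext><salt>' | sha1sum (trailing newline included).
derive_secret() {
    printf '%s%s\n' "$1" "$2" | sha1sum | cut -c1-40
}

# Attacker side. Input: one extension whose secret is already known (e.g. by
# brute force against SIP REGISTER) and a file of candidate salt phrases.
# Output: the site-wide salt on stdout, exit 0; exit 1 if no candidate matched.
recover_salt() {
    known_ext=$1; known_secret=$2; wordlist=$3
    while IFS= read -r phrase; do
        if [ "$(derive_secret "$known_ext" "$phrase")" = "$known_secret" ]; then
            printf '%s\n' "$phrase"
            return 0
        fi
    done < "$wordlist"
    return 1
}

# Once the salt is known every other extension's secret follows directly;
# nothing about extensions 102 or 103 had to be attacked at all.
demo() {
    salt='This is a salt'                       # constructed, dictionary-grade phrase
    wl=$(mktemp)
    printf '%s\n' 'password' 'letmein' 'This is a salt' 'correct horse' > "$wl"
    s101=$(derive_secret 101 "$salt")           # the one secret the attacker holds
    if found=$(recover_salt 101 "$s101" "$wl"); then
        printf 'salt recovered: %s\n' "$found"
        printf 'ext 102 secret: %s\n' "$(derive_secret 102 "$found")"
        printf 'ext 103 secret: %s\n' "$(derive_secret 103 "$found")"
    fi
    rm -f "$wl"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh salt-demo.sh demo`. The phrase list here has four entries; a real attacker uses the same word and phrase lists that break user passwords, and the cost is one sha1sum per candidate, which is exactly why the scheme's strength is the strength of the salt and nothing more.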






Re: [asterisk-users] How to stop intruder from registering sip?

2010-06-30 Thread Steve Edwards
On Sun, 13 Jun 2010, Tilghman Lesher wrote:

 I would generally suggest something a little more deterministic (where 
 101 is your extension):

 $ echo '101This is a salt' | sha1sum
 22c3c098bfc2289396af84ecfb1ab77419a6537e

Aside from being 8 characters longer, why do you prefer sha1sum to md5sum?

-- 
Thanks in advance,
-
Steve Edwards   sedwa...@sedwards.com  Voice: +1-760-468-3867 PST
Newline  Fax: +1-760-731-3000



Re: [asterisk-users] How to stop intruder from registering sip?

2010-06-30 Thread Tilghman Lesher
On Wednesday 30 June 2010 18:38:51 Steve Edwards wrote:
 On Sun, 13 Jun 2010, Tilghman Lesher wrote:
  I would generally suggest something a little more deterministic (where
  101 is your extension):
 
  $ echo '101This is a salt' | sha1sum
  22c3c098bfc2289396af84ecfb1ab77419a6537e

 Aside from being 8 characters longer, why do you prefer sha1sum to md5sum?

The use of MD5 is gradually being displaced, as crypto attacks are getting
better.  Since SHA1 is usually the replacement, I went with it, since it's
also likely to be available on systems.  While SHA1 will eventually succumb to
the same attacks as MD5, due to its larger bitstrength, it has quite a few
years left in it, before we need to start thinking about SHA256 or SHA512 to
replace it.

-- 
Tilghman Lesher
Digium, Inc. | Senior Software Developer
twitter: Corydon76 | IRC: Corydon76-dig (Freenode)
Check us out at: www.digium.com  www.asterisk.org



Re: [asterisk-users] How to stop intruder from registering sip?

2010-06-14 Thread Tarek Sawah

Along with all the previous suggestions, I found out that fail2ban is a good,
safe tool to be used along with hard passwords and not using numeric
usernames. For me, using A2Billing along with Asterisk was a pain because it
needs to create numeric usernames, so I had to create strong SIP users and
passwords, then assign A2Billing accounts to them to make it safer, plus the
fail2ban. Give it a try.

-- Tarek Sawah

Integrated Digital Systems

CCNA, MCSE, RHCE, VoIP USA: +1 347 562 2308






 Date: Sun, 13 Jun 2010 22:28:38 -0700
 To: asterisk-users@lists.digium.com
 From: i...@extrasensory.com
 Subject: Re: [asterisk-users] How to stop intruder from registering sip?
 
 At 01:06 PM 6/13/2010, you wrote:
 We use a combo of aastra 9133i and 57i's. Don't the user id and the
 extension HAVE to be the same? I had thought the aastra's used the
 extension as the SIP id to register.
 
 So in your extensions.conf you need lines like:
 
 exten => 123,1,Dial(SIP/123_thisisAfunnyextension)
 
 Well, that should give you the idea. Don't know if it's the best way, 
 but it's worked for me.
 
 Ira 
 
 

Re: [asterisk-users] How to stop intruder from registering sip?

2010-06-14 Thread Warren Selby
On Sun, Jun 13, 2010 at 3:06 PM, sean darcy seandar...@gmail.com wrote:

 But I'm struck with your notion of having sip user ids different from
 extensions. That would not require any user effort, or messing with each
 phone. But...


It'd be just as much effort as changing the passwords for each phone.
You'll have to modify the SIP USERNAME setting on each phone you want to
change the username for, the same as modifying the SIP PASSWORD setting for
each phone.

I'd recommend changing all of the passwords, modifying them on the phones
themselves, and then setting up a fail2ban solution that will ban anyone who
has more than 5 failed password attempts in less than a few minutes.  You
can even leave iptables setup to allow all, and just block the IPs that
fail2ban triggers on.

In your situation, using a password like , you may not end up with 5
failed password attempts, as that's usually one of the first things the
scripts out there will try, so fail2ban will only help you if you up your
password security.

I've had trouble getting the permit/deny trick to work as an IP filter in
the past, so instead I went with an iptables / fail2ban solution, along with
difficult to guess passwords.

-- 
Thanks,
--Warren Selby
http://www.selbytech.com
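William Stillwell and Warren Selby both recommend fail2ban with a threshold of about five failures in a short window. As an added example (not from the thread, and not fail2ban's own filter), the shell functions below do the same counting over Asterisk's chan_sip log lines, so the threshold and the regex can be checked against real log data before a jail is enabled. The message format ("Registration from '...' failed for '<ip>' - Wrong password") is what chan_sip in Asterisk 1.6/1.8 writes to the NOTICE log and is an assumption here; the sample lines and addresses are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): count failed SIP registrations per source
# address in an Asterisk log and list the addresses that crossed a threshold,
# i.e. the decision a fail2ban jail would make. The log format is what chan_sip
# in Asterisk 1.6/1.8 writes and is an assumption; sample lines are constructed.

# Extract one source IP per failed registration. Handles both the bare
# 'a.b.c.d' form and the 'a.b.c.d:port' form newer releases log.
failed_registration_ips() {
    grep -E "Registration from '.*' failed for '[0-9.]+(:[0-9]+)?' - " "$1" \
      | sed -E "s/.*failed for '([0-9.]+)(:[0-9]+)?' - .*/\1/"
}

# Print each IP with at least $2 failures in log file $1.
offending_ips() {
    failed_registration_ips "$1" | sort | uniq -c \
      | awk -v t="$2" '$1 >= t { print $2 }'
}

# The same match expressed as a fail2ban failregex (for filter.d/asterisk.conf;
# assumed, so verify it against your own /var/log/asterisk/messages first).
fail2ban_failregex() {
    printf '%s\n' \
      "failregex = Registration from '.*' failed for '<HOST>(:[0-9]+)?' - (Wrong password|No matching peer found|Username/auth name mismatch|Device does not match ACL)"
}

# Constructed sample: six attempts from one scanner walking extension numbers,
# two typos from a legitimate phone, and one unrelated NOTICE line.
make_sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
[Jun 13 10:59:01] NOTICE[1234] chan_sip.c: Registration from '"100" <sip:100@203.0.113.7>' failed for '203.0.113.7' - Wrong password
[Jun 13 10:59:02] NOTICE[1234] chan_sip.c: Registration from '"101" <sip:101@203.0.113.7>' failed for '203.0.113.7' - Wrong password
[Jun 13 10:59:02] NOTICE[1234] chan_sip.c: Registration from '"102" <sip:102@203.0.113.7>' failed for '203.0.113.7' - No matching peer found
[Jun 13 10:59:03] NOTICE[1234] chan_sip.c: Registration from '"103" <sip:103@203.0.113.7>' failed for '203.0.113.7:5060' - Wrong password
[Jun 13 10:59:03] NOTICE[1234] chan_sip.c: Registration from '"104" <sip:104@203.0.113.7>' failed for '203.0.113.7:5060' - Wrong password
[Jun 13 10:59:04] NOTICE[1234] chan_sip.c: Registration from '"105" <sip:105@203.0.113.7>' failed for '203.0.113.7' - Wrong password
[Jun 13 11:02:10] NOTICE[1234] chan_sip.c: Registration from '"jx7q2p" <sip:jx7q2p@198.51.100.5>' failed for '198.51.100.5' - Wrong password
[Jun 13 11:02:40] NOTICE[1234] chan_sip.c: Registration from '"jx7q2p" <sip:jx7q2p@198.51.100.5>' failed for '198.51.100.5' - Wrong password
[Jun 13 11:03:00] NOTICE[1234] chan_sip.c: Peer 'jx7q2p' is now Reachable. (12ms / 2000ms)
EOF
    printf '%s\n' "$f"
}
```

Point offending_ips at the live log (`offending_ips /var/log/asterisk/messages 5`) to see who a five-failure jail would have banned today. Note Warren's caveat still holds: a peer whose secret is an obvious value is taken on the first or second try and never reaches the threshold, so the counting only protects secrets that are already worth brute-forcing.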

Re: [asterisk-users] How to stop intruder from registering sip?

2010-06-14 Thread Dave Platt
 As I mentioned, I'm not inclined to mess with the secrets, too much 
 hassle for users. 

I'm afraid that I have to consider that attitude to be a bit like
saying "It's too much hassle for us to insist that our employees
lock their desk drawers and the front door... or wash their
hands after going to the bathroom... or cover their mouths when
they sneeze.  Oh, yeah, we keep the combination to the corporate
safe on a yellow sticky-note on the bulletin board, so that anyone
who forgets it can figure it out quickly."

There are ways to make stronger secrets easier to work with.
One method creates secret phrases by concatenating a bunch
of randomly-chosen dictionary words.  If you have enough
such words in the dictionary you can create phrases which have
enough randomness to survive brute-force attacks but which
aren't too difficult to type in correctly.  For example, such
a gibberish-generator might output

fizzy.basal.nerfy.dogma.colma.flinx

It's your choice... but these basic security principles about
setting secrets/passwords have the fruits of many peoples'
expen$ive experience at the high cost of *not* doing things
properly.

If the cost of doing things securely is that you have to spend
a few minutes of IT-guru time setting up each user's phone
or softphone, or need to write a document-generator which
prints out step-by-step instructions for each user with the
necessary user-name and secret included... it could be a
*very* good investment.


 That's why I'm considering deny/permit.

 Does that solve my problem?

*Only* if you have complete physical control over *every*
network on which those phones will be used, *and* all of
your employees are completely trustworthy.

It's really no solution at all if you need to have road warriors
using soft-phones on networks across the world, since you won't
be able to deny IP addresses meaningfully in that case.  All it
would take would be one such employee using a softphone via an
insecure network (e.g. open WiFi access point), somebody sniffs
the protocol and sees the registration and records the extension
number and then does a brute-force secret-guessing attack.  Boom.
You're out hundreds or thousands of dollars of calling costs before
you can react.  Scammers can use your SIP system to make calls to
premium phone numbers that cost several dollars per minute... and
the scammer may well get a portion of this revenue.

Big companies have ended up losing tens of thousands of dollars
to this sort of attack against their PBX systems.

Or, worse... your SIP secrets end up in the hands of a cybergang
which starts using your system for criminal activities (e.g.
drug-trafficking, making scam calls to homeowners, etc.), and
you find your company facing investigation by law enforcement,
or your SIP provider cuts you off due to abuse complaints.  The
secondary cost of either of these to your business could be
severe.

As Dirty Harry said, "How lucky do you feel?"  You've already
been hit once.

 But I'm struck with your notion of having sip user ids different from 
 extensions. That would not require any user effort, or messing with each 
 phone. But...
 
 We use a combo of aastra 9133i and 57i's. Don't the user id and the 
 extension HAVE to be the same? I had thought the aastra's used the 
 extension as the SIP id to register.

By no means - at least, not in the 9133i, and I'd be surprised if
the 57i had that requirement.

Look in the Administration manual for the 9133i, Appendix A,
SIP Basic, Global Settings, SIP Global Authentication.
This is where you can set the authentication name and
sip password, which are what the phone uses to register with
the server (e.g. the SIP user name and secret).  Make this name
*different* from the extension name, and provide a good secret.

You can also set the SIP display name, which is what
shows up on the screen, and is sent as the From field
in the SIP protocol.  You can set this to the user's primary
extension number.

A bit further down, there are per-line registration fields
which do the same thing for individual line-presence
buttons... screen name (also used for From:), user name
(for SIP registration), password (SIP registration secret).






Re: [asterisk-users] How to stop intruder from registering sip?

2010-06-13 Thread dotnetdub


 The trouble with whitelisting, or using iptables to block 5060 (in fact
 * is behind a router - 5060 is port forwarded) is that traveling
 employees wouldn't be able to register with inbound extensions. We set
 up our travelers so they can connect from wherever, and be treated as if
 they were at a local extension. That is, the employee can dial 151, or
 be dialed at his extension. He can not however dial third parties, or at
 least isn't supposed to.

 sean



If you leave your asterisk box open to the world with passwords like 
you deserve to be hacked..

Are your travelling people using softphones? If they are VPN would be a good
idea..





Re: [asterisk-users] How to stop intruder from registering sip?

2010-06-13 Thread Dave Platt
 If you leave your asterisk box open to the world with passwords like 
 you deserve to be hacked..

Well, without making a moral judgment, I will agree that you are *going*
to be hacked if you do this!

The O.P. seems to have made two (fairly common) mistakes:

-  Used a secret so obvious that it could be guessed... and
   even if not, so short that it could have been determined by
   a very simple brute-force attack.

-  Used the user's extension number as the SIP user ID... and
   thus making it easy to figure out which user IDs on which a
   password attack could be carried out.

Doing a brute-force SIP-registration attack against all
possible 3- and 4-digit extensions, using a handful of
obvious secret strings ( through , 1234, 4321,
same number as the extension) wouldn't take an attacker
very long at all.  Nor would trying to call all of these
numbers once to figure out which extensions exist, then doing
a brute-force password attack against those which exist.  I
have no doubt that there are numerous crackers out on the
net doing just these sorts of attacks on a regular basis.

The cure for these problems is, obviously, "don't do that":

(1) SIP user IDs should not be based on the extension number,
and preferably should not be based on the owner's name
or user login.  Make 'em hard to guess or brute-force!

(2) Make the secrets equally hard to guess or brute-force.
No short strings of numbers, no dictionary words or
simple leet-speak transforms of them, etc.

One of your best tools is a program or script to generate
random sequences of letters and digits and other legal-
in-SIP-names characters.  Try something like

   dd if=/dev/urandom bs=512 count=1 | base64

and then copy some 10- or 12-character substrings out of this
mass of gibberish and use 'em for SIP secrets.  With this many
bits of randomness in the secrets, they'll be effectively
invulnerable to guessing or brute force attacks.

 Are your travelling people using softphones? If they are VPN would be a good
 idea..

A very good idea, and not just for security reasons.  Running SIP over
a VPN tunnel can be a very effective remedy for all sorts
of firewall- and NAT-related problems.

I've found that running OpenVPN between my various SIP clients,
and my Asterisk server, produces far better results than depending
on STUN or on SIP-aware routers and firewalls.
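What Dave Platt's two rules and Ira's Dial() line look like in the Asterisk configuration, as an added fragment (not from the thread and not any project's shipped file): the peer name and secret are opaque generated strings; the extension number exists only in the dialplan, which maps it to the peer; and the [general] settings keep the server from telling a scanner which peer names exist. The peer name, the secret, the context names and the address ranges are all constructed.

```ini
; sip.conf (added example; names, secret and addresses are constructed)
[general]
context=from-sip-external   ; unauthenticated traffic lands here: no outbound dialing
allowguest=no               ; no calls from peers that did not authenticate
alwaysauthreject=yes        ; same rejection whether the peer name exists or not,
                            ; so walking 100..999 reveals nothing

; The peer name is an opaque generated string, not the extension number.
[jx7q2pk4wd]
type=friend
host=dynamic
secret=Qp7vR2mLx9Ht3cWz8Nb4Yk   ; generated, 128+ bits, never reused
context=internal
; deny/permit as Dave Platt describes it: only the office LAN and the VPN
; range may register as this peer. Drop these lines for a roaming softphone.
deny=0.0.0.0/0.0.0.0
permit=192.168.1.0/255.255.255.0
permit=10.8.0.0/255.255.255.0

; extensions.conf
[internal]
; Extension 101 is a dialplan fact only; the phone never authenticates as "101".
exten => 101,1,Dial(SIP/jx7q2pk4wd,20)
exten => 101,n,Voicemail(101@default,u)
exten => 101,n,Hangup()

[from-sip-external]
; Nothing in this context reaches a trunk. Anything that arrives here
; unauthenticated or mis-routed gets congestion and is hung up.
exten => _X.,1,Congestion(5)
exten => _X.,n,Hangup()
```

The deny/permit pair answers sean darcy's question only in the narrow sense Dave Platt gives it: it helps for peers that always register from a known range. For the travelling softphones, the VPN dotnetdub suggests is what makes a permit line possible at all, since the client then arrives from the VPN range instead of from an arbitrary hotel address.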





Re: [asterisk-users] How to stop intruder from registering sip?

2010-06-13 Thread Tzafrir Cohen
On Sun, Jun 13, 2010 at 10:59:43AM -0700, Dave Platt wrote:

 The O.P. seems to have made two (fairly common) mistakes:

[snip]

 -  Used the user's extension number as the SIP user ID... and
thus making it easy to figure out which user IDs on which a
password attack could be carried out.

Sadly this is something that FreePBX (and probably other systems) force
you to do.

One other minor nit:
 
 One of your best tools is a program or script to generate
 random sequences of letters and digits and other legal-
 in-SIP-names characters.  Try something like
 
dd if=/dev/urandom bs=512 count=1 | base64
 
 and then copy some 10- or 12-character substrings out of this
 mass of gibberish and use 'em for SIP secrets.  With this many
 bits of randomness in the secrets, they'll be effectively
 invulnerable to guessing or brute force attacks.

Ahem. If you only want that many characters, just get less random bits.

This will get you 128 (16 * 8) [pseudo?]random bits:

   head /dev/urandom -c 16 | base64

-- 
   Tzafrir Cohen
icq#16849755  jabber:tzafrir.co...@xorcom.com
+972-50-7952406   mailto:tzafrir.co...@xorcom.com
http://www.xorcom.com  iax:gu...@local.xorcom.com/tzafrir
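Dave Platt's /dev/urandom recipe, Tzafrir Cohen's shorter version of it, and the word-list passphrases from Dave's earlier message, as one added shell example (not from the thread). gen_secret keeps Tzafrir's idea of drawing only as much entropy as is needed but strips the base64 '+', '/' and '=' characters so the result pastes cleanly into sip.conf and phone web forms; gen_passphrase picks words from a word file the way Dave describes; secret_bits is the entropy figure Tilghman's post reasons about. The word file, the default lengths and the 48-byte draw are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): generating independent per-peer secrets
# from the kernel RNG, word-list passphrases, and the entropy figure for each.
# The lengths below and the word file used by the caller are assumptions.

# Random secret of $1 characters (default 22) drawn from [A-Za-z0-9].
# 48 random bytes base64 to exactly 64 characters with no padding, each
# uniform over 64 symbols; dropping '+' and '/' leaves each survivor uniform
# over 62, and 22 of them carry about 131 bits, above the 128 Tzafrir asked for.
gen_secret() {
    len=${1:-22}
    s=$(head -c 48 /dev/urandom | base64 | tr -dc 'A-Za-z0-9')
    printf '%s\n' "$s" | cut -c1-"$len"
}

# Passphrase of $2 words chosen from the file $1 (one word per line), joined
# with '.', as in Dave Platt's fizzy.basal.nerfy example. Each word carries
# log2(number of lines) bits. The 32-bit draw modulo the line count has a
# bias below 2^-19 for any word list under 8192 lines, negligible here.
gen_passphrase() {
    wordfile=$1; n=$2
    count=$(wc -l < "$wordfile" | tr -d ' ')
    i=0; out=''
    while [ "$i" -lt "$n" ]; do
        r=$(od -An -N4 -tu4 /dev/urandom | tr -d ' ')
        idx=$(( r % count + 1 ))
        w=$(sed -n "${idx}p" "$wordfile")
        out="${out}${out:+.}${w}"
        i=$((i + 1))
    done
    printf '%s\n' "$out"
}

# Entropy in bits of $1 independent uniform symbols from an alphabet of $2,
# rounded to the nearest bit: 22 symbols of 62 -> 131, 16 of 64 -> 96,
# 6 words from a 7776-word list -> 78.
secret_bits() {
    awk -v n="$1" -v c="$2" 'BEGIN { printf "%.0f\n", n * log(c) / log(2) }'
}
```

`gen_secret 10` gives an opaque SIP peer name with about 60 bits, which is plenty for something that is not itself the secret; `gen_secret` alone gives the secret. For a passphrase from the system dictionary, `gen_passphrase /usr/share/dict/words 6` is the usual call; check `secret_bits 6 "$(wc -l < /usr/share/dict/words)"` against the 80-odd bits you want before relying on a shorter list.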



Re: [asterisk-users] How to stop intruder from registering sip?

2010-06-13 Thread Tilghman Lesher
On Sunday 13 June 2010 13:46:36 Tzafrir Cohen wrote:
 On Sun, Jun 13, 2010 at 10:59:43AM -0700, Dave Platt wrote:
  The O.P. seems to have made two (fairly common) mistakes:

 [snip]

  -  Used the user's extension number as the SIP user ID... and
 thus making it easy to figure out which user IDs on which a
 password attack could be carried out.

 Sadly this is something that FreePBX (and probably other systems) force
 you to do.

 One other minor nit:
  One of your best tools is a program or script to generate
  random sequences of letters and digits and other legal-
  in-SIP-names characters.  Try something like
 
 dd if=/dev/urandom bs=512 count=1 | base64
 
  and then copy some 10- or 12-character substrings out of this
  mass of gibberish and use 'em for SIP secrets.  With this many
  bits of randomness in the secrets, they'll be effectively
  invulnerable to guessing or brute force attacks.

 Ahem. If you only want that many characters, just get less random bits.

 This will get you 128 (16 * 8) [pseudo?]random bits:

head /dev/urandom -c 16 | base64

I would generally suggest something a little more deterministic (where
101 is your extension):

$ echo '101This is a salt' | sha1sum
22c3c098bfc2289396af84ecfb1ab77419a6537e

Pick your salt to be unique per site, guard the salt jealously, and you'll be
fine.

-- 
Tilghman Lesher
Digium, Inc. | Senior Software Developer
twitter: Corydon76 | IRC: Corydon76-dig (Freenode)
Check us out at: www.digium.com  www.asterisk.org



Re: [asterisk-users] How to stop intruder from registering sip?

2010-06-13 Thread sean darcy
On 06/13/2010 02:07 AM, dotnetdub wrote:

 The trouble with whitelisting, or using iptables to block 5060 (in fact
 * is behind a router - 5060 is port forwarded) is that traveling
 employees wouldn't be able to register with inbound extensions. We set
 up our travelers so they can connect from wherever, and be treated as if
 they were at a local extension. That is, the employee can dial 151, or
 be dialed at his extension. He can not however dial third parties, or at
 least isn't supposed to.

 sean



 If you leave your asterisk box open to the world with passwords like
  you deserve to be hacked..

 Are your travelling people using softphones? If they are VPN would be a
 good idea..



Ok. Obviously we deserve all this, and I should mess around with setting 
complex passwords for all my internal extensions. And I should accept 
suffering as part of atoning for our errors.

I was actually interested in a more prosaic question:

does deny/permit in the sip stanzas which have an outgoing context solve 
my immediate problem: limiting access to sip for outgoing calls?

sean






Re: [asterisk-users] How to stop intruder from registering sip?

2010-06-13 Thread sean darcy
On 06/13/2010 01:59 PM, Dave Platt wrote:
 If you leave your asterisk box open to the world with passwords like 
 you deserve to be hacked..

 Well, without making a moral judgment, I will agree that you are *going*
 to be hacked if you do this!

 The O.P. seems to have made two (fairly common) mistakes:

 -  Used a secret so obvious that it could be guessed... and
 even if not, so short that it could have been determined by
 a very simple brute-force attack.

 -  Used the user's extension number as the SIP user ID... and
 thus making it easy to figure out which user IDs on which a
 password attack could be carried out.

 Doing a brute-force SIP-registration attack against all
 possible 3- and 4-digit extensions, using a handful of
 obvious secret strings ( through , 1234, 4321,
 same number as the extension) wouldn't take an attacker
 very long at all.  Nor would trying to call all of these
 numbers once to figure out which extensions exist, then doing
 a brute-force password attack against those which exist.  I
 have no doubt that there are numerous crackers out on the
 net doing just these sorts of attacks on a regular basis.

 The cure for these problems is, obviously, don't do that:

 (1) SIP user IDs should not be based on the extension number,
  and preferably should not be based on the owner's name
  or user login.  Make 'em hard to guess or brute-force!

 (2) Make the secrets equally hard to guess or brute-force.
  No short strings of numbers, no dictionary words or
  simple leet-speak transforms of them, etc.

 One of your best tools is a program or script to generate
 random sequences of letters and digits and other legal-
 in-SIP-names characters.  Try something like

 dd if=/dev/urandom bs=512 count=1 | base64

 and then copy some 10- or 12-character substrings out of this
 mass of gibberish and use 'em for SIP secrets.  With this many
 bits of randomness in the secrets, they'll be effectively
 invulnerable to guessing or brute force attacks.

 Are your travelling people using softphones? If they are VPN would be a good
 idea..

 A very good idea, and not just for security reasons.  Running SIP over
 a VPN tunnel can be a very effective remedy for all sorts
 of firewall- and NAT-related problems.

 I've found that running OpenVPN between my various SIP clients,
 and my Asterisk server, produces far better results than depending
 on STUN or on SIP-aware routers and firewalls.


Thanks for not suggesting I ponder my sins!

As I mentioned, I'm not inclined to mess with the secrets, too much 
hassle for users. That's why I'm considering deny/permit.

Does that solve my problem?

But I'm struck with your notion of having sip user ids different from 
extensions. That would not require any user effort, or messing with each 
phone. But...

We use a combo of aastra 9133i and 57i's. Don't the user id and the 
extension HAVE to be the same? I had thought the aastra's used the 
extension as the SIP id to register.

sean





Re: [asterisk-users] How to stop intruder from registering sip?

2010-06-13 Thread Tzafrir Cohen
On Sun, Jun 13, 2010 at 04:06:52PM -0400, sean darcy wrote:

 As I mentioned, I'm not inclined to mess with the secrets, too much 
 hassle for users. That's why I'm considering deny/permit.
 
 Does that solve my problem?

If you don't have users who need remote access. The issue at hand is
brute-force attacks from the internet.

-- 
   Tzafrir Cohen
icq#16849755  jabber:tzafrir.co...@xorcom.com
+972-50-7952406   mailto:tzafrir.co...@xorcom.com
http://www.xorcom.com  iax:gu...@local.xorcom.com/tzafrir



Re: [asterisk-users] How to stop intruder from registering sip?

2010-06-13 Thread Ryan Wagoner
On Sun, Jun 13, 2010 at 4:06 PM, sean darcy seandar...@gmail.com wrote:
 Thanks for not suggesting I ponder my sins!

 As I mentioned, I'm not inclined to mess with the secrets, too much
 hassle for users. That's why I'm considering deny/permit.

 Does that solve my problem?

 But I'm struck with your notion of having sip user ids different from
 extensions. That would not require any user effort, or messing with each
 phone. But...

 We use a combo of aastra 9133i and 57i's. Don't the user id and the
 extension HAVE to be the same? I had thought the aastra's used the
 extension as the SIP id to register.

 sean


The deny/permit will work only for phones within your internal
network. It will not allow any remote phones to connect so how do you
plan on getting your remote users up and running?

How are secrets too much hassle? You set the password once and forget
it. With the Aastra phones you could setup phone provisioning files to
automate the process.

Ryan



Re: [asterisk-users] How to stop intruder from registering sip?

2010-06-13 Thread Tilghman Lesher
On Sunday 13 June 2010 15:06:52 sean darcy wrote:
 As I mentioned, I'm not inclined to mess with the secrets, too much
 hassle for users. That's why I'm considering deny/permit.

Clearly, this intruder isn't costing you enough money yet.  If you ignore the
problem for a month, does that cost you enough money that you'll consider
making the passwords exceptionally difficult to guess?

 Does that solve my problem?

If there are any IP addresses that you do not control that are in your
allow list, then it does not solve your problem.

 We use a combo of aastra 9133i and 57i's. Don't the user id and the
 extension HAVE to be the same? I had thought the aastra's used the
 extension as the SIP id to register.

You are stuck in the mindframe that the extension is the unique identifier for
the phone.  It is not.  There is a device identifier and there is an
extension.  The extension does not pass beyond the limits of the Asterisk
system, and the purpose of the Asterisk dialplan (in an office environment)
is to map extensions to device identifiers.

-- 
Tilghman Lesher
Digium, Inc. | Senior Software Developer
twitter: Corydon76 | IRC: Corydon76-dig (Freenode)
Check us out at: www.digium.com  www.asterisk.org
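A way to produce the separate device identifier Tilghman describes, together with a secret that carries the randomness Dave Platt asked for (his /dev/urandom idea) or is derived from a site salt (Tilghman's sha1sum idea), as an added example that is not code from the thread. It assumes chan_sip sip.conf and extensions.conf syntax; derived_secret() swaps in HMAC-SHA256 keyed with the site salt in place of sha1sum over the concatenated string, and the device name and salt values are constructed.

```python
"""Generate SIP device identifiers and secrets that cannot be guessed from
the extension number, plus the dialplan line that maps extension to device.

Added example, not code from the thread. Assumes chan_sip sip.conf and
extensions.conf syntax. random_secret() does the /dev/urandom idea with
Python's secrets module; derived_secret() is a keyed variant of the salted
hash idea (HMAC-SHA256 with the site salt as key, my change, instead of
sha1sum over salt and extension concatenated).
"""
import hashlib
import hmac
import math
import secrets
import string

# Letters and digits only: safe in SIP user names, secrets and dialplan strings.
ALPHABET = string.ascii_letters + string.digits


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Bits of randomness in a uniformly chosen string of this length.
    12 base64 characters (alphabet 64) come to 72 bits, which is why the
    10- or 12-character substrings suggested in the thread resist brute force."""
    return length * math.log2(alphabet_size)


def random_secret(length=20):
    """Uniformly random secret; 20 chars of [A-Za-z0-9] is about 119 bits."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def derived_secret(site_salt, extension, length=20):
    """Deterministic secret per extension, reproducible from the site salt.
    Learning one secret does not help derive another without the salt.
    20 hex characters carry 80 bits."""
    mac = hmac.new(site_salt.encode(), extension.encode(), hashlib.sha256)
    return mac.hexdigest()[:length]


def device_id(suffix_len=10):
    """The name the phone registers with. It carries no extension number;
    the extension-to-device mapping lives only in extensions.conf."""
    return "dev" + random_secret(suffix_len)


def peer_stanza(device, secret, context="longdistance"):
    """A sip.conf stanza keyed by device name rather than by extension."""
    lines = [
        f"[{device}]",
        "type=friend",
        f"secret={secret}",
        f"context={context}",
        "host=dynamic",
        "qualify=yes",
        "nat=yes",
        "canreinvite=no",
    ]
    return "\n".join(lines) + "\n"


def dialplan_line(extension, device):
    """extensions.conf: dialling the extension rings the device."""
    return f"exten => {extension},1,Dial(SIP/{device})"


def provision(extension, site_salt=None):
    """Return (device, secret, sip.conf stanza, dialplan line) for one extension.
    With a site_salt the secret is derived; without one it is random."""
    device = device_id()
    secret = derived_secret(site_salt, extension) if site_salt else random_secret()
    return device, secret, peer_stanza(device, secret), dialplan_line(extension, device)


if __name__ == "__main__":
    # Placeholder salt: a real deployment keeps its own salt out of any config file.
    dev, sec, stanza, dp = provision("151", site_salt="REPLACE-WITH-SITE-SALT")
    print(stanza)
    print(dp)
    print(f"{entropy_bits(len(sec), 16):.0f} bits in a {len(sec)}-hex-char derived secret")
```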



Re: [asterisk-users] How to stop intruder from registering sip?

2010-06-13 Thread Ira
At 01:06 PM 6/13/2010, you wrote:
We use a combo of aastra 9133i and 57i's. Don't the user id and the
extension HAVE to be the same? I had thought the aastra's used the
extension as the SIP id to register.

So in your extensions.conf you need lines like:

exten = 123,1,dial(SIP/123_thisisAfunnyextension)

Well, that should give you the idea. Don't know if it's the best way, 
but it's worked for me.

Ira 




Re: [asterisk-users] How to stop intruder from registering sip?

2010-06-12 Thread sean darcy
I decided to include the following in each sip.conf stanza that has an 
outgoing context:

deny=0.0.0.0/0.0.0.0
permit=10.10.10.0/24

I didn't want to mess around with secrets/passwords. And I want to allow 
registration for incoming contexts.

Won't this do it?

Is this how my intruder did this?

register = 151:@my.pbx.ip.address
Dial(some.West.African.number,SIP/151:@my.pbx.ip.address)

Blacklisting won't work - see Whack-a-mole.

Does the deny/permit do the trick?

sean

sean




Re: [asterisk-users] How to stop intruder from registering sip?

2010-06-12 Thread Benoit
On 12/06/2010 15:09, sean darcy wrote:
 I decided to include the following in each sip.conf stanza that has an
 outgoing context:

 deny=0.0.0.0/0.0.0.0
 permit=10.10.10.0/24

If all your phones are on a defined network like that, you really should 
use iptables to allow
inbound SIP from the 10-network and from the ip addresses of your 
provider(s) only.
 Blacklisting won't work - see Whack-a-mole.

Well, in your case you need to think the other way (whitelisting), and 
that works pretty nicely.
 Does the deny/permit do the trick?

It should, as long as the asterisk auth is working fine. But I would 
strongly urge you to add an iptables (or any other FW)
layer on top of it, better safe than sorry.

Example:

*filter
:INPUT DROP [0:0]
:SIP - [0:0]
:IAX - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i bond0 -p icmp -m icmp --icmp-type any -j ACCEPT
# ssh
-A INPUT -i bond0 -s  -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i bond0 -p udp -m udp --dport 5060 -j SIP
-A INPUT -i bond0 -p udp -m udp --dport 4569 -j IAX
-A SIP --src 10.10.10.0/24 -j ACCEPT
-A SIP --src ip.provider.1 -j ACCEPT
-A SIP --src ip.provider.2 -j ACCEPT
...
-A IAX --src 10.10.10.0/24 -j ACCEPT
COMMIT
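What the deny/permit pair in sean's stanza actually decides for a given source address, run over registration lines in the format of the thread's log, as an added example that is not code from the thread or from Asterisk. It assumes the sip.conf ACL semantics as I understand them (rules evaluated in the order written, last match wins, no matching rule means permit); the log lines are constructed, with the private addresses invented.

```python
"""Evaluate Asterisk-style deny/permit lists against the addresses seen in
chan_sip registration log lines.

Added example, not code from the thread or from Asterisk. Models sip.conf
permit/deny semantics as I understand them (an assumption): rules are
evaluated in the order written, the last matching rule decides, and a
peer with no matching rule is permitted. Masks may be dotted
(0.0.0.0/0.0.0.0) or CIDR (10.10.10.0/24); a bare address means one host.
"""
import ipaddress
import re

# The two lines sean proposed for every stanza with an outgoing context.
PEER_151_RULES = ["deny=0.0.0.0/0.0.0.0", "permit=10.10.10.0/24"]

# Constructed sample log lines in the thread's log format. The public address
# is the one from the thread; the 10.x addresses are invented.
SAMPLE_LOG = """\
[Jun 10 15:51:19] VERBOSE[1662] chan_sip.c: -- Registered SIP '151' at 79.117.17.247 port 5060
[Jun 10 15:52:03] VERBOSE[1662] chan_sip.c: -- Registered SIP '152' at 10.10.10.52 port 5060
[Jun 10 15:53:40] VERBOSE[1662] chan_sip.c: -- Registered SIP '160' at 10.10.20.7 port 5060
"""

REGISTERED = re.compile(
    r"Registered SIP '(?P<peer>[^']+)' at (?P<ip>[\d.]+) port (?P<port>\d+)"
)


def parse_rule(line):
    """Turn 'permit=10.10.10.0/24' into ('permit', IPv4Network)."""
    key, sep, value = line.partition("=")
    key = key.strip().lower()
    if not sep or key not in ("permit", "deny"):
        raise ValueError(f"not a permit/deny line: {line!r}")
    addr, _, mask = value.strip().partition("/")
    network = ipaddress.ip_network(f"{addr}/{mask or '32'}", strict=False)
    return key, network


def acl_allows(rules, source_ip):
    """Apply the rules in order; the last one that matches wins.
    No rules, or no matching rule, means the address is permitted, so a
    stanza must start with a deny-all to be a whitelist."""
    addr = ipaddress.ip_address(source_ip)
    verdict = True
    for line in rules:
        sense, network = parse_rule(line)
        if addr in network:
            verdict = sense == "permit"
    return verdict


def audit_registrations(rules, log_text):
    """Return (peer, ip, allowed) for each registration line in the log, so
    an admin can see which registrations the ACL would have refused. Note
    that a travelling user on a public address is refused just like the
    intruder; the ACL cannot tell them apart."""
    results = []
    for match in REGISTERED.finditer(log_text):
        ip = match.group("ip")
        results.append((match.group("peer"), ip, acl_allows(rules, ip)))
    return results


if __name__ == "__main__":
    for peer, ip, allowed in audit_registrations(PEER_151_RULES, SAMPLE_LOG):
        print(f"peer {peer} from {ip}: {'permitted' if allowed else 'denied'}")
```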



Re: [asterisk-users] How to stop intruder from registering sip?

2010-06-12 Thread sean darcy
On 06/12/2010 10:57 AM, Benoit wrote:
 On 12/06/2010 15:09, sean darcy wrote:
 I decided to include the following in each sip.conf stanza that has an
 outgoing context:

 deny=0.0.0.0/0.0.0.0
 permit=10.10.10.0/24

 If all your phones are on a defined network like that, you really should
 use iptables to allow
 inbound SIP from the 10-network and from the ip addresses of your
 provider(s) only.
 Blacklisting won't work - see Whack-a-mole.

 Well, in you case you need to think the other way (whitelisting), and
 that work pretty nice
 Does the deny/permit do the trick?

 It should, as long as the asterisk auth is working fine. But i would
 strongly urge you to add an iptables (or any other FW)
 layer on top of it, better safe than sorry.


The trouble with whitelisting, or using iptables to block 5060 (in fact 
* is behind a router - 5060 is port forwarded) is that traveling 
employees wouldn't be able to register with inbound extensions. We set 
up our travelers so they can connect from wherever, and be treated as if 
they were at a local extension. That is, the employee can dial 151, or 
be dialed at his extension. He can not however dial third parties, or at 
least isn't supposed to.

sean




[asterisk-users] How to stop intruder from registering sip?

2010-06-11 Thread sean darcy
This is a small 12 line system, internal extensions 150 - 180. I didn't 
have a phone on 151. Here's the sip.conf stanza:

;;[151]
;;type=friend
;;context=longdistance
;;callerid=Conf Room 151
;;secret=
;;host=dynamic
;;qualify=yes
;;dtmfmode=rfc2833
;;allow=all
;;defaultuser=151
;;nat=yes
;;canreinvite=no

There's no DISA. And then somehow (how???) ip address 79.117.17.247 
becomes extension 151 and starts making calls to West Africa.

Now contactdeny and contactpermit over solve the problem. For instance, 
I can't register with my voip provider. I don't care about peers who I 
make calls to, or receive calls from. I'm just stunned someone can 
become a peer and make calls themselves.

How do I fix this in some reasonable way.

sean

[Jun 10 15:51:19] VERBOSE[1662] chan_sip.c: -- Registered SIP '151' 
at 79.117.17.247 port 5060
[Jun 10 15:51:20] NOTICE[1662] chan_sip.c: Peer '151' is now Reachable. 
(161ms / 2000ms)
[Jun 10 15:51:20] NOTICE[1662] chan_sip.c: Received SIP subscribe for 
peer without mailbox: 151
[Jun 10 15:51:21] VERBOSE[1662] netsock.c:   == Using SIP RTP TOS bits 184
[Jun 10 15:51:21] VERBOSE[1662] netsock.c:   == Using SIP RTP CoS mark 5
[Jun 10 15:51:21] VERBOSE[1662] netsock.c:   == Using SIP VRTP CoS mark 6
[Jun 10 15:51:21] VERBOSE[1662] netsock.c:   == Using UDPTL TOS bits 184
[Jun 10 15:51:21] VERBOSE[1662] netsock.c:   == Using UDPTL CoS mark 5
[Jun 10 15:51:22] VERBOSE[4780] pbx.c: -- Executing 
[01125240212...@longdistance:1] Answer(SIP/151-00ae, ) in new stack
[Jun 10 15:51:22] VERBOSE[4780] pbx.c: -- Executing 
[01125240212...@longdistance:2] Gosub(SIP/151-00ae, 
DialOut,s,1(01125240212154
,DAHDI/g0)) in new stack
.
[Jun 10 15:51:22] VERBOSE[4780] pbx.c: -- Executing [...@dialout:9] 
Dial(SIP/151-00ae, DAHDI/g0/01125240212154) in new stack
[Jun 10 15:51:22] VERBOSE[4780] chan_dahdi.c: -- Requested transfer 
capability: 0x00 - SPEECH
[Jun 10 15:51:22] VERBOSE[4780] app_dial.c: -- Called g0/01125240212154
[Jun 10 15:51:22] VERBOSE[4780] app_dial.c: -- DAHDI/2-1 is 
proceeding passing it to SIP/151-00ae
[Jun 10 15:51:23] VERBOSE[4780] app_dial.c: -- DAHDI/2-1 is making 
progress passing it to SIP/151-00ae
[Jun 10 15:51:23] VERBOSE[4780] app_dial.c: -- DAHDI/2-1 is making 
progress passing it to SIP/151-00ae
[Jun 10 15:51:25] VERBOSE[4780] app_dial.c: -- SIP/151-00ae 
requested special control 16, passing it to DAHDI/2-1
[Jun 10 15:51:25] VERBOSE[4780] channel.c: -- Music class default 
requested but no musiconhold loaded.
[Jun 10 15:51:25] VERBOSE[4780] app_dial.c: -- SIP/151-00ae 
requested special control 20, passing it to DAHDI/2-1






Re: [asterisk-users] How to stop intruder from registering sip?

2010-06-11 Thread Fred Posner
On Jun 11, 2010, at 5:55 PM, sean darcy wrote:

 This is a small 12 line system, internal extensions 150 - 180. I didn't 
 have a phone on 151. Here's the sip.conf stanza:
 --snip--
 There's no DISA. And then somehow (how???) ip address 79.117.17.247 
 becomes extension 151 and starts making calls to West Africa.
 
 Now contactdeny and contactpermit over solve the problem. For instance, 
 I can't register with my voip provider. I don't care about peers who I 
 make calls to, or receive calls from. I'm just stunned someone can 
 become a peer and make calls themselves.
 
 How do I fix this in some reasonable way.
 
 sean

What is the default context in sip.conf? Does it allow outbound calls?

Do you have autocreatepeer=no?

Fred Posner
http://qxork.com



Re: [asterisk-users] How to stop intruder from registering sip?

2010-06-11 Thread sean darcy
Fred Posner wrote:
 On Jun 11, 2010, at 5:55 PM, sean darcy wrote:
 
 This is a small 12 line system, internal extensions 150 - 180. I didn't 
 have a phone on 151. Here's the sip.conf stanza:
 --snip--
 There's no DISA. And then somehow (how???) ip address 79.117.17.247 
 becomes extension 151 and starts making calls to West Africa.

 Now contactdeny and contactpermit over solve the problem. For instance, 
 I can't register with my voip provider. I don't care about peers who I 
 make calls to, or receive calls from. I'm just stunned someone can 
 become a peer and make calls themselves.

 How do I fix this in some reasonable way.

 sean
 
 What is the default context in sip.conf? Does it allow outbound calls?
 

;###
;DEFAULT CONTEXT
;###

[default]
exten=_1XX,1,Macro(stdexten,${EXTEN},SIP/${EXTEN})
exten=777,1,Answer()
exten=777,2,Musiconhold(default)
exten=80,1,MeetMe(80)
exten=_140,1,Dial(${OPERATOR})

exten = i,1,Playback(pbx-invalid)
exten = i,n,Goto(did-main,s,1)

include=record
include=parkedcalls
include=conferences
include=voicemail
include=admin
include=intercom-group
include=blf
include=blf-group

No outgoing contexts.

 Do you have autocreatepeer=no?
 

No. I've never heard of autocreatepeer, but as I read about it, it 
defaults to NO.

 Fred Posner
 http://qxork.com
 

How does anyone do this?

sean




Re: [asterisk-users] How to stop intruder from registering sip?

2010-06-11 Thread Steve Edwards
On Fri, 11 Jun 2010, Fred Posner wrote:

 On Jun 11, 2010, at 5:55 PM, sean darcy wrote:

 This is a small 12 line system, internal extensions 150 - 180. I didn't 
 have a phone on 151. Here's the sip.conf stanza: --snip-- There's no 
 DISA. And then somehow (how???) ip address 79.117.17.247 becomes 
 extension 151 and starts making calls to West Africa.

 Now contactdeny and contactpermit over solve the problem. For instance, 
 I can't register with my voip provider. I don't care about peers who I 
 make calls to, or receive calls from. I'm just stunned someone can 
 become a peer and make calls themselves.

 How do I fix this in some reasonable way.

 sean

 What is the default context in sip.conf? Does it allow outbound calls?

 Do you have autocreatepeer=no?

You should make all your externally facing services as secure as possible. 
http://nerdvittles.com/?p=684 may give you some Asterisk specific tips.

Then, add another layer of security -- sift through all of the class A 
address assignments at arin.net* and block all that make sense for you at 
your border router. For me, I blocked all of the class As assigned to 
afrinic, apnic, jnic, lacnic, and ripe.

Hacking attempts (SMTP, SSH, and SIP) just about evaporated. On a small 
email/ssh/sip server I drop about 1,500,000 packets a week.

*) Or download my list at http://www.sedwards.com/class-a-block-list
  -- assuming you're not already on the list :)

-- 
Thanks in advance,
-
Steve Edwards   sedwa...@sedwards.com  Voice: +1-760-468-3867 PST
Newline  Fax: +1-760-731-3000



Re: [asterisk-users] How to stop intruder from registering sip?

2010-06-11 Thread Fred Posner
On Jun 11, 2010, at 8:03 PM, sean darcy wrote:

 Fred Posner wrote:
 On Jun 11, 2010, at 5:55 PM, sean darcy wrote:
 
 snipped...
 What is the default context in sip.conf? Does it allow outbound calls?
 
 
 ;###
 ;DEFAULT CONTEXT
 ;###
 
 [default]
 exten=_1XX,1,Macro(stdexten,${EXTEN},SIP/${EXTEN})
 exten=777,1,Answer()
 exten=777,2,Musiconhold(default)
 exten=80,1,MeetMe(80)
 exten=_140,1,Dial(${OPERATOR})
 
 exten = i,1,Playback(pbx-invalid)
 exten = i,n,Goto(did-main,s,1)
 
 include=record
 include=parkedcalls
 include=conferences
 include=voicemail
 include=admin
 include=intercom-group
 include=blf
 include=blf-group
 
 No outgoing contexts.

That sure doesn't look like sip.conf.

 
 Do you have autocreatepeer=no?
 
 
 No. I've never heard of autocreatepeer, but as I read about it, it 
 defaults to NO.
 
 Fred Posner
 http://qxork.com
 
 
 How does anyone do this?
 
 sean
 

sip.conf... it's different than extensions.conf.

Also, what version of asterisk are you running (out of curiosity)...



Re: [asterisk-users] How to stop intruder from registering sip?

2010-06-11 Thread Martin
When will you people learn ... you set the secret=
and it's one of the many frequent passwords most people set out of
being lazy ...

that simply says ... guess my password and call through my pbx for free ...

so again ...

1) bad people scan extensions 100-199 and 1000- trying to guess
your password
if you were nice enough to set it within a known statistical easy guess

2) either use complicated passwords and sip accounts other than
100-199 1000- or install the fail2ban

Martin




Re: [asterisk-users] How to stop intruder from registering sip?

2010-06-11 Thread Martin
if you know IP then ban with iptables

iptables -A INPUT -s IP -j REJECT

Martin

On Fri, Jun 11, 2010 at 8:41 PM, Martin asteriskl...@callthem.info wrote:
 When will you people learn ... you set the secret=
 and it's one of the many frequent passwords most people set out of
 being lazy ...

 that simply says ... guess my password and call through my pbx for free ...

 so again ...

 1) bad people scan extensions 100-199 and 1000- trying to guess
 your password
 if you were nice enough to set it within a known statistical easy guess

 2) either use complicated passwords and sip accounts other than
 100-199 1000- or install the fail2ban

 Martin

 On Fri, Jun 11, 2010 at 4:55 PM, sean darcy seandar...@gmail.com wrote:
 This is a small 12 line system, internal extensions 150 - 180. I didn't
 have a phone on 151. Here's the sip.conf stanza:

 ;;[151]
 ;;type=friend
 ;;context=longdistance
 ;;callerid=Conf Room 151
 ;;secret=
 ;;host=dynamic
 ;;qualify=yes
 ;;dtmfmode=rfc2833
 ;;allow=all
 ;;defaultuser=151
 ;;nat=yes
 ;;canreinvite=no

 There's no DISA. And then somehow (how???) ip address 79.117.17.247
 becomes extension 151 and starts making calls to West Africa.

 Now contactdeny and contactpermit over solve the problem. For instance,
 I can't register with my voip provider. I don't care about peers who I
 make calls to, or receive calls from. I'm just stunned someone can
 become a peer and make calls themselves.

 How do I fix this in some reasonable way?

 sean

 [Jun 10 15:51:19] VERBOSE[1662] chan_sip.c:     -- Registered SIP '151'
 at 79.117.17.247 port 5060
 [Jun 10 15:51:20] NOTICE[1662] chan_sip.c: Peer '151' is now Reachable.
 (161ms / 2000ms)
 [Jun 10 15:51:20] NOTICE[1662] chan_sip.c: Received SIP subscribe for
 peer without mailbox: 151
 [Jun 10 15:51:21] VERBOSE[1662] netsock.c:   == Using SIP RTP TOS bits 184
 [Jun 10 15:51:21] VERBOSE[1662] netsock.c:   == Using SIP RTP CoS mark 5
 [Jun 10 15:51:21] VERBOSE[1662] netsock.c:   == Using SIP VRTP CoS mark 6
 [Jun 10 15:51:21] VERBOSE[1662] netsock.c:   == Using UDPTL TOS bits 184
 [Jun 10 15:51:21] VERBOSE[1662] netsock.c:   == Using UDPTL CoS mark 5
 [Jun 10 15:51:22] VERBOSE[4780] pbx.c:     -- Executing
 [01125240212...@longdistance:1] Answer(SIP/151-00ae, ) in new stack
 [Jun 10 15:51:22] VERBOSE[4780] pbx.c:     -- Executing
 [01125240212...@longdistance:2] Gosub(SIP/151-00ae,
 DialOut,s,1(01125240212154
 ,DAHDI/g0)) in new stack
 .
 [Jun 10 15:51:22] VERBOSE[4780] pbx.c:     -- Executing [...@dialout:9]
 Dial(SIP/151-00ae, DAHDI/g0/01125240212154) in new stack
 [Jun 10 15:51:22] VERBOSE[4780] chan_dahdi.c:     -- Requested transfer
 capability: 0x00 - SPEECH
 [Jun 10 15:51:22] VERBOSE[4780] app_dial.c:     -- Called g0/01125240212154
 [Jun 10 15:51:22] VERBOSE[4780] app_dial.c:     -- DAHDI/2-1 is
 proceeding passing it to SIP/151-00ae
 [Jun 10 15:51:23] VERBOSE[4780] app_dial.c:     -- DAHDI/2-1 is making
 progress passing it to SIP/151-00ae
 [Jun 10 15:51:23] VERBOSE[4780] app_dial.c:     -- DAHDI/2-1 is making
 progress passing it to SIP/151-00ae
 [Jun 10 15:51:25] VERBOSE[4780] app_dial.c:     -- SIP/151-00ae
 requested special control 16, passing it to DAHDI/2-1
 [Jun 10 15:51:25] VERBOSE[4780] channel.c:     -- Music class default
 requested but no musiconhold loaded.
 [Jun 10 15:51:25] VERBOSE[4780] app_dial.c:     -- SIP/151-00ae
 requested special control 20, passing it to DAHDI/2-1
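The mistakes this thread turns on (sean's stanza with an empty secret, a three-digit peer name in the range Martin says gets scanned, and host=dynamic with no permit/deny, so anyone who guesses the secret can register) can be checked mechanically before an intruder finds them. The script below is an added example, not code from the thread or from Asterisk; the sample sip.conf is constructed from the quoted stanza, and the 12-character minimum and the 3-to-4-digit name pattern are assumptions based on Martin's 100-199/1000- remark, not Asterisk defaults.

```python
# Constructed sample sip.conf, modelled on the stanza quoted in the thread
# (the ';;' comment markers are removed so the parser actually sees peer 151).
SAMPLE_SIP_CONF = """\
[151]
type=friend
secret=
host=dynamic
[1001]
type=friend
secret=1001        ; secret equal to the peer name
host=dynamic
[d7Qp-conf-room]
type=friend
secret=kW9v2zXq4LmR8tN1
host=dynamic
permit=192.168.1.0/255.255.255.0
"""

def parse_sip_conf(text):
    """Return {section: {key: value}} for an ini-style sip.conf (';' starts a comment)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(';', 1)[0].strip()
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            sections[current] = {}
        elif '=' in line and current is not None:
            key, value = line.split('=', 1)
            sections[current][key.strip()] = value.strip()
    return sections

def audit_peers(sections, min_secret_len=12):
    """Flag peers showing the thread's failure mode; thresholds here are assumptions."""
    findings = {}
    for name, opts in sections.items():
        if opts.get('type') not in ('friend', 'peer', 'user'):
            continue  # [general] and other non-peer sections carry no credentials
        problems = []
        secret = opts.get('secret', '')
        if not secret:
            problems.append('empty secret')
        elif secret == name or len(secret) < min_secret_len:
            problems.append('weak secret')
        if name.isdigit() and 3 <= len(name) <= 4:
            problems.append('extension-style name in a commonly scanned range')
        if opts.get('host') == 'dynamic' and not ('permit' in opts or 'deny' in opts):
            problems.append('host=dynamic without permit/deny')
        if problems:
            findings[name] = problems
    return findings
```

Run it against the real /etc/asterisk/sip.conf and every peer it reports is one that a scanner working through 100-199 would reach before you do.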


Re: [asterisk-users] How to stop intruder from registering sip?

2010-06-11 Thread Steve Edwards
On Fri, 11 Jun 2010, Martin wrote:

 if you know IP then ban with iptables

 iptables -A INPUT -s IP -j REJECT

Ever play http://en.wikipedia.org/wiki/Whac-A-Mole ?

-- 
Thanks in advance,
-
Steve Edwards   sedwa...@sedwards.com  Voice: +1-760-468-3867 PST
Newline  Fax: +1-760-731-3000



Re: [asterisk-users] How to stop intruder from registering sip?

2010-06-11 Thread Martin
lol when then if he knows the IP of his provider plus a few phones he
can just allow these ... and problem solved forever

Martin

On Fri, Jun 11, 2010 at 9:02 PM, Steve Edwards
asterisk@sedwards.com wrote:
 On Fri, 11 Jun 2010, Martin wrote:

 if you know IP then ban with iptables

 iptables -A INPUT -s IP -j REJECT

 Ever play http://en.wikipedia.org/wiki/Whac-A-Mole ?

 --
 Thanks in advance,
 -
 Steve Edwards       sedwa...@sedwards.com      Voice: +1-760-468-3867 PST
 Newline                                              Fax: +1-760-731-3000
