Am I being hacked?

I am sorry I misunderstood; previously you said you didn’t know about 5060, now you do :slight_smile:

Many of us have systems that can chew gum and walk at the same time. Are you aware that fail2ban has
“sh*t-loads” of jails waiting to be enabled?

Some of us have larger networks that have VOIP users actually travel outside the US, and some have been doing it for longer than +15, seriously :wink:, and they also expect all the other services we provide to still work, even in China. Security means protecting as necessary, not block banning huge parts of the world.

If you are happy with your security, then good; do you mind if other people have other opinions?

What part of my saying that, while you can follow standard/common practices, you have to make tweaks and adjustments to fit your network deployment screams “DO IT THIS WAY”? I related how my current network works. I also related how I had end users in India, Iran and other places in the world in the past that needed special consideration because not only couldn’t they use standard SIP ports, they had to use common ports for things like HTTP, etc., for their SIP to work.

So yes, I’ve had to deal with customers from all over the world at some point, and when that has been the case the network security took all that into consideration. Not every network and deployment has the same needs and requirements, but they do generally have some crossover that makes using common practices common sense.


This thread is surely about VOIP and securing it easily. I don’t think anybody cares about how clever you are (or me in truth). Let’s just concentrate on the problem presented and the viable solutions available here. If you have any more useful input, please post it.

To start, it’s useful to know a little about the enemy. Attacks may be random, or targeting your system specifically.

Random attacks use automated tools to probe every IPv4 address. When something promising is found, a smarter robot and/or human skill is applied in an attempt to complete penetration. The motive is usually one of:

  1. Steal phone service, e.g. for resale in internet cafes or taxiphone shops.
  2. Make calls to premium numbers controlled by the attacker.
  3. For telemarketing spam or scam calls.
  4. To mask communications used in planning or executing an unrelated crime.

Targeted attackers generally have no interest in toll fraud. Examples include:

  1. A competitor tries to obtain your customer list, designs, business plans or other IP.
  2. A disgruntled current or former employee seeks to sabotage your business.
  3. Your wife searches for your communications with your mistress.

The security playing field is overwhelmingly tilted in favor of the attacker. Your defense must succeed every time, but he has to succeed only once. An attacker with sufficient expertise and/or funds will surely breach your system. If you need to defend against a targeted attack, get professional assistance. Nothing that we discuss here will be adequate. The remainder of this post is about random attacks.

It is infeasible, even with a large botnet, to probe every port in IPv4 space. So, using an obscure SIP port can certainly help; in my experience it will reduce unwanted traffic by at least 95%. But, be careful: if your PBX previously responded to an attacker on port 5060, changing the port (with the same IP) won’t help; he’ll scan every port on your machine. Likewise, if your IAX port (or heaven forbid, your web admin port) is open, he knows you have a PBX and will probe all ports for SIP.

Filtering by domain name is very powerful. My preference is to do this in iptables rather than Asterisk. An attacker sending REGISTER, INVITE or OPTIONS without the ‘secret’ domain name gets no response at all; after a few attempts he moves on to the next sucker. Also, it’s more flexible because you can whitelist addresses of trunking providers who will use your numeric IP address. Choose an obscure name and be sure that a reverse lookup yields something different. See for example

Once past the above defenses, the bad guys send two kinds of traffic: attempts to register an extension, and calls to numbers that might route externally. For the former, be sure that every extension has a password strong enough to resist offline cracking; there are several ways that he might have the hashed password. For the latter, be sure that anonymous and guest calls are disallowed and (in case he gets past that) the from-trunk and similar contexts have no path to an arbitrary external number. (You should also check for DISA, voicemail and attended transfer vulnerabilities, though an attacker would not need SIP access to exploit them.)

Fail2ban rarely prevents an actual breach – if the password is known, the bad guy gets in, if not (and it’s strong) a billion attempts won’t help him. However, it’s useful for alerting you to problems earlier in the chain, for reducing unwanted load on the system, and for removing log clutter that could prevent you from spotting other trouble.

In case all of the above fail, having some restrictions in the system is useful, e.g. blocking countries that you don’t normally call, or protecting those routes with a password.

Also, take advantage of the fraud controls offered by your trunking providers. To protect their own network, there are typically limits on number of concurrent calls, calls per second and maximum monthly spend. If higher than you need, ask them to reduce the limits for your account. If you auto-recharge, there may be an option to limit the frequency. You may also have the option to block calls exceeding a specified per-minute rate, or calls to specific regions or countries. And, if they have a ‘minimum balance for outgoing calls’, set that high enough so that if all hell breaks loose and your account is drained, your incoming calls will still work while you resolve the issue.
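The ‘secret domain name’ gate described in the post above, written out as decision logic (an added example, not code from the post or from FreePBX/Asterisk): REGISTER, INVITE and OPTIONS whose Request-URI host is not the obscure domain are silently dropped, while whitelisted trunk-provider addresses may still reach the PBX by numeric IP. The domain, the whitelist network and the SIP messages are constructed placeholders; in production the same policy would live in iptables (e.g. a `-m string` match), not in Python.

```python
"""Model of the 'secret domain' SIP gate: drop gated requests that do not name our domain."""
import ipaddress
import re
from typing import Optional, Tuple

# Hypothetical values: the obscure domain you chose and your trunk providers' address range.
SECRET_DOMAIN = "pbx-x7q2.example.net"
TRUNK_WHITELIST = [ipaddress.ip_network("203.0.113.0/24")]
# Only these methods are gated; ACK/BYE etc. inside an established dialog are left alone.
GATED_METHODS = {"REGISTER", "INVITE", "OPTIONS"}

# Request-Line: METHOD sip[s]:[user@]host[:port][;params] SIP/2.0
REQUEST_LINE = re.compile(r"^([A-Z]+)\s+sips?:(?:[^@\s]+@)?([^;>\s]+)\s+SIP/2\.0$")


def request_host(message: str) -> Optional[Tuple[str, str]]:
    """Return (method, host) from a SIP request's Request-URI, or None for non-requests."""
    first_line = message.split("\r\n", 1)[0]
    match = REQUEST_LINE.match(first_line)
    if not match:
        return None
    method, hostport = match.groups()
    host = hostport.partition(":")[0]          # strip an explicit port (IPv4/hostname form)
    return method, host.lower()


def gate(src_ip: str, message: str) -> str:
    """Return 'ACCEPT' or 'DROP'; DROP means no reply at all, as with an iptables DROP."""
    if any(ipaddress.ip_address(src_ip) in net for net in TRUNK_WHITELIST):
        return "ACCEPT"                        # trunk provider addressing us by numeric IP
    parsed = request_host(message)
    if parsed is None:
        return "ACCEPT"                        # responses and other traffic are not gated here
    method, host = parsed
    if method not in GATED_METHODS:
        return "ACCEPT"
    return "ACCEPT" if host == SECRET_DOMAIN else "DROP"


# Constructed sample traffic (RFC 5737 documentation addresses).
SCANNER = "OPTIONS sip:192.0.2.10 SIP/2.0\r\nVia: SIP/2.0/UDP 198.51.100.7:5060\r\n\r\n"
PHONE = "REGISTER sip:pbx-x7q2.example.net SIP/2.0\r\nTo: <sip:1001@pbx-x7q2.example.net>\r\n\r\n"
TRUNK = "INVITE sip:+15551234567@192.0.2.10 SIP/2.0\r\nVia: SIP/2.0/UDP 203.0.113.5:5060\r\n\r\n"

if __name__ == "__main__":
    for src, msg in (("198.51.100.7", SCANNER), ("198.51.100.7", PHONE), ("203.0.113.5", TRUNK)):
        print(src, msg.split(" ", 1)[0], "->", gate(src, msg))
```

The scanner probing the numeric IP gets DROP, the phone naming the secret domain gets ACCEPT, and the whitelisted trunk provider is accepted even though it uses the bare IP.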
