Asterisk Security

Howdy Folks,

I ran across an article on Asterisk security, and would like to implement most, if not all of the suggestions. I realize that some of the points are already defined.

Here’s the link: http://blogs.digium.com/2009/03/28/sip-security/

I am particularly interested in points 5 & 6. Please let me know if those are possible to configure via FreePBX.

Also wondering if anyone has any input on Fail2ban.

Thanks!!

[edited by p_lindheimer]

Points 5 & 6 being referenced above:

  5. Allow only one or two calls at a time per SIP entity, where possible. At the worst, limiting your exposure to toll fraud is a wise thing to do. This also limits your exposure when legitimate password holders on your system lose control of their passphrase – writing it on the bottom of the SIP phone, for instance, which I’ve seen.

  6. Make your SIP usernames different than your extensions. While it is convenient to have extension “1234” map to SIP entry “1234” which is also SIP user “1234”, this is an easy target for attackers to guess SIP authentication names. Use the MAC address of the device, or some sort of combination of a common phrase + extension MD5 hash (example: from a shell prompt, try “md5 -s ThePassword5000”)

Things like fail2ban and firewalls are the ‘right’ way to combat attacks, not to say that smart configurations and passwords aren’t necessary.

As far as getting devices non-numeric goes, that is probably not going to happen any time soon.

Fundamentally there is no reason why it may not work in FreePBX, and it is possible that if the restrictions were taken off, it would in fact work.

However, the devices and the assumption that they are numeric are so deeply ingrained at so many levels inside of FreePBX that it would take some extremely significant testing and validation to determine if things are broken, and there are a LOT of subtle things that could be affected.

As mentioned, you can put very long numbers as device numbers if you want, which will go a long way towards making it harder to guess, but the real solution is proper front line protection against hack attempts, as you discovered.

Regarding the request for setting concurrency limits on outbound calls:

see #4752

besttest,

I took the liberty of assigning you as the reporter for the feature request since I effectively took it from here. It will require 2.9, which is currently work in progress, to get the feature, but it will allow for per-extension limit setting.

Cool! Thanks for that!

What are the chances of getting the device auth name to include special characters, alphabet, and numerics?

Thanks again Philippe!

By the way, we installed fail2ban on a test server.

It’s freaking awesome!!! In less than a minute we already had our first victim…bwa-ha-ha-ha-ha-ha-haaaaaaaaa!!!

Damn those stupid hackers!
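What fail2ban is doing on that test server, written out as an added example (this is not code from the thread, from FreePBX or from fail2ban itself): a failregex pulls the offending host out of the chan_sip "Registration from ... failed for '<host>'" NOTICE lines, and a host is banned once it produces maxretry failures inside a findtime window. The important detail is which address you capture: the one after "failed for" is the socket peer, while the address inside the SIP URI is whatever the scanner chose to put there. The log lines at the bottom are constructed for this example (RFC 5737 documentation addresses), as are the year, maxretry and findtime values.

```python
"""Fail2ban-style detection of SIP registration brute force against Asterisk.

Added example: a minimal re-implementation of a fail2ban asterisk jail so
the matching and the counting can be read in one place. The sample log is
constructed; the failure messages mirror those chan_sip logs at NOTICE.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Patterns modelled on the classic fail2ban asterisk filter. The captured
# host is the one after "failed for" (the real peer), never the one inside
# the SIP URI, which the attacker controls.
FAILREGEX = re.compile(
    r"Registration from '.*?' failed for '(?P<host>[\d.]+)' - "
    r"(Wrong password|No matching peer found|Username/auth name mismatch"
    r"|Peer is not supposed to register|Device does not match ACL)"
)
TIMESTAMP = re.compile(r"^\[(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})\]")


def parse_failure(line, year=2009):
    """Return (timestamp, host) if the line is a failed registration, else None.

    Asterisk's full log has no year in the stamp, so one is assumed (2009 here).
    """
    m = TIMESTAMP.match(line)
    if not m:
        return None
    stamp = " ".join(m.group("ts").split())  # collapse the padded day field
    ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    f = FAILREGEX.search(line)
    if not f:
        return None
    return ts, f.group("host")


def hosts_to_ban(lines, maxretry=5, findtime=600):
    """Hosts that reach maxretry failures inside any findtime-second window.

    Returns {host: timestamp_of_the_failure_that_triggered_the_ban}.
    """
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)
    banned = {}
    for line in lines:
        hit = parse_failure(line)
        if hit is None:
            continue
        ts, host = hit
        q = recent[host]
        q.append(ts)
        while q and ts - q[0] > window:  # drop failures older than findtime
            q.popleft()
        if len(q) >= maxretry and host not in banned:
            banned[host] = ts
    return banned


# Constructed sample log. 192.0.2.9 fails slowly (every 30 minutes), a user
# at 198.51.100.7 fat-fingers a password twice, 203.0.113.45 is a scanner.
SAMPLE_LOG = """\
[Mar 29 08:00:00] NOTICE[2345] chan_sip.c: Registration from '"300" <sip:300@10.0.0.5>' failed for '192.0.2.9' - Wrong password
[Mar 29 08:30:00] NOTICE[2345] chan_sip.c: Registration from '"300" <sip:300@10.0.0.5>' failed for '192.0.2.9' - Wrong password
[Mar 29 09:00:00] NOTICE[2345] chan_sip.c: Registration from '"300" <sip:300@10.0.0.5>' failed for '192.0.2.9' - Wrong password
[Mar 29 09:30:00] NOTICE[2345] chan_sip.c: Registration from '"300" <sip:300@10.0.0.5>' failed for '192.0.2.9' - Wrong password
[Mar 29 10:00:00] NOTICE[2345] chan_sip.c: Registration from '"300" <sip:300@10.0.0.5>' failed for '192.0.2.9' - Wrong password
[Mar 29 10:15:01] NOTICE[2345] chan_sip.c: Registration from '"100" <sip:100@203.0.113.45>' failed for '203.0.113.45' - Wrong password
[Mar 29 10:15:01] NOTICE[2345] chan_sip.c: Registration from '"101" <sip:101@203.0.113.45>' failed for '203.0.113.45' - No matching peer found
[Mar 29 10:15:02] NOTICE[2345] chan_sip.c: Registration from '"102" <sip:102@203.0.113.45>' failed for '203.0.113.45' - Wrong password
[Mar 29 10:15:02] NOTICE[2345] chan_sip.c: Registration from '"201" <sip:201@198.51.100.7>' failed for '198.51.100.7' - Wrong password
[Mar 29 10:15:03] NOTICE[2345] chan_sip.c: Registration from '"103" <sip:103@203.0.113.45>' failed for '203.0.113.45' - Username/auth name mismatch
[Mar 29 10:15:03] VERBOSE[2345] logger.c:     -- Registered SIP '202' at 198.51.100.8 port 5060
[Mar 29 10:15:04] NOTICE[2345] chan_sip.c: Registration from '"104" <sip:104@203.0.113.45>' failed for '203.0.113.45' - Wrong password
[Mar 29 10:15:05] NOTICE[2345] chan_sip.c: Registration from '"105" <sip:105@203.0.113.45>' failed for '203.0.113.45' - Wrong password
[Mar 29 10:15:06] NOTICE[2345] chan_sip.c: Registration from '"201" <sip:201@198.51.100.7>' failed for '198.51.100.7' - Wrong password
"""

if __name__ == "__main__":
    for host, when in hosts_to_ban(SAMPLE_LOG.splitlines()).items():
        print(f"ban {host} (triggered at {when})")
```

With the defaults only the scanner is banned, on its fifth failure at 10:15:04; the slow host never has five failures inside ten minutes and the legitimate user only has two. Lowering maxretry to 2 would catch that user as well, which is the trade-off the findtime/maxretry pair exists for. Real fail2ban also needs the NOTICE level written to the log file it watches (Asterisk's logger.conf) and the ban itself is an iptables rule, neither of which this example touches.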

Unfortunately it’s still numeric only for the device, but you can use a long number if you want.

I guess you answered my questions with:
amportal.conf:
AMPEXTENSIONS=deviceanduser

Ok, so how do you actually implement it once you’ve made the setting?

Thank you for your input.

Here’s another link that describes what i want to accomplish (and why):

http://www.infiltrated.net/asterisk-ips.html

I’ve made the setting change Philippe mentioned above, reloaded freepbx (amportal restart) and httpd.

I’m not seeing any changes in the FreePBX extensions module. Should there be a spot to put the username now?

Ok, never mind. I swear that I refreshed, restarted services, hopped on one leg, and did Bloody Mary in the bathroom, and the extensions module kept staring me in the face.

Now, after my last post, I looked again, and now see that the extensions module is gone, and replaced with “user” and “device”. I guess my question is answered.

Does anyone have any advice on how to use these new functions?

Is “User” the new extension and “Device” the new auth name?

Is there any possibility of using any alphabet or special characters in the “device id”?

What ever happened to just picking a secure password?

and

amportal.conf:

AMPEXTENSIONS=deviceanduser

The problem is the growing prevalence of a-holes scanning your servers using widely available SIP scanners, which query for extension numbers. Once they know your extensions, they’ve won half the battle. Now a brute force attack ultimately nets them an authorized extension.

Yes, secure passwords are certainly a deterrent, but if you could prevent them from knowing your extensions, you effectively wholly (unless I’m missing something) prevent the problem.

This is why disjoining the auth name from the extension is such an interesting topic. So what if they figure out what extensions you have, if they’ll never be able to guess the real auth name.

I’ve personally experienced the gut wrenching stress thanks to some freaking d-bag with such software. They turned my box into an adult chat line, and cost me quite a bit in international dialing.

According to the link I posted above, this issue is wide reaching, and growing daily.

Philippe, you mentioned above “You can do (6) by switching to device and user mode and choosing different values, the devices still must be numbers though but don’t need to be related to the devices”. This is essentially the solution, but could you please tell us how it is accomplished? Is there a way to include any other characters besides numbers? That would severely hamper hacking efforts by those with wayyyyy too much spare time.

Thanks!

With regard to Philippe’s comment, I see occasional mentions of this “device and user mode” but I think it must be a fairly obscure thing because I’ve yet to come across a setting in FreePBX that allows switching the mode, nor any real explanation of the potential benefits/downsides of making such a switch. But then again, I haven’t really looked for one.

But anyway, I did have a thought on how some additional security could possibly be added without major changes. Simply add two new fields in the general settings, called user prepend and user append. These would be string values that would be automatically placed at the start and/or end of EVERY extension number for registration purposes. For example, if you put “dog” in the prepend field and “cat” in the append field, then all of your extension user names would take the format dogxxxcat, where xxx is the extension number. You could use either field, or both, or neither (the default, which would be the same as current behavior).

The idea is that some unknown hacker on the other side of the globe that’s simply trying common extension numbers would now also have to know the unique prepend/append strings for your system. Although these values would (hopefully) be unique for each installation, they’d be the same for EVERY extension on any given installation, therefore it should be easier to write code to deal with adding or stripping them, as the need arises. That would provide a little extra security, without having to deal with usernames that are in no way related to the extension numbers. The only caveat is that if you changed these values after initial setup you’d also need to change the user names on your existing endpoints. Just a suggestion.
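The three naming schemes discussed in this thread side by side, as an added example (not FreePBX code and not the Digium post's script): point 6 from the Digium post (md5 of a phrase + extension, what “md5 -s ThePassword5000” gives on a Mac or `echo -n ThePassword5000 | md5sum` on Linux), the numeric-only fold of that hash that FreePBX's device ID field forces on you in deviceanduser mode, and the prepend/append idea above. The phrase, extensions, digit count and the `sip_peer_entry` helper are assumptions made for the example; the helper writes a plain chan_sip peer for a hand-edited sip.conf, not what FreePBX generates.

```python
"""Deriving SIP auth names that are not the extension number.

Added example. Implements the naming schemes discussed in the thread:
  - md5(phrase + extension) from the Digium post,
  - the same hash folded into digits only (FreePBX device IDs are numeric),
  - a per-installation prepend/append around the extension.
Also shows the one chan_sip knob that approximates point 5 (call-limit).
All inputs below are made up for the example.
"""
import hashlib
import math


def md5_auth_name(phrase, extension):
    """Point 6 as written in the Digium post: md5 of "<phrase><ext>".

    MD5 is fine here: the output is an identifier, not a secret. What a
    scanner has to guess is the phrase, so treat the phrase like a password.
    """
    return hashlib.md5(f"{phrase}{extension}".encode()).hexdigest()


def numeric_device_id(phrase, extension, digits=12):
    """FreePBX device IDs must be digits, so fold the hash into a fixed-width
    decimal string. 12 digits is roughly 40 bits of search space a blind
    scanner must cover before it can even start on the password."""
    h = int(md5_auth_name(phrase, extension), 16)
    return str(h % 10**digits).zfill(digits)


def affixed_user_name(extension, prepend="", append=""):
    """The prepend/append suggestion: 'dog' + '1234' + 'cat' -> dog1234cat.
    Note that one leaked name reveals the affixes for every extension."""
    return f"{prepend}{extension}{append}"


def guess_space_bits(name):
    """Size, in bits, of the space a scanner has to sweep to hit this name
    (10^len for all-digit names, 36^len for lowercase letters and digits)."""
    alphabet = 10 if name.isdigit() else 36
    return len(name) * math.log2(alphabet)


def build_plan(phrase, extensions, digits=12):
    """extension -> numeric device ID, refusing a plan where truncation to
    `digits` makes two extensions collide."""
    plan = {ext: numeric_device_id(phrase, ext, digits) for ext in extensions}
    if len(set(plan.values())) != len(plan):
        raise ValueError("device ID collision; raise `digits` or change the phrase")
    return plan


def sip_peer_entry(device_id, secret, extension, call_limit=2):
    """Hand-written chan_sip peer for one device (assumed layout for a plain
    Asterisk sip.conf; FreePBX writes its own sip_additional.conf).
    call-limit caps simultaneous calls through this peer, a blunt stand-in
    for point 5 until a per-extension dialplan limit exists."""
    return (
        f"[{device_id}]\n"
        "type=friend\n"
        "host=dynamic\n"
        f"secret={secret}\n"
        f'callerid="{extension}" <{extension}>\n'
        f"call-limit={call_limit}\n"
        "context=from-internal\n"
    )


if __name__ == "__main__":
    phrase = "ThePassword"  # made-up phrase; keep the real one out of the wiki
    plan = build_plan(phrase, ["5000", "5001", "5002"])
    for ext, dev in plan.items():
        print(f"ext {ext}: md5 name {md5_auth_name(phrase, ext)}, device {dev} "
              f"(~{guess_space_bits(dev):.0f} bits), affixed {affixed_user_name(ext, 'dog', 'cat')}")
    print(sip_peer_entry(plan["5000"], "change-me", "5000"))
```

Whichever scheme you pick, the name only has to be entered in the Device ID (or SIP user) field on the PBX and on the phone; the extension stays the short number users dial. A derived name is convenient for provisioning but means the phrase is now a secret shared across every device; a random 12-digit ID stored per device has the same guess space without that dependency. Either way a hidden name buys time against scanners, not immunity, so the per-device secret still needs to be strong and fail2ban stays in place.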

Sounds promising. Could you elaborate on the process for number 5?

EDIT - Sorry, #6

Thank you.

You can do (6) by switching to device and user mode and choosing different values, the devices still must be numbers though but don’t need to be related to the devices.

(5) is not easily achieved in the dialplan as we do not have a setting that restricts concurrency of ‘off pbx’ calls based on the extension that is dialing them.

The latter is something that could be implemented but requires changes in the dialplan. A properly secured and protected system should not require that though, but you are welcome to add that as a feature request.

I must have something slightly backwards, so I’d appreciate any help.

I have 5 extensions with 5 users and I setup AMPEXTENSIONS=deviceanduser

With this I was under the impression any of the users would be able to login to any of the extensions and receive calls at that device.

example:
extension 1000 logs into extension 2000 phone. 2000 calls go to voice mail and extension 1000 calls are received at this location.

Is this possible when using device and user setup?