Help, we're being attacked

Hello

This week we were attacked again! A year ago a phishing site was installed on our FreePBX system. This time it took one of our phones to make calls. We are in Gatineau, Québec, Canada, and our installing company is in Rivière du Loup, and I don't know if they can handle it.

I know that he disabled the phone that was used to make the calls, and all those calls were to Colorado.

How can I protect myself from these attacks, and can I do this myself?

Thank you

Merci

Dominique

Well, I just did some reading on your site and found that I should close port 5060.

I don't know anything about this.

Why is that port open? (The company who installed the system said that it needs that port to be open.)

We are using X-Lite on some of our laptops and home computers.

I have access to my office network through a VPN router.

My boss has a phone connected to the phone system at his cottage through his Internet connection. (Does he need 5060 to be open?)

Can I do something myself, or does the installer company's tech have to do it?

On the system I have checked my extension setup and saw that all of them have port 5060 written.

Please help me understand whether my system is secure and whether there is a way to block any hijack attempt on my system through my VPN router (Linksys RV042, firmware 1.3.12.6-tm).

Dominique

What ports do you have open other than 5060? 5060 UDP is needed for SIP.

SSH and HTTP are the most vulnerable ports and should never be open.

Your extension “secrets” should look something like this:
qwderv4rvc4uin94u5uvbn4crc42w2dn00in

and the voicemail passwords should look something like this:
983627

You should install and run the weak password module for FreePBX to check all your extensions.

You should only have these UDP ports open on your firewall:
5060
10,000-20,000

If your system is set up like that, more than likely you will never get hacked.

You also need to be sure to keep up with Asterisk security updates. If you are running a 3-year-old version of Asterisk, more than likely it has SIP exploits (making 5060 vulnerable). If you don't have the time to secure all this stuff, your best bet is to not open any ports to it and only use hardware VPN appliances to connect remote phones.
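The reply above says what a good extension secret and voicemail PIN look like and points at the weak password module. As an added example that is not part of the thread and is not the FreePBX module itself, here is a small audit in the same spirit: it reads the `[ext]` / `secret=` blocks FreePBX writes to sip_additional.conf and the `mailbox => pin,...` lines of voicemail.conf, and flags the patterns the reply warns about (short, digits-only, equal to the extension, dictionary words). Both input files are constructed samples in that shape; the 8-character floor and the 6-digit PIN length are taken from the thread, not from the module.

```python
# Added example (not from the thread, not the FreePBX "weak password" module):
# audit sip_additional.conf-style extension secrets and voicemail.conf-style
# PINs for the weaknesses the thread describes.
import re

# Constructed sample in the shape FreePBX writes to sip_additional.conf
# (only the keys this check needs; real files carry many more).
SIP_CONF = """
[100]
secret=100
context=from-internal

[201]
secret=1234
context=from-internal

[202]
secret=qwderv4rvc4uin94u5uvbn4crc42w2dn00in
context=from-internal

[203]
secret=password
context=from-internal
"""

# Constructed sample in the shape of a voicemail.conf [default] section:
#   mailbox => pin,name,email
VOICEMAIL_CONF = """
[default]
100 => 1234,Front Desk,
201 => 201,Dominique,
202 => 983627,Boss,
203 => 111111,Warehouse,
"""

COMMON = {"password", "secret", "asterisk", "freepbx", "admin", "1234", "12345", "123456"}
MIN_SECRET_LEN = 8   # the thread's floor (assumption; pick your own policy)
MIN_PIN_LEN = 6      # the thread's example PIN length

def parse_sip_secrets(text):
    """Return {extension: secret} from [ext] / secret= blocks."""
    out, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.fullmatch(r"\[(\d+)\]", line)
        if m:
            current = m.group(1)
        elif current and line.startswith("secret="):
            out[current] = line.split("=", 1)[1]
    return out

def parse_voicemail_pins(text):
    """Return {mailbox: pin} from 'mailbox => pin,...' lines."""
    out = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s*=>\s*([^,]*)", line)
        if m:
            out[m.group(1)] = m.group(2).strip()
    return out

def secret_problems(ext, secret):
    """List of reasons a SIP secret is weak; empty list means it passed."""
    problems = []
    if len(secret) < MIN_SECRET_LEN:
        problems.append("shorter than %d" % MIN_SECRET_LEN)
    if secret.isdigit():
        problems.append("digits only")
    if ext in secret:
        problems.append("contains extension number")
    if secret.lower() in COMMON:
        problems.append("common word")
    if not (re.search(r"[A-Za-z]", secret) and re.search(r"\d", secret)):
        problems.append("not mixed letters and digits")
    return problems

def pin_problems(box, pin):
    """List of reasons a voicemail PIN is weak; empty list means it passed."""
    problems = []
    if len(pin) < MIN_PIN_LEN:
        problems.append("shorter than %d digits" % MIN_PIN_LEN)
    if pin == box:
        problems.append("equals mailbox number")
    if len(set(pin)) == 1:
        problems.append("repeated digit")
    if pin in ("1234", "12345", "123456", "0000", "00000", "000000"):
        problems.append("common PIN")
    return problems

def audit(sip_text=SIP_CONF, vm_text=VOICEMAIL_CONF):
    """Return {ext: [problems]} for every weak SIP secret or voicemail PIN."""
    report = {}
    for ext, secret in parse_sip_secrets(sip_text).items():
        for p in secret_problems(ext, secret):
            report.setdefault(ext, []).append("secret: " + p)
    for box, pin in parse_voicemail_pins(vm_text).items():
        for p in pin_problems(box, pin):
            report.setdefault(box, []).append("voicemail: " + p)
    return report

if __name__ == "__main__":
    for ext, probs in sorted(audit().items()):
        print(ext, "->", "; ".join(probs))
```

On the sample data only extension 202, with the long random secret and the 6-digit PIN, comes back clean; 100, 201 and 203 are each flagged for several reasons. Against a real box, feed it the actual files (as the asterisk user, read-only) and treat every flagged extension as one to change, which you can do from the FreePBX extension page without touching Asterisk configuration by hand.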

We were having the same problem with weak passwords. The first thing we did, which stopped this immediately, was set "permit" in the extension settings of each extension to the IP range or specific IP where they were coming from.

E.g., when on a local network set 10.10.10.0/255.255.255.0 where the phones have 10.10.10.X IPs, or set a single public IP address, e.g. 60.61.62.63/255.255.255.255. You can get a list of the IPs that the remote units are using from the Asterisk console with "sip show peers", so that you can easily find the IP of each phone.
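The post above works from "sip show peers" output by hand. As an added example, not from the thread, here is the same procedure as a script: it parses that output (a constructed sample in the shape Asterisk 1.4 prints, with documentation addresses), gives each LAN phone its /24 and each public phone a /32, and emits the deny/permit pair in the ip/netmask form the FreePBX extension page and sip.conf accept. The `deny=0.0.0.0/0.0.0.0` before the `permit=` matters: Asterisk applies deny first, so without it the permit line restricts nothing.

```python
# Added example (not from the thread): turn "sip show peers" output into
# per-extension deny/permit lines in the ip/netmask form FreePBX accepts.
import ipaddress
import re

# Constructed sample in the shape Asterisk 1.4 prints for "sip show peers";
# real output has more columns, and the addresses here are documentation ranges.
SIP_SHOW_PEERS = """\
Name/username              Host            Dyn Nat ACL Port     Status
100/100                    10.10.10.21      D   N      5060     OK (12 ms)
101/101                    10.10.10.22      D   N      5060     OK (9 ms)
201/201                    60.61.62.63      D   N      5060     OK (40 ms)
202/202                    (Unspecified)    D   N      0        UNKNOWN
4 sip peers [Monitored: 3 online, 1 offline Unmonitored: 0 online, 0 offline]
"""

# "name/username  host ..." rows; the footer has no slash and does not match.
PEER_LINE = re.compile(r"^(?P<name>[^/\s]+)/\S*\s+(?P<host>\S+)\s")

def parse_peers(text):
    """Return {peer_name: ip_address} for every peer line with a usable address."""
    peers = {}
    for line in text.splitlines()[1:]:          # skip the header row
        m = PEER_LINE.match(line)
        if not m:
            continue
        host = m.group("host")
        if host == "(Unspecified)":
            continue                            # not registered: nothing to pin to
        try:
            peers[m.group("name")] = ipaddress.ip_address(host)
        except ValueError:
            continue                            # hostname or junk; skip
    return peers

def permit_for(addr, lan_prefix=24):
    """LAN phones get their whole subnet; anything public gets a single /32."""
    if addr.is_private:
        net = ipaddress.ip_network("%s/%d" % (addr, lan_prefix), strict=False)
    else:
        net = ipaddress.ip_network("%s/32" % addr)
    return "%s/%s" % (net.network_address, net.netmask)

def acl_lines(text=SIP_SHOW_PEERS):
    """Return {peer: (deny, permit)} ready to paste into each extension."""
    return {
        name: ("0.0.0.0/0.0.0.0", permit_for(addr))
        for name, addr in parse_peers(text).items()
    }

if __name__ == "__main__":
    for name, (deny, permit) in sorted(acl_lines().items()):
        print("[%s]\n  deny=%s\n  permit=%s" % (name, deny, permit))
```

The /24 assumption for private addresses is the one the post uses (10.10.10.0/255.255.255.0); change `lan_prefix` if your LAN is larger. A peer that shows "(Unspecified)" is not registered at that moment, so run the command while the phone is up. A remote phone on a dynamic address will stop registering when that address changes, which is why the thread's other replies suggest a VPN for remote phones instead of a /32 permit.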

I checked my firewall on my router:

They opened port 5060 UDP and TCP.
They opened ports 10000 to 20000 UDP and TCP as well.
They also opened port 22 TCP.

If I close those TCP ports without notifying the installer company, could it do something to make my system not function?

I have FreePBX 2.3.1.5 and Asterisk, if I am right, is 1.4.18-1.

And by the way, pardon my English, I am French.

I am a bit scared to change anything in the Asterisk part because I am really not sure, but I have no problem changing firewall settings if you assure me that my IP phone system will still be working. For the extension part I really have no problem changing those secret codes and voicemail codes.

I have noticed that the system was patched by the installing company to have their logo behind it.

What are the most recent versions of Asterisk and FreePBX?

Thanks again

  1. Don't try to change EVERYTHING at once. First, drop the TCP from the firewall and reboot and restart everything. Operate for a day or two to ensure everything is okay. Then make the other changes, one by one, verifying as you go. Stage/pace the changes.

  2. As has been mentioned, limit the IP ranges to known subnets only wherever possible.

  3. SSH is NOT needed to do the telephony (telephone calling). It is for remote login for admin purposes. If you no longer have a remote admin (aka the original installing company), then you may want to close this port, or re-map it to something else like port 8022.

  4. My firewall is freeware OpenBSD/pf; it has some very powerful "stateful firewall" features that make using VoIP/SIP easier to lock down. You may want to look at this as a "project."

/S

I had attacks twice before. I was a little lazy about getting it all fixed at the time, a big lesson. Here are tips, basically what others said.

  1. Change the "secret" to a combination of letters and numbers 8 characters long. That will remove 90% of attackers.
  2. In your extension setup, under the permit section, put your local or remote IP address for each phone extension. For a local extension, put 192.168.1.0/255.255.255.0 in the permit box if your local LAN is 192.168.1.x. This will only accept the IP addresses you specified for that extension. Put your actual external IP address range in the permit box for your remote phones. If you have a dynamic IP address for the remote phone, put some IP address range for your remote phone. You can find your remote phone's IP address range through your Asterisk info. Otherwise, if you don't know how to set that up, keep the permit at the default and use a very strong password/secret for that extension.
  3. Install fail2ban. That will stop attackers trying to crack your password. It will ban all attackers if they have tried 3 times and failed.
  4. Set the allow anonymous inbound calls setting to No instead of Yes. This is under the General Settings section of FreePBX.
  5. Put your PBX behind the firewall if you have only internal extensions. Otherwise, use a VPN link between your local and remote sites so that both sites share the same local network with local IPs, and then you can use the permit box to set the local IPs.
  6. Read this article: http://nerdvittles.com/index.php?p=580
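Step 3 above (and the fail2ban link further down the thread) relies on fail2ban watching the Asterisk log for failed registrations and banning a source after 3 failures. As an added example, not from the thread and not fail2ban's own code, here is that detection written out so the rule can be seen working: a regex in the same shape as the voip-info "asterisk" filter is run over constructed Asterisk 1.4 chan_sip log lines (documentation addresses), failures are counted per source inside a findtime window, and the DROP rules are produced for anything that crosses maxretry. The iptables command is the simplified equivalent of what fail2ban's iptables action does (fail2ban uses its own chain; that is an assumption you should not copy verbatim).

```python
# Added example (not from the thread, not fail2ban): the detection a fail2ban
# "asterisk" jail performs, run over constructed Asterisk 1.4 log lines.
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the shape of /var/log/asterisk/full for
# Asterisk 1.4 chan_sip failed registrations; addresses are documentation ranges.
LOG = """\
[Mar 10 12:00:01] NOTICE[2381] chan_sip.c: Registration from '"100" <sip:100@203.0.113.5>' failed for '198.51.100.7' - Wrong password
[Mar 10 12:00:01] NOTICE[2381] chan_sip.c: Registration from '"101" <sip:101@203.0.113.5>' failed for '198.51.100.7' - No matching peer found
[Mar 10 12:00:02] NOTICE[2381] chan_sip.c: Registration from '"102" <sip:102@203.0.113.5>' failed for '198.51.100.7' - Username/auth name mismatch
[Mar 10 12:00:05] NOTICE[2381] chan_sip.c: Registration from '"201" <sip:201@203.0.113.5>' failed for '60.61.62.63' - Wrong password
[Mar 10 12:00:09] NOTICE[2381] chan_sip.c: Registration from '"202" <sip:202@203.0.113.5>' failed for '192.0.2.44' - Wrong password
[Mar 10 12:30:00] NOTICE[2381] chan_sip.c: Registration from '"202" <sip:202@203.0.113.5>' failed for '192.0.2.44' - Wrong password
[Mar 10 12:59:00] NOTICE[2381] chan_sip.c: Registration from '"202" <sip:202@203.0.113.5>' failed for '192.0.2.44' - Wrong password
"""

# Same shape as the fail2ban asterisk filter: timestamp, then a registration
# failure with the offending source address captured as the host.
FAILED = re.compile(
    r"^\[(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)\] NOTICE.*chan_sip\.c: "
    r"Registration from '.*' failed for '(?P<host>[\d.]+)' - "
    r"(Wrong password|No matching peer found|Username/auth name mismatch|"
    r"Peer is not supposed to register|Device does not match ACL)"
)

def parse_failures(log, year=2009):
    """Yield (time, host) for each failed SIP registration in the log text.

    Asterisk 1.4 log stamps carry no year, so one is assumed (argument)."""
    for line in log.splitlines():
        m = FAILED.match(line)
        if m:
            ts = datetime.strptime("%d %s" % (year, m.group("ts")),
                                   "%Y %b %d %H:%M:%S")
            yield ts, m.group("host")

def hosts_to_ban(log, maxretry=3, findtime=600):
    """Sources with >= maxretry failures inside any findtime-second window.

    This is fail2ban's rule: failures older than findtime fall out of the
    window, so slow guessing below the threshold is not caught."""
    recent = defaultdict(list)
    banned = set()
    for ts, host in sorted(parse_failures(log)):
        recent[host] = [t for t in recent[host] if (ts - t).total_seconds() <= findtime]
        recent[host].append(ts)
        if len(recent[host]) >= maxretry:
            banned.add(host)
    return banned

def iptables_rules(banned):
    """Simplified equivalent of the DROP rule fail2ban's iptables action adds."""
    return ["iptables -I INPUT -s %s -j DROP" % h for h in sorted(banned)]

if __name__ == "__main__":
    for rule in iptables_rules(hosts_to_ban(LOG)):
        print(rule)
```

With the defaults only 198.51.100.7 is banned: three failures in two seconds. The single failure from 60.61.62.63 (a legitimate phone mistyping its secret) is left alone, and 192.0.2.44, which spreads three failures over an hour, stays under the 10-minute window; widen findtime to an hour and it is caught too. That trade-off is the reason to pair fail2ban with strong secrets rather than rely on it alone, as step 1 and step 3 together suggest.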

Here is a good link for best practices.
http://blogs.digium.com/2009/03/28/sip-security/

I believe the FreePBX default settings take care of most of those now. At least on v2.6 they do.

They also talk about fail2ban at the bottom of that article, which is a really good one to use IMHO.
http://www.voip-info.org/wiki/view/Fail2Ban+(with+iptables)+And+Asterisk

Thanks for the advice.
I did mostly what you all told me to try, with the approval of the installing company. When I asked why he did not do it like that the first time, there was a long pause on the phone.
Found out that everything on the system was at factory defaults.

Thanks again, and if I may ask: should I have my fixed IP address from Bell Canada changed, since it is the second time it has happened? Looks like it is the same guy that came into our system.

A million thanks for the information.