Security: Enumerating extensions

obelisk · April 25, 2011, 10:48am

Extensions on a FreePBX system can be enumerated very easily if someone has access to the SIP port.
To check if extension 100 exists and can be registered send an INVITE with header “From: sip:100” and check the answer.
If asterisk replies with “401 Unauthorized” it means the extension exists and can be registered.
Non-existant or ACLed extensions receive reply 200 or “407 Proxy Authentication Required” if allowguest is set to no

The problem is FreePBX by default creates extensions as type=friend instead of type=peer.

mickecarlsson · April 26, 2011, 12:06pm

obelisk, there are a couple of things you can do:

Set permit and deny fields in the extension, if that is not an option go to 2
Set the type for your extension after it is created, change type to peer

Option 2 has always been there, but in 2.9 it is a select box where you can select friend, peer or user.

I will discuss with the other developers but as the options are in the gui the ticket will probably be closed as invalid.

I appreciate your concern for security, your posts over at lime green forum have always enjoyed me.

Take care.

obelisk · April 26, 2011, 3:27am

Ticket 5103 opened.

obelisk · April 26, 2011, 3:28am

.

sanjayws · April 25, 2011, 5:27pm

Think you can set in /etc/asterisk/sip_general_custom.conf

alwaysauthreject=yes

Or set in FreePBX, go to Tools > Asterisk SIP Settings, other sip settings, add the above.

That will throw the same error with username auth rejects or password rejects…

SkykingOH · April 25, 2011, 4:21pm

Obelisk - can you enter this in the Bug Tracker please? It can probably make the 2.9 release if you get it in.

obelisk · June 25, 2011, 2:50pm

The issue has been acknowledged by digium as a problem in this thread:

http://forums.digium.com/viewtopic.php?t=78538

Also an interesting take on the FreePBX bug (mis)handling process:

http://goo.gl/lVODS

mickecarlsson · June 25, 2011, 3:46pm

Well obelisk, that rotten telephone pole from Michigan is not to trust. He should be totally ignored as if he feel that he is right (and he always feel that) then everyone else in the whole world is wrong.

And to be clear here, it is only a problem IF you open your PBX to Internet. But that is a BAD thing to do. Just open port 5060 so that your trunk providers IP address is allowed into the PBX.

And obelisk, by posting that (outdated) link you have, IMHO, proven to be as low as that telephone pole. If you want to criticize, please be constructive, not an …

obelisk · August 9, 2011, 4:30pm

Wow, it took a while, but we are finally making progress on this.
Old habits die hard

AdHominem · November 23, 2011, 1:19am

I have just updated the trouble ticket on this to include yet another reason to change this. With Extensions set to Friend, SIP URI calls to a system that have a Caller ID that is the same as a “friend” extension will be rejected as unauthorized.