Security: Enumerating extensions

Extensions on a FreePBX system can be enumerated very easily if someone has access to the SIP port.
To check if extension 100 exists and can be registered send an INVITE with header “From: sip:100” and check the answer.
If asterisk replies with “401 Unauthorized” it means the extension exists and can be registered.
Non-existant or ACLed extensions receive reply 200 or “407 Proxy Authentication Required” if allowguest is set to no

The problem is FreePBX by default creates extensions as type=friend instead of type=peer.

obelisk, there are a couple of things you can do:

  1. Set permit and deny fields in the extension, if that is not an option go to 2
  2. Set the type for your extension after it is created, change type to peer

Option 2 has always been there, but in 2.9 it is a select box where you can select friend, peer or user.

I will discuss with the other developers but as the options are in the gui the ticket will probably be closed as invalid.

I appreciate your concern for security, your posts over at lime green forum have always enjoyed me.

Take care.

Ticket 5103 opened.


Think you can set in /etc/asterisk/sip_general_custom.conf


Or set in FreePBX, go to Tools > Asterisk SIP Settings, other sip settings, add the above.

That will throw the same error with username auth rejects or password rejects…

Obelisk - can you enter this in the Bug Tracker please? It can probably make the 2.9 release if you get it in.

The issue has been acknowledged by digium as a problem in this thread:

Also an interesting take on the FreePBX bug (mis)handling process:

Well obelisk, that rotten telephone pole from Michigan is not to trust. He should be totally ignored as if he feel that he is right (and he always feel that) then everyone else in the whole world is wrong.

And to be clear here, it is only a problem IF you open your PBX to Internet. But that is a BAD thing to do. Just open port 5060 so that your trunk providers IP address is allowed into the PBX.

And obelisk, by posting that (outdated) link you have, IMHO, proven to be as low as that telephone pole. If you want to criticize, please be constructive, not an …

Wow, it took a while, but we are finally making progress on this.
Old habits die hard :wink:

I have just updated the trouble ticket on this to include yet another reason to change this. With Extensions set to Friend, SIP URI calls to a system that have a Caller ID that is the same as a “friend” extension will be rejected as unauthorized.