I found out the hard way this last weekend that if the SIP port (5060) is available to the public Internet on the Asterisk box that it is VERY easy for someone out there to find your extensions then scan for the valid “secret” password. With that, they simply “Register” as the extension and Asterisk now thinks they ARE the internal extension! They then can freely make calls using your outgoing phone lines at a massive rate, e.g. less than a second between calls. In a few hours they made over 1000 calls to all over. What those phone calls were is even worse – phishing for bank card numbers and pins, obviously to do bank fraud – all from my caller-ID.
(Note that I have the DSL router acting as a real firewall and this is the only port allowed in – I do not allow ssh or 80, etc.)
With the current FreePBX all I can think of to do is make more secure passwords, or (as I feel is most secure) close the port 5060 to the outside world. This means that no one, even people I want to call in via VOIP, no one can call into our system. The only way to call us now is via POTS incoming phone lines.
Since the only way they can discover passwords is with running hundreds or thousands of attempts to see what grants access to a Register command (all which can be done in a matter of minutes, since computers are so fast), what I would like is something in Asterisk to detect a password failure, note the IP address attempting access, and after TWO unsuccessful tries within an hour, to block that IP address from ANY access for at least an hour. After a dozen unsuccessful tries from an IP over a day, block that IP until a human releases it. Also, to give a log-file for unsuccessful Register attempts, without having to have the other dozens of traffic that a Debug log level gives.
Further, what about some way to differentiate between Register attempts from internal IP vs external IP, and only allow internal IP to Register as an Extension, but allow others to Register as an incoming Trunk?
The request for blocking additional connection attempts after x attempts in given y time frame is a good one. Also improvements on limiting where registration attempts can be allowed from is good. But this is the wrong forum for those as nobody here has control over or writes the code for asterisk.
FreePBX is a application that sits on top of asterisk and generates dialplans and expands featureset for those that do not want to or can’t write dial plans for asterisk (yes I’m skipping over many other things like ease of use, better interface, etc).
I’d make a formal request in the asterisk forums for that option. You can find that over at www.asterisk.org.
There are many good documents on the web for securing your setup that should be followed. also keeping up to date with all patches for asterisk are critical. As you had picked the trixbox distro (yes I was online in IRC with you yesterday) you need to pick a distro that keeps current with asterisk and all security patches. Unfortunately trixbox has decided to move on and nolonger support asterisk 1.2.x with newer patches as they have for a year tried to put as much distance between them and that build series as possible. Due to them basically abandoning support for those older versions they have not even kept up with just updating nothing but asterisk to he latest release available which had a few security updates released. 'm not current on them but one of those might have closed a known issue that somebody took advantage of.
Have you contacted the authorities and reported the theft of services, preserved the logs, reported the abuse to your provider so that they know, etc… If not I’d do that ASAP. It might be possible to catch them but the longer you wait the easier it is for them to get away with it.
We secure our sip port in one of two ways. First it is locked down with a REAL firewall where I can say exactly which IP’s are allowed access and which ones are not So those external locations that have static IP’s can connect and nobody else is allowed. We also require that external employee’s that have IP’s that change often or are on dhcp from a provider use the VPN into the office so that we have it secured in a way that can’t be abused.
Check out fail2ban. This is a common tool for preventing brute force attacks.
Many people use vpn connections between branches or partners to prevent this specific type of attack.
This experience reinforces a basic principle, don’t expose a computer or network to the Internet unless you know how to secure it. Just google ‘sip security’ and start learning how to protect yourself.
fskrotzki: thank you for your kind help yesterday on IRC, and here today. Yes, we reported it to the FBI (due to interstate banking fraud attempt), and I found the low-life’s IP in my logs as 126.96.36.199, and reported that to [email protected]. We reported it to our VOIP service-provider, but of course he can not do anything since it came from our authenticated registered channel to them.
I have closed port 5060 on my DSL-router firewall, so I believe there is no risk to our phone system at this time. But I wanted to post this here for others to be aware of it also.
When I get a minute, I will follow your advice and see about posting to www.asterisk.org
Question: Are you saying the DSL router provided by AT&T, which specifically has a built-in “Stateful Inspection” firewall (not just NAT) is not adequate? If so, could you please tell me why, and what is needed?
Again, thank you for your help.
Stateful inspection means that it checks each packet to know that it is really supposed to be the next packet in the series. see http://en.wikipedia.org/wiki/Stateful_firewall.
What I’m saying it that better firewalls wil allow you to limit access to a set of IP’s that you trust. That is the big issue with the $39 Dlink, linksys, netgear units. They control access by opening the port to everybody or not. A better firewall (or cheaper one with custom firmware) will allow you to limit it by IP. thus securing your self even better. For example I have our sip port open to my house for me to do all kinds of testing on the office system. I’m the only one who can hit it, my nextdoor neighbor can’t even using the same service provider.
I always question anything a provider provides that is “Free of charge”. it can do the basics but almost never what should be really done if you need to do something out of the ordinary.
fail2ban is also a nice tool also.
Why not use MAC or IP filtering for your devices?
Hey, jperry999, fail2ban is awesome for type of thing.
Sorry to hear your system got compromised
I´ve been using Piaf for a bit, and fail2ban comes bundled with it. I saw the hundreds of SSH brute force connections to my systems every day drop to a handful, after using fail2ban.
Naturally, it can be configured for other ports, so you might want to give it a test drive.
Alternatively, you could try Privacy Manager on inbound calls, and Route Password on Outbound Calls, but that does make it a tad restrictive for making calls, and you have to update all your friends and family on their password.
magpye, thank you for your input. Please note that ssh is blocked at the router. Although I have heard great things about fail2ban for ssh security, This is an issue solely with SIP (port 5060), and the log-file is completely different as far as I understand. I do not know that fail2ban would deal with it, although please fill me in if it does. Further, it is my guess that I would have to turn on such a high level of logging (“debug”) that the log files would get far too unwieldy considering all the other traffic that goes on.
As far as “Privacy Manager on inbound calls”, note that since the low-life was logging in as if one of my extensions, Asterisk would not consider it an “inbound call” and thus that would not have any use, other than to annoy valid callers.
While “Route Password on Outbound Calls” would handle it, it makes valid users work too hard. Obviously simply turning off the Asterisk computer would handle it, but that too would annoy people validly trying to make calls. (Joke). But, consider how US Gov has handled “terrorist threat” – make it so hard for valid travelers to travel, that it hurts the economy, thus US Govt helps terrorists achieving the aims
I say again, why not use MAC filtering??
From what I understand, fail2ban can work on any port you desire, you simply need to add the details in the config.
There’s a good article here, and some worthy comments from Ward Mundy of PiAF fame.
fail2ban works on the principle of incorrect user/password, so if someone tried brute force registering a phone on your system, they’d quickly find themselves banned.
The nice thing is that the attacker doesn’t get a “YOU HAVE BEEN BANNED, SCUMBAG” message, the system simply stops acknowledging anything further from that IP address, which will log as a failure/no response message on most automated brute force engines.
magpye, I have researched your suggestion on fail2ban some more, and it might indeed be a good answer.
Although there are some who have had trouble getting it to work:
So, there might be a method to get there with this tool, but it sure would be nice if it was pre-configured correctly as part of the distro, and users could simply click to turn it on.
In my view, a primary objective of FreePBX is to make Asterisk easier for all us non-linux people who simply want a decent phone system and to get away from the POTS and proprietary (closed-system) monopoly. The people at FreePBX have done a GREAT job at that.
Now, if we could just add some security solutions that most people really should be using (but many aren’t because they are not linux gurus)
fail2ban is shipped with some distros like PIAF. but not Trixbox (yes just one more reason to not use it)…
As fskrotzki said, fail2ban comes shipped with PiaF.
Personally, I love PiaF, because it fills some of the gaps that aren’t strictly PABX related, and makes administering the system a lot easier.
It uses FreePBX as the GUI for Asterisk, Webmin for the OS and fail2ban is preconfigured, all you need to do is simply download, install, update and configure.
Depending on your familiarity and expertise, you can easily have a system ready for action within a couple of hours, all patched and perky…
It’s not local connections we are concerned with. Remote connections are routed, their MAC addresses are not exposed.
I believe the fail2ban on PBIAF is not configured to monitor SIP registers.
Correct me if this has been updated.
My purpose is I don’t want to give PBIAF a false sense of security on SIP .
Fair enough call, SkyKing.
I found this comment from Ward Mundy, and it sounds like they’ve taken that step towards securing SIP registrations.
Just recently, we’ve added the latest release of Fail2Ban to all PBX in a Flash systems using our software update service.
Fail2Ban blocks SIP and IAX attacks which are becoming more and more prevalent by locking IP addresses out of your server for a specified period of time whenever a designated number of invalid passwords are submitted.
Of course, if you get a user who inadvertently puts in the wrong password for their SIP phone, it could well end up banning them, and you’d have all sorts of fun finding that out…
Ok, cool that is why I indicated my information may be dated.
It would not be that hard to find a user that has been added to the reject table, if you knew their IP address you could dump the current IPtables and grep it or you can grep the fail2ban log for the SIP username. GUI addicts would be a bit lost. Which is the real danger in ‘kitchen sink’ distributions such as PBIAF, so many ways for new users to hose things up.
I think we all agree that having anyone’s phone system compromised hurts the whole community; making it easy to be more secure will help everyone.
I posted the feature requests to
and additional idea to
While your intent is laudable you should learn what Asterisk can do before you begin making suggestions to developers about what it should do.
Bug ID 13950 -
Asterisk does not control the IP stack, Fail2ban and IPtables provide the functionality your are requesting. In fact PBX in a Flash includes a script for setting it up without having to understand the syntax of any of the packages.
Bug ID 13951-
Asterisk has access lists for SIP peers. The command syntax is accept and deny.
For example, if your wanted to allow all private 10 network to pass in the peer you would place:
or for a single class C -