Our Asterisk server was compromised. Some calls were made to Asian countries last weekend.
Though we have improved our network configuration, we still want to determine how the intrusion was done; we think there are clues in our Asterisk log files,
but we don't know what to look for, based on a default Asterisk:
This is how I secure my Asterisk server, which has been in production continuously since 2006.
Firewall
Open inbound ports only for necessary services. (You do have to open a wide range for RTP streams, but this generally isn't an issue since nothing normally listens within that port range.)
22/tcp: ssh (for management, of course)
4520/udp: DUNDi (if you are using DUNDi)
4569/tcp: IAX2 (if you are using IAX)
5060/udp: SIP registration
10000-20000/udp: RTP (media transport)
Some devices have a much narrower range of ports they use for RTP streams. For instance certain Cisco (formerly Linksys/Sipura; part numbers begin with PAP, SPA or WRP) devices only use 16384-16482.
Extensions
If possible, restrict the IP address ranges from which SIP clients are allowed to connect. If this is deployed in an office, restrict connections to port 5060 to IP addresses within the location(s) where the phones are located. If you must accept connections from Internet addresses not within your control, consider blocking country-specific IP address ranges.
Do not use the SIP extension number as the username. If your SIP clients support it, give them all names instead.
Set strong passwords for all SIP extensions. This should be obvious, but isn't always so.
From reading the logs attached to your previous question, I was able to determine that you had a SIP extension defined with the username 1, with a secret so easy to guess that the attacker got it correct on the first attempt. The extension probably had no secret defined at all.
Use alwaysauthreject=yes in sip.conf. This prevents attackers from being able to determine if a SIP extension exists via brute force.
Use allowguest=no in sip.conf. This prevents unauthenticated clients from making calls.
Administration
Change all default passwords for your UNIX users, your databases, and your administrative front-ends such as FreePBX.
Set bindaddr = 127.0.0.1 in manager.conf to ensure that the Asterisk management interface is not open to the world.
Other
Install fail2ban. I have it configured to block after two failed attempts, but if you have full control of all your devices such that they would never fail to login correctly, you could set it to block after one failed attempt.
If you do not need to make international calls, then have your SIP trunking provider disable the capability at their end. You can also configure your Asterisk server not to route such calls.
This should cover the basics, and will keep you out of trouble for the most part. If you deploy any unusual services or write your own custom configurations, you may need to do some additional work to secure them.
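An added example (not part of the answer above, and not a tool shipped with Asterisk) that audits a sip.conf against the points this answer makes: peer names that are just the extension number, missing or trivially short secrets, and allowguest/alwaysauthreject not set the way the answer recommends. The sample configuration is constructed for the example, and the 12-character secret length is an arbitrary threshold for the audit, not an Asterisk setting.

```python
import re

# Constructed sample sip.conf for this example: a peer named after its extension
# number with a four-digit secret (the weakness described in the answer) next to
# a peer that follows the advice (non-numeric name, long secret), plus a
# [general] section that still permits guest calls.
SAMPLE_SIP_CONF = """\
[general]
context=default
bindport=5060
allowguest=yes

[1]
type=friend
context=internal
host=dynamic
secret=1234
allow=ulaw
allow=alaw

[desk-jsmith-7f3a]
type=friend
context=internal
host=dynamic
secret => Q7v!x9Lm2p#Rt8Wz
allow=ulaw
"""

MIN_SECRET_LEN = 12  # threshold assumed for this audit; Asterisk sets no such minimum


def parse_sip_conf(text):
    """Parse Asterisk's ini-like sip.conf into {section: [(key, value), ...]}.

    Repeated keys (allow=ulaw, allow=alaw) are kept in order, and both the
    'key=value' and 'key => value' forms are accepted.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment in sip.conf
        if not line:
            continue
        m = re.match(r"^\[([^\]]+)\]", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current].append((key.strip(), value.lstrip(">").strip()))
    return sections


def get(options, key):
    """Last value set for key in a section (Asterisk applies the last occurrence)."""
    values = [v for k, v in options if k == key]
    return values[-1] if values else None


def audit_sip_conf(text):
    """Return (section, finding) tuples for the weaknesses the answer lists."""
    conf = parse_sip_conf(text)
    findings = []
    general = conf.get("general", [])
    if get(general, "allowguest") != "no":
        findings.append(("general", "allowguest is not 'no': unauthenticated calls are accepted"))
    if get(general, "alwaysauthreject") != "yes":
        findings.append(("general", "alwaysauthreject is not 'yes': extensions can be enumerated"))
    for name, options in conf.items():
        if name == "general" or get(options, "type") not in ("friend", "peer", "user"):
            continue
        if name.isdigit():
            findings.append((name, "peer name is numeric: it is the extension number"))
        secret = get(options, "secret")
        if secret is None:
            findings.append((name, "no secret defined"))
        elif secret.isdigit() or len(secret) < MIN_SECRET_LEN:
            findings.append((name, "secret is all digits or shorter than %d characters" % MIN_SECRET_LEN))
    return findings


if __name__ == "__main__":
    import sys
    # Usage: python audit_sip.py /etc/asterisk/sip.conf (sample data without an argument)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SIP_CONF
    for section, finding in audit_sip_conf(text):
        print("[%s] %s" % (section, finding))
```

On the sample it reports four findings: the two [general] settings and two for the peer named 1; the peer with a descriptive name and a long secret passes. The parser deliberately does not use configparser, because sip.conf repeats keys such as allow= and uses the => form, which configparser rejects.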
We had a similar problem some time back. In addition to Michael Hampton's answer, three things we did fixed this.
1) Installing fail2ban. What this does is scan log files looking for password failure attempts. Too many and it will firewall the IPs. It works for more than just Asterisk, but also SSH and any other service you require.
2) Whitelist or blacklist IPs from countries you want/don't want to allow. e.g. Do you want to allow SIP access from China? You can get IP lists from nirsoft.
3) If you're trunking or pairing to an upstream provider, see if you can get a daily credit limit. This will limit the size of the bill you get from them should either of the first two fail. And if you do detect a problem, it will at least buy you some time before it really gets out of hand.
I would add 'good monitoring' to the suggestions listed by other answers. Monitor the systems (suggested titles for checking logs are logwatch or logcheck). Look at available asterisk reporting tools (I don't know any titles but the item Asterisk Monitoring lists some) and see whether your upstream telephony provider can monitor your use and alert on unplanned increases of call costs.
There are four types of security you need to consider when setting up a PBX:
1. Perimeter: This type of security is usually applied at a firewall (not at the PBX). Most firewalls simply route SIP/IAX/RTP/etc. packets to the PBX, so they really don't do any protecting (but they can at least block SSH/telnet/etc. connections). The first (accepted) answer references on-host (PBX) rules using iptables. That is not recommended - don't let attackers past the perimeter protection. Known attackers/hackers/fraudsters should be blocked at the perimeter.
2. Asterisk Configuration: This is common sense today and most configuration generators already take care of this for you. But if you are working with Asterisk directly then use complex device names and complex secrets. Disable guest access (allowguest) and don't allow meaningful failure responses to attackers (alwaysauthreject). As well, be careful with your dial command (in Asterisk), as the wrong parameter can allow a caller to flash hook and dial any outside line. Change all passwords from default, don't let Asterisk run as root, and if you do choose to use a config generator, change the default passwords there too.
3. Hacking Detection (intrusion detection): Tools like fail2ban are trivial (in fact Digium warns users NOT to use fail2ban as a firewall/security device). That said, if you really don't have the skills to set up anything more, then fail2ban is better than nothing. What most people don't realize is that fail2ban depends completely on Asterisk to detect and reject a dial/register attempt before an IP can be banned. So if the attack does not cause these Asterisk errors then fail2ban does nothing. (As well, with fail2ban you are blocking attackers at the PBX, not at the firewall.)
Now for the real hacking. How do you know if an attacker is using malformed SIP packets? In that case look into "snort" or other SIP packet analyzers. What if the attacker is rotating through a large subnet of IPs or VPN IPs? Make sure your detection tool can track that. What about blocking IPs based on geofencing? Advanced firewalls can do this, as can some open source firewalls like "pfsense" and proprietary Asterisk security systems like "SecAst".
Configuration generators (e.g. FreePBX) have a poor security history, particularly surrounding exploits of the end-user GUI. If you choose to expose the HTTP GUI to the internet then you had better install host-based hacking detection such as "tripwire".
4. Fraud Detection: Serious hackers intercept packets, and even hack the phones themselves, to steal valid credentials. How do you stop hackers with valid credentials? There are some open source tools to track SIP channels which you could use to detect the number of channels by source (write your own detection scripts), or commercial products like "SecAst" which track the rate of dialing and the number of call setups per second (since fraudsters race to exploit credentials for toll fraud before extensions/IPs/trunks are shut down).
What about detecting a suspicious number of calls to/from particular DIDs, as is often the case in toll fraud? Tools like "SecAst" can track those, and even compare them to phone numbers known to be used for fraud (even if the attacker keeps his total channel volume low).
Similar to #3, if your users operate in well-defined geographic areas then geofence extensions even if they have valid credentials. Advanced firewalls can do this, as can some open source firewalls like "pfsense", Cisco, and proprietary Asterisk security systems like "SecAst".
Summary: So, in summary, there is a LOT you can and should do to secure your PBX. I've listed a bunch of open source products above that allow you to achieve a reasonable level of security (if your skills are sufficient). I also mentioned some proprietary tools that usually handle all of the above for you, but you will have to spend some money to use them. However, after your first $400,000 phone bill you may find that cheap now means more expensive later (Google "$400,000 phone bill Astricon" and you will see what I mean).
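An added example, written for this page and not taken from any of the answers, for the question of what to look for in the Asterisk logs. It matches the NOTICE lines chan_sip writes for failed registrations and rejected calls (the same Asterisk messages the last answer points out fail2ban depends on), counts them per source IP, and lists the usernames tried and the destinations dialled, which is the "good monitoring" the earlier answer asks for. The log lines below are constructed in that format with documentation-range addresses; the threshold of three failures is an arbitrary choice for the example.

```python
import re
import sys
from collections import Counter, defaultdict

# Constructed sample lines in the shape of the NOTICE messages chan_sip writes
# to /var/log/asterisk/messages (the lines fail2ban's asterisk filter keys on).
# Addresses are documentation ranges; 198.51.100.23 plays the attacker.
SAMPLE_LOG = """\
[2013-05-04 02:11:07] NOTICE[2231] chan_sip.c: Registration from '"1"<sip:1@203.0.113.10>' failed for '198.51.100.23:5060' - Wrong password
[2013-05-04 02:11:08] NOTICE[2231] chan_sip.c: Registration from '"1"<sip:1@203.0.113.10>' failed for '198.51.100.23:5060' - Wrong password
[2013-05-04 02:11:09] NOTICE[2231] chan_sip.c: Registration from '"101"<sip:101@203.0.113.10>' failed for '198.51.100.23:5060' - No matching peer found
[2013-05-04 02:12:40] NOTICE[2231] chan_sip.c: Call from '' (198.51.100.23:5060) to extension '00112345678900' rejected because extension not found in context 'default'.
[2013-05-04 02:13:02] NOTICE[2231] chan_sip.c: Call from '' (198.51.100.23:5060) to extension '00112345678901' rejected because extension not found in context 'default'.
[2013-05-04 09:30:01] NOTICE[2231] chan_sip.c: Registration from '"desk-jsmith"<sip:desk-jsmith@203.0.113.10>' failed for '203.0.113.55:5060' - Wrong password
"""

REG_FAIL = re.compile(
    r"Registration from '(?P<who>[^']*)' failed for '(?P<ip>[\d.]+)(?::\d+)?' - (?P<reason>.+)$")
CALL_REJECT = re.compile(
    r"Call from '(?P<who>[^']*)' \((?P<ip>[\d.]+)(?::\d+)?\) to extension '(?P<ext>[^']+)' rejected")


def triage(log_text, fail_threshold=3):
    """Group authentication failures and rejected calls by source IP.

    Returns (failures_per_ip, usernames_tried_per_ip, rejected_destinations_per_ip,
    suspect_ips). An IP is a suspect when it reached fail_threshold failed
    registrations or had any call rejected (an empty caller name means an
    unauthenticated INVITE, which allowguest=no stops at the door).
    """
    failures = Counter()
    usernames = defaultdict(set)
    destinations = defaultdict(list)
    for line in log_text.splitlines():
        m = REG_FAIL.search(line)
        if m:
            ip = m.group("ip")
            failures[ip] += 1
            # The quoted display name is the username the client tried.
            name = re.match(r'"([^"]*)"', m.group("who"))
            usernames[ip].add(name.group(1) if name else m.group("who"))
            continue
        m = CALL_REJECT.search(line)
        if m:
            destinations[m.group("ip")].append(m.group("ext"))
    suspects = sorted(ip for ip in set(failures) | set(destinations)
                      if failures[ip] >= fail_threshold or destinations.get(ip))
    return failures, usernames, destinations, suspects


def report(log_text, fail_threshold=3):
    """One summary line per suspect IP, ready to print or mail."""
    failures, usernames, destinations, suspects = triage(log_text, fail_threshold)
    lines = []
    for ip in suspects:
        lines.append("%s: %d failed registrations, usernames tried %s, rejected destinations %s"
                     % (ip, failures[ip], sorted(usernames[ip]), destinations.get(ip, [])))
    return lines


if __name__ == "__main__":
    # Usage: python triage.py /var/log/asterisk/messages (sample data without an argument)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for line in report(text):
        print(line)
```

On the sample, 198.51.100.23 is reported with three failures across the usernames 1 and 101 and two rejected guest calls to 00-prefixed numbers; the single wrong password from 203.0.113.55 stays below the threshold, which is the kind of ordinary user typo you do not want to ban on. Note what this cannot see: a caller with stolen valid credentials produces none of these NOTICE lines, which is exactly the gap the fraud-detection point above describes.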