Call From a strange extension

Discussion in 'General' started by Mirko87, Sep 15, 2009.

  1. Mirko87

    Joined:
    Oct 20, 2008
    Messages:
    128
    Likes Received:
    0
Hi all,
this morning when I arrived here in the office, I took a look at the logs, and I saw the image I have attached...
You can see that at 3.22 am I received a call from the "Me" extension... but this extension isn't in my PBX, and I've just checked the source IP and I see that it came from London... (but I think it's dynamic, so it could change by tonight)...

What do you think? Is it a banal error, and the caller dialled the wrong number, or is it something else?!?

    Best Regards,

    Mirko

    ps: save image on your PC to see it in the right dimensions.

     
  2. DaveD

    Joined:
    Nov 12, 2007
    Messages:
    597
    Likes Received:
    0
This is similar to the Jackson 1 people were getting. I had the "me" show up on some systems last month, but fail2ban kicked in and stopped the attempt to guess the passwords.
     
  3. Mirko87

    Joined:
    Oct 20, 2008
    Messages:
    128
    Likes Received:
    0
So what happened? Has someone logged into my PBX?


    Regards,
    Mirko
     
  4. Bob


    Joined:
    Nov 4, 2007
    Messages:
    2,400
    Likes Received:
    1
    Mirko

    Have you got "Allow Anonymous SIP" turned on in your general page??

    Regards

    Bob
     
  5. Mirko87

    Joined:
    Oct 20, 2008
    Messages:
    128
    Likes Received:
    0
    Yes, I've got "Allow Anonymous Inbound SIP Calls" set to "Yes"...

Is it a problem?

    Regards
    Mirko
     
  6. Bob


    Joined:
    Nov 4, 2007
    Messages:
    2,400
    Likes Received:
    1
    Mirko87,

    Have a read of this article here first kindly posted by WiseOldOwl- it is relevant.

    http://www.elastix.org/index.php?option ... =116#19453

To be fair it is not a wide open gate for hackers to hack your system, but allowing anonymous SIP is a kink in your defences. A hole that they can plug away at until they get lucky. What's worse is that a change to the configuration of another SIP trunk could inadvertently open the flood gates.

The main issue is that many turn on "Allow Anonymous SIP" without fully understanding the consequences; in fact many turn it on because their phones, ATA or trunk connection doesn't work without it turned on. In most cases it is usually due to poorly configured phones or devices, and they read up that turning this on may fix their problem. They do so, everything works, and it is never looked at again until they get hacked. To be fair again, it is usually because these SIP devices may come with poor documentation. This, coupled with a poor understanding of how to set up authenticated SIP connections, along with the barebones structure for trunks in FreePBX (this is necessary to allow a large number of different trunk capabilities), causes this issue.

To provide you with a further example: the GP710 SIP to Bluetooth device has some poor documentation. Every example I found posted on the Web, done by others, went for the basic unauthenticated SIP connection. This was not suitable, so it was necessary to use SIP Debug and plug away with changes, monitoring the SIP requests and responses for authentication until it worked.

There are some occasions when it is necessary to turn this on, such as ENUM, or when some device's SIP implementation is so basic that it will not work with it turned off.

The other issue is that SIP is not understood by many. Every implementation can have its flaws; Asterisk could release a flawed version tomorrow, and whilst your system was solid today, it might not be tomorrow. Many of these hackers know these flaws, run kiddy scripts to probe these systems using the SIP ports, and as soon as they have some live ones, put them into a database that will be used for their low-cost calling card service, which provides users with cheap international phone calls. The headers are normally spoofed, so trying to track it back, unless you have some good perimeter diagnostic tools, is a pain. Improvements including certs will help sort this out, but again, it increases the complexity, and many do not fully understand it. How many web sites have you come across where the SSL cert works in one area, not in another, or it expires etc.?

    I have seen this hacking first hand on many systems (usually systems we have been asked to take over), so it is real. We take it seriously. In fact, we actually have documents for clients to sign whenever a client wants to turn on either Anonymous SIP or Enable DISA. These documents state that there is a risk, explains these risks and they sign it to state that we have informed them of this. It further states that the client does not hold us liable for any costs or damages directly or indirectly related to the enabling of these items. Almost every time we whip out the document, they have second thoughts. Especially with Anonymous SIP, it is another vendor (usually of a SIP device that the client wants to connect) that has told them that it is necessary and won't cause them any issues.

    Hope this helps.....

    Regards

    Bob
     
  7. rafael

    Joined:
    May 14, 2007
    Messages:
    1,454
    Likes Received:
    1
And how about having two Elastix installations. One for the "indoors" that has access to the PSTN with analog/digital lines, and a virtual machine for the remote extensions. That way the internal PBX won't have access to the Internet and the external one is a virtual machine. If it gets hacked for whatever reason, you can always turn it off and launch a clone image of the virtual machine.

    Regards,

    Rafael
     
  8. Mirko87

    Joined:
    Oct 20, 2008
    Messages:
    128
    Likes Received:
    0
Thank you Bob... and Rafael too...
I've read your post, a great help for me...
Now I've started to enforce my security... I've just installed Fail2Ban...
Now it's time to test...

    If I've some doubt, I'll post here again... :)

    Regards,
    Mirko
     
  9. Bob


    Joined:
    Nov 4, 2007
    Messages:
    2,400
    Likes Received:
    1
    No problems Mirko,

    Appreciate you taking the time to read it....and replying.

    Just one other thing I wanted to note, that I may not have in the post....

Some people do need to run Anonymous SIP for whatever reason. If this is the case, then the safest way is to limit the SIP ports on the router/firewall. From your VSP find out what the public IP addresses of their servers are, and set your router to only allow SIP from these addresses.

    Even with IAX, I have most systems allowing only IAX from their VSP IP addresses only, and/or their remote office.

With any security, it is always better with several layers, and in almost all cases to provide a perimeter. This is why I am not a fan of fail2ban. It performs a great job, however it does not provide that separation (unless you are running it on a perimeter Linux box).

    Regards
    Bob
     
  10. Mirko87

    Joined:
    Oct 20, 2008
    Messages:
    128
    Likes Received:
    0
That is a good method... Much safer than Fail2Ban...
At the moment my office router is a basic router that can't limit connections by IP... But I think I'll change it...

But what if the VSP changes the IP of the server? Is that possible?


    Regards,

    Mirko
     
  11. Bob


    Joined:
    Nov 4, 2007
    Messages:
    2,400
    Likes Received:
    1
    Definitely worth changing the router if that is the case. It is worth investing a little money for a Firewall/Router, one which provides control on both the ip address and the port ranges.

Be aware some of the lower end firewall routers only provide single port control, not a range. So have a look. The Draytek series do have these features, and work extremely well with Asterisk based systems, including some decent outbound QoS features.

Yes, the VSPs sometimes do change their IP addresses, but the good VSPs, the ones that usually understand business uptime, normally will inform their clients that they are making major changes to their infrastructure and if their IP addresses are going to change.

    Over 4 years with one VSP, they have made this change once, and they did send a notice out, telling their clients that their IP addresses will change and that if you have any hard coded addresses in your configs or set on the firewall, to change them or allow this further range of IP addresses.

    Again I hope this helps

    Bob
     
  12. Mirko87

    Joined:
    Oct 20, 2008
    Messages:
    128
    Likes Received:
    0
    Good Morning Bob...

I've thought about your advice, and I decided to permit only the VSP IP on port 5060 of my PBX...
At the moment my router is not professional... But can I set up the Linux firewall iptables to deny the other IPs?
What do you think about that?

    Regards,

    Mirko
     
  13. Bob


    Joined:
    Nov 4, 2007
    Messages:
    2,400
    Likes Received:
    1
    Mirko,

    Just be aware that you also need to open ports 10000-20000 UDP as well, otherwise you will connect but possibly with no voice.

As mentioned, it is not ideal, however Linux iptables is a very mature system, and in the absence of a perimeter device (performing the security), it is the next best thing.

With security there are no absolutely strict rules, other than following some basic methodologies and concepts. No matter what, no system is going to be 100% secure, just like no computer will be completely immune to viruses just because you bought the latest and greatest virus checker.

Security is as much as you want it to be, and can afford to spend. If the firewall/router is out of the budget, then you aim for a compromise, and at least one that you feel comfortable with. Like iptables: it basically costs you nothing, it's a reasonable compromise, and well worth the effort to add it to your arsenal of security.

    Regards

    Bob
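What the last few posts describe (Mirko's plan to allow only the VSP's address on UDP 5060, plus Bob's reminder that RTP on UDP 10000-20000 must also get through), written out as an added example that is not from this thread or from Elastix. It only prints the iptables rules so they can be reviewed before being applied; the VSP and LAN addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example: generate iptables rules that accept SIP (UDP 5060) and RTP
# (UDP 10000-20000) only from the VSP and the local phone network, log the
# rest at a limited rate, then drop it. Printed, not applied: pipe into sh
# as root once the addresses have been checked against the VSP's notice.
VSP_IP="203.0.113.10"        # constructed placeholder, replace with your VSP's address
LAN_NET="192.168.1.0/24"     # constructed placeholder for the office phones

# Accept a plain IPv4 address or a CIDR (four octets 0-255, optional /0-32).
valid_ipv4() {
  echo "$1" | awk -F/ '
    NF > 2 { exit 1 }
    NF == 2 && ($2 !~ /^[0-9]+$/ || $2 > 32) { exit 1 }
    {
      n = split($1, o, ".")
      if (n != 4) exit 1
      for (i = 1; i <= 4; i++) if (o[i] !~ /^[0-9]+$/ || o[i] > 255) exit 1
      exit 0
    }'
}

# Emit the rules in the order they must be appended: ACCEPTs before the
# catch-all LOG/DROP, because iptables stops at the first matching rule.
sip_allowlist_rules() {
  vsp="$1"; lan="$2"
  valid_ipv4 "$vsp" || { echo "invalid VSP address: $vsp" >&2; return 1; }
  valid_ipv4 "$lan" || { echo "invalid LAN network: $lan" >&2; return 1; }
  cat <<EOF
iptables -A INPUT -p udp --dport 5060 -s $vsp -j ACCEPT
iptables -A INPUT -p udp --dport 10000:20000 -s $vsp -j ACCEPT
iptables -A INPUT -p udp --dport 5060 -s $lan -j ACCEPT
iptables -A INPUT -p udp --dport 10000:20000 -s $lan -j ACCEPT
iptables -A INPUT -p udp --dport 5060 -m limit --limit 5/min -j LOG --log-prefix "SIP-DENY: "
iptables -A INPUT -p udp --dport 5060 -j DROP
iptables -A INPUT -p udp --dport 10000:20000 -j DROP
EOF
}

sip_allowlist_rules "$VSP_IP" "$LAN_NET"
```

The LOG line is what gives you a record of who was probing port 5060 after the change; if the VSP announces a new range, re-run with the new address rather than editing the live chain by hand.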
     
  14. donhwyo

    Joined:
    Aug 8, 2008
    Messages:
    293
    Likes Received:
    0
There are a number of firewall/router distros out there if you have a spare PC lying around. pfSense or Untangle, to name 2. I use Untangle and like it, but it is not totally just plug and play for Asterisk and requires some tweaking. But it works well and has some nice features, and OpenVPN in the free version. There is a new version coming out soon. I wouldn't use the Windows version, but that is just my preference.

    Don
     
  15. Mirko87

    Joined:
    Oct 20, 2008
    Messages:
    128
    Likes Received:
    0
    Hi Don...
    Thank you for the reply...
In another network where I have a spare PC I use the SmoothWall firewall... but here in the office I haven't got much space... :) so I can't keep 2 PCs running all day for a specific goal (PBX and firewall).

    The best thing to do here is to make PBX safe and change my router...

    Regards,

    Mirko
     
