Call From a strange extension

Mirko87

#1
Hi all,
this morning when I arrived here in the office, I had a look at the logs, and I saw the image I have attached...
You can see that at 3.22 am I received a call from the "Me" extension... but this extension isn't in my PBX, and I've just checked the source IP and I see that it came from London... (but I think it's dynamic... so it could change from tonight)...

What do you think? Is it a banal error, where the caller dialled the wrong number, or is it something else?!?

Best Regards,

Mirko

PS: save the image on your PC to see it in the right dimensions.

 

DaveD

#2
This is similar to the "Jackson 1" people were getting. I had the "me" show up on some systems last month, but fail2ban kicked in and stopped the attempt to guess the passwords.
 

Mirko87

#3
So, what happened? Has someone logged into my PBX?


Regards,
Mirko
 

Bob

#4
Mirko

Have you got "Allow Anonymous SIP" turned on in your general page??

Regards

Bob
 

Mirko87

#5
Yes, I've got "Allow Anonymous Inbound SIP Calls" set to "Yes"...

Is it a problem?

Regards
Mirko
 

Bob

#6
Mirko87,

Have a read of this article first, kindly posted by WiseOldOwl; it is relevant.

http://www.elastix.org/index.php?option ... =116#19453

To be fair it is not a wide open gate for hackers to hack your system, but allowing anonymous SIP is a kink in your defences. A hole that they can plug away at until they get lucky. What's worse is that a change to the configuration of another SIP trunk could inadvertently open the flood gates.

The main issue is that many turn on the "Allow Anonymous SIP" without fully understanding the consequences; in fact many turn it on because their phones or ATA or trunk connection doesn't work without it turned on. In most cases it is usually due to poorly configured phones or devices, and they read up that turning this on may fix their problem. They do so, everything works, and it is never looked at again until they get hacked. To be fair again, it is usually because these SIP devices may come with poor documentation. This, coupled with a poor understanding of how to set up authenticated SIP connections, along with the barebones structure for trunks in FreePBX (this is necessary to allow a large number of different trunk capabilities), causes this issue.

To provide you with a further example: the GP710 SIP to Bluetooth device has some poor documentation. Every example I found posted on the Web by others went for the basic unauthenticated SIP connection. This was not suitable, so it was necessary to use SIP debug and plug away with changes, monitoring the SIP requests and responses for authentication until it worked.

There are some occasions when it is necessary to turn this on, such as ENUM, or when some device's SIP implementation is so basic that it will not work with it turned off.

The other issue is that SIP is not understood by many. Every implementation can have its flaws; Asterisk could release a flawed version tomorrow, and whilst your system was solid today, it might not be tomorrow. Many of these hackers know these flaws, run kiddy scripts to probe these systems using the SIP ports, and as soon as they have some live ones, put them into a database that will be used for their low-cost calling card service, which provides users with cheap international phone calls. The headers are normally spoofed, so trying to track it back, unless you have some good perimeter diagnostic tools, is a pain. Improvements including certs will help sort this out, but again, it increases the complexity, and many do not fully understand it. How many web sites have you come across where the SSL cert works in one area, not in another, or it expires, etc.?

I have seen this hacking first hand on many systems (usually systems we have been asked to take over), so it is real. We take it seriously. In fact, we actually have documents for clients to sign whenever a client wants to turn on either Anonymous SIP or Enable DISA. These documents state that there is a risk, explain these risks, and they sign it to state that we have informed them of this. It further states that the client does not hold us liable for any costs or damages directly or indirectly related to the enabling of these items. Almost every time we whip out the document, they have second thoughts. Especially with Anonymous SIP, it is another vendor (usually of a SIP device that the client wants to connect) that has told them that it is necessary and won't cause them any issues.

Hope this helps.....

Regards

Bob
 

rafael

#7
And how about having two Elastix installations? One for the "indoors" that has access to the PSTN with analog/digital lines, and a virtual machine for the remote extensions. That way the internal PBX won't have access to the Internet and the external one is a virtual machine. If it gets hacked for whatever reason, you can always turn it off and launch a clone image of the virtual machine.

Regards,

Rafael
 

Mirko87

#8
Thank you Bob... And Rafael too...
I've read your post, great help for me...
Now, I've started to enforce my security... I've just installed Fail2Ban...
Now, it's time to test...

If I have any doubts, I'll post here again... :)

Regards,
Mirko
 

Bob

#9
No problems Mirko,

Appreciate you taking the time to read it....and replying.

Just one other thing I wanted to note, that I may not have in the post....

Some people do need to run Anonymous SIP for whatever reason. If this is the case, then the safest way is to limit the SIP ports on the router/firewall. From your VSP, find out what the public IP addresses of their server are, and set your router to only allow SIP from these addresses.

Even with IAX, I have most systems allowing IAX only from their VSP IP addresses and/or their remote office.

With any security, it is always better to have several layers, and in almost all cases to provide a perimeter. This is why I am not a fan of fail2ban. It performs a great job, however it does not provide that separation (unless you are running it on a perimeter Linux box).

Regards
Bob
 

Mirko87

#10
Bob said:
Just one other thing I wanted to note, that I may not have in the post....

Some people do need to run Anonymous SIP for whatever reason. If this is the case, then the safest way is to limit the SIP ports on the router/firewall. From your VSP, find out what the public IP addresses of their server are, and set your router to only allow SIP from these addresses.

Even with IAX, I have most systems allowing IAX only from their VSP IP addresses and/or their remote office.
That is a good method... Much safer than Fail2Ban...
At the moment my office router is a basic router that can't limit connections by checking the IP... But I think I'll change it...

But what if the VSP changes the IP of the server? Is that possible?


Regards,

Mirko
 

Bob

#11
Mirko87 said:
That is a good method... Much safer than Fail2Ban...
At the moment my office router is a basic router that can't limit connections by checking the IP... But I think I'll change it...

But what if the VSP changes the IP of the server? Is that possible?
Definitely worth changing the router if that is the case. It is worth investing a little money for a Firewall/Router, one which provides control on both the ip address and the port ranges.

Be aware that some of the lower end firewall routers only provide single port control, not a range. So have a look. The Draytek series do have these features, and work extremely well with Asterisk based systems, including some decent outbound QoS features.

Yes, VSPs sometimes do change their IP addresses, but the good VSPs, the ones that usually understand business uptime, normally will inform their clients that they are making major changes to their infrastructure and if their IP addresses are going to change.

Over 4 years with one VSP, they have made this change once, and they did send a notice out, telling their clients that their IP addresses will change and that if you have any hard coded addresses in your configs or set on the firewall, to change them or allow this further range of IP addresses.

Again I hope this helps

Bob
 

Mirko87

#12
Good Morning Bob...

I've thought about your advice, and I decided to permit only the VSP IP on port 5060 of my PBX...
At the moment my router is not professional... But can I set up the Linux firewall, iptables, to deny the other IPs?
What do you think about it?

Regards,

Mirko
 

Bob

#13
Mirko,

Just be aware that you also need to open ports 10000-20000 UDP as well, otherwise you will connect but possibly with no voice.

As mentioned, it is not ideal, however Linux iptables is a very mature system, and in the absence of a perimeter device (performing the security), it is the next best thing.

With security there are no absolutely strict rules, other than following some basic methodologies and concepts. No matter what, no system is going to be 100% secure, just like no computer will be completely immune to viruses just because you bought the latest and greatest virus checker.

Security is as much as you want it to be, and can afford to spend. If the Firewall/router is out of the budget, then you aim for a compromise, and at least one that you feel comfortable with. Like iptables, it basically costs you nothing, it's a reasonable compromise, and well worth the effort to add it to your arsenal of security.

Regards

Bob
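As an added example (not part of the thread, and not Bob's or Mirko's own configuration), here is a POSIX sh script that builds the iptables rules described in #9 and #13: SIP 5060/udp and the RTP range 10000-20000/udp accepted only from the VSP and the LAN phones, with a rate-limited log line so rejected probes are visible in syslog. The VSP and LAN addresses are placeholders.

```shell
#!/bin/sh
# Constructed example (not from the thread): emit iptables rules that restrict
# SIP signalling (5060/udp) and the RTP media range (10000-20000/udp) on the PBX
# to the VSP and the internal phones; everything else is logged and dropped.
# All addresses below are placeholders (TEST-NET-3 and a private subnet).
VSP_SIP_IPS="203.0.113.10 203.0.113.11"   # placeholder: the VSP's SIP servers
VSP_RTP_NET="203.0.113.0/24"              # placeholder: VSP media may use other hosts
LAN_NET="192.168.1.0/24"                  # placeholder: internal phone subnet
SIP_PORT=5060
RTP_RANGE="10000:20000"                   # iptables range syntax for --dport

# Rules that accept SIP and RTP from one source; only printed, never applied here.
allow_voip_from() {
    printf 'iptables -A INPUT -p udp -s %s --dport %s -j ACCEPT\n' "$1" "$SIP_PORT"
    printf 'iptables -A INPUT -p udp -s %s --dport %s -j ACCEPT\n' "$1" "$RTP_RANGE"
}

build_ruleset() {
    # Order matters: every ACCEPT must precede the DROP rules at the end.
    for ip in $VSP_SIP_IPS; do allow_voip_from "$ip"; done
    # Many providers send media from a different address than signalling; if the
    # RTP range is not open to those hosts the call sets up but has no audio.
    printf 'iptables -A INPUT -p udp -s %s --dport %s -j ACCEPT\n' "$VSP_RTP_NET" "$RTP_RANGE"
    allow_voip_from "$LAN_NET"
    # Log rejected SIP traffic (capped at 5/min) so scanning shows up in syslog,
    # then drop everything else aimed at the VoIP ports.
    printf 'iptables -A INPUT -p udp --dport %s -m limit --limit 5/min -j LOG --log-prefix "SIP-DROP "\n' "$SIP_PORT"
    printf 'iptables -A INPUT -p udp --dport %s -j DROP\n' "$SIP_PORT"
    printf 'iptables -A INPUT -p udp --dport %s -j DROP\n' "$RTP_RANGE"
}

# Review the printed rules first; run as root with --apply to load them.
if [ "${1:-}" = "--apply" ]; then build_ruleset | sh; else build_ruleset; fi
```

Rules added this way are not persistent across a reboot; save them with the distribution's iptables service once they are verified.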
 

donhwyo

#14
There are a number of firewall / router distros out there if you have a spare PC lying around. pfSense or Untangle, to name two. I use Untangle and like it, but it is not totally just plug and play for Asterisk and requires some tweaking. But it works well and has some nice features and OpenVPN in the free version. There is a new version coming out soon. I wouldn't use the Windows version, but that is just my preference.

Don
 

Mirko87

#15
donhwyo said:
There are a number of firewall / router distros out there if you have a spare PC lying around. pfSense or Untangle, to name two. I use Untangle and like it, but it is not totally just plug and play for Asterisk and requires some tweaking. But it works well and has some nice features and OpenVPN in the free version. There is a new version coming out soon. I wouldn't use the Windows version, but that is just my preference.

Don
Hi Don...
Thank you for the reply...
In another network where I have a spare PC I use the SmoothWall firewall... but here in the office I haven't got much space... :) so I can't keep 2 PCs running all day for a specific goal (PBX and firewall).

The best thing to do here is to make PBX safe and change my router...

Regards,

Mirko
 
