ALERT WhatMeWorry: €11 Million Heist

Joined
Feb 4, 2008
Messages
50
Reaction score
2
My system was set up similar to yours. Back when I got started (3 years ago), and people weren't thinking about this, I had open SIP ports to my box (wanted to be able to use my wifi phone anywhere); had simple endpoint passwords (hey, who would know I was even running a server).

Well, fortunately one night I was down in my workshop, and the SIP extension rings. Some guy is on the phone and wants to know why I had left a message seeking personal information. Then I get a whole bunch of these messages in 10 minutes!

Look at my log, and see that someone has registered to my box and has a robot placing robocalls through it! Now I have pay-as-you-go trunks, but also have one SIP phone trunk from Vonage. If this had gone on, my Vonage bill would've gone through the roof! Who knows when they would've pulled the plug!

This scared the daylights out of me, and taught me, time to learn security. I was lucky, you may not be.

Just running Fail2Ban, and having it email me any time it bans someone, is an eye opener! My box gets an attempted hit at least once a week, usually from eastern Europe, Russia, or China.

Once you've had a box on line for a while, there must be a list running around with your IP, making it a target.

Don't play the odds, lock down your box!
 

The Deacon

Guru
Joined
Jan 29, 2008
Messages
296
Reaction score
14
Here is just a sample of what I see on an almost daily basis:

Code:
[2011-02-10 15:29:21] NOTICE[15844] chan_sip.c: Registration from '"2360155315"<sip:[email protected]>' failed for '174.122.169.162' - No matching peer found
[2011-02-10 15:29:21] NOTICE[15844] chan_sip.c: Registration from '"359148351"<sip:[email protected]>' failed for '174.122.169.162' - No matching peer found
[2011-02-10 16:08:18] NOTICE[15844] chan_sip.c: Registration from '"2488337430"<sip:[email protected]>' failed for '66.143.207.39' - No matching peer found
[2011-02-10 16:08:18] NOTICE[15844] chan_sip.c: Registration from '"704612339"<sip:[email protected]>' failed for '66.143.207.39' - No matching peer found
[2011-02-10 16:08:18] NOTICE[15844] chan_sip.c: Registration from '"101"<sip:[email protected]>' failed for '66.143.207.39' - No matching peer found
[2011-02-10 16:08:18] NOTICE[15844] chan_sip.c: Registration from '"103"<sip:[email protected]>' failed for '66.143.207.39' - No matching peer found
[2011-02-10 16:08:18] NOTICE[15844] chan_sip.c: Registration from '"104"<sip:[email protected]>' failed for '66.143.207.39' - No matching peer found
[2011-02-10 16:08:18] NOTICE[15844] chan_sip.c: Registration from '"105"<sip:[email protected]>' failed for '66.143.207.39' - No matching peer found
[2011-02-10 16:08:18] NOTICE[15844] chan_sip.c: Registration from '"106"<sip:[email protected]>' failed for '66.143.207.39' - No matching peer found
[2011-02-10 16:08:18] NOTICE[15844] chan_sip.c: Registration from '"107"<sip:[email protected]>' failed for '66.143.207.39' - No matching peer found
[2011-02-10 16:08:18] NOTICE[15844] chan_sip.c: Registration from '"108"<sip:[email protected]>' failed for '66.143.207.39' - No matching peer found
[2011-02-10 16:08:18] NOTICE[15844] chan_sip.c: Registration from '"109"<sip:[email protected]>' failed for '66.143.207.39' - No matching peer found
[2011-02-10 16:08:18] NOTICE[15844] chan_sip.c: Registration from '"110"<sip:[email protected]>' failed for '66.143.207.39' - No matching peer found
[2011-02-10 16:08:18] NOTICE[15844] chan_sip.c: Registration from '"111"<sip:[email protected]>' failed for '66.143.207.39' - No matching peer found
[2011-02-10 16:08:18] NOTICE[15844] chan_sip.c: Registration from '"112"<sip:[email protected]>' failed for '66.143.207.39' - No matching peer found
[2011-02-10 16:08:18] NOTICE[15844] chan_sip.c: Registration from '"113"<sip:[email protected]>' failed for '66.143.207.39' - No matching peer found
[2011-02-10 16:08:18] NOTICE[15844] chan_sip.c: Registration from '"114"<sip:[email protected]>' failed for '66.143.207.39' - No matching peer found
[2011-02-10 16:08:18] NOTICE[15844] chan_sip.c: Registration from '"116"<sip:[email protected]>' failed for '66.143.207.39' - No matching peer found
[2011-02-10 16:08:18] NOTICE[15844] chan_sip.c: Registration from '"117"<sip:[email protected]>' failed for '66.143.207.39' - No matching peer found
[2011-02-10 16:08:18] NOTICE[15844] chan_sip.c: Registration from '"118"<sip:[email protected]>' failed for '66.143.207.39' - No matching peer found
[2011-02-10 16:08:18] NOTICE[15844] chan_sip.c: Registration from '"119"<sip:[email protected]>' failed for '66.143.207.39' - No matching peer found
[2011-02-10 16:08:18] NOTICE[15844] chan_sip.c: Registration from '"120"<sip:[email protected]>' failed for '66.143.207.39' - No matching peer found
[2011-02-10 16:08:18] NOTICE[15844] chan_sip.c: Registration from '"121"<sip:[email protected]>' failed for '66.143.207.39' - No matching peer found
[2011-02-10 16:08:18] NOTICE[15844] chan_sip.c: Registration from '"122"<sip:[email protected]>' failed for '66.143.207.39' - No matching peer found
[2011-02-10 16:08:18] NOTICE[15844] chan_sip.c: Registration from '"123"<sip:[email protected]>' failed for '66.143.207.39' - No matching peer found
[2011-02-10 16:08:18] NOTICE[15844] chan_sip.c: Registration from '"124"<sip:[email protected]>' failed for '66.143.207.39' - No matching peer found
[2011-02-10 16:08:18] NOTICE[15844] chan_sip.c: Registration from '"125"<sip:[email protected]>' failed for '66.143.207.39' - No matching peer found

<SNIP>

[2011-02-10 16:08:20] NOTICE[15844] chan_sip.c: Registration from '"369"<sip:[email protected]>' failed for '66.143.207.39' - No matching peer found
[2011-02-10 16:08:20] NOTICE[15844] chan_sip.c: Registration from '"370"<sip:[email protected]>' failed for '66.143.207.39' - No matching peer found
[2011-02-10 16:08:20] NOTICE[15844] chan_sip.c: Registration from '"371"<sip:[email protected]>' failed for '66.143.207.39' - No matching peer found



My only concern is why does FAIL2BAN allow this many attempts... I've got it set for two attempts from the same IP address...
 

jroper

Guru
Joined
Oct 20, 2007
Messages
3,832
Reaction score
71
My only concern is why does FAIL2BAN allow this many attempts... I've got it set for two attempts from the same IP address...

It takes a bit of time for Fail2Ban to parse the logs and place the IP block, and if you are being hit hard, then the processor will be up through the roof, meaning Fail2Ban may not react as quickly as you would like.

What if someone hacks your box and then starts using it to distribute child pornography or spam mail? Your service provider can disconnect or block your service until it is cleared up. Look at it from this point of view: you are guilty until proven innocent.

Here is an example of someone who was falsely accused of downloading child pornography:

See the comments by "Passing_Through" on this old news story halfway down the page - http://www.pcpro.co.uk/news/361693/teenager-jailed-for-refusing-to-reveal-encryption-keys - for a truly shocking example of what could have happened.

For those who don't want to click through, the salient sentence is:-

The resultant publicity led to breakdown of my marriage, loss of my family, loss of my job, ostracised by the community, loss of my house, my health deteriorated and I was near suicidal with depression.


Joe
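Added example, not part of the thread: Python that parses lines of the shape The Deacon posted and models jroper's point about Fail2Ban reaction time. The sample log is constructed (the SIP host pbx.example and the exact counts are made up, and the original post's host is not reproduced), the reaction delay is a parameter rather than a measured Fail2Ban figure, and the sequential-run check is a simple heuristic for the 101, 102, 103... pattern visible in the posted log.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta


# Constructed sample in the shape of the log excerpt above: the SIP host
# (pbx.example) and the exact counts are made up. The second source runs a
# sequential extension scan, 101..130 inside one second, then 369..370.
def _line(ts, user, ip):
    return (f"[{ts}] NOTICE[15844] chan_sip.c: Registration from "
            f"'\"{user}\"<sip:{user}@pbx.example>' failed for '{ip}' - No matching peer found")


SAMPLE_LOG = "\n".join(
    [_line("2011-02-10 15:29:21", "2360155315", "174.122.169.162"),
     _line("2011-02-10 15:29:21", "359148351", "174.122.169.162")]
    + [_line("2011-02-10 16:08:18", str(e), "66.143.207.39") for e in range(101, 131)]
    + [_line("2011-02-10 16:08:20", str(e), "66.143.207.39") for e in (369, 370)]
)

# chan_sip registration-failure line; the source may carry a :port suffix on newer builds.
LINE_RE = re.compile(
    r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '\"(?P<user>[^\"]*)\"<[^>]*>' failed for "
    r"'(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?' - (?P<reason>.+)$"
)


def parse_failures(log_text):
    """Return [(timestamp, username, source_ip, reason)] for each failed REGISTER line."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                           m["user"], m["ip"], m["reason"]))
    return events


def simulate_ban(events, maxretry=2, reaction_seconds=1.0):
    """Model a Fail2Ban-style jail per source IP.

    The ban is assumed to take effect `reaction_seconds` after the maxretry-th
    failure (log polling plus iptables insertion). The maxretry attempts that
    trigger the ban always reach Asterisk; later attempts are counted as
    'leaked' only if they are timestamped before the ban is in place.
    """
    by_ip = defaultdict(list)
    for ts, _user, ip, _reason in events:
        by_ip[ip].append(ts)
    report = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        if len(stamps) < maxretry:
            report[ip] = {"total": len(stamps), "ban_at": None, "leaked": len(stamps)}
            continue
        ban_at = stamps[maxretry - 1] + timedelta(seconds=reaction_seconds)
        leaked = maxretry + sum(1 for ts in stamps[maxretry:] if ts < ban_at)
        report[ip] = {"total": len(stamps), "ban_at": ban_at, "leaked": leaked}
    return report


def longest_sequential_run(events, ip):
    """Longest run of consecutive numeric usernames tried from `ip`, in log order.

    A long run (101, 102, 103, ...) is the signature of an extension scanner
    rather than a misconfigured phone retrying one account.
    """
    users = [u for _, u, src, _ in events if src == ip and u.isdigit()]
    best = run = 1 if users else 0
    for prev, cur in zip(users, users[1:]):
        run = run + 1 if int(cur) == int(prev) + 1 else 1
        best = max(best, run)
    return best


if __name__ == "__main__":
    ev = parse_failures(SAMPLE_LOG)
    for ip, r in simulate_ban(ev).items():
        print(f"{ip}: {r['total']} attempts, {r['leaked']} reached Asterisk before the ban, "
              f"longest sequential run {longest_sequential_run(ev, ip)}")
```

With maxretry=2 and a one-second reaction, the 66.143.207.39 burst still puts 30 REGISTERs in front of Asterisk, because the whole run is timestamped inside a single second; only the two stragglers at 16:08:20 are stopped. A jail that bans on the second failure can only be as fast as its log polling and iptables insertion, and that gap is exactly what a scanner exploits by sending its whole wordlist at once.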
 

Tekmon

Member
Joined
Nov 25, 2010
Messages
66
Reaction score
0
OMG, thanks fellows for the realistic reason to be prudent in security.
 

blanchae

Guru
Joined
Mar 12, 2008
Messages
1,910
Reaction score
9
11 Million EU hack!

Over at SipVicious, he has an article on a VoIP hacking ring that netted a loss of €11 million! The hackers made €1 million before being caught.
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,201
Reaction score
5,220
Blacklists Suck

For those depending upon Blacklists rather than Whitelists to protect your systems, you will note in the list below from SipVicious that 1/3 of the calls (probably zombies) originated in the good ol' USA:
  • 89.42.156.102 - Romania
  • 74.115.0.25 - US (San Jose)
  • 68.194.64.146 - US - Brooklyn
  • 74.115.0.24 - US (San Jose)
  • 89.42.194.224 - Romania
  • 79.117.27.97 - Romania
  • 89.42.187.151 - Romania
  • 64.9.175.89 - US (Austin)
  • 95.76.211.188 - Romania
  • 109.99.35.113 - Romania
  • 85.186.123.121 - Romania
  • 95.22.116.11 - Spain
 

luckman212

Guru
Joined
Jul 7, 2010
Messages
272
Reaction score
0
NAT=yes asks the other end to send audio back on the same port that you send it to them. Hole punched in NAT, everything fine.

is that really true? I always wondered exactly what that option did. It seems rather poorly documented. At least I could never find any definitive guide on those options.
 

papachumba

Member
Joined
Jun 20, 2013
Messages
86
Reaction score
5
Rather than just rely on iptables, I am using OpenVPN as an additional layer of security.
Only port 1194 is open on my server's firewall, allowing VPN traffic, that is it.

Then there's IPTABLES within PIAF, which I haven't really bothered touching, as it's already locked down to the local subnet as far as I'm aware (plus extension IP address limits).
So hopefully the server is invisible to all but VPN clients.
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,201
Reaction score
5,220
FYI: PIAF, as installed, does NOT lock down IPtables. You'd need to add Travelin' Man to do that. As long as your hardware-based firewall doesn't have any ports exposed, you should be fine either way.
 

papachumba

Member
Joined
Jun 20, 2013
Messages
86
Reaction score
5
Yes, Travelin' Man 2 & 3 I think installed; I did check iptables quickly to see what was open...
 

Antony

New Member
Joined
Jul 4, 2013
Messages
10
Reaction score
1
The following is based on my current understanding so if I get something wrong please tell me.
I am also looking from the viewpoint of having to support roaming users on the Interwebs.
I have read a bit about security (at least enough to be dangerous) relating to Asterisk, and one of the measures recommended with Asterisk is to never use the Extension number as the login/authname.
By default FreePBX does use the extension number. This makes it easier for the bad guys to use scanning programs to scan and test/crack passwords, as they can generally guess a starting point (e.g. 701). Also FreePBX doesn't let you use a different alphanumeric 'authname' when setting up an extension.
An alternative is to change FreePBX to Device and User mode (in Advanced Settings). Then you can use, say, a random numeric DeviceID (login/user name) of, say, 20 digits together with a long alphanumeric secret for each device, and then permanently connect that device to an Extension, or use it as intended and have a user log in to a device.
I haven't seen this suggested on this forum or on the PIAF website. Am I missing something? Is there a reason which negates this as a security measure?
Look forward to getting some feedback.
TIA
Antony
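An added example, not FreePBX's Device/User implementation and not anything posted in this thread: a small audit of sip.conf peers for the weaknesses Antony describes (auth name equal to a short extension number, weak or identical secrets, no permit/deny restriction), plus a generator for Device/User style peers with a random 20-digit auth name and a long secret. The sample sip.conf, the secrets, the 203.0.113.x addresses and the 12-character minimum are constructed; the stanza produced is plain Asterisk sip.conf syntax, not what FreePBX writes. The sample's [general] section also keeps alwaysauthreject=yes, the Asterisk option that makes a failed REGISTER for a nonexistent peer look identical on the wire to a wrong password, so the "No matching peer found" condition in the log above does not confirm valid names to a scanner.

```python
import secrets
import string

# Constructed sample sip.conf: two peers set up the default FreePBX way (auth
# name equals the extension number) and one set up Device/User style. The
# secrets, names and the 203.0.113.10 phone address are made up.
SAMPLE_SIP_CONF = """\
[general]
context=default
alwaysauthreject=yes   ; do not reveal whether a peer name exists

[701]
type=friend
host=dynamic
secret=701
context=from-internal

[702]
type=friend
host=dynamic
secret=Sunny1234
context=from-internal

[48213509877120038455]
type=friend
host=dynamic
secret=Qm4tZ9rL2pWx7VbKd8sHc3NfYgE6uAjR
context=from-internal
deny=0.0.0.0/0.0.0.0
permit=203.0.113.10/255.255.255.255
"""

MIN_SECRET_LEN = 12   # assumed local policy, not an Asterisk setting


def parse_sip_conf(text):
    """Minimal sip.conf reader: {section: {key: value}}. Strips ';' comments, ignores template suffixes."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].split("(", 1)[0]
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections


def audit_peers(text, min_secret_len=MIN_SECRET_LEN):
    """Flag peers a sequential scanner (100, 101, 102, ...) would find cheap to attack.

    Returns {peer_name: [problem, ...]} for peers with a short all-digit auth
    name, a secret equal to the name, a short secret, or no permit/deny restriction.
    Sections without type= ([general] and friends) are skipped.
    """
    findings = {}
    for name, kv in parse_sip_conf(text).items():
        if "type" not in kv:
            continue
        problems = []
        if name.isdigit() and len(name) <= 6:
            problems.append("auth name is a short extension number")
        secret = kv.get("secret", "")
        if secret == name:
            problems.append("secret equals auth name")
        if len(secret) < min_secret_len:
            problems.append(f"secret shorter than {min_secret_len}")
        if "permit" not in kv:
            problems.append("no permit/deny restriction")
        if problems:
            findings[name] = problems
    return findings


def new_device_id(digits=20):
    """Random numeric auth name for Device/User mode, unrelated to the extension number."""
    return "".join(secrets.choice(string.digits) for _ in range(digits))


def new_secret(length=32):
    """Random alphanumeric SIP secret from the OS CSPRNG."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def device_stanza(extension, permit_nets, context="from-internal"):
    """Plain sip.conf stanza for one device: the auth name is a random 20-digit ID,
    the extension appears only as caller ID, and registration is limited to permit_nets."""
    device_id, secret = new_device_id(), new_secret()
    lines = [f"[{device_id}]", "type=friend", "host=dynamic", f"secret={secret}",
             f"context={context}", f'callerid="Ext {extension}" <{extension}>',
             "deny=0.0.0.0/0.0.0.0"] + [f"permit={net}" for net in permit_nets]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for peer, problems in audit_peers(SAMPLE_SIP_CONF).items():
        print(peer, "->", "; ".join(problems))
    print(device_stanza("703", ["203.0.113.0/255.255.255.0"]))
```

Run the audit over an existing sip_additional.conf before switching modes: any peer it lists is one that the scan in the log above could reach with nothing more than a counter and a wordlist.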
 

Joe the geek

New Member
Joined
Jun 11, 2013
Messages
12
Reaction score
3
We are using Device/User mode. Be aware Commercial Endpoint Manager does not fully support this mode: setting up and mapping endpoints to devices and users gets VERY confusing.
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,201
Reaction score
5,220
Antony: Welcome! The reason you won't find a lot of discussion about changing from Extension mode to Device and User Mode is because we strongly recommend running your server behind a secure, hardware-based firewall with no Internet exposure to your PBX. Where you have remote users to support, we have two WhiteList products that work well with port UDP 5060 only mapped to your server. Travelin' Man 2 lets the end-user manage his or her remote IP address while Travelin' Man 3 manages remote IP addresses using a service such as DynDNS.com in conjunction with a client at the end-user's location. Without a WhiteList, we would never recommend exposing any ports from your PBX to the Internet. There simply have been too many (undiscovered) security vulnerabilities over the years. With a WhiteList, you don't have to worry about it.
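As an added example (not from the thread and not Travelin' Man's own code), the whitelist-versus-blacklist point made above, replayed in Python against the twelve addresses in the SIPVicious list quoted earlier in the thread: a blacklist built from the Romanian /24s still admits the US and Spanish sources, while a whitelist of known endpoints admits none. The two endpoint addresses (203.0.113.10 and .11), the 198.51.100.x addresses used by the resolver stub, and the RTP range 10000-20000 (Asterisk's default rtp.conf range) are assumptions; the emitted lines are plain iptables syntax, not Travelin' Man's script.

```python
import ipaddress
import socket

# The twelve scan sources and country tags from the SIPVicious list quoted
# above. Everything else here (the two "known endpoint" addresses in the
# 203.0.113.0/24 documentation range, the resolver stub) is constructed.
SCAN_SOURCES = {
    "89.42.156.102": "RO", "74.115.0.25": "US", "68.194.64.146": "US",
    "74.115.0.24": "US", "89.42.194.224": "RO", "79.117.27.97": "RO",
    "89.42.187.151": "RO", "64.9.175.89": "US", "95.76.211.188": "RO",
    "109.99.35.113": "RO", "85.186.123.121": "RO", "95.22.116.11": "ES",
}
KNOWN_ENDPOINTS = ["203.0.113.10", "203.0.113.11"]   # hypothetical remote phones


def to_networks(items):
    """Accept IPs or CIDR strings and return ip_network objects (a bare IP becomes a /32)."""
    return [ipaddress.ip_network(i, strict=False) for i in items]


def decide(mode, src, allow=(), deny=()):
    """ACCEPT/DROP verdict for a SIP packet from `src` under a whitelist or blacklist policy."""
    addr = ipaddress.ip_address(src)
    if mode == "whitelist":
        return "ACCEPT" if any(addr in net for net in allow) else "DROP"
    if mode == "blacklist":
        return "DROP" if any(addr in net for net in deny) else "ACCEPT"
    raise ValueError(f"unknown policy mode {mode!r}")


def reachable(mode, sources, allow=(), deny=()):
    """Sources that still reach UDP/5060 under the policy."""
    return [s for s in sources if decide(mode, s, allow, deny) == "ACCEPT"]


def blacklist_leak():
    """Block every /24 the Romanian sources came from, then replay all twelve sources."""
    deny = to_networks(f"{ip}/24" for ip, cc in SCAN_SOURCES.items() if cc == "RO")
    return reachable("blacklist", SCAN_SOURCES, deny=deny)


def whitelist_leak():
    """Allow only the known endpoints, then replay all twelve sources."""
    return reachable("whitelist", SCAN_SOURCES, allow=to_networks(KNOWN_ENDPOINTS))


def refresh_whitelist(hostnames, resolver=socket.gethostbyname):
    """Travelin' Man 3 style: resolve each remote user's dynamic-DNS name to its current address.

    The resolver is injectable so the lookup can be stubbed offline.
    """
    return to_networks(resolver(h) for h in hostnames)


def iptables_rules(allow, sip_port=5060, rtp=(10000, 20000)):
    """Emit iptables commands for a whitelist: accept SIP and RTP (assumed Asterisk
    default 10000-20000) only from the allowed networks, drop those ports for everyone else."""
    rules = []
    for net in allow:
        rules.append(f"iptables -A INPUT -p udp -s {net} --dport {sip_port} -j ACCEPT")
        rules.append(f"iptables -A INPUT -p udp -s {net} --dport {rtp[0]}:{rtp[1]} -j ACCEPT")
    rules.append(f"iptables -A INPUT -p udp --dport {sip_port} -j DROP")
    rules.append(f"iptables -A INPUT -p udp --dport {rtp[0]}:{rtp[1]} -j DROP")
    return rules


if __name__ == "__main__":
    print("blacklist lets through:", blacklist_leak())
    print("whitelist lets through:", whitelist_leak())
    print("\n".join(iptables_rules(to_networks(KNOWN_ENDPOINTS))))
```

The blacklist run lets five of the twelve sources through, all of them outside Romania, which is the one-third of compromised US hosts the post above is pointing at; the whitelist run lets none through without knowing anything about the attackers. When remote users sit on changing addresses, re-resolve their dynamic-DNS names and regenerate the rules rather than widening the whitelist.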
 

Antony

New Member
Joined
Jul 4, 2013
Messages
10
Reaction score
1
wardmundy. Thanks for the welcome.
I understand the recommendation regarding running behind a hardware firewall. With our organisation this isn't practical as we don't have a single location that is manned all the time. So we are going the hosted route. The plan is we will set up VPN tunnels between our 'permanent' locations and the hosted PIAF.
Travelin' Man 3 is already running whilst I get more familiar and start the configuration and will be used for the mobile users who cannot use VPNs.
Running Device / User mode appears to be another level of protection. As it doesn't appear to be discussed here I am wondering if I am missing anything or if there is a reason it is not a viable security measure.
Antony
BTW thanks for a great resource!
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,201
Reaction score
5,220
Many of our utility apps for PIAF have been written anticipating a standard extension setup. If everything is behind VPNs, then you really have little to worry about. But, if it makes you sleep better, then by all means go for it. There's plenty of low hanging fruit for the bad guys without spending too much time trying to crack 8+ character extension passwords. Fail2Ban would get in their way even assuming it was possible.
 

krzykat

Telecom Strategist
Joined
Aug 2, 2008
Messages
3,145
Reaction score
1,235
Ouch - I guess another reason to A) don't do updates unless you need to and B) Use PIAF over Elastix :)
 
