ALERT WhatMeWorry: €11 Million Heist

wardmundy | Nerd Uno | Joined Oct 12, 2007 | Messages 19,201 | Reaction score 5,221
(Moving this discussion from the Nerd Vittles article to the forum...)

I don't understand your reply. Assume a stock install of PIAF which sits behind a hardware router/firewall with all ports blocked. I add a trunk to Vitelity. Outbound calls/traffic work, inbound calls/traffic don't because of the blocked ports. I open up 1 port, 5060, for SIP, to allow inbound traffic from Vitelity. This traffic hits the hardware router/firewall and is port-forwarded/NAT'd to my PIAF box. This PIAF server is now "open to the internet" on 5060 and thus susceptible to SIP-based tomfoolery (although this is NAT'd traffic we're talking about).


When you open and redirect a port on your firewall, it's not just for NAT. It allows all traffic on that port.

I may be reading your article incorrectly, but in it you say that allowing SIP access to your PIAF server is "a bad idea." How is it possible to run a PBX without opening ports for the SIP protocol?


First, all firewalls are not created equal. Some handle SIP and NAT correctly. Others don't. Some support an Application Level Gateway (ALG). Others don't. And some improperly implement ALG so it doesn't work in various NAT combinations. Our article identifies some D-Link firewalls that we have found to work reliably with no firewall ports mapped to your server. In layman's terms, think of a SIP conversation as being similar to a session with your web browser. When you visit a web site and the site returns data to your PC, you don't need to poke a hole in your firewall to get the page to display. Same should hold true when you have a registered connection with Vitelity. If not, your firewall isn't handling NAT correctly.

Regarding my 2nd post on the article page: For what it's worth, my post was visible after I posted it...but disappeared from your site, then mysteriously appeared again after asking if my post was removed. I'm sure you have better things to do than moderate...


You're correct. We do have better things to do than moderate comments. But it's one of the necessary evils in running a successful blog unless you want everyone reading about Viagra and poker web sites ad nauseam. So... comments on Nerd Vittles are and will continue to be moderated to eliminate spam. That means that the site shows you your post to confirm that it was received. But it is not visible to others until we approve it. Your original comment was written at 10:30 p.m. last night. We were asleep! We didn't check the site until this morning, at which time your post was approved... and appeared. :idea:
 

ppmax | Guru | Joined Oct 18, 2007 | Messages 79 | Reaction score 5
Thanks for the reply Ward.

When you visit a web site and the site returns data to your PC, you don't need to poke a hole in your firewall to get the page to display. Same should hold true when you have a registered connection with Vitelity. If not, your firewall isn't handling NAT correctly.

Understood--no problems there. But this is *not* true for external requests; IOW, if I don't have port 80 open, I can't access the Apache server that returns web pages on that port to answer my request. The same is true for external calls coming in to PIAF: if I have a firewall with no ports open, how does SIP traffic (a call from my cell phone to my DID) from Vitelity connect to my PIAF box? Vitelity has distinct connections for inbound and outbound calls, and the inbound/external connection *to* Vitelity doesn't appear to be persistent.

Vitelity's support pages provide configuration details, and the "outbound" trunk ("outbound" from Vitelity) doesn't require any registration string.

Am I loopy? ;)

thx
PP
 

jroper | Guru | Joined Oct 20, 2007 | Messages 3,832 | Reaction score 71
Hi

Many providers more orientated to the residential market provide a registered account, where the Asterisk server is registered to the provider for inbound and outbound calls as part of an overall package of services.

So the act of registration keeps port 5060 open on your NAT device for calls to come in as well as out, providing they emanate from the same IP address.

However, there are no rules that say you have to get your origination and termination from the same place, such is the flexibility of VoIP.

Hence many DID providers, who are often in the wholesale rather than the residential market, simply configure a DID to go to an IP address in the form sip//[email protected]

In this case, you would have to open the SIP ports, and then a little bit of extra protection in your iptables and in your permit and deny masks would be a good idea.

Joe
 
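Joe's distinction above (registered trunk versus a DID provider that simply sends to your IP) can be checked mechanically from two Asterisk CLI listings. The following Python is an added example, not code from Joe's post, from PIAF or from Asterisk: it parses `sip show peers` and `sip show registry` output, marks a peer as reachable through the NAT mapping our own registration keeps open when its host is also a registrar we are registered to, marks every other peer as one the provider must initiate to (so 5060 has to be forwarded), and emits the iptables allow/drop lines and the sip.conf permit/deny lines that restrict that exposed peer to its source address. The two listings, the registrar hostname `inbound.example.net` and the resolver map are constructed for the example (the two 64.2.142.x addresses are the ones ppmax posts later in this thread); real column layouts vary by Asterisk version.

```python
import re
from typing import Dict, List, Set

# Constructed sample of `asterisk -rx "sip show peers"` in the Asterisk 1.6-era
# layout. The two Vitelity addresses are the ones posted in this thread.
SIP_PEERS = """\
Name/username              Host            Dyn Nat ACL Port     Status
vitel-outbound/ppmax       64.2.142.29      N   N       5060     Unmonitored
vitel-inbound/ppmax        64.2.142.13      N   N       5060     Unmonitored
2 sip peers [Monitored: 0 online, 0 offline Unmonitored: 2 online, 0 offline]
"""

# Constructed sample of `sip show registry`. The registrar hostname is a
# hypothetical placeholder, not the provider's real registration host.
SIP_REGISTRY = """\
Host                            Username       Refresh State                Reg.Time
inbound.example.net:5060        ppmax             105 Registered           Sat, 05 Feb 2011 10:00:12
1 SIP registrations.
"""

# Stand-in resolver so the example runs offline (constructed mapping);
# in practice use socket.gethostbyname() and re-check when the provider's DNS changes.
RESOLVE = {"inbound.example.net": "64.2.142.13"}

PEER_RE = re.compile(r"^(\S+/\S+)\s+(\d+\.\d+\.\d+\.\d+)\s")
REG_RE = re.compile(r"^(\S+?)(?::\d+)?\s+\S+\s+\d+\s+Registered\b")


def registered_hosts(registry_text: str, resolve: Dict[str, str]) -> Set[str]:
    """IPs of registrars we currently hold a registration with.

    Packets from these addresses ride the NAT mapping that our own REGISTER
    traffic created, so they need no port forward on the router.
    """
    ips: Set[str] = set()
    for line in registry_text.splitlines():
        m = REG_RE.match(line)
        if m:
            host = m.group(1)
            ips.add(resolve.get(host, host))
    return ips


def classify_peers(peers_text: str, registry_text: str,
                   resolve: Dict[str, str]) -> Dict[str, str]:
    """Map each SIP peer to 'pinhole' (reached via our registration) or
    'exposed' (the far end initiates to us, so 5060 must be forwarded)."""
    regs = registered_hosts(registry_text, resolve)
    verdict: Dict[str, str] = {}
    for line in peers_text.splitlines():
        m = PEER_RE.match(line)
        if not m:
            continue  # header, footer, or a peer whose host column is not an IP
        name, ip = m.group(1), m.group(2)
        verdict[name] = "pinhole" if ip in regs else "exposed"
    return verdict


def exposed_ips(peers_text: str, registry_text: str,
                resolve: Dict[str, str]) -> List[str]:
    """Addresses that must be allowed in explicitly because nothing we send
    keeps a NAT mapping open for them."""
    regs = registered_hosts(registry_text, resolve)
    ips = {m.group(2) for m in map(PEER_RE.match, peers_text.splitlines()) if m}
    return sorted(ips - regs)


def iptables_rules(ips: List[str], port: int = 5060) -> List[str]:
    """iptables-restore style lines: replies to our own traffic first, then the
    provider hosts that call in unsolicited, then drop every other SIP packet."""
    rules = ["-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"]
    rules += [f"-A INPUT -p udp --dport {port} -s {ip} -j ACCEPT" for ip in ips]
    rules.append(f"-A INPUT -p udp --dport {port} -j DROP")
    return rules


def sip_acl(ips: List[str]) -> List[str]:
    """permit/deny lines for the exposed peer's sip.conf section, so chan_sip
    itself refuses that peer's credentials from any other source address."""
    return ["deny=0.0.0.0/0.0.0.0"] + [f"permit={ip}/255.255.255.255" for ip in ips]


if __name__ == "__main__":
    print(classify_peers(SIP_PEERS, SIP_REGISTRY, RESOLVE))
    for rule in iptables_rules(exposed_ips(SIP_PEERS, SIP_REGISTRY, RESOLVE)):
        print(rule)
    print("\n".join(sip_acl(exposed_ips(SIP_PEERS, SIP_REGISTRY, RESOLVE))))
```

The firewall layer and the sip.conf layer are deliberately both present: iptables stops packets before Asterisk parses them, while permit/deny means a leaked trunk password is still useless from any address but the provider's. Whether a registration alone is enough to let inbound calls through depends on the NAT's filtering behaviour and on any SIP ALG in the router, which is exactly the disagreement in this thread; the classification above only tells you which peers rely on that behaviour.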

wardmundy | Nerd Uno | Joined Oct 12, 2007 | Messages 19,201 | Reaction score 5,221
The vitelity-in trunk has a registration string so there should be a persistent connection between your server and Vitelity. Thus, Vitelity knows how to direct inbound calls to your server without opening your firewall.
 

ppmax | Guru | Joined Oct 18, 2007 | Messages 79 | Reaction score 5
Thanks for the replies Joe, Ward.

The vitelity-in trunk has a registration string so there should be a persistent connection between your server and Vitelity. Thus, Vitelity knows how to direct inbound calls to your server without opening your firewall.

Apparently Vitelity isn't doing this, as closing 5060 on my firewall results in failed calls.

in this case, you would have open the SIP ports, and then a little bit of extra protection in your iptables, and in your permit and deny masks would be a good idea.

So this appears to be the case with Vitelity. I'll do a traceroute on their inbound and outbound domains to verify that in/out connections originate from different IPs and will post back.

Since I've never thought of this before, and this is certainly "new" info to me, adding allow/deny from their "outbound" server sounds like a great idea.

I'll post back once I've done the traceroute

pp
 

ppmax | Guru | Joined Oct 18, 2007 | Messages 79 | Reaction score 5
That was easy: just go to Asterisk Info and SIP Info in your FreePBX interface and you'll see connection info:

Code:
vitel-outbound/ppmax 64.2.142.29 N 5060 Unmonitored
vitel-inbound/ppmax 64.2.142.13 N 5060 Unmonitored

If anyone else is using Vitelity and is concerned about the security of their box...read the last few posts! ;)

PP

Lastly: I used a different provider in the past and all traffic was handled through 1 trunk. This sounds like an inherently more secure configuration. Maybe you guys could use your considerable influence to get Vitelity to change to one trunk ;)
 

wardmundy | Nerd Uno | Joined Oct 12, 2007 | Messages 19,201 | Reaction score 5,221
Unmonitored in the Sip Peers listing doesn't mean there's not a persistent connection. Look above in the Sip Registry and you should have a Registered entry for both Vitelity and SIPgate (if you are using them). Both can connect calls to your server with no hole in the firewall... if you have a firewall that is doing what it's supposed to do. :crazy:
 

ppmax | Guru | Joined Oct 18, 2007 | Messages 79 | Reaction score 5
I'll check the SIP Registry--not able to access my intranet here at work...FWIW, I don't use SIPgate.

Unmonitored in the Sip Peers listing doesn't mean there's not a persistent connection.

True--I was just posting that to show that the Vitelity inbound and outbound connections originate from different IPs...so a persistent NAT'd connection via one IP with Vitelity for in/out calls is probably not happening.

I know my firewall/router supports NAT; my SMC Barricade has been a loyal servant for many years. However, it's clear to me now that their config requires me to open 5060 and that I could lock that connection via allow/deny to outbound-vitelity.net

PP
 

ppmax | Guru | Joined Oct 18, 2007 | Messages 79 | Reaction score 5
Vitelity and SIPgate (if you are using them). Both can connect calls to your server with no hole in the firewall

So Ward: does this mean that even though Vitelity says I need distinct in/out trunks I can delete the unauthenticated one (vitel-outbound) and all call routing will go through the vitel-inbound route?

Do you use Vitelity in this way?

Argh--is there a default /etc/sysconfig/iptables file? mine seems to be missing. If anyone could post theirs it would be much appreciated.

thx
PP
 

Bitnetix | Guru | Joined May 21, 2009 | Messages 323 | Reaction score 0
You only need the outbound route to route calls out. You need the register to register with them and accept calls. So if you're just using Vitelity (or others) as an outbound call termination provider, you just need the outbound route specifier.
 

ppmax | Guru | Joined Oct 18, 2007 | Messages 79 | Reaction score 5
Thanks Bitnetix--maybe my question wasn't clear:
Vitelity uses two different servers at different IPs for inbound and outbound traffic. The outbound trunk for me (inbound for Vitelity) requires a registration string, is a persistent connection, and thus gets NAT'd through my firewall...and doesn't require me to open or port forward any traffic.

Because Vitelity outbound traffic (inbound for me) comes from a different host at a different IP vs the Vitelity inbound traffic, I need to open/forward port 5060 to my PBX host to receive SIP traffic and phone calls from outside my subnet.

As this is somewhat undesirable, I was wondering if there was a "seekrit configuration" for Vitelity that allows *all* call traffic to occur through a persistent, NAT'd connection with one Vitelity server, which doesn't require me to open 5060.

A single persistent NAT'd connection with a DID termination provider is ideal because it doesn't require any additional firewalling, iptables, etc.

thx
PP
 

jeffmac | Guru | Joined Jan 16, 2008 | Messages 230 | Reaction score 9
I'm puzzled by your description, because my Vitelity inbound trunk has a registration string and my outbound does not. It works perfectly well that way for me, and has for a couple of years.

Jeff
 

ppmax | Guru | Joined Oct 18, 2007 | Messages 79 | Reaction score 5
I agree it's confusing. The Vitelity trunks are named from their servers perspective.

vitel-inbound requires a registration string. Inbound for Vitelity = "outbound" from my server...which doesn't require an open port.

vitel-outbound does not require a registration string. Outbound for Vitelity = "inbound" to my server...which requires 5060 open because they are initiating the connection.

Anyways, I'm keeping my 5060 open and have locked down my iptables to allow outbound.vitelity.net only on that port. See this thread where I posted my iptables rules:
http://pbxinaflash.com/community/threads/incredible-pbx-iptables-file.7512/?t=7512
 
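Once 5060 is forwarded at all, even with a source restriction like ppmax's, the other thing worth having is a way to notice the REGISTER guessing that turns up in /var/log/asterisk/messages within hours of exposure. The Python below is an added example, not code from ppmax's post, from PIAF or from fail2ban (which automates the same idea as a daemon): it runs the core of such a check over constructed chan_sip log lines, counting failed registrations per source address inside a sliding time window, skipping addresses on an allowlist so a misconfigured phone of your own is never firewalled off, and producing the iptables drop rules for the offenders. The log lines, addresses, threshold and window are constructed for the example; the message format is the Asterisk 1.6/1.8 chan_sip "Registration from ... failed for ..." notice.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, Iterable, List

# Constructed sample in the format chan_sip writes to /var/log/asterisk/messages
# (Asterisk 1.6/1.8). 198.51.100.7 is walking extension numbers, 203.0.113.5
# fails twice, and 192.168.1.50 is a LAN ATA with a stale password.
SAMPLE_LOG = """\
[Feb  5 10:02:11] NOTICE[2345] chan_sip.c: Registration from '"100" <sip:100@192.0.2.10>' failed for '198.51.100.7:5060' - No matching peer found
[Feb  5 10:02:11] NOTICE[2345] chan_sip.c: Registration from '"101" <sip:101@192.0.2.10>' failed for '198.51.100.7:5060' - No matching peer found
[Feb  5 10:02:12] NOTICE[2345] chan_sip.c: Registration from '"102" <sip:102@192.0.2.10>' failed for '198.51.100.7:5060' - No matching peer found
[Feb  5 10:02:12] NOTICE[2345] chan_sip.c: Registration from '"200" <sip:200@192.0.2.10>' failed for '198.51.100.7:5060' - Wrong password
[Feb  5 10:02:13] NOTICE[2345] chan_sip.c: Registration from '"201" <sip:201@192.0.2.10>' failed for '198.51.100.7:5060' - Wrong password
[Feb  5 10:02:40] NOTICE[2345] chan_sip.c: Registration from '"201" <sip:201@192.0.2.10>' failed for '203.0.113.5:5060' - Wrong password
[Feb  5 10:02:55] NOTICE[2345] chan_sip.c: Registration from '"201" <sip:201@192.0.2.10>' failed for '203.0.113.5:5060' - Wrong password
[Feb  5 10:04:00] NOTICE[2345] chan_sip.c: Registration from '"202" <sip:202@192.0.2.10>' failed for '192.168.1.50:5060' - Wrong password
[Feb  5 10:04:01] NOTICE[2345] chan_sip.c: Registration from '"202" <sip:202@192.0.2.10>' failed for '192.168.1.50:5060' - Wrong password
[Feb  5 10:04:02] NOTICE[2345] chan_sip.c: Registration from '"202" <sip:202@192.0.2.10>' failed for '192.168.1.50:5060' - Wrong password
[Feb  5 10:04:03] NOTICE[2345] chan_sip.c: Registration from '"202" <sip:202@192.0.2.10>' failed for '192.168.1.50:5060' - Wrong password
[Feb  5 10:04:04] NOTICE[2345] chan_sip.c: Registration from '"202" <sip:202@192.0.2.10>' failed for '192.168.1.50:5060' - Wrong password
"""

FAIL_RE = re.compile(
    r"^\[(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2})\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '.*?' failed for '(?P<ip>\d+\.\d+\.\d+\.\d+)(?::\d+)?' - (?P<reason>.*)$"
)


def parse_ts(raw: str) -> datetime:
    """Asterisk's syslog-style stamp has no year and pads the day with a space;
    collapse the whitespace and let strptime default the year (fine for windowing)."""
    return datetime.strptime(" ".join(raw.split()), "%b %d %H:%M:%S")


def find_offenders(lines: Iterable[str], threshold: int = 5, window_s: int = 60,
                   allow: Iterable[str] = ()) -> Dict[str, int]:
    """Return {source_ip: peak failures seen inside one window} for every address
    that reached `threshold` failed REGISTERs within `window_s` seconds.
    Addresses inside any `allow` network are skipped entirely."""
    allowed = [ipaddress.ip_network(n) for n in allow]
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    offenders: Dict[str, int] = {}
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            continue  # other log noise
        ip = m.group("ip")
        if any(ipaddress.ip_address(ip) in net for net in allowed):
            continue
        ts = parse_ts(m.group("ts"))
        window = recent[ip]
        window.append(ts)
        # log is time-ordered: expire events that fell out of the sliding window
        while (ts - window[0]).total_seconds() > window_s:
            window.popleft()
        if len(window) >= threshold:
            offenders[ip] = max(offenders.get(ip, 0), len(window))
    return offenders


def block_rules(offenders: Dict[str, int], port: int = 5060) -> List[str]:
    """Drop rules inserted at the head of INPUT so they precede any ACCEPT for 5060."""
    return [f"-I INPUT -s {ip} -p udp --dport {port} -j DROP" for ip in sorted(offenders)]


if __name__ == "__main__":
    hits = find_offenders(SAMPLE_LOG.splitlines(), allow=["192.168.1.0/24"])
    print(hits)
    print("\n".join(block_rules(hits)))
```

The two tunables are the whole game: a window short enough that a scanner walking extensions trips it within seconds, and an allowlist covering your LAN and your provider's hosts so that a wrong password on one of your own devices never blocks the address your trunk depends on. The year-less timestamps mean a window that straddles New Year would misbehave; for a daemon, track the year from the file's modification time.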

wardmundy | Nerd Uno | Joined Oct 12, 2007 | Messages 19,201 | Reaction score 5,221
ppmax: Your router is your problem. The Vitelity setup works fine with NO Internet exposure for those of us using a decent firewall/router. So let's not inject any more confusion into the mix simply to accommodate the quirks of your particular router. :crazy:
 

Milliwatt | New Member | Joined Jan 30, 2010 | Messages 9 | Reaction score 0
2-5-2011, PIAF ver. 1.7.5.5, FreePBX ver. 2.8.0.2, CentOS 5.5, Intel D510MO atom architecture

Warnings about $100,000 unwarranted phone bills are probably justified for large systems, but I'm not sure the warnings apply to smaller SOHO-style systems. The above system contains no FXO cards, 5 FXS ATA remote cards (Grandstream) and is connected to the outside world (two DID trunks, 1 outbound trunk) through one common provider (CallCentric). The calling plan chosen is a per-minute plan where even $100 buys quite a bit of talk time. So I'm trying to figure out if high-security complex passwords are necessary for all devices plus the PBX. If someone hacks into the system and clones a phone or even compromises the CentOS box, what is the worst-case potential result? Can someone explain how I can be ripped off for more than $100 max? What am I missing?
 

atsak | Guru | Joined Sep 7, 2009 | Messages 2,385 | Reaction score 439
What am I missing?

This will sound a little cheeky, but you're missing the point.

The point of having good security is not only to protect your own resources but also to prevent those resources from being used for nefarious purposes. What if one of those idiots running the problem-of-the-moment terrorist group decides to hack your server, then use it to plan the next big thing? What if some DDoS folks hack it to use it for phishing a bank, which is reported to your ISP, and they disconnect your service while you sort it out (which is part of my day job, by the way, and we do it all the time)?

Do you have insurance on your belongings in your house? Do you still lock the door to protect those things when you go out?

So indeed while you might only be out $100, there's lots of other scary stuff out on the net. Being a responsible netizen means trying your very best to keep things protected (which is one of the reasons I chose PBX in a flash for the installs I have to do, by the way).
 

blanchae | Guru | Joined Mar 12, 2008 | Messages 1,910 | Reaction score 9
What if someone hacks your box and then starts using it to distribute child pornography or spam mail? Your service provider can disconnect or block your service until it is cleared up. Look at it from this point of view: you are guilty until proven innocent.
 

randy7376 | Active User | Joined Sep 29, 2010 | Messages 865 | Reaction score 144
Wireless router hijacked for child pornography

I was just reading this earlier in the week and seeing this thread reminded me of it. It's a good example of what can happen when you're not paying attention to security - at all levels.

Fortunately, for the gentleman in this news story, it worked out. You might not be so lucky.

http://www.heraldtribune.com/article/20110131/ARTICLE/101311038

Lastly, go get yourself a copy of 2600 Magazine if you want to know more about what you're potentially up against.
 

Milliwatt | New Member | Joined Jan 30, 2010 | Messages 9 | Reaction score 0
Thanks for the replies -

I want to thank everyone who took time to respond. For those who are interested, 8 years ago I was doing minor business with the Russian Business Network based in Moscow (I live in Colorado). The box I was using at the time was a Windoze box and it survived just fine. My only casualty was a stolen credit card number. Since then I've only had one box out of six compromised. Again a Windoze box with a weak/no password. I've never had a Debian-based Linux box compromised (running four of them), but I now may be a bigger target with the Asterisk box?

My major concerns today are ISPs and major carriers that also offer telephone service. It appears to me they could easily play games with port blocking to frustrate VOIP users. The ISP I use also sells single line phone service using a simple Cisco box installed on the WAN side of the router. I don't believe they have a clue, at this point, there is a full functioning Asterisk system behind the router that I own.

My other concern is Denial Of Service attacks. The last report I saw showed an incredible number of Windoze infected boxes with Zombie Trojans. A large percentage of these are reported to exist inside the U.S. and inside corporate networks.

Thanks again for your replies :wink5:
 
