Summary: ASTERISK-13828: Asterisk allowed access by anonymous SIP user
Reporter: David O Reilly (trendboy)
Date Opened: 2009-03-25 10:09:54
Date Closed: 2011-06-07 14:00:18
Description: I am not sure how to go about investigating this, and I hope it is appropriate for bug reports, but last night my system was hacked, yet I thought I had a very hard system.
I have a feeling it was because I submitted a bug that got fixed, but in the process I gave out my system config settings, namely iax.conf, which showed the string I used in my extensions.ael to dial out.
Somebody managed to log in without a username and password, from what I can make out, and place calls on the IAX channel. Thankfully I had no credit with my VoIP out provider, so it didn't cost me money. But in the meantime I have had to completely lock down my system to only accept connections from my home IP, as set by my firewall.
Please let me know what details you will need from me and I will gladly provide them; however, I will need to be very careful about posting settings. I've renamed everything with SHA1 passwords and am using Irish-language names for channels etc. to make it extremely hard to guess.
My guess is that somebody managed to gain access with SIP and then sent hundreds of calls through the out channel, through some kind of dialer script, to numbers in Eastern Europe. I have of course reported this to the ISP of the offending IP, but of course that must have been a hopping station only, so hopefully they will search their logs and trace it back to the source.
Here are two lines from the CDR:
2009-03-24 16:47:14 "asterisk" <asterisk> asterisk 0037322483581 default SIP/220.127.116.11-09da9128 IAX2/out-1497 Dial iax2/out/0037322483581 8 6 ANSWERED 3 1237913234.1077
2009-03-24 16:47:15 "Unknown" <Unknown> Unknown 00380449536745 default SIP/18.104.22.168-09da5230 IAX2/out-516 Dial iax2/out/00380449536745 8 7 ANSWERED 3 1237913235.1081
It is amazing that anybody was able to get through with UNKNOWN as the clid and src field.
A "much changed" snippet from sip.conf
Then my settings for sip which I really want to leave out unless I really have to add them.
If this is a bug, then it means everybody with an asterisk 22.214.171.124 is in big trouble!!! :( Setting up a firewall to only let specified hosts connect is not a long-term solution at all, as you can imagine.
Thanks a million in advance!! And please let me know if you need anything to help work through this.
I can't try it in a later RC version, as I have no idea how this person managed to hack in in the first place :(
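The two CDR records quoted above share a pattern worth turning into a check: the SIP channel is named by an IP address rather than a peer name, src is "asterisk" or "Unknown", and the call was still Dial()ed out through the IAX2 trunk. As an added example that is not part of this report, the following Python script runs that check over a constructed CDR excerpt laid out in the same column order as those two records (CSV, RFC 5737 addresses, made-up uniqueids). The column list and the trunk name "out" are assumptions read off the quoted records.

```python
import csv
import io
import re
from collections import Counter

# Column order follows the two records quoted in the report; the rows below are
# constructed for this example (RFC 5737 addresses), not the reporter's CDR table.
COLUMNS = ["calldate", "clid", "src", "dst", "dcontext", "channel", "dstchannel",
           "lastapp", "lastdata", "duration", "billsec", "disposition", "amaflags",
           "uniqueid"]

SAMPLE_CDR = '''\
2009-03-24 16:47:14,"""asterisk"" <asterisk>",asterisk,0037322483581,default,SIP/203.0.113.7-09da9128,IAX2/out-1497,Dial,iax2/out/0037322483581,8,6,ANSWERED,3,1237913234.1077
2009-03-24 16:47:15,"""Unknown"" <Unknown>",Unknown,00380449536745,default,SIP/203.0.113.7-09da5230,IAX2/out-516,Dial,iax2/out/00380449536745,8,7,ANSWERED,3,1237913235.1081
2009-03-24 16:47:16,"""Unknown"" <Unknown>",Unknown,00380449536746,default,SIP/203.0.113.7-09da5231,IAX2/out-517,Dial,iax2/out/00380449536746,2,0,NO ANSWER,3,1237913236.1082
2009-03-24 17:02:03,"""Dave"" <700>",700,0035312345678,internal,SIP/700-088b37c8,IAX2/out-12,Dial,iax2/out/0035312345678,95,90,ANSWERED,3,1237914123.1100
2009-03-24 17:10:44,"""Unknown"" <Unknown>",Unknown,500,default,SIP/198.51.100.5-0a1b2c3d,SIP/500-0a1b2c4e,Dial,SIP/500,40,35,ANSWERED,3,1237914644.1110
'''

# A SIP channel named "SIP/<ip>-<hex>" has no matching peer: in the quoted
# records that is what the guest calls look like.
IP_CHANNEL = re.compile(r"^SIP/(\d{1,3}(?:\.\d{1,3}){3})-")
# Dial() argument of the form technology/trunk/number, e.g. iax2/out/0037...
TRUNK_DIAL = re.compile(r"^(IAX2|SIP)/([^/]+)/(.+)$", re.IGNORECASE)


def parse_cdr(text):
    """Turn the CSV excerpt into one dict per record, keyed by COLUMNS."""
    return [dict(zip(COLUMNS, row)) for row in csv.reader(io.StringIO(text)) if row]


def classify(rec, trunks=("out",)):
    """Return a finding for a guest (IP-named) SIP channel that was dialled out
    through one of the named trunks, or None for anything else."""
    m = IP_CHANNEL.match(rec["channel"])
    if not m:
        return None  # channel carries a peer name: an authenticated user
    if rec["lastapp"].lower() != "dial":
        return None
    d = TRUNK_DIAL.match(rec["lastdata"])
    if not d or d.group(2).lower() not in trunks:
        return None  # guest reached a local extension (e.g. SIP/500), not a trunk
    return {"ip": m.group(1), "src": rec["src"], "dst": rec["dst"],
            "trunk": d.group(2), "disposition": rec["disposition"],
            "uniqueid": rec["uniqueid"]}


def scan(text, trunks=("out",)):
    """All findings in a CDR excerpt, in record order."""
    return [f for f in (classify(r, trunks) for r in parse_cdr(text)) if f]


def per_source(findings):
    """Count flagged calls per source IP, to spot a dialer burst from one host."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    hits = scan(SAMPLE_CDR)
    for h in hits:
        print("guest trunk call", h)
    print("per source IP:", dict(per_source(hits)))
```

The legitimate trunk call from SIP/700 and the guest call that only reached local extension 500 are left alone; the three calls from 203.0.113.7 through iax2/out are flagged. The same two regexes can be applied to a MySQL CDR table query or to Master.csv once the column list is adjusted.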
Comments:
By: David O Reilly (trendboy) 2009-03-25 10:45:04
Let me know if you need anything from my system, tilghman, and thanks for taking the case in advance.
One thing I did notice is that I have some of the default config files from the installation. I have a users.conf file, a file I have never used before, and it may be possible that the default sample config could have caused this, perhaps?
; Full name of a user
fullname = New User
; Starting point of allocation of extensions
userbase = 6000
; Create voicemail mailbox and use macro-stdexten
hasvoicemail = yes
; Set voicemail mailbox 6000 password to 1234
vmsecret = 1234
; Create SIP Peer
hassip = yes
I am commenting out those lines now.
By: Tilghman Lesher (tilghman) 2009-03-25 12:06:40
No, users.conf is not the cause. In the default configuration, it only sets up settings that would be used as defaults, had you added additional sections.
More likely is that somebody cracked one or more of your SIP accounts, by running through possible usernames and then running password retries against valid usernames. Are any of your SIP passwords all-numeric, by chance?
By: David O Reilly (trendboy) 2009-03-25 18:28:40
That would sound likely, alright, but on this system it is very unlikely, as I created the passwords like kd9Xie7J2. The usernames were 500, 600 and 700.
But would I be right in thinking that, if somebody cracked it, their SRC in the MySQL CDR records would be their SIP account, so, say, SIP/700-088b37c8, like it is when we call for real? It was so strange to see "UNKNOWN" and "Asterisk" as the source.
Is it possible that there is some sort of "general" account that they could use to login without a password? Another idea came to mind that maybe they came in on the back of a SIP or IAX2 channel, for example:
I can't imagine how this would happen but it is a mystery as to why it happened at all and worse yet could happen again.
By: David O Reilly (trendboy) 2009-03-25 18:30:29
Another example in my IAX.conf is:
Is it possible that somebody could come in as that claiming to be iax.blueface.ie? I have no passwords there.
By: David O Reilly (trendboy) 2009-03-25 18:57:18
Another point on that, legit calls that come in get this in the log:
-- Accepting UNAUTHENTICATED call from 126.96.36.199:
> requested format = ulaw,
> requested prefs = (),
> actual format = g729,
> host prefs = (g729),
> priority = mine
So I am guessing that it is possible that somebody could use this to go in on the back of this, seeing it is coming up as UNAUTHENTICATED.
By: Tilghman Lesher (tilghman) 2009-03-26 11:10:39
Do you have allowguest=no in the [general] section of sip.conf? (The default is to allow guest access.)
By: David O Reilly (trendboy) 2009-03-26 13:35:21
Yikes!!! I never ever came across that Tilghman.
Could I log a feature request of some sort to have that changed in future releases to allowguest=no as the default?
I will write an article about it on voip-info.org to warn people, as I am nearly 100% sure that would have been it!! I have added the no directive now.
Is it the same for iax.conf?
I still have debug mode on asterisk to hopefully catch any hacking attempts on it so hopefully that new directive will have sorted it.
By: David O Reilly (trendboy) 2009-03-26 13:36:54
Just in the interest of investigation what username and password is the guest account on sip.conf?
By: Tilghman Lesher (tilghman) 2009-03-26 15:01:02
The guest account, by definition, has no username and no password. The idea is to allow anybody to be able to contact you, simply by entering your SIP URI, with no prior knowledge. The typical method of securing same is setting the default context in the [general] section of sip.conf to a context which is meant for this purpose and setting authenticated users to a completely different context, which affords them additional privileges (such as calling out).
The reason I did not suggest this at first is because you had stated that you thought that your configuration was secure, so I figured that you must have already worked to isolate (or disable) the sip guest account.
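The fix described in the last two comments has two halves: allowguest=no in [general], and a [general] context for anonymous callers that is separate from the context authenticated users get. As an added example, not part of this thread or of Asterisk itself, the following Python audit parses a sip.conf and an extensions.conf and reports whether guest access is effective (allowguest unset is treated as yes, per the comment above) and whether the context guests land in, following include => lines, contains a pattern extension that calls Dial(). The embedded weak and hardened configs are constructed; they use extensions.conf syntax rather than the reporter's extensions.ael; the "default" fallback context, the last-value-wins rule and the list of truthy values are assumptions about Asterisk's defaults, not taken from this page.

```python
import re
from collections import defaultdict

# Constructed configs modelled on the thread (not the reporter's real files).
WEAK_SIP = """
[general]
; allowguest is not set, so the compiled-in default (yes) applies
context=default
[700]
type=friend
secret=REDACTED
context=internal
"""

WEAK_EXT = """
[default]
; one catch-all context for everyone, guests included
exten => _00X.,1,Dial(IAX2/out/${EXTEN})
exten => 500,1,Dial(SIP/500)
"""

HARDENED_SIP = """
[general]
allowguest=no
context=public      ; anonymous callers (if ever re-enabled) land here
[700]
type=friend
secret=REDACTED
context=internal
"""

HARDENED_EXT = """
[public]
; inbound-only: reach local extensions, nothing else
exten => 500,1,Dial(SIP/500)
[internal]
include => public
exten => _00X.,1,Dial(IAX2/out/${EXTEN})
"""

# A pattern extension (leading underscore) whose first priority is Dial(): the
# caller chooses the number, so it is the shape of an outbound route.
PATTERN_DIAL = re.compile(r"^(_[^,]+),[^,]+,Dial\(", re.IGNORECASE)


def parse_asterisk_conf(text):
    """Minimal parser for Asterisk's ini-like files: [sections], 'key=value' or
    'key => value' lines, ';' comments. Values are kept as an ordered list per
    section because exten/include keys legitimately repeat."""
    sections = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"\[([^\]]+)\]", line)
        if m:
            current = m.group(1)
            sections[current]  # register the section even if it stays empty
            continue
        m = re.match(r"([^=]+?)\s*=>?\s*(.*)", line)
        if m and current is not None:
            sections[current].append((m.group(1).strip(), m.group(2).strip()))
    return sections


def general_setting(sip, key, default):
    """Effective [general] value: last occurrence wins (assumed Asterisk rule),
    falling back to the supplied compiled-in default."""
    value = default
    for k, v in sip.get("general", []):
        if k.lower() == key:
            value = v
    return value


def truthy(value):
    # Assumed to mirror Asterisk's ast_true(): yes/true/on/1 (and y/t).
    return value.strip().lower() in ("yes", "true", "on", "1", "y", "t")


def reachable_contexts(ext, start):
    """Contexts reachable from `start` by following include => lines."""
    seen, stack = set(), [start]
    while stack:
        ctx = stack.pop()
        if ctx in seen:
            continue
        seen.add(ctx)
        stack.extend(v for k, v in ext.get(ctx, []) if k.lower() == "include")
    return seen


def pattern_dials(ext, contexts):
    """(context, pattern) pairs that Dial() from any of the given contexts."""
    hits = []
    for ctx in sorted(contexts):
        for k, v in ext.get(ctx, []):
            if k.lower() == "exten":
                m = PATTERN_DIAL.match(v)
                if m:
                    hits.append((ctx, m.group(1)))
    return hits


def audit(sip_text, ext_text):
    sip = parse_asterisk_conf(sip_text)
    ext = parse_asterisk_conf(ext_text)
    allowguest = truthy(general_setting(sip, "allowguest", "yes"))  # default yes
    guest_ctx = general_setting(sip, "context", "default")          # default "default"
    reachable = reachable_contexts(ext, guest_ctx)
    dials = pattern_dials(ext, reachable)
    return {
        "allowguest": allowguest,
        "guest_context": guest_ctx,
        "guest_reachable_contexts": sorted(reachable),
        "guest_can_dial_patterns": dials,
        # exposed: anonymous callers are accepted AND can reach an outbound route
        "exposed": allowguest and bool(dials),
    }


if __name__ == "__main__":
    for name, sip, ext in (("weak", WEAK_SIP, WEAK_EXT),
                           ("hardened", HARDENED_SIP, HARDENED_EXT)):
        print(name, audit(sip, ext))
```

Running it on the weak pair reports guests allowed, landing in [default], with the _00X. route to IAX2/out reachable; the hardened pair reports guests refused and a [public] context with no pattern route even if allowguest were switched back on. Treating a non-empty guest_can_dial_patterns as a finding on its own, regardless of allowguest, catches the second half of the fix being forgotten.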