[Asterisk-bsd] Securing Asterisk with a DID

Frank Griffith glassdude45 at yahoo.com
Mon Aug 30 09:10:26 CDT 2010


Thanks again. I really appreciate any advice that can help me identify how they 
gained access. I don't think it's a process of them gaining access through my 
DID. I enabled the full logging in logger.conf and a few things popped up in the 
full log which show me a few things. I have limited knowledge about all this so 
I could use more input on what this means. But apparently they did something to 
gain access by trying to register several IP addresses at once.

[Aug 29 23:11:51] NOTICE[92568] chan_sip.c: Registration from 
'"94.23.222.75:5060.....85.31.178.110.....203.174.41.18....190.10.27.80"<sip:100 at 98.242.233.74>'
 failed for '188.161.221.100' - No matching peer found
[Aug 30 00:37:40] NOTICE[92568] chan_sip.c: Registration from '85.43.196.74 ... 
87.236.186.110...202.43.190.195..202.43.190.195..203.215.155.38<sip:100 at 98.242.233.74>'
 failed for '109.253.85.228' - No matching peer found
[Aug 30 00:37:40] NOTICE[92568] chan_sip.c: Registration from '85.43.196.74 ... 
87.236.186.110...202.43.190.195..202.43.190.195..203.215.155.38<sip:100 at 98.242.233.74>'
 failed for '109.253.85.228' - No matching peer found

NOTICE HERE THE LOGIN FOR EXT #100 FAILS BECAUSE THERE IS NO EXT #100
BUT ONLY 5 SECONDS LATER THEY WERE IN AND DIALING A CALL
IP ADDRESS 109.253.85.228 ORIGINATES IN ISRAEL

[Aug 30 00:37:55] VERBOSE[92568] logger.c:     -- Executing 
[011972599544327 at default:1] Set("SIP/98.242.233.74-00000004", 
"CALLERID(all)=xxxxxxxxxxx") in new stack
[Aug 30 00:37:55] VERBOSE[92568] logger.c:     -- Executing 
[011972599544327 at default:2] Dial("SIP/98.242.233.74-00000004", 
"SIP/xxx/011972599544327,,wWFotThH") in new stack
[Aug 30 00:37:55] VERBOSE[92568] logger.c:     -- Called xxx/011972599544327
[Aug 30 00:37:56] VERBOSE[92568] logger.c:     -- SIP/xxx-00000005 is making 
progress passing it to SIP/98.242.233.74-00000004
[Aug 30 00:37:58] VERBOSE[92568] logger.c:     -- Got SIP response 402 "Zero 
balance" back from 204.74.213.5
[Aug 30 00:37:58] VERBOSE[92568] logger.c:     -- No one is available to answer 
at this time (1:0/0/0)
[Aug 30 00:37:58] VERBOSE[92568] logger.c:     -- Executing 
[011972599544327 at default:3] PlayTones("SIP/98.242.233.74-00000004", 
"congestion") in new stack
[Aug 30 00:37:58] VERBOSE[92568] logger.c:     -- Executing 
[011972599544327 at default:4] Hangup("SIP/98.242.233.74-00000004", "") in new 
stack
[Aug 30 00:37:58] VERBOSE[92568] logger.c:   == Spawn extension (default, 
011972599544327, 4) exited non-zero on 'SIP/98.242.233.74-00000004'
[Aug 30 00:38:00] NOTICE[92568] chan_sip.c: Registration from '85.43.196.74 ... 
87.236.186.110...202.43.190.195..202.43.190.195..203.215.155.38<sip:100 at 98.242.233.74>'
 failed for '109.253.85.228' - No matching peer found
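As an added example (not part of either message in this thread), here is a small Python script that runs over log lines in the shape of the full-log excerpt above and ties together the two things noticed there: registration attempts that fail with "No matching peer found", and a Dial executed in the default context shortly afterwards. The sample lines are constructed, using RFC 5737 documentation addresses, and the "guest channel" check (a chan_sip channel named after an IP address rather than a peer name) is a heuristic I am adding, not something the log itself states.

```python
import re
from datetime import datetime
from collections import Counter

# Constructed sample in the shape of the Asterisk "full" log quoted above.
# Addresses are RFC 5737 documentation ranges; numbers are made up.
SAMPLE_LOG = """\
[Aug 30 00:37:40] NOTICE[92568] chan_sip.c: Registration from '192.0.2.44<sip:100@198.51.100.10>' failed for '203.0.113.5' - No matching peer found
[Aug 30 00:37:40] NOTICE[92568] chan_sip.c: Registration from '192.0.2.44<sip:100@198.51.100.10>' failed for '203.0.113.5' - No matching peer found
[Aug 30 00:37:55] VERBOSE[92568] logger.c:     -- Executing [011972599544327@default:2] Dial("SIP/198.51.100.10-00000004", "SIP/trunk/011972599544327,,wWFotThH") in new stack
[Aug 30 00:38:00] NOTICE[92568] chan_sip.c: Registration from '192.0.2.44<sip:100@198.51.100.10>' failed for '203.0.113.5' - No matching peer found
[Aug 30 00:40:12] VERBOSE[92568] logger.c:     -- Executing [5551234@my_context:1] Dial("SIP/201-00000007", "SIP/trunk/5551234,,T") in new stack
"""

# A REGISTER that matched no configured peer (the NOTICE lines in the post).
REG_FAIL = re.compile(
    r"^\[(?P<ts>[^\]]+)\] NOTICE\[\d+\] chan_sip\.c: Registration from '.*?' "
    r"failed for '(?P<ip>[\d.]+)' - No matching peer found"
)
# The dialplan executing Dial() for some extension in some context.
EXEC_DIAL = re.compile(
    r"^\[(?P<ts>[^\]]+)\] VERBOSE\[\d+\] logger\.c:\s+-- Executing "
    r"\[(?P<exten>[^@\]]+)@(?P<ctx>[^:\]]+):\d+\] "
    r"Dial\(\"(?P<chan>[^\"]+)\", \"(?P<dst>[^\"]+)\""
)
# Heuristic (assumption): chan_sip names a channel after the matched peer;
# a channel named after a bare IP address suggests an unauthenticated caller.
GUEST_CHAN = re.compile(r"^SIP/\d{1,3}(?:\.\d{1,3}){3}-")


def parse_timestamp(ts):
    # The full log carries no year; strptime fills in 1900, fine for deltas.
    return datetime.strptime(ts, "%b %d %H:%M:%S")


def analyze(log_text, window_seconds=60):
    """Count failed registrations per source IP and flag every Dial run in
    the 'default' context, noting how many registration failures preceded it
    within window_seconds."""
    failures = Counter()
    failure_times = []
    findings = []
    for line in log_text.splitlines():
        m = REG_FAIL.match(line)
        if m:
            failures[m.group("ip")] += 1
            failure_times.append(parse_timestamp(m.group("ts")))
            continue
        m = EXEC_DIAL.match(line)
        if not m or m.group("ctx") != "default":
            continue
        when = parse_timestamp(m.group("ts"))
        recent = [t for t in failure_times
                  if 0 <= (when - t).total_seconds() <= window_seconds]
        findings.append({
            "time": m.group("ts"),
            "exten": m.group("exten"),
            "channel": m.group("chan"),
            "destination": m.group("dst"),
            "guest_channel": bool(GUEST_CHAN.match(m.group("chan"))),
            "recent_failed_registrations": len(recent),
        })
    return {"failed_registrations": dict(failures),
            "default_context_dials": findings}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for ip, n in report["failed_registrations"].items():
        print(f"{n} failed registrations from {ip}")
    for f in report["default_context_dials"]:
        print(f"[{f['time']}] Dial in default context to {f['destination']} "
              f"on {f['channel']} (guest channel: {f['guest_channel']}, "
              f"{f['recent_failed_registrations']} registration failures "
              f"in the preceding minute)")
```

The point of pairing the two patterns is that failed registrations on their own are background noise on any Internet-facing SIP port; a Dial from the default context is the event that actually costs money, and the registration failures just before it tell you the caller never authenticated. Run it against the real full log (`python analyze.py < /var/log/asterisk/full` after swapping SAMPLE_LOG for stdin) and the dial entry for `011972599544327` on a channel named after the server's own IP is what should stand out.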




________________________________
From: Vahan Yerkanian <vahan at arminco.com>
To: Asterisk on BSD discussion <asterisk-bsd at lists.digium.com>
Sent: Mon, August 30, 2010 9:42:35 AM
Subject: Re: [Asterisk-bsd] Securing Asterisk with a DID

  On 8/30/10 4:34 PM, Frank Griffith wrote:
> Executing [011972599544327 at default:1]
This is perhaps one of the worst things you can ever do with Asterisk - 
putting toll access into the default context. Never put anything you 
don't want to be accessible to unauthenticated guests there.

Your Asterisk server with that config is an open gateway, and anyone can 
dial through it if they try to dial SIP/011something at your_ip.

Solution: move everything out of the default context in extensions.conf 
or .ael, leaving it empty, and place all the extensions instead in a 
different context.

Assign your devices and/or DID accounts to that context so the 
extensions are still available to them, e.g.

[myDIDprovider]
type=user
host=ipaddr_or_hostname
context=my_context
disallow=all
allow=whatever_codec(s)
qualify=yes

[201] ; a sip account
type=friend
host=dynamic
secret=verysecretandlonghash
context=my_context
disallow=all
allow=whatever_codec(s)
qualify=yes

These are rough examples, but should be enough for the start. Yeah, and 
make sure you have alwaysauthreject=yes in sip.conf

Hope this helps,
Vahan
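To make the advice above concrete, here is an added example (mine, not Vahan's or the Asterisk project's) that puts a weak sip.conf/extensions.conf pair next to a hardened one and audits both for the three problems named in the reply: toll calls reachable from the `default` context, peers or DID accounts that land in `default`, and `alwaysauthreject` not set to `yes`. The configs are constructed for the example; `allowguest=no` is a real chan_sip option that the reply does not mention, and the trunk and peer names are placeholders.

```python
import re

# Constructed "before" configuration: the shape of the setup the thread
# describes. Toll dialing lives in [default], which unauthenticated SIP
# callers reach, and the trunk has no context of its own.
WEAK_SIP_CONF = """
[general]
context=default

[mytrunk]            ; placeholder trunk name
type=peer
host=sip.example.net
"""
WEAK_EXTENSIONS = """
[default]
exten => _011.,1,Set(CALLERID(all)=5551234)
exten => _011.,n,Dial(SIP/mytrunk/${EXTEN},,wWFotThH)
"""

# Constructed "after" configuration following the reply: [default] is left
# empty, every account is assigned to my_context, alwaysauthreject=yes.
HARDENED_SIP_CONF = """
[general]
context=default          ; unknown callers land here and find nothing
alwaysauthreject=yes     ; from the reply above
allowguest=no            ; real chan_sip option, not mentioned in the reply

[mytrunk]
type=peer
host=sip.example.net
context=my_context

[myDIDprovider]
type=user
host=did.example.net
context=my_context

[201]                    ; a sip account
type=friend
host=dynamic
secret=CHANGE_ME_TO_A_LONG_RANDOM_SECRET
context=my_context
"""
HARDENED_EXTENSIONS = """
[default]
; intentionally empty

[my_context]
exten => _011.,1,Set(CALLERID(all)=5551234)
exten => _011.,n,Dial(SIP/mytrunk/${EXTEN},,wWFotThH)
exten => 201,1,Dial(SIP/201)
"""

# "<exten>,<priority>,Dial(" at the start of an exten => value.
DIAL_RE = re.compile(r"^[^,]+,\s*[^,]+\s*,\s*Dial\(", re.IGNORECASE)


def parse_asterisk_conf(text):
    """Minimal parser for Asterisk's [section] / key=value / key => value
    files with ';' comments. Returns {section: [(key, value), ...]}."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
            continue
        if current is None:
            continue
        sep = "=>" if "=>" in line else "="
        if sep not in line:
            continue
        key, val = line.split(sep, 1)
        sections[current].append((key.strip(), val.strip()))
    return sections


def audit(sip_conf, extensions_conf):
    """Return a list of findings; an empty list means none of the three
    problems from the reply were found."""
    findings = []
    sip = parse_asterisk_conf(sip_conf)
    exts = parse_asterisk_conf(extensions_conf)
    general = dict(sip.get("general", []))
    if general.get("alwaysauthreject", "no").lower() != "yes":
        findings.append("sip.conf [general]: alwaysauthreject is not 'yes'")
    # A peer with no context of its own inherits [general] context, which
    # itself defaults to 'default'.
    fallback_ctx = general.get("context", "default")
    for name, entries in sip.items():
        d = dict(entries)
        if name != "general" and d.get("type") in ("user", "peer", "friend"):
            if d.get("context", fallback_ctx) == "default":
                findings.append(f"sip.conf [{name}]: calls land in the 'default' context")
    for key, val in exts.get("default", []):
        if key == "exten" and DIAL_RE.match(val):
            findings.append(f"extensions.conf [default]: '{val}' is dialable by unauthenticated callers")
    return findings


if __name__ == "__main__":
    for label, s, e in (("weak", WEAK_SIP_CONF, WEAK_EXTENSIONS),
                        ("hardened", HARDENED_SIP_CONF, HARDENED_EXTENSIONS)):
        print(f"{label}: {audit(s, e) or ['no findings']}")
```

The parser is deliberately small (no templates, no `#include`), so on a real installation point it at the flattened output of `sip show settings` and `dialplan show default` rather than trusting it to understand every file; the useful property is that an empty `[default]` and a context on every account make the audit come back clean, while either omission shows up by name.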

