[asterisk-users] Attempted break in ?

Alec Davis sivad.a at paradise.net.nz
Mon Jan 11 12:54:11 CST 2010


If you don't want guests using your Asterisk box, make sure sip.conf has
'allowguest=no'; by default it's 'yes' when commented out.

If you do want guests, make sure the default context cannot dial out; this
allows you to publish your IP address and allow anyone to dial you, as one
scenario.

Refer to https://issues.asterisk.org/view.php?id=15101; Tilghman published a
patch that might also highlight other areas that are vulnerable.

Alec Davis


-----Original Message-----
From: asterisk-users-bounces at lists.digium.com
[mailto:asterisk-users-bounces at lists.digium.com] On Behalf Of --[ UxBoD ]--
Sent: Tuesday, 12 January 2010 2:26 a.m.
To: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: Re: [asterisk-users] Attempted break in ?

----- "Robert Lister" <robl at lentil.org> wrote:

| On Mon, 2010-01-11 at 10:45 +0000, --[ UxBoD ]-- wrote:
| > Hi,
| > 
| > I am starting to see a lot of these:
| > 
| > [Jan 10 01:18:56] NOTICE[5627] chan_sip.c: Call from '' to extension
| '33155786056' rejected because extension not found.
| > [Jan 10 01:52:47] NOTICE[5627] chan_sip.c: Call from '' to extension
| '033155786056' rejected because extension not found.
| > [Jan 10 02:26:36] NOTICE[5627] chan_sip.c: Call from '' to extension
| '0#33155786056' rejected because extension not found.
| 
| Yes, looks like it. Make sure that your sip.conf "context=" default 
| context points to a context that cannot make external calls.
| 
| (Or, if your asterisk box does not need to accept connections from 
| anyone externally then restrict what can connect to it with firewall 
| rules or an access-list.)
| 
| Although I had locked down the SIP config already, I was almost caught 
| out recently by one of these attackers, where somebody was trying to 
| make calls over *H323* as that ALSO has a 'default' context similar to 
| sip.conf (although the calls did not succeed because before an 
| outbound call is placed, we check the caller ID is within an expected 
| range, in order to set the correct outbound CLI, but were that check 
| not in place, then it probably would have succeeded.)
|  
| H323 seemed to be enabled by default, so I just disabled the H.323 
| module as we do not use it.
| 
| 
| Rob
| 
| 
| 
| 
| --
| _____________________________________________________________________
| -- Bandwidth and Colocation Provided by http://www.api-digital.com --
| 
| asterisk-users mailing list
| To UNSUBSCRIBE or update options visit:
|    http://lists.digium.com/mailman/listinfo/asterisk-users

Naughty people ;) yeah inbound SIP context is locked down.

--
Thanks - Phil
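
The two checks recommended in this thread (allowguest, and a default context that cannot dial out), written as an added example that is not part of the original messages. The sample configs are constructed, the context names and `SIP/provider` are hypothetical, and the fallback context name `default` is chan_sip's built-in default.

```python
import re

# Constructed sample configs; context names and SIP/provider are hypothetical.
SIP_CONF = """\
[general]
;allowguest=no   ; commented out, so the default (yes) applies
context=from-guest
"""
EXTENSIONS_CONF = """\
[from-guest]
exten => 100,1,Answer()
include => outbound
[outbound]
exten => _0.,1,Dial(SIP/provider/${EXTEN:1})
"""
FALSE_VALUES = {"no", "false", "n", "f", "0", "off"}

def parse_sections(text):
    """Map each [section] to its lines, with ';' comments and blanks removed."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        header = re.match(r"\[([^\]]+)\]", line)
        if header:
            current = sections.setdefault(header.group(1), [])
        elif line and current is not None:
            current.append(line)
    return sections

def guest_settings(sip_text):
    """Return (guests_allowed, guest_context) from [general], applying defaults."""
    general = parse_sections(sip_text).get("general", [])
    opts = {k.strip().lower(): v.strip()
            for k, v in (l.split("=", 1) for l in general if "=" in l)}
    allowed = opts.get("allowguest", "yes").lower() not in FALSE_VALUES
    return allowed, opts.get("context", "default")

def audit(sip_text, ext_text):
    """List (context, line) for every Dial() reachable by unauthenticated callers."""
    allowed, start = guest_settings(sip_text)
    sections, seen, stack, hits = parse_sections(ext_text), set(), [start], []
    while allowed and stack:
        ctx = stack.pop()
        if ctx in seen:
            continue
        seen.add(ctx)
        for line in sections.get(ctx, []):
            inc = re.match(r"include\s*=>\s*([^,|\s]+)", line)
            if inc:
                stack.append(inc.group(1))   # included contexts are reachable too
            elif re.search(r"\bDial\(", line, re.I):
                hits.append((ctx, line))
    return hits
```

An empty result means either guests are disabled or no Dial() is reachable from the guest context; any hit is a line to review by hand.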
