[asterisk-users] Unregistered users can pass calls, peer being static

Olle E. Johansson oej at edvina.net
Wed Jan 27 06:38:46 CST 2010


On 27 Jan 2010 at 11:47, Administrator TOOTAI wrote:

> Hi,
> 
> we had an attack on a server and we don't understand how it was 
> possible. Asterisk 1.4.28/Debian Lenny 5.1. Attacker came from PALTEL, 
> network 188.161.128.0/18
> 
> Hacked account had following setup:
> 
> [111]
> type=friend
> username=111
> context=from-111
> host=11.22.33.44
> dtmfmode=auto
> qualify=yes
> nat=yes
> canreinvite=no
> defaultip=11.22.33.44
> port=35060
> disallow=all
> allow=ulaw,alaw
> call-limit=2
> 
> Despite this, I saw in my logs that someone hacked this account and 
> could place calls! In the logs we have:
> 
> [Jan 27 04:00:13] ERROR[29715] chan_sip.c: Peer '111' is trying to 
> register, but not configured as host=dynamic
> [Jan 27 04:00:13] NOTICE[29715] chan_sip.c: Registration from 
> '<sip:111 at ourAsteriskIP>' failed for '188.161.152.245' - Peer is not 
> supposed to register
> [Jan 27 04:00:18] VERBOSE[30669] logger.c:     -- Executing 
> [972599400749 at from-111:1] NoOp("SIP/111-000016eb", "Incoming call from 
> AAAA") in new stack
> 
> As you see, 111 could place a call even without having registered, which he 
> is not supposed to be able to do.
> 
> How is this possible?
Registration is a mechanism to tell the server where a phone can be reached when the phone wants to call it, thus registrations are only required for outbound calls. Inbound calls are not affected by registrations.

type=friend creates two objects in your asterisk server, one peer and one user. Asterisk primarily matches the user objects for incoming calls on the From: username. In this case, you have 111 as the username (regardless of the "username" field, which is not the username btw). You have no secret defined, so anyone placing a call from a URI that has 111 as the username part will be able to use your server. Calling from sip:111 at asterisk.org as well as sip:111 at mydomain.com will work without authentication - from any IP address out there. Very poor security indeed.

1) Add a secret.
2) Add ACL rules (permit/deny) to restrict IP address access
3) Change to type=peer and we'll only match on IP for incoming calls. I still recommend using authentication.

There has been a lot of information about how to secure your Asterisk on asterisk.org, this mailing list and in other forums. Make sure you read this and act upon it!

Regards,
/Olle
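Added example, not part of the thread: a small Python audit that reads a sip.conf and flags entries matching the weakness Olle describes (type=friend/user without a secret, no permit/deny ACL, type=friend on a static host). The sample configuration is constructed from the quoted entry plus a hardened variant following Olle's three recommendations; it assumes a plain key=value sip.conf without #include or template syntax.

```python
import configparser

# Constructed sample: the quoted "111" entry (weak) and a hardened rewrite of
# the same peer (secret, ACL, type=peer). Secret value is a placeholder.
SAMPLE_SIP_CONF = """\
[111]
type=friend
username=111
context=from-111
host=11.22.33.44
port=35060
nat=yes
disallow=all
allow=ulaw,alaw

[111-hardened]
type=peer
secret=REPLACE_WITH_STRONG_SECRET
context=from-111
host=11.22.33.44
port=35060
deny=0.0.0.0/0.0.0.0
permit=11.22.33.44/255.255.255.255
disallow=all
allow=ulaw,alaw
"""

def audit_sip_conf(text):
    """Return {section: [findings]} for entries that can accept unauthenticated calls."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.read_string(text)
    findings = {}
    for name in cp.sections():
        if name == "general":
            continue
        entry = cp[name]
        kind = entry.get("type", "friend").lower()
        issues = []
        # A user object (friend/user) is matched on the From: username only;
        # without a secret any call with that name in From: is accepted.
        if kind in ("friend", "user") and not ("secret" in entry or "md5secret" in entry):
            issues.append("no secret: calls with From user '%s' accepted from any IP" % name)
        if "permit" not in entry and "deny" not in entry:
            issues.append("no permit/deny ACL restricting source IPs")
        if kind == "friend" and entry.get("host", "").lower() != "dynamic":
            issues.append("type=friend with static host: user object still matches by name")
        if issues:
            findings[name] = issues
    return findings
```

Run `audit_sip_conf(open("/etc/asterisk/sip.conf").read())` against a real file to list the entries that need the same treatment.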