[asterisk-users] Unregistred users can pass calls, peer being static

Administrator TOOTAI admin at tootai.net
Wed Jan 27 09:01:44 CST 2010


Olle E. Johansson a écrit :
> 27 jan 2010 kl. 11.47 skrev Administrator TOOTAI:
>
>   
>> Hi,
>>
>> we had an attack on a server and we don't understand how it was 
>> possible, Asterisk 1.4.28/Debian Lenny 5.1 Attacker came from PALTEL, 
>> network 188.161.128.0/18
>>
>> Hacked account had following setup:
>>
>> [111]
>> type=friend
>> username=111
>> context=from-111
>> host=11.22.33.44
>> dtmfmode=auto
>> qualify=yes
>> nat=yes
>> canreinvite=no
>> defaultip=11.22.33.44
>> port=35060
>> disallow=all
>> allow=ulaw,alaw
>> call-limit=2
>>
>> Despite this, I saw in my logs that someone hacked this account and 
>> could place calls! in logs we have:
>>
>> [Jan 27 04:00:13] ERROR[29715] chan_sip.c: Peer '111' is trying to 
>> register, but not configured as host=dynamic
>> [Jan 27 04:00:13] NOTICE[29715] chan_sip.c: Registration from 
>> '<sip:111 at ourAsteriskIP>' failed for '188.161.152.245' - Peer is not 
>> supposed to register
>> [Jan 27 04:00:18] VERBOSE[30669] logger.c:     -- Executing 
>> [972599400749 at from-111:1] NoOp("SIP/111-000016eb", "Incoming call from 
>> AAAA") in new stack
>>
>> As you see 111 could place a call even having not registered, which he 
>> is not supposed to do.
>>
>> How is this possible?
>>     
> [...]
>
> type=friend creates two objects in your asterisk server, one peer and one user. Asterisk primarily match the user objects for incoming calls on the From: username. In this case, you have 111 as the username (regardless of the "username" field which is not the username btw). You have no secret defined, so anyone placing a call from a URI that has 111 as the username part will be able to use your server. Calling from sip:111 at asterisk.org as well as sip:111 at mydomain.com will work without authentication - from any IP address out there. Very poor security indeed.
>
> 1) Add a secret.
> 2) Add ACL rules (permit/deny) to restrict IP address access
> 3) Change to type=peer and we'll only match on IP for incoming calls. I still recommend using authentication.
>   
So the fact that host is setted to an IP doesn't matter in case of 
type=friend. Didn't notice that, thanks for the explanation.
> [..] Make sure you read this and act upon it!
>   
Sure, already done.

Thanks for your answer.

-- 
Daniel



More information about the asterisk-users mailing list