[asterisk-users] Unregistered users can pass calls, peer being static

Kevin P. Fleming kpfleming at digium.com
Wed Jan 27 11:10:47 CST 2010


Administrator TOOTAI wrote:
> Olle E. Johansson a écrit :
>> 27 jan 2010 kl. 11.47 skrev Administrator TOOTAI:
>>
>>   
>>> Hi,
>>>
>>> we had an attack on a server and we don't understand how it was 
>>> possible (Asterisk 1.4.28/Debian Lenny 5.1). The attacker came from PALTEL, 
>>> network 188.161.128.0/18
>>>
>>> Hacked account had following setup:
>>>
>>> [111]
>>> type=friend
>>> username=111
>>> context=from-111
>>> host=11.22.33.44
>>> dtmfmode=auto
>>> qualify=yes
>>> nat=yes
>>> canreinvite=no
>>> defaultip=11.22.33.44
>>> port=35060
>>> disallow=all
>>> allow=ulaw,alaw
>>> call-limit=2
>>>
>>> Despite this, I saw in my logs that someone hacked this account and 
>>> could place calls! In the logs we have:
>>>
>>> [Jan 27 04:00:13] ERROR[29715] chan_sip.c: Peer '111' is trying to 
>>> register, but not configured as host=dynamic
>>> [Jan 27 04:00:13] NOTICE[29715] chan_sip.c: Registration from 
>>> '<sip:111 at ourAsteriskIP>' failed for '188.161.152.245' - Peer is not 
>>> supposed to register
>>> [Jan 27 04:00:18] VERBOSE[30669] logger.c:     -- Executing 
>>> [972599400749 at from-111:1] NoOp("SIP/111-000016eb", "Incoming call from 
>>> AAAA") in new stack
>>>
>>> As you can see, 111 could place a call even without having registered, which he 
>>> is not supposed to do.
>>>
>>> How is this possible?
>>>     
>> [...]
>>
>> type=friend creates two objects in your asterisk server, one peer and one user. Asterisk primarily matches the user objects for incoming calls on the From: username. In this case, you have 111 as the username (regardless of the "username" field, which is not the username, by the way). You have no secret defined, so anyone placing a call from a URI that has 111 as the username part will be able to use your server. Calling from sip:111 at asterisk.org as well as sip:111 at mydomain.com will work without authentication - from any IP address out there. Very poor security indeed.
>>
>> 1) Add a secret.
>> 2) Add ACL rules (permit/deny) to restrict IP address access
>> 3) Change to type=peer and we'll only match on IP for incoming calls. I still recommend using authentication.
>>   
> So the fact that host is set to an IP doesn't matter in the case of 
> type=friend. Didn't notice that, thanks for the explanation.
>> [..] Make sure you read this and act upon it!
>>   

This conversation brings to mind two possible ways we could improve
Asterisk to keep users from falling into this trap:

1) When a sip.conf entry is defined as 'type=friend' *and* has a
specific host IP address (not dynamic), we could just ignore the 'user'
part and create only the 'peer' part. This would result in incoming
calls being matched by IP address instead of username, which is likely
what the administrator wants anyway.

2) Alternatively, if people really do want both the 'user' and 'peer'
objects to exist, then we could automatically put an ACL on the 'user'
object that restricts access to it to only the defined IP address.

This also could apply to dynamic hosts, but only those that are defined
without a secret (no authentication required), which seems like a
terrible configuration and we don't really need to do anything to make
it work 'better' :-)

-- 
Kevin P. Fleming
Digium, Inc. | Director of Software Technologies
445 Jan Davis Drive NW - Huntsville, AL 35806 - USA
skype: kpfleming | jabber: kpfleming at digium.com
Check us out at www.digium.com & www.asterisk.org
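An added example, not code from this thread or from the Asterisk project: a small audit script that applies the reasoning above to a sip.conf. It parses the file (keeping duplicate keys such as repeated permit/deny lines), and for every type=friend or type=user entry reports whether a secret is missing, whether permit/deny rules are missing, and whether a friend has a static host and so would be better as type=peer. The finding codes, the hardened "111-fixed" and "222" entries and their placeholder secrets are this script's own constructions; the "[111]" entry is the one quoted in the thread.

```python
"""Audit an Asterisk (1.4-era chan_sip) sip.conf for the type=friend trap.

Added example, not Asterisk code.  Rule of thumb from the thread: a
type=friend or type=user entry creates a 'user' object that chan_sip matches
on the From: username, so without a secret and without permit/deny ACLs,
anyone sending From: <sip:111@anything> can place calls, whatever host= says.
"""
import re
from collections import OrderedDict

# [name] or [name](!) / [name](template); trailing comments are stripped first.
SECTION_RE = re.compile(r"^\[([^\]]+)\](\(.*\))?\s*$")


def parse_sip_conf(text):
    """Return {section: [(key, value), ...]}, preserving order and duplicate keys."""
    sections = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop ';' comments and blanks
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        # accept both "key=value" and the "key=>value" spelling
        sections[current].append((key.strip().lower(), value.strip().lstrip(">").strip()))
    return sections


def audit_entry(name, items):
    """Finding codes (this script's own labels) for one sip.conf entry."""
    if name == "general":
        return []
    vals = {}
    for k, v in items:
        vals.setdefault(k, []).append(v)
    if "type" not in vals:
        return ["NO_TYPE"]  # nothing to reason about until the type is explicit
    entry_type = vals["type"][0].lower()
    if entry_type == "peer":
        return []  # peer only: incoming calls are matched by IP, not From: username
    findings = []
    if not ("secret" in vals or "md5secret" in vals):
        findings.append("NO_SECRET")  # fix 1 in the thread: add a secret
    if not ("permit" in vals or "deny" in vals):
        findings.append("NO_ACL")  # fix 2 in the thread: permit/deny rules
    host = vals.get("host", [""])[0].lower()
    if entry_type == "friend" and host and host != "dynamic":
        findings.append("STATIC_FRIEND")  # fix 3 in the thread: use type=peer
    return findings


def audit(text):
    """Map every section of a sip.conf to its list of finding codes."""
    return OrderedDict((n, audit_entry(n, items)) for n, items in parse_sip_conf(text).items())


def wide_open(findings):
    """True when anyone, from any IP, can place calls just by using the name in From:."""
    return "NO_SECRET" in findings and "NO_ACL" in findings


# Constructed sample: [111] is the entry quoted in the thread; the other two are
# this example's own rewrites, with placeholder secrets.
SAMPLE_SIP_CONF = """
[111]
type=friend
username=111
context=from-111
host=11.22.33.44
dtmfmode=auto
qualify=yes
nat=yes
canreinvite=no
defaultip=11.22.33.44
port=35060
disallow=all
allow=ulaw,alaw
call-limit=2

[111-fixed]            ; peer only, authenticated, ACL admits only its static address
type=peer
secret=replace-with-a-long-random-secret
context=from-111
host=11.22.33.44
port=35060
deny=0.0.0.0/0.0.0.0
permit=11.22.33.44/255.255.255.255
disallow=all
allow=ulaw,alaw
call-limit=2

[222]                  ; a registering handset: friend is fine, but it needs a secret
type=friend
secret=another-placeholder-secret
host=dynamic
context=from-222
"""

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_SIP_CONF).items():
        status = "OPEN" if wide_open(findings) else ("warn" if findings else "ok")
        print(f"[{name}] {status} {' '.join(findings)}")
```

Run it against a real sip.conf by passing the file's contents to audit(); an entry reported as OPEN is exactly the situation in the thread, and STATIC_FRIEND is the case Kevin's first proposal would have handled automatically.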
