[asterisk-users] Am I cracked?

Kevin Larsen kevin.larsen at pioneerballoon.com
Mon Jun 8 15:39:10 CDT 2015


> > Make sure you have solved the problem. You don't want to get hit with a
> > phone bill for calls from your location to Israel. Basically, they are
> > hoping that you are running the equivalent of a mail server open relay.
> > They are trying to use you to dial out to another number. You don't want
> > to pay for these calls.
> 
> Of course, but how can I test, if I am an "open relay"?
> 
> > The calls are being dumped into your default context. It's not matching on
> > your gotoif statements, so finally it is trying to execute this:
> > Dial("SIP/192.168.20.120-0000002a", "SIP/pbxluca/000972592603325,,R") in
> > new stack
> > 
> > Not sure what trunk pbxluca is, but if that is an outbound trunk, then
> > this is very bad. The only reason it would fail then is if they have the
> 
> This is one of my outbound trunks...
> 
> > outbound dial pattern wrong, which is a sure sign that you are open in the
> > future to having someone make this kind of call in a way that does work
> > and leaves you on the hook. Based on your email address, I am guessing you
> > are in Germany. Looks like they almost have the correct outbound pattern
> > for dialing from Germany to Israel. It should be 00972592603325 (notice
> > the one less zero in the front). Please tell me that pbxluca is not an
> > outbound dialing context? If it is, you need to fix this very quickly.
> 
> How can I fix it? Of course, I need to be able to call any phone on this
> world...
> On a Mail-Server I'd restrict outgoing calls to authenticated users. I was
> sure that Asterisk already does that, but I'm not sure anymore...
> How can I restrict it?

I am sure others can chime in, but first things first, you want inbound 
calls and outbound calls to be in different contexts. Don't let your 
default context reach an outbound line. Your registered phones will be in 
a context that can call out which should be different from the default.

Also, make sure that your phones are registering with passwords (secret) 
that are different than the extension number. Makes it harder to guess.

The big thing to keep in mind dialplan wise is to never let an inbound 
call have a path to loop back outbound. Two of the biggest vectors for 
fraud are allowing a non-authenticated SIP call to get outbound over 
your trunks and having weak credentials that can be cracked and let 
someone else impersonate your phones.

And you can still wipe out most fraud by restricting the IP addresses you 
let in from the outside world. I prefer to have the most restrictive 
communications I can and then fix it if I discover that something doesn't 
work. Better to fail and fix than to permit and pay for it later. The 
providers I tend to like best not only give me what I need to restrict to 
their IP ranges, but also put in place restrictions on their end to only 
talk to my account from my external static IP address. That way someone 
could figure out my credentials, but if they can't spoof my IP address it 
still won't work. That is dependent on what the provider can do though.
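The layout Kevin describes (inbound and outbound in separate contexts, phones in an authenticated context, secrets that are not the extension number, and IP restrictions on who may talk to the box) looks roughly like this in chan_sip terms. This is an added illustration, not configuration from anyone in the thread; the only name taken from the thread is the trunk pbxluca, and every extension, DID, secret and address range below is a constructed placeholder.

```ini
; ---- extensions.conf (added example) ----

[public]
; Where unauthenticated calls land (see context= in [general] of sip.conf).
; Nothing here can reach a trunk; everything is simply hung up.
exten => s,1,Hangup()
exten => _X.,1,Hangup()

[from-trunk]
; Inbound calls from the provider (pbxluca) land here. The context holds
; only internal destinations and contains no Dial() towards a trunk, so an
; inbound call can never loop back out over the provider.
exten => 4930123456,1,Dial(SIP/phone1000,20)    ; placeholder DID -> phone
 same => n,Voicemail(1000@default,u)
 same => n,Hangup()
exten => 4930123457,1,Dial(SIP/phone1001,20)    ; placeholder DID -> phone
 same => n,Hangup()
; Any other number the provider delivers is rejected rather than routed.
exten => _X.,1,Hangup()

[internal]
; Only registered (password-authenticated) phones are placed here.
; They can ring colleagues and, through the include, dial out.
exten => 1000,1,Dial(SIP/phone1000,20)
exten => 1001,1,Dial(SIP/phone1001,20)
include => outbound

[outbound]
; Reachable only via [internal]. 00 is the German international prefix,
; so 00972... (Israel) is allowed, but only for an authenticated phone.
exten => _00ZX.,1,Dial(SIP/pbxluca/${EXTEN},60)
 same => n,Hangup()

; ---- sip.conf (added example) ----

[general]
context=public              ; unauthenticated INVITEs go to the dead-end context
allowguest=no               ; refuse guest (unauthenticated) calls outright
alwaysauthreject=yes        ; same rejection whether or not the user exists

[phone1000]
type=friend
host=dynamic
context=internal
secret=PLACEHOLDER-long-random-secret   ; never the extension number itself
deny=0.0.0.0/0.0.0.0
permit=192.168.20.0/255.255.255.0        ; constructed LAN range for phones

[phone1001]
type=friend
host=dynamic
context=internal
secret=PLACEHOLDER-another-random-secret
deny=0.0.0.0/0.0.0.0
permit=192.168.20.0/255.255.255.0

[pbxluca]
type=peer
host=sip.provider.example                ; placeholder provider host
context=from-trunk                       ; inbound from the trunk: internal only
deny=0.0.0.0/0.0.0.0
permit=203.0.113.0/255.255.255.0         ; constructed stand-in for the provider's range
```

The property to verify after a change like this is simply that no context an unauthenticated or inbound call can land in contains a `Dial()` towards a trunk: `dialplan show public` and `dialplan show from-trunk` on the Asterisk CLI should list nothing that references `SIP/pbxluca`, while `dialplan show internal` shows the included `outbound` context. The `deny`/`permit` pairs are the "restrict the IP addresses you let in" part; the trunk peer's `permit` range is whatever the provider actually publishes, and the provider-side lock to your static address is something you ask them for.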