[asterisk-users] Am I cracked?
Kevin Larsen
kevin.larsen at pioneerballoon.com
Mon Jun 8 15:39:10 CDT 2015
> > Make sure you have solved the problem. You don't want to get hit with
a
> > phone bill for calls from your location to Israel. Basically, they are
> > hoping that you are running the equivalent of a mail server open
relay.
> > They are trying to use you to dial out to another number. You don't
want
> > to pay for these calls.
>
> Of course, but how can I test, if I am an "open relay"?
>
> > The calls are being dumped into your default context. It's not
matching on
> > your gotoif statements, so finally it is trying to execute this:
> > Dial("SIP/192.168.20.120-0000002a", "SIP/pbxluca/000972592603325,,R")
in
> > new stack
> >
> > Not sure what trunk pbxluca is, but if that is an outbound trunk, then
> > this is very bad. The only reason it would fail then is if they have
the
>
> This is one of my outbound trunk...
>
> > outbound dial pattern wrong, which is a sure sign that you are open in
the
> > future to having someone make this kind of call in a way that does
work
> > and leaves you on the hook. Based on your email address, I am guessing
you
> > are in Germany. Looks like they almost have the correct outbound
pattern
> > for dialing from Germany to Israel. It should be 00972592603325
(notice
> > the one less zero in the front). Please tell me that pbxluca is not an
> > outbound dialing context? If it is, you need to fix this very quickly.
>
> How can I fix it? Of course, I need to be able to call any phone on this
> world...
> On a Mail-Server I'd restrict outgoing calls to authenticated users. I
was
> sure, that Asterisk already do that, but I'm not sure anymore...
> How can I restrict it?
I am sure others can chime in, but first things first, you want inbound
calls and outbound calls to be in different contexts. Don't let your
default context reach an outbound line. Your registered phones will be in
a context that can call out which should be different from the default.
Also, make sure that your phones are registering with passwords (secret)
that are different than the extension number. Makes it harder to guess.
The big thing to keep in mind dialplan wise is to never let an inbound
call have a path to loop back outbound. The two of the biggest vectors for
fraud will be allowing a non-authenticated sip call to get outbound over
your trunks and to have weak credentials that can be cracked that will let
someone else impersonate your phones.
And you can still wipe out most fraud by restricting the IP addresses you
let in from the outside world. I prefer to have the most restrictive
communications I can and then fix it if I discover that something doesn't
work. Better to fail and fix than to permit and pay for it later. The
providers I tend to like best not only give me what I need to restrict to
their IP ranges, but also put in place restrictions on their end to only
talk to my account from my external static IP address. That way someone
could figure out my credentials, but if they can't spoof my ip address it
still won't work. That is dependent on what the provider can do though.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.digium.com/pipermail/asterisk-users/attachments/20150608/35347883/attachment.html>
More information about the asterisk-users
mailing list