Weak Passwords on Extensions Equals Hacked Box

Insecure Extension Passwords on Asterisk (VoIP PBXs)

Junction Networks has become aware of four separate hack attempts against our PSTN Gateway customers over the last few days. Three of these customers were Asterisk customers and one was another SIP-based VoIP PBX. After communicating with our customers, it appears that the hack has nothing to do with any sort of Asterisk vulnerability, but with insecure passwords set for extensions. This blog post captures the issue well. Blocking the offending IP addresses at the router level does not help as they will just continue the attack from another address.

The best solution is to create secure passwords for your extensions. The sample passwords that ship in sip.conf must not be used:

;[polycom]
;type=friend             ; Friends place calls and receive calls
;context=from-sip        ; Context for incoming calls from this user
;secret=blahpoly
;host=dynamic            ; This peer register with us
;dtmfmode=rfc2833        ; Choices are inband, rfc2833, or info
;username=polly          ; Username to use in INVITE until peer registers
                         ; Normally you do NOT need to set this parameter
;disallow=all
;allow=ulaw              ; dtmfmode=inband only works with ulaw or alaw!
;progressinband=no       ; Polycom phones don't work properly with "never"

Instead of secret=blahpoly, we would recommend that the password be at least 12 characters. Here are some good sites for password generation:

PC Tools
GRC

Cut and paste the secure password into sip.conf and into the phone. Use a different password for each extension.

Additionally, we would recommend the above strong random passwords in conjunction with limiting the IP addresses extensions can connect from to particular networks. There is some documentation on how to do this in your sip.conf here: http://www.voip-info.org/wiki/view/Asterisk+sip+permit-deny-mask

If all of your phones are on the LAN, and your LAN is 192.168.0.0/24, the input would be:

;Deny every address except for the LAN.
deny=0.0.0.0/0.0.0.0
permit=192.168.0.0/255.255.255.0
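As an added example (not part of the original post and not Asterisk's own code), here is a small Python audit script that applies the two recommendations above to a sip.conf: it flags secrets shorter than 12 characters or left at the stock sample value, flags peers with no permit/deny ACL, and evaluates an ACL the way Asterisk does (rules in order, last matching rule wins, default allow). The sip.conf fragment and the peer names in it are constructed for the example.

```python
import ipaddress
# Constructed sip.conf fragment (not from a real system): the stock sample peer beside a hardened one.
SAMPLE_SIP_CONF = """\
[polycom]
type=friend
secret=blahpoly

[a7f3k9q2]
type=friend
secret=Vq8#tL2m!zR4pXw7
deny=0.0.0.0/0.0.0.0
permit=192.168.0.0/255.255.255.0
"""
MIN_SECRET_LEN = 12                   # minimum length recommended in the post
STOCK_SAMPLE_SECRETS = {"blahpoly"}   # shipped sample values that must never be kept
def parse_sip_conf(text):
    """Parse into {section: [(key, value), ...]}, keeping order and repeated keys."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop ; comments and whitespace
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = []
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current].append((key.strip(), value.strip()))
    return sections

def audit_peer(name, entries):
    """Findings for one stanza against the advice above: secret length, stock values, ACL present."""
    secret, findings = dict(entries).get("secret", ""), []
    if len(secret) < MIN_SECRET_LEN:
        findings.append("secret shorter than %d characters" % MIN_SECRET_LEN)
    if secret in STOCK_SAMPLE_SECRETS:
        findings.append("secret is a stock sip.conf sample value")
    if not any(k in ("permit", "deny") for k, _ in entries):
        findings.append("no permit/deny ACL: registration allowed from any address")
    return findings

def audit(text):
    return {name: audit_peer(name, e) for name, e in parse_sip_conf(text).items()
            if dict(e).get("type") in ("friend", "peer", "user")}

def acl_allows(entries, src_ip):
    """Asterisk ACL semantics: rules apply in order, the last matching one wins, default allow."""
    ip, allowed = ipaddress.ip_address(src_ip), True
    for key, value in entries:
        if key in ("permit", "deny") and ip in ipaddress.ip_network(value, strict=False):
            allowed = key == "permit"
    return allowed
```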

From the asterisk-security mailing list, Olle Johansson, the maintainer of the Asterisk SIP module, had this to say:

[asterisk-security] Person Trying to Register on my Asterisk multiple times
Johansson Olle E oej at edvina.net 
Fri Jan 23 15:51:46 CST 2009

...

Attacks are never fun. Use the ACL (permit/deny) in sip.conf to block this IP or range of IPs at least. 

Or use IPtables. There are a lot of IPtables scripts to prevent this kind of attack if you look at the solutions for the very common SSH attacks that keep testing multiple usernames. Maybe someone on the list has a version for SIP attempts over TCP and/or UDP?

It's always good to have a bit less obvious peer names than the ones they test. Don't use usernames or extension numbers. Make sure you separate the namespaces. Kevin usually suggests Ethernet MAC addresses, which are harder to guess but still relate to something, even though they do have a well-known pattern.

Finally, it's important to make sure you have good passwords. There's no reason to have simple passwords in something you only install in software in devices or applications. There's no user who has to learn to remember the MD5 auth secrets.

That's my 10 cents. Please, list, fill in and correct me when wrong!
/O

Fail2Ban

Posted by: mrh
Thu, 03/26/2009 - 1:39pm
Fail2Ban can be used to significantly slow down the automated attacks.

We still need to use good passwords, though.


Easy to get password from user-agents as well

Posted by: sjurusken
Thu, 03/26/2009 - 2:03pm
The importance of long passwords is also very important for the user-agents. This blog: http://www.usken.no shows how you can get the (encrypted) password from any SIP device.

Keep up the good work for securing VoIP!

Sjur

RoboForm

Posted by: christmastreeforme
Fri, 03/27/2009 - 1:57am
RoboForm has the easiest interface I know to generate strong passwords and then manage those difficult to remember passwords.

Keep up the great work!