Protect your PBX from a Hack! Use Strong Passwords for Extensions

This post is by Mike, CEO of Junction Networks. It is a reminder, particularly for our PSTN Gateway customers. Please read and comment.

We've noticed a recent uptick in security breaches experienced by our Asterisk and other SIP-based VoIP PBX customers.

Very often the hack has nothing to do with an Asterisk vulnerability at all, but with insecure passwords set on extensions. Blocking the offending IP addresses at the router does not help either, because the attackers simply continue from another address.

The best solution is to set strong passwords on your extensions. The placeholder passwords in the sample sip.conf must NOT be used:

;[polycom]
;type=friend             ; Friends place calls and receive calls
;context=from-sip        ; Context for incoming calls from this user
;secret=blahpoly
;host=dynamic            ; This peer register with us
;dtmfmode=rfc2833        ; Choices are inband, rfc2833, or info
;username=polly          ; Username used in INVITE until peer registers
                         ; Usually you DON'T need to set this parameter
;disallow=all
;allow=ulaw              ; dtmfmode=inband only works with ulaw or alaw!
;progressinband=no       ; Polycoms don't work properly with "never"

Instead of secret=blahpoly, we recommend a password of at least 12 characters. Here are some good sites for password generation:

PC Tools

GRC

Cut and paste the generated password into sip.conf and into the phone's configuration. Use a different password for each extension.

Additionally, we recommend combining strong random passwords with restricting the IP addresses each extension may register from to particular networks. There is some documentation on how to do this in your sip.conf here on voip-info.org.

If all of your phones are on the LAN and your LAN is 192.168.0.0/24, the entries would be:

;Deny every address except for the LAN.
deny=0.0.0.0/0.0.0.0
permit=192.168.0.0/255.255.255.0

From the asterisk-security mailing list, Olle Johansson, the maintainer of the Asterisk SIP module, had this to say:

[asterisk-security] Person Trying to Register on my Asterisk multiple times
Johansson Olle E, oej at edvina.net
Fri Jan 23 15:51:46 CST 2009

Attacks are never fun. Use the ACL (permit/deny) in sip.conf to block this IP or range of IPs at least.

Or use IPtables. There are a lot of IPtables scripts to prevent this kind of attack if you look at the solutions for the very common SSH attacks that keep testing multiple usernames. Maybe someone on the list has a version for SIP attempts over TCP and/or UDP?

It's always good to have a bit less obvious peer names than the ones they test. Don't use usernames or extension numbers. Make sure you separate the namespaces. Kevin usually suggests Ethernet MAC addresses, which are harder to guess but still relate to something, even though they do have a well-known pattern.

Finally, it's important to make sure you have good passwords. There's no reason to have simple passwords in something you only install in software in devices or applications. There's no user who has to learn to remember the MD5 auth secrets.
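The recommendations above (secrets of at least 12 characters that are not the sample-config defaults, a different secret per extension, a deny/permit ACL on each peer, and peer names that are not bare extension numbers) can be checked mechanically. The script below is an added example written for this post; it is not code from Junction Networks, Asterisk or the mailing list. It implements its own minimal sip.conf parser, and the configuration it audits is constructed for the demonstration (only "blahpoly" comes from the sample sip.conf quoted above; the peer names and other secrets are made up).

```python
"""Audit an Asterisk sip.conf for the weaknesses discussed in this post.

Added example, not part of the original post or of Asterisk. Flags peers
whose secret is short, a sample-config default, equal to the peer/username,
or reused by another peer; peers with no deny/permit ACL; and peer names
that are bare extension numbers.
"""
import re

MIN_SECRET_LEN = 12            # the post's recommendation
SAMPLE_SECRETS = {"blahpoly"}  # placeholder from the sample sip.conf; extend as needed
PEER_TYPES = {"friend", "peer", "user"}


def parse_sip_conf(text):
    """Parse Asterisk-style config into {section: [(key, value), ...]}.
    Repeated keys (deny/permit/allow/disallow) are kept; ';' starts a comment."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"\[([^\]]+)\]", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")
            # accept both 'key=value' and 'key => value'
            sections[current].append((key.strip().lower(), value.lstrip(">").strip()))
    return sections


def audit_sip_conf(text):
    """Return {peer: [issue, ...]} for every section with type=friend/peer/user."""
    peers = {}
    for name, entries in parse_sip_conf(text).items():
        values = {}
        for k, v in entries:
            values.setdefault(k, []).append(v)
        if values.get("type", [None])[0] in PEER_TYPES:
            peers[name] = values

    # Secrets shared by more than one peer (the post: one password per extension).
    all_secrets = [v["secret"][0] for v in peers.values() if "secret" in v]
    reused = {s for s in all_secrets if all_secrets.count(s) > 1}

    report = {}
    for name, values in peers.items():
        issues = []
        secret = values.get("secret", [None])[0]
        if secret is None:
            if "md5secret" not in values:
                issues.append("no-secret")
        else:
            if len(secret) < MIN_SECRET_LEN:
                issues.append("short-secret")
            if secret in SAMPLE_SECRETS:
                issues.append("sample-secret")
            names = {name.lower()} | {u.lower() for u in values.get("username", [])}
            if secret.lower() in names:
                issues.append("secret-equals-name")
            if secret in reused:
                issues.append("reused-secret")
        if "deny" not in values and "permit" not in values:
            issues.append("no-acl")           # registrations accepted from anywhere
        if name.isdigit():
            issues.append("numeric-peer-name")  # extension number used as peer name
        report[name] = issues
    return report


# Constructed sample configuration for the demonstration.
SAMPLE_SIP_CONF = """
[general]
context=default

[polycom]                 ; sample-config defaults left in place
type=friend
secret=blahpoly
host=dynamic
username=polly

[201]                     ; extension number as peer name, short reused secret
type=friend
secret=1234
host=dynamic

[202]
type=friend
secret=1234
host=dynamic

[desk-phone-a7f3]         ; hardened peer: random 16-char secret plus LAN-only ACL
type=friend
secret=Xk9pL2mQ7vR4tZ8w
host=dynamic
deny=0.0.0.0/0.0.0.0
permit=192.168.0.0/255.255.255.0
"""

if __name__ == "__main__":
    for peer, issues in audit_sip_conf(SAMPLE_SIP_CONF).items():
        print(f"{peer}: {', '.join(issues) or 'ok'}")
```

Run it against a real sip.conf by replacing SAMPLE_SIP_CONF with the file's contents; any peer that reports something other than "ok" needs either a new secret or the deny/permit pair shown earlier in the post.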

Good Post

Posted by: erick
Fri, 5/14/10 3:10 pm EDT

Well said Mike. A good blog to follow on the state of SIP and PBX vulnerabilities is usken.no run by Sjur Eivind Usken. Sjur has commented on our blog before. Of particular interest to your point here is this post by Sjur, detailing exactly how these relatively unsophisticated attacks are being pulled off. In the end it comes down to a few things but at the very minimum make sure your passwords are secure.
---

Erick J

Junction Networks Engineer