Newbie’s SIP Navigation Guide for Asterisk: Is It Safe?

It’s Back to School Time at Nerd Vittles today with a wrap-up of our series exploring the symbiotic relationship between SIP and Asterisk® including the most important consideration of all: SIP Security 101, a quick-and-dirty look at the security implications of using SIP with Asterisk. If you read nothing else before you begin your VoIP adventure, move today’s article to the top of your list. It might save you a personal fortune! Think of it as winning the lottery without even buying a ticket. Then we’ll summarize some safe approaches to using SIP with Asterisk. And finish up with a novel way to implement free SIP calling using almost any telephone: POTS phone, cellphone, or any SIP phone.

Asterisk Boot Camp: SIP Security 101

By default, most Asterisk systems, including those relying upon FreePBX®, are configured to deny anonymous SIP calls. If your server has a fully-qualified domain name, it means SIP calls to 201@myserver.com will fail. Since SIP URI calls are free from anywhere in the world, that’s a big deal. The million dollar question is why not just enable anonymous SIP calling on your Asterisk server and call it a day. Then anybody can call any extension on your PBX. That’s half of the answer actually: “Then anybody can call any extension on your PBX.” If that were the only exposure from opening up SIP to anonymous callers, many of us could probably live with it. After all, that’s how POTS phones worked for almost 100 years. The difference, of course, is that anonymous SIP calls are free and often untraceable regardless of where the calling party happens to actually be. And unlike an HTTP request, which rides on a TCP connection whose handshake makes spoofing the source IP address impractical, a SIP request sent over UDP carries no such check: the source address in the packet is whatever the sender chose to put there. That means a SIP packet can knock on your door masquerading as a packet sent from your own server or from one of your providers.

Unfortunately, when you expose UDP port 5060 on your Asterisk server to any and all SIP traffic sent your way from the Internet, it means any kind of SIP packet can be sent to your server for processing. That includes REGISTER and INVITE requests aimed at guessing the credentials of your extensions and trunks, as well as malformed or booby-trapped SIP headers crafted to trip bugs in the SIP parser or in whatever later displays those headers.

SIP can also be used for denial-of-service attacks from inside or outside of the network, and absorbing those is the job of a session border controller (SBC) or similar border device, not of Asterisk itself. Common attacks include SIP registration floods, endpoint spoofing (forged From and Contact headers), and attacks on ENUM lookups.

Without boring you with the details, suffice it to say that SIP vulnerabilities have been discovered regularly in all flavors of Asterisk… as recently as a few weeks ago. And, Asterisk 12 is just around the corner with an entirely new approach to SIP. So, before you open your server to anonymous SIP attacks, ask yourself whether you (and your wallet) believe that we’ve seen the last of the SIP vulnerabilities. Keep in mind that, if an attacker gains access to your server, everything is vulnerable including not only your internal extension credentials but also your account names and passwords with all of your providers. Once they have those, they don’t need access to your server any longer. They can run up phone bills on your nickel using direct connections to your providers.

Believe it or not, there was actually a SIP exploit several years ago where the bad guys embedded some script in a SIP header. Asterisk wrote the header to the call logs exactly as received, and the script then executed when anyone happened to look at that entry in their call logs or CDR reports using a browser. It crashed the server and, before the crash, relayed some of your most prized Asterisk secrets to the attacker. Remember, many Asterisk passwords are stored in plain text on your server. If you don’t believe it, try these commands after logging into your server and switching to the asterisk user (the user account that runs Asterisk and your Apache web server; see footnote 1):

su asterisk
cat /etc/asterisk/manager.conf
asterisk -rx "database show"
mysql -uroot -ppassw0rd asterisk -e "SELECT keyword,data FROM sip"

If that last one doesn’t scare the crap out of you, then Let Me Google That For You. The simple answer would have been to cleanse SIP headers before writing the contents to the logs. But the “purists” won that battle maintaining that such action would bastardize the call logs by failing to document everything in exactly the way it was received.

So much for security!

As long as we have very secure passwords for trunks and extensions, doesn’t Fail2Ban block hacking attacks after several unsuccessful login attempts? Eventually, but how quickly depends on the performance of your server and of the one being used by the attacker. Remember, neither Asterisk nor the Linux kernel scans SIP traffic for malware. Fail2Ban operates after the fact: it tails your server logs looking for patterns you define, and those log entries exist only after Asterisk or your web server has already parsed and processed the packets. Fail2Ban then has to notice the new entries, count them, and insert a firewall rule. If it turns out the attacker is using a gazillion-horsepower server in the cloud, your poor little server spends its time answering SIP requests and writing log lines, and Fail2Ban falls further and further behind. What that means is the attacker can execute thousands, if not tens of thousands, of SIP attempts before Fail2Ban ever springs into action, even when you’ve set the threshold for blocking an IP address to as few as three failed login attempts. And an attacker with many source addresses gets that many fresh starts.
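
To make the "after the fact" point concrete, here is an added example (ours, not code from the article, from Fail2Ban or from PBX in a Flash) of what a Fail2Ban-style filter actually does. It reads Asterisk log lines on standard input, counts failed registrations per source address, and prints the offenders and the iptables commands that would ban them; it applies nothing itself. The sample log lines are constructed for the example and patterned after the chan_sip NOTICE ("Registration from '...' failed for 'IP:port' - Wrong password") that Asterisk 1.8 and 11 write. Notice what the script cannot do: every one of those attempts had already been answered by Asterisk and written to the log before the scan ever saw it.

```shell
#!/bin/sh
# Added example (not from the article, Fail2Ban or PBX in a Flash): a minimal
# Fail2Ban-style scan of Asterisk log lines for failed SIP registrations.
# It reads log text on stdin, counts failures per source IP and prints the
# offenders; ban_rules turns them into iptables commands. Nothing is applied.

# failed_sip_sources [THRESHOLD]: print "count ip" for every source address
# with at least THRESHOLD (default 3) failed registrations. The pattern follows
# the chan_sip NOTICE "Registration from '...' failed for 'IP:port' - reason".
failed_sip_sources() {
    threshold=${1:-3}
    grep -E "chan_sip\.c: Registration from .* failed for '[0-9.]+:[0-9]+' - (Wrong password|No matching peer found)" \
        | sed -E "s/.*failed for '([0-9.]+):[0-9]+'.*/\1/" \
        | sort | uniq -c \
        | awk -v max="$threshold" '$1 >= max { print $1, $2 }'
}

# ban_rules [THRESHOLD]: same input, but emit one iptables DROP per offender.
ban_rules() {
    failed_sip_sources "$@" \
        | awk '{ printf "iptables -I INPUT -s %s -p udp --dport 5060 -j DROP\n", $2 }'
}

# Constructed sample log (not captured from a real server): four failures from
# 203.0.113.5 within two seconds, one from 198.51.100.7, then a success.
SAMPLE_LOG=$(cat <<'EOF'
[Sep  9 10:00:01] NOTICE[2451] chan_sip.c: Registration from '"1001" <sip:1001@192.0.2.10>' failed for '203.0.113.5:5062' - Wrong password
[Sep  9 10:00:01] NOTICE[2451] chan_sip.c: Registration from '"1002" <sip:1002@192.0.2.10>' failed for '203.0.113.5:5062' - No matching peer found
[Sep  9 10:00:02] NOTICE[2451] chan_sip.c: Registration from '"1003" <sip:1003@192.0.2.10>' failed for '203.0.113.5:5062' - Wrong password
[Sep  9 10:00:02] NOTICE[2451] chan_sip.c: Registration from '"admin" <sip:admin@192.0.2.10>' failed for '203.0.113.5:5062' - Wrong password
[Sep  9 10:00:03] NOTICE[2451] chan_sip.c: Registration from '"200" <sip:200@192.0.2.10>' failed for '198.51.100.7:5060' - Wrong password
[Sep  9 10:00:04] VERBOSE[2451] chan_sip.c: -- Registered SIP '200' at 198.51.100.7:5060
EOF
)

# With the default threshold of 3 this reports 203.0.113.5 only. By the time it
# runs, all four of that host's attempts were already processed and logged.
printf '%s\n' "$SAMPLE_LOG" | failed_sip_sources
printf '%s\n' "$SAMPLE_LOG" | ban_rules
```

Against a live system you would feed it the real log (grep 'Registration from' /var/log/asterisk/full | failed_sip_sources 3). One caveat visible in the sample: "Wrong password" versus "No matching peer found" tells a scanner which extensions exist; chan_sip's alwaysauthreject=yes setting makes both cases answer alike.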

We want to stress that this isn’t a diatribe against the developers with regard to security. The point is some of the fundamental design choices made with regard to Asterisk and FreePBX do not lend themselves to safe deployment on a public-facing server without additional layers of security. In the case of PBX in a Flash™, it’s the reason we have implemented Apache-level security on the FreePBX web assets in addition to an IPtables firewall and Fail2Ban. For history lovers, keep in mind that, when Asterisk@Home and trixbox® were in their heyday, none of these safeguards were provided.

We’re going to postpone discussion of SIP encryption and SRTP because of its complexity. Suffice it to say, it’s just coming into its own with Asterisk 11, and it raises new problems of its own, e.g. finding compatible phones. You can try it out using our PBX in a Flash WebRTC Virtual Machine. And here is today’s must-read article on the subject.

What’s the bottom line with SIP exposure of your Asterisk server to the Internet? The short answer is DON’T especially if you’re new to the VoIP and Asterisk world. You’re simply asking for a $100,000 phone bill. Ma Bell & Friends don’t really care who makes calls on your nickel. And, remember, keeping your server behind a hardware-based firewall with no Internet port exposure does not affect your ability to make or receive calls using registered providers. That includes SIP, IAX2, Google Voice, and PSTN calls. It also doesn’t affect your ability to make free outbound SIP URI calls to anywhere in the world even with no provider registrations.

Safely Integrating SIP URIs into Asterisk

The long answer is there is a relatively safe way to implement SIP access to your server from the Internet. First, you can use registered trunks with reputable providers to provide SIP connectivity to your server. This includes PSTN calls to DIDs as well as SIP URI calls in many cases. Let the providers worry about SIP attacks while your server sits safely behind a hardware-based firewall with NO Internet port exposure! There are better tools than Asterisk to avoid SIP disasters and protect against malicious SIP attacks. You can protect yourself by keeping a minimal amount of money in your provider accounts with no automatic replenishment from a credit card. Second, for those that need to connect remote phones to your Asterisk server, you can use Firewall WhiteLists with IPtables to restrict access to only the good guys. Travelin’ Man 3 sets up WhiteLists for PBX in a Flash servers in a couple of minutes.
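
Here is an added example of the WhiteList idea expressed as iptables rules. It is our illustration, not Travelin’ Man 3’s code or anything from PBX in a Flash. The function prints a rule set that sends every UDP packet for SIP signaling (5060) and the default Asterisk RTP range (10000 to 20000, from rtp.conf) through a dedicated chain that accepts the listed sources and drops everything else. The chain name SIP-WHITELIST and the port ranges are our assumptions, and the script prints rather than applies so you can review the rules before running them as root. It refuses anything that is not a dotted IPv4 address or CIDR, because the output is meant to be piped into a shell.

```shell
#!/bin/sh
# Added example (not Travelin' Man 3 or PBX in a Flash code): print an iptables
# rule set that lets only whitelisted sources reach SIP signaling and RTP.
# Assumptions: chan_sip on 5060/udp, RTP on 10000-20000/udp (Asterisk's default
# rtp.conf range), and a dedicated chain named SIP-WHITELIST. Nothing is applied.

# valid_ipv4_cidr ADDR: accept a dotted-quad IPv4 address with optional /prefix.
# (Shape check only; it does not range-check the octets or the prefix length.)
valid_ipv4_cidr() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# sip_whitelist_rules SOURCE...: emit one iptables command per line.
# Refuses to run with no sources (that would drop all SIP, including your LAN)
# or with anything that is not an IPv4 address/CIDR, since the output is meant
# to be piped into a root shell.
sip_whitelist_rules() {
    [ $# -gt 0 ] || { echo 'no sources given; refusing to emit a drop-everything rule set' >&2; return 1; }
    for src in "$@"; do
        valid_ipv4_cidr "$src" || { echo "refusing to whitelist '$src': not an IPv4 address or CIDR" >&2; return 1; }
    done
    # Create (or empty) the dedicated chain so the script is safe to re-run.
    printf 'iptables -N SIP-WHITELIST 2>/dev/null || true\n'
    printf 'iptables -F SIP-WHITELIST\n'
    for src in "$@"; do
        printf 'iptables -A SIP-WHITELIST -s %s -j ACCEPT\n' "$src"
    done
    printf 'iptables -A SIP-WHITELIST -j DROP\n'
    # Hook the chain into INPUT once; -C checks whether the jump already exists.
    printf 'iptables -C INPUT -p udp -m multiport --dports 5060,10000:20000 -j SIP-WHITELIST 2>/dev/null || '
    printf 'iptables -I INPUT -p udp -m multiport --dports 5060,10000:20000 -j SIP-WHITELIST\n'
}

# Example: the office LAN plus one remote phone. Review the output, then run it
# as root (e.g. sip_whitelist_rules 192.168.1.0/24 203.0.113.9 | sh).
sip_whitelist_rules 192.168.1.0/24 203.0.113.9
```

Your own LAN subnet must be on the list or the phones in your office lose their registrations. Travelling users with dynamic addresses need the resolver step that Travelin’ Man automates, and a server with IPv6 connectivity needs the same rules under ip6tables.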

What you can’t do is rely upon BlackLists of IP addresses to keep the bad guys out. If you’ve ever played Whac-A-Mole, you can appreciate the difficulty of using BlackLists to secure your server. The bad guys can change their identity by simply using different IP addresses or by using the IP address of a compromised PC such as the one sitting in your grandma’s kitchen. In addition, the bad guys have become experts in inserting important (safe) IP addresses in BlackLists which, of course, is extremely problematic if one of those IP addresses happens to be one of your SIP providers.

The silver lining of Asterisk is the ability to make and receive free calls to and from anywhere in the world using SIP URIs. They look like email addresses, but SIP URIs actually connect calls via SIP between SIP servers and endpoints regardless of where they may be on the Internet. In the “old days,” advertising a SIP URI for inbound call access to your server meant exposing Asterisk to anonymous SIP traffic. Not any more! Simply sign up for a (pre-paid) account on VoIP.ms or a FREE account at either sip2sip.info or Anveo.com, follow one of our tutorials to register your account, and you’ll automatically have a free SIP URI for your Asterisk server. No Internet port exposure of your Asterisk server is ever required!

Instead of using some-account-number@atlanta.voip.ms or some-account-number@sip2sip.info as your SIP URI, most folks will prefer a SIP URI that matches your existing domain, if you happen to have one. This Nerd Vittles article will walk you through the process of converting your VoIP.ms or Sip2Sip URI into something more manageable: yourname@yourdomain.com. And, thanks to RentPBX, everyone is more than welcome to use the PBX in a Flash cloaking servers on the east and west coast to manage the SIP URI translation magic. If you happen to be (or would like to become) a PBX in a Flash Forum Guru, there’s another option. We’ll host your vanity SIP URI @pbxinaflash.com using your forum name. Just drop us a note on the forum for details. We’re always looking for subject matter experts on the forum. You don’t have to be an expert in everything, just one topic. If you qualify, please let us know and WELCOME!

Dialing SIP URI Calls with iNUM Using Any Telephone

We’ve saved the best for last again. The only problem with SIP URIs is how to dial them. Most phones don’t have a full keyboard. While you can certainly create a few Speed Dial (Custom) Extensions in FreePBX using sip/joe@schmo.com as the SIP URI dial string for the extension, this isn’t feasible on a bigger scale. What makes more sense is to actually use a phone number to connect the call. We previously have documented the iNum solution that’s available through a number of providers including VoIP.ms and LocalPhone. These calls used to be free with Google Voice until Google changed their mind. Now they’re 3¢ a minute. But they’re still free calls with most providers. The only real drawback is the length of the phone number. 883510009901997 is a little hard to remember, even to call Lenny. And, with RentPBX, you need a prefix of 011 to add insult to injury. But, hey, the calls are free to anywhere.

There’s a better way that actually uses your SIP URI to make the call. It’s John Todd’s brainchild, FreeNUM with ISN (ITAD Subscriber Numbers). ISN numbers are easy to remember and easy to dial. Instead of the @ symbol in an email address, you use the * symbol on your phone’s keypad. And you still get Lenny! An ISN such as 1234*1061 has two parts: the digits before the asterisk are the extension, and the digits after it are an ITAD, an IANA-assigned Internet Telephony Administrative Domain number that identifies your domain. The trick to ISN dialing is that Asterisk looks up the ITAD in DNS under the freenum.org zone, finds the NAPTR record the ITAD’s owner registered there, and uses it to rewrite the dialed digits into a SIP URI that looks like this: 1234@pbxinaflash.com. The result is inter-domain numeric SIP addressing using ordinary telephone instruments.
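
To make the translation concrete, here is an added example (ours, not FreeNUM’s or Asterisk’s code) that performs the two steps ENUMLOOKUP does for an ISN: turn the ITAD after the asterisk into the DNS name to query (the ITAD digits reversed and dot-separated under freenum.org, as we read the ISN specification), then apply the NAPTR regular expression found there to the whole dialed string. There is no network access: sample_naptr stands in for DNS and returns a record we constructed for ITAD 1061, with the pbxinaflash.com rewrite as an illustrative value rather than the zone’s real contents.

```shell
#!/bin/sh
# Added example (ours, not FreeNUM or Asterisk code): the two steps behind
# ENUMLOOKUP(1234*1061,sip,,1,freenum.org), done offline. The DNS answer is
# stand-in data we constructed; a real lookup would use dig or Asterisk.

# isn_query_name ISN [ZONE]: build the NAPTR query name for an ISN. Per the ISN
# specification as we read it, the ITAD digits after the asterisk are reversed
# and dot-separated under the zone: 1234*1061 -> 1.6.0.1.freenum.org.
isn_query_name() {
    isn=$1
    zone=${2:-freenum.org}
    case $isn in
        *\**) ;;
        *) echo "not an ISN (no '*'): $isn" >&2; return 1 ;;
    esac
    number=${isn%%\**}   # digits before the first '*'
    itad=${isn##*\*}     # digits after the last '*'
    for part in "$number" "$itad"; do
        case $part in
            ''|*[!0-9]*) echo "ISN must be digits*digits: $isn" >&2; return 1 ;;
        esac
    done
    reversed=$(printf '%s\n' "$itad" | awk '{
        s = ""
        for (i = length($0); i >= 1; i--) { s = s substr($0, i, 1); if (i > 1) s = s "." }
        print s
    }')
    printf '%s.%s\n' "$reversed" "$zone"
}

# sample_naptr NAME: constructed stand-in for the NAPTR regexp DNS would return.
# The real zone's contents differ; this entry is illustrative only.
sample_naptr() {
    case $1 in
        1.6.0.1.freenum.org) printf '%s\n' '!^([0-9]+)\*1061$!sip:\1@pbxinaflash.com!' ;;
        *) return 1 ;;
    esac
}

# naptr_rewrite ISN REGEXP: apply a NAPTR "!ere!replacement!" rewrite to the
# whole dialed string with sed. Fails if the pattern does not match, mirroring
# ENUMLOOKUP returning an empty result. (Does not handle escaped delimiters.)
naptr_rewrite() {
    isn=$1
    rx=$2
    d=${rx%"${rx#?}"}          # first character is the delimiter
    body=${rx#"$d"}
    body=${body%"$d"}
    pat=${body%%"$d"*}
    rep=${body#*"$d"}
    out=$(printf '%s\n' "$isn" | sed -E "s${d}${pat}${d}${rep}${d}") || return 1
    [ "$out" != "$isn" ] || return 1
    printf '%s\n' "$out"
}

# isn_to_sip_uri ISN: the full chain, e.g. 1234*1061 -> sip:1234@pbxinaflash.com
isn_to_sip_uri() {
    name=$(isn_query_name "$1") || return 1
    rx=$(sample_naptr "$name") || return 1
    naptr_rewrite "$1" "$rx"
}

isn_to_sip_uri '1234*1061'
```

In the dialplan, Asterisk hands the resulting user@host to Dial(SIP/...), and an ISN whose ITAD has no record in the zone comes back empty, which is the case the "not in service" branch below handles.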

The Asterisk setup using FreePBX is simple. The FreeNUM trunk should look like this:

The Outbound Route should look like this:

The dialplan context to tack on the end of /etc/asterisk/extensions_custom.conf looks like this:

[freenum]
; Entered from the FreeNUM outbound route with the dialed ISN (e.g. 1234*1061) in ${EXTEN}
exten => _X.,1,Set(TIMEOUT(absolute)=10800)
exten => _X.,2,NoOp(Number to Call: ${EXTEN})
; Resolve the ISN through the freenum.org zone. With the sip method, ENUMLOOKUP
; returns user@host with the sip: prefix stripped, or an empty string if no record matches
exten => _X.,3,Set(isnresult=${ENUMLOOKUP(${EXTEN},sip,,1,freenum.org)})
exten => _X.,4,GotoIf($["${isnresult}"=""]?6:5)
exten => _X.,5,Dial(SIP/${isnresult},40,r)
; No record found: play "not in service" and signal congestion back to the caller
exten => _X.,6,Background(ss-noservice)
exten => _X.,7,Congestion
exten => _X.,8,Hangup
exten => h,1,Hangup
exten => i,1,Hangup
exten => T,1,Hangup

For those using Incredible PBX™, the good news is you already have it. Just pick up an extension on your system and dial 1234*1061 to give Lenny a piece of your mind. It works exactly like this SIP URI: sip/1234*1061@freenum.org. For everyone else, believe it or not, we’ve already written about this back when some of you still were in diapers. So read the article for all the details and ISN registration instructions. You will note that in more recent versions of Incredible PBX (including what we’ve shown above), the ** prefix for ISN calls has been eliminated. Now you can dial ISN calls just as described in the FreeNUM literature. We’ve also migrated our ISN domain from sip.pbxinaflash.com to pbxinaflash.com to simplify DNS administration. For PBX in a Flash Forum Gurus, we’ll be happy to set you up with your own free ISN number in the pbxinaflash.com domain as well.

Dialing SIP URI Calls with IPKall Using Any Telephone

There’s yet another option. With an IPKall DID from one of several Seattle area codes, you can interconnect your SIP URI with every PSTN phone in the world. And it’s free. Just make at least one inbound call a month, and the phone number is yours to keep. Here’s the easy way to do it. Just sign up for a free DID at www.ipkall.com. After choosing an area code for your free number, you’ll be prompted for the following information.

Here’s what you’d enter using your free Sip2Sip URI:

  • Phone Number: 323XXXXXXX
  • SIP Proxy: sip2sip.info
  • Email Address: your-email-address
  • Password: some-password-to-get-back-into-your-account

Here’s what you’d enter using your free Anveo SIP URI:

  • Phone Number: 1555ACCOUNTNUMBER
  • SIP Proxy: sip.anveo.com:5010
  • Email Address: your-email-address
  • Password: some-password-to-get-back-into-your-account

Once you’ve completed the form, submit it and wait for your new phone number to be delivered by email. You should get it within a couple of minutes, so check your spam folder if you don’t see it. Congratulations! You’ve done everything you need to do for anyone to call you using either your SIP URI or your new DID from IPKall.

It’s worth noting that IPKall recycles DIDs that aren’t used for 30 days. If you use Incredible PBX, the easiest way to assure you don’t lose your number is to set up a weekly recurring Telephone Reminder that calls your IPkall number.

But How Do I Make VoIP Calls to Plain Old Telephones?

We’ve spent a lot of time on free SIP solutions for inbound calls, but inevitably you’re going to need a way to call Plain Old Telephones whether they be customers or friends and family. To make outbound calls or terminations in VoIP parlance, you’re going to need an account with a VoIP provider. If you’re in the United States, you still can get one or more free Google Voice accounts. These accounts let you make unlimited calls to anywhere in the U.S. and Canada. Both PBX in a Flash and Incredible PBX come preconfigured to support Google Voice calling. The scuttlebutt is this may be the last year of the free ride so it’s probably a good idea to try some other alternatives. It’s a good idea anyway because Google has made an art form of “improving” things and breaking VoIP calling periodically. Here’s our “Best of the Best” list of pay-by-the-minute VoIP providers for US48 calls. Lower cost providers are available to call some destinations, but the vendors below provide flat-rate per minute pricing to all US48 destinations. Trunks to support most of these providers also come preconfigured in Incredible PBX. With most of these providers, you set up an account and deposit a small pot of money. When you make calls, the cost of the call is debited from your account. When you run out of money, you can’t make any more calls. For the sake of redundancy, having multiple providers is a very good idea. It costs you nothing to have multiple providers until you actually make calls. Enjoy!

* Free iNUM DID and free worldwide iNUM calling. Tutorial here.


Don’t forget to List Yourself in Directory Assistance so everyone can find you by dialing 411. And add your new number to the Do Not Call Registry to block telemarketing calls. Or just call 888-382-1222 from your new number.

Deals of the Week. There’s still an amazing deal on the street, but you’d better hurry. A new company called Copy.com is offering 20GB of free cloud storage with no restrictions on file size uploads (which are all too common with other free offers). Copy.com has free sync apps for Windows, Macs, and Linux systems. To take advantage of the offer, just click on our referral link here. We get 5GB of extra storage which will help avoid another PIAF Forum disaster.

Originally published: Monday, September 9, 2013

Need help with Asterisk? Visit the PBX in a Flash Forum.

We are pleased to once again be able to offer Nerd Vittles’ readers a 20% discount on registration to attend this year’s 10th Anniversary AstriCon in Atlanta. Here’s the Nerd Vittles Discount Code: AC13NERD.

New Vitelity Special. Vitelity has generously offered a new discount for PBX in a Flash users. You now can get an almost half-price DID from our special Vitelity sign-up link. If you’re seeking the best flexibility in choosing an area code and phone number plus the lowest entry level pricing plus high quality calls, then Vitelity is the hands-down winner. Vitelity provides Tier A DID inbound service in over 3,000 rate centers throughout the US and Canada. And, when you use our special link to sign up, the Nerd Vittles and PBX in a Flash projects get a few shekels down the road while you get an incredible signup deal as well. The going rate for Vitelity’s DID service is $7.95 a month which includes up to 4,000 incoming minutes on two simultaneous channels with terminations priced at 1.45¢ per minute. Not any more! For PBX in a Flash users, here’s a deal you can’t (and shouldn’t) refuse! Sign up now, and you can purchase a Tier A DID with unlimited incoming calls for just $3.99 a month. To check availability of local numbers and tiers of service from Vitelity, click here. Do not use this link to order your DIDs, or you won’t get the special pricing! Vitelity’s rate is just 1.44¢ per minute for outbound calls in the U.S. There is a $35 prepay when you sign up. This covers future usage and any balance is fully refundable if you decide to discontinue service with Vitelity.

  1. On the Raspberry Pi platform, substitute “raspberry” for “passw0rd” in the MySQL example.

One Response to “Newbie’s SIP Navigation Guide for Asterisk: Is It Safe?”

  1. Bruce Ferrell says:

    If “they” have access to your logs, your system IS compromised. “Cleaning” the logs adds no security and hampers use and maintenance… It’s security theater no less than the TSA.
