Comments on: Avoiding the $100,000 Phone Bill: A Primer on Asterisk Security

By: Alex Inoa

Alex Inoa — Fri, 18 Feb 2011 18:53:27 +0000

This is an awesome article

By: ward

ward — Wed, 09 Feb 2011 16:00:35 +0000

And here's another good reminder for those that leave their WiFi routers unprotected. This could be you!

By: ward

ward — Sun, 21 Nov 2010 12:10:29 +0000

For an interesting look at our current efforts to incorporate a VoIP Blacklist into PBX in a Flash, see this thread on the forums.

By: bumi akin

bumi akin — Thu, 04 Nov 2010 13:08:31 +0000

and just a few days ago, this actually happened to someone else. see the story at ComputerWorld: "Security Manager's Journal: Slammed with a $100,000 phone bill"

By: carl

carl — Thu, 20 May 2010 23:57:02 +0000

Guys For a novice the default security errors on the status page show no method of fixing: #Default SQL Password Used #Warning Default Asterisk Manager Password Used How are these changed? [WM: If you are running PBX in a Flash, both of these applications are protected by the root and FreePBX passwords. You can hide the warning messages by following the instructions at this link.]

By: dimmyr

dimmyr — Mon, 15 Feb 2010 09:25:58 +0000

Speaking out of almost complete ignorance about VOIP VPNs – if I connect to my DD-WRT router or a Windows machine with PPTP using my iPhone, and made a SIP call using iSip or any other iPhone compatible software, would the call be encrypted?

[WM: If the call is passing through the VPN tunnel it will be encrypted.]

By: Steve Davies

Steve Davies — Tue, 09 Feb 2010 12:26:12 +0000

I just helped somebody whose box was hacked – and it prompts me just to post.

The article is very much focussed on IP security. But this site was exploited via Asterisk voicemail. They had the "dialout" option enabled in voicemail.conf and the hackers gained access through an insecure mailbox PIN and used the dialout feature to make international calls.

So be very careful about the "dialout" and "callback" options in voicemail.conf.

Regards,
Steve

By: Adam

Adam — Fri, 01 May 2009 01:03:50 +0000

Another option is to use prepaid SIP where account shuts down after the funding is exhausted. I feed mine $20 at a time and that is all I have at risk.

By: Michael Orr

Michael Orr — Mon, 20 Apr 2009 00:30:14 +0000

Excellent article. I have a trixbox system currently powered down. I may have been hacked since the box was making connections out to someone, haven’t had a chance to do an analysis. SBC suspended my DSL supposedly because something from my home network was phishing. Your article and my recent experience just confirms I didn’t harden the system properly. Going to replace the trixbox with PBX in a Flash..

By: Michael S Collins

Michael S Collins — Sat, 31 Jan 2009 19:44:12 +0000

Ward,

Excellent information! This is exactly what users, admins, and especially bean-counters need to know about. A small investment in security can yield big dividends, the best of which is probably being able to sleep at night. 🙂

For those concerned about telecom system security you might also want to check out the way FreeSWITCH does things. It is "secure by default" as the devs are properly paranoid.

-MC

[WM: We like paranoid. We all sleep better. 🙂 ]

By: Ed

Ed — Wed, 28 Jan 2009 18:40:01 +0000

Hi Ward,

Your points about hardening systems are all spot-on. Sad to say I got hacked a few months ago in spite of having hardened my system (FreePBX 1.4).

I check my logs daily, so I discovered a spike in call volume pretty quickly. I took the PBX offline to make backups of all the log files and configuration, then started my analysis to find and close the breach.

It turns out the hacker found my open SIP ports and kept trying to authenticate with various extension/password combinations until he/she found one that worked. They were then able to log into an extenstion on my PBX remotely and place outbound calls. My passwords were short enough that they could be brute-forced and have since been changed.

I’ll be upgrading to FreePBX 1.5, but want to know if under FreePBX 1.4 there’s any way to prevent extensions from logging in remotely.

If I can add to your list, I’d offer the following suggestions:

* Use the PIN feature to restrict access for international calls, or block them altogether. I also use an ENUM trunk to see if the call can be made for free.
* Make sure your passwords are long and complex. They’re stored in your device configuration so you don’t need to enter them each time — you can afford to make one you won’t remember!

And, of course, check your logs regularly!

By: Dan

Dan — Wed, 28 Jan 2009 02:00:41 +0000

I installed PiaF 1.1 and have updated periodically since. I don’t seem to have fail2ban installed at all. I tried to run the fail2ban-update script, but it says I need to have fail2ban installed first. What’s the recommended way to install fail2ban?

[WM: Get your existing system up to date with the latest version of FreePBX and do a FreePBX backup. Copy that backup to another machine. Then install the latest version of PBX in a Flash and get that machine up to the latest version of FreePBX. Create a FreePBX backup. Now copy the off-site backup you previously made to the new backup directory and restore it using FreePBX. Finally, run the fail2ban-update script again, and you’ll be all set.]

By: Andrew

Andrew — Tue, 27 Jan 2009 16:31:12 +0000

One additional thing I do b/c I have phones that connect to my server using dynamic IPs is that I add the PIN feature to any long distance or international calls. Each person is assigned their own PIN. It’s a small thing, but it’s one extra step to prevent automated calling in case someone did manage to guess our extensions and passwords.

By: John Senay

John Senay — Tue, 27 Jan 2009 15:26:49 +0000

Ward,

I think you need a good tutorial on how to use ssh to build a tunnel between the outside system to the internal asterisk system behind the firewall.

http://thinkhole.org/wp/2006/05/10/howto-secure-firefox-and-im-with-putty/

If someone has to have external gui access, use ssh to set it up.

JJS

By: Robert Keller

Robert Keller — Tue, 27 Jan 2009 14:48:34 +0000

Ward, excellent article. When XP came out, it was fun for a while to connect a fresh XP box directly to the internet and use a stopwatch to time how long before it became compromised. Usually under a minute.

The same can be said of almost anything you place on the net these days.

I applaud the efforts the PiaF team has made to make the PiaF distro easy to lockdown, use fail2ban and Hamachi VPN.

I have good stories, but this is to say thanks and I am happy to purchase a PiaF Flash if they are available.

cosmicwombat

By: Reginald W

Reginald W — Tue, 27 Jan 2009 13:44:24 +0000

One other thing that I’ve been thinking of is what if you had TWO hardware routers on your network. The first, connected to your main internet pipe would have wifi access to allow any computer to get wireless if needed. The second would be wired ONLY and which would have the PIAF system sitting behind it, thus requiring anyone trying to get in to have to go through two layers of security to get access. Don’t know how well this would work. I thought of doing this for an internal network or even two internal networks to cut down on the amount of traffic on each leg of the network. I don’t know enough about how the router/switches would handle the traffic out to each leg, how different router/switches would interact with each other and whether traffic would bottleneck and make it unworkable. I haven’t had time to set up a wired-only router to test it to see if this is something that would work well.

It should/would cut down on the amount of logs to sort through, as anything that came in through the net that tried to get into the wired only network should be more easily seen and acted upon. The main network would be like a fence around the house whie the second network would be the house itself and thus (theoretically) more secure if the proper security measures are implemented on each network.

For the paranoid, a third network would be like the safe inside the house. Remember to poke holes in the tin foil hat that surrounds the router or it will get too hot and stop working.

By: Reginald W

Reginald W — Tue, 27 Jan 2009 13:33:42 +0000

Thanks for the heads up and training on securing a PIAF system. It is always useful to know these things.

I remember reading about turning OFF Plug N Play in routers as there is ZERO security on it from the users network, so that if a computer was compromised INSIDE the network, it could access the router and open up holes in the router. I have it turned OFF and have told others about turning it OFF as well. Unfortunately it is ON by default on my router. It would be nice if this was OFF by default on all routers, or if the router could be updated with it being OFF instead of being on by default. Hope that helps fill another hole in the wall.

By: Rafael Cortes

Rafael Cortes — Tue, 27 Jan 2009 13:03:21 +0000

One more tip… Update your asterisk regularly…
I had a former client who would not update because he did not want to pay us the $50 we charged to do the security update that was posted after the many asterisk hacked on November, he got a bill for $500 over the usual bill, he called us and bought the maintenance contract.

If you install for other keep a record of your clients and every time there is a security update call your clients, explain the issue and try to make them a deal to update! It give us all a bad name if asterisk gets hacked. Please be responsible.

BTW Great post Ward, security is often overlooked, and is one of the most important parts of any network, let alone a PBX.