Re: [asterisk-users] Am I cracked?
Quoting Olivier oza.4...@gmail.com:
2015-06-08 22:35 GMT+02:00 D'Arcy J.M. Cain da...@vex.net:
On Mon, 8 Jun 2015 22:24:33 +0200 Luca Bertoncello lucab...@lucabert.de wrote:
Kevin Larsen kevin.lar...@pioneerballoon.com wrote:
Basically, they are hoping that you are running the equivalent of a mail server open relay. They are trying to use you to dial out to another number. You don't want to pay for these calls.
Of course, but how can I test, if I am an open relay?
If you don't know how to do this I suggest that you shut down your Asterisk server until you find out. Using your cell phone while you get it straight could save you some serious coin.
+1 !

I'm very sorry to write that, but these answers are really NOT helpful... I searched for two days for how I can check it and didn't find anything useful... Well, since I changed some configuration and use another port I don't have the problem, but I'm not sure if I did all that I need... Could someone suggest a way to check if my Asterisk is an Open Relay that accepts connections from every peer?

Thanks
Luca Bertoncello (lucab...@lucabert.de)

-- _ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- New to Asterisk? Join us for a live introductory webinar every Thurs: http://www.asterisk.org/hello asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [asterisk-users] Am I cracked?
Quoting Keith Sloan kei...@vianet.ca:
A J is 100% correct. People here are very helpful. Though you do not know who is just lurking and can cause some issues for you. I am willing to help, but you may find someone who focuses only on security, and would be a better asset.
On 2015-06-10 08:06 AM, A J Stiles wrote:
On Wednesday 10 Jun 2015, Luca Bertoncello wrote:
I'm very sorry to write that, but these answers are really NOT helpful... I searched for two days for how I can check it and didn't find anything useful... Could someone suggest a way to check if my Asterisk is an Open Relay that accepts connections from every peer?
Someone on this list is bound to have the wherewithal to be able to do that. All they will need to know is the IP address of your Asterisk server. I suggest that if anyone offers to help you by remotely penetration-testing your system, you post on-list that you'll contact them off-list to give them the server IP. That way, everyone gets to know that a deal has been established, but only the directly-concerned parties have all the necessary information.

Well, I'm not sure, that I understood what you and Stiles say... Anyway: if someone in the list can help me in such a penetration test, I'd like to be contacted by him...

Thanks
Luca Bertoncello (lucab...@lucabert.de)
Re: [asterisk-users] Am I cracked?
2015-06-08 22:35 GMT+02:00 D'Arcy J.M. Cain da...@vex.net:
On Mon, 8 Jun 2015 22:24:33 +0200 Luca Bertoncello lucab...@lucabert.de wrote:
Kevin Larsen kevin.lar...@pioneerballoon.com wrote:
Basically, they are hoping that you are running the equivalent of a mail server open relay. They are trying to use you to dial out to another number. You don't want to pay for these calls.
Of course, but how can I test, if I am an open relay?
If you don't know how to do this I suggest that you shut down your Asterisk server until you find out. Using your cell phone while you get it straight could save you some serious coin.

+1 !
Re: [asterisk-users] Am I cracked?
On Wednesday 10 Jun 2015, Luca Bertoncello wrote:
I'm very sorry to write that, but these answers are really NOT helpful... I searched for two days for how I can check it and didn't find anything useful... Could someone suggest a way to check if my Asterisk is an Open Relay that accepts connections from every peer?

Someone on this list is bound to have the wherewithal to be able to do that. All they will need to know is the IP address of your Asterisk server. I suggest that if anyone offers to help you by remotely penetration-testing your system, you post on-list that you'll contact them off-list to give them the server IP. That way, everyone gets to know that a deal has been established, but only the directly-concerned parties have all the necessary information.

--
AJS

Note: Originating address only accepts e-mail from list! If replying off-list, change address to asterisk1list at earthshod dot co dot uk .
Re: [asterisk-users] Am I cracked?
A J is 100% correct. People here are very helpful. Though you do not know who is just lurking and can cause some issues for you. I am willing to help, but you may find someone who focuses only on security, and would be a better asset.

On 2015-06-10 08:06 AM, A J Stiles wrote:
On Wednesday 10 Jun 2015, Luca Bertoncello wrote:
I'm very sorry to write that, but these answers are really NOT helpful... I searched for two days for how I can check it and didn't find anything useful... Could someone suggest a way to check if my Asterisk is an Open Relay that accepts connections from every peer?
Someone on this list is bound to have the wherewithal to be able to do that. All they will need to know is the IP address of your Asterisk server. I suggest that if anyone offers to help you by remotely penetration-testing your system, you post on-list that you'll contact them off-list to give them the server IP. That way, everyone gets to know that a deal has been established, but only the directly-concerned parties have all the necessary information.
Re: [asterisk-users] Am I cracked?
For such cases I created a dialplan in the default dialplan which blocks the IP of the hacker with iptables.

On Monday, June 8, 2015, Luca Bertoncello lucab...@lucabert.de wrote:
Hi list! Very strange... I ran the Asterisk CLI for other tasks, and suddenly I got this message:
== Using SIP RTP CoS mark 5
-- Executing [000972592603325@default:1] Verbose(SIP/192.168.20.120-002a, 2,PROXY Call from 0123456 to 000972592603325) in new stack
== PROXY Call from 0123456 to 000972592603325
-- Executing [000972592603325@default:2] Set(SIP/192.168.20.120-002a, CHANNEL(musicclass)=default) in new stack
-- Executing [000972592603325@default:3] GotoIf(SIP/192.168.20.120-002a, 0?dialluca) in new stack
-- Executing [000972592603325@default:4] GotoIf(SIP/192.168.20.120-002a, 0?dialfax) in new stack
-- Executing [000972592603325@default:5] GotoIf(SIP/192.168.20.120-002a, 0?dialanika) in new stack
-- Executing [000972592603325@default:6] Dial(SIP/192.168.20.120-002a, SIP/pbxluca/000972592603325,,R) in new stack
[Jun 8 21:42:50] WARNING[18981]: app_dial.c:2345 dial_exec_full: Unable to create channel of type 'SIP' (cause 20 - Subscriber absent)
== Everyone is busy/congested at this time (1:0/0/1)
-- Executing [000972592603325@default:7] Hangup(SIP/192.168.20.120-002a, ) in new stack
== Spawn extension (default, 000972592603325, 7) exited non-zero on 'SIP/192.168.20.120-002a'
[Jun 8 21:43:22] WARNING[16633]: chan_sip.c:3830 retrans_pkt: Retransmission timeout reached on transmission 8dc31ca4e660a0408450715638784d86 for seqno 1 (Critical Response) -- See https://wiki.asterisk.org/wiki/display/AST/SIP+Retransmissions
Packet timed out after 32001ms with no response
At the time no phone tried to call... On my Firewall I see a SIP packet coming from an IP in Palestine... Am I cracked? I think I disabled all guest access. How can I check if my Asterisk allows guests to originate calls?
Thanks
Luca Bertoncello (lucab...@lucabert.de)
Re: [asterisk-users] Am I cracked?
Quoting Dereck D derec...@gmail.com:
For such cases I created a dialplan in the default dialplan which blocks the IP of the hacker with iptables.

That's interesting... Could you explain to me how you did it?

Thanks
Luca Bertoncello (lucab...@lucabert.de)
Re: [asterisk-users] Am I cracked?
Very strange... I ran the Asterisk CLI for other tasks, and suddenly I got this message:
== Using SIP RTP CoS mark 5
-- Executing [000972592603325@default:1] Verbose(SIP/192.168.20.120-002a, 2,PROXY Call from 0123456 to 000972592603325) in new stack
== PROXY Call from 0123456 to 000972592603325
-- Executing [000972592603325@default:2] Set(SIP/192.168.20.120-002a, CHANNEL(musicclass)=default) in new stack
-- Executing [000972592603325@default:3] GotoIf(SIP/192.168.20.120-002a, 0?dialluca) in new stack
-- Executing [000972592603325@default:4] GotoIf(SIP/192.168.20.120-002a, 0?dialfax) in new stack
-- Executing [000972592603325@default:5] GotoIf(SIP/192.168.20.120-002a, 0?dialanika) in new stack
-- Executing [000972592603325@default:6] Dial(SIP/192.168.20.120-002a, SIP/pbxluca/000972592603325,,R) in new stack
[Jun 8 21:42:50] WARNING[18981]: app_dial.c:2345 dial_exec_full: Unable to create channel of type 'SIP' (cause 20 - Subscriber absent)
== Everyone is busy/congested at this time (1:0/0/1)
-- Executing [000972592603325@default:7] Hangup(SIP/192.168.20.120-002a, ) in new stack
== Spawn extension (default, 000972592603325, 7) exited non-zero on 'SIP/192.168.20.120-002a'
[Jun 8 21:43:22] WARNING[16633]: chan_sip.c:3830 retrans_pkt: Retransmission timeout reached on transmission 8dc31ca4e660a0408450715638784d86 for seqno 1 (Critical Response) -- See https://wiki.asterisk.org/wiki/display/AST/SIP+Retransmissions
Packet timed out after 32001ms with no response
At the time no phone tried to call... On my Firewall I see a SIP packet coming from an IP in Palestine... Am I cracked? I think I disabled all guest access. How can I check if my Asterisk allows guests to originate calls?

Based on SIP packets coming in from IP addresses you don't recognize, while you may not be hacked, you would seem to have people probing your system. One thing you can do at the firewall level is restrict inbound sip communications to only those from your external phone providers. Depending on their setup, they should be able to give you an IP, a range of IPs or a name that can be used (i.e. sip.myphoneprovider.com). If you restrict your inbound sip to that, it will be very helpful.

Also, there are further steps you can take to harden your systems. An internet search will bring up many, but here are a couple of good ones:
http://blogs.digium.com/2009/03/28/sip-security/
http://www.ipcomms.net/blog/70-11-steps-to-secure-your-asterisk-ip-pbx
http://nerdvittles.com/?p=580
Re: [asterisk-users] Am I cracked?
On Mon, 8 Jun 2015 13:19:53 -0700 (PDT) Steve Edwards asterisk@sedwards.com wrote:
Look for address blocks (class A, B, C) that are allocated to geographic regions you do not have any providers. If you limit your 'attack surface' you make your security problem manageable.

Get this file: http://www.ipdeny.com/ipblocks/data/countries/all-zones.tar.gz

It has all of those blocks for all countries. I pick that up fresh every week and block specific countries that I don't have clients in but seem to be hitting me hard.

--
D'Arcy J.M. Cain System Administrator, Vex.Net http://www.Vex.Net/ IM:da...@vex.net VoIP: sip:da...@vex.net
Re: [asterisk-users] Am I cracked?
On Mon, 8 Jun 2015 22:24:33 +0200 Luca Bertoncello lucab...@lucabert.de wrote:
Kevin Larsen kevin.lar...@pioneerballoon.com wrote:
Basically, they are hoping that you are running the equivalent of a mail server open relay. They are trying to use you to dial out to another number. You don't want to pay for these calls.
Of course, but how can I test, if I am an open relay?

If you don't know how to do this I suggest that you shut down your Asterisk server until you find out. Using your cell phone while you get it straight could save you some serious coin.

Not sure what trunk pbxluca is, but if that is an outbound trunk, then this is very bad. The only reason it would fail then is if they have the
This is one of my outbound trunks...

Very, very bad then.

On a Mail-Server I'd restrict outgoing calls to authenticated users. I was sure, that Asterisk already does that, but I'm not sure anymore... How can I restrict it?

You need to make sure that only registered phones can connect to your outbound trunks. Read the docs or hire someone but don't wait. Shut down now, especially since this information is now on a public list. I am sure that most people here are just looking out for you but it only takes one black hat.

--
D'Arcy J.M. Cain System Administrator, Vex.Net http://www.Vex.Net/ IM:da...@vex.net VoIP: sip:da...@vex.net
Re: [asterisk-users] Am I cracked?
On Mon, 8 Jun 2015, Kevin Larsen wrote:
Better to fail and fix than to permit and pay for it later.

That would make a great T-shirt: Deny and Fix vs Permit and Pay

--
Thanks in advance, - Steve Edwards sedwa...@sedwards.com Voice: +1-760-468-3867 PST Newline Fax: +1-760-731-3000
Re: [asterisk-users] Am I cracked?
Kevin Larsen kevin.lar...@pioneerballoon.com wrote:
Based on SIP packets coming in from IP addresses you don't recognize, while you may not be hacked, you would seem to have people probing your

I think, too, it's someone probing my IP...

system. One thing you can do at the firewall level is restrict inbound sip communications to only those from your external phone providers. Depending on their setup, they should be able to give you an IP, a range of IPs or a name that can be used (i.e. sip.myphoneprovider.com). If you restrict your

This is not really possible, since I'll login on my Asterisk from many Providers...

inbound sip to that, it will be very helpful. Also, there are further steps you can take to harden your systems. An internet search will bring up many, but here are a couple of good ones:
http://blogs.digium.com/2009/03/28/sip-security/
http://www.ipcomms.net/blog/70-11-steps-to-secure-your-asterisk-ip-pbx
http://nerdvittles.com/?p=580

OK, I set alwaysauthreject = yes and I discovered an allowguest, which I set to no, too. The PBX is behind a Firewall and I just allow UDP 5060 and 1-10100. Now I log the SIP packets coming from the Internet, too... Hopefully I solved my problem...

Thanks
Luca Bertoncello (lucab...@lucabert.de)
Re: [asterisk-users] Am I cracked?
On Mon, 8 Jun 2015, Luca Bertoncello wrote:
This is not really possible, since I'll login on my Asterisk from many Providers...

many all

So make a list of the 100 or so providers you have active accounts with. It's still way less than 'all.' Also, I'm willing to bet you won't be using providers from China, North Korea, Russia, Iraq, etc, etc, etc. (Sorry if that steps on anybody's toes.)

Look for address blocks (class A, B, C) that are allocated to geographic regions you do not have any providers. If you limit your 'attack surface' you make your security problem manageable.

--
Thanks in advance, - Steve Edwards sedwa...@sedwards.com Voice: +1-760-468-3867 PST Newline Fax: +1-760-731-3000
Re: [asterisk-users] Am I cracked?
OK, I set alwaysauthreject = yes and I discovered an allowguest, which I set to no, too. The PBX is behind a Firewall and I just allow UDP 5060 and 1-10100. Now I log the SIP packets coming from the Internet, too... Hopefully I solved my problem...

Make sure you have solved the problem. You don't want to get hit with a phone bill for calls from your location to Israel.

Basically, they are hoping that you are running the equivalent of a mail server open relay. They are trying to use you to dial out to another number. You don't want to pay for these calls.

The calls are being dumped into your default context. It's not matching on your gotoif statements, so finally it is trying to execute this:
Dial(SIP/192.168.20.120-002a, SIP/pbxluca/000972592603325,,R) in new stack

Not sure what trunk pbxluca is, but if that is an outbound trunk, then this is very bad. The only reason it would fail then is if they have the outbound dial pattern wrong, which is a sure sign that you are open in the future to having someone make this kind of call in a way that does work and leaves you on the hook. Based on your email address, I am guessing you are in Germany. Looks like they almost have the correct outbound pattern for dialing from Germany to Israel. It should be 00972592603325 (notice the one less zero in the front).

Please tell me that pbxluca is not an outbound dialing context? If it is, you need to fix this very quickly.
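The reading of the CLI output given in this message, turned into a check (an added example, not code from any poster in the thread): it scans Asterisk verbose output for a Dial() executed in a guest-reachable context toward an outbound trunk. The first five sample lines are from the log quoted in the thread; the last line, the `phones` context and extension 201 are constructed.

```python
import re

# First five lines: from the CLI output quoted in this thread.
# Last line: constructed, a registered phone (201) in a hypothetical "phones" context.
SAMPLE_LOG = """\
    -- Executing [000972592603325@default:1] Verbose(SIP/192.168.20.120-002a, 2,PROXY Call from 0123456 to 000972592603325) in new stack
    -- Executing [000972592603325@default:5] GotoIf(SIP/192.168.20.120-002a, 0?dialanika) in new stack
    -- Executing [000972592603325@default:6] Dial(SIP/192.168.20.120-002a, SIP/pbxluca/000972592603325,,R) in new stack
[Jun 8 21:42:50] WARNING[18981]: app_dial.c:2345 dial_exec_full: Unable to create channel of type 'SIP' (cause 20 - Subscriber absent)
    -- Executing [000972592603325@default:7] Hangup(SIP/192.168.20.120-002a, ) in new stack
    -- Executing [201@phones:1] Dial(SIP/201-0000002b, SIP/pbxluca/0049301234567,,R) in new stack
"""

EXEC_RE = re.compile(
    r"Executing \[(?P<exten>[^@\]]+)@(?P<context>[^:\]]+):(?P<prio>\d+)\]\s*"
    r"(?P<app>\w+)\((?P<args>.*)\)\s*in\s*new stack")


def trunk_of(dest):
    """Trunk name in TECH/trunk/number or TECH/number@trunk, else None."""
    parts = dest.strip().split("/")
    if len(parts) >= 3:
        return parts[1]
    if len(parts) == 2 and "@" in parts[1]:
        return parts[1].rsplit("@", 1)[1]
    return None


def guest_trunk_dials(log_text, guest_contexts, trunks):
    """Return one finding per Dial() toward `trunks` run in a guest context."""
    findings, last = [], None
    for line in log_text.splitlines():
        m = EXEC_RE.search(line)
        if m:
            last = None  # a new dialplan step ends the previous Dial's window
            if m["app"] != "Dial" or m["context"] not in guest_contexts:
                continue
            # Verbose output prints the channel first, then the application args.
            channel, _, rest = m["args"].replace('"', "").partition(",")
            for dest in rest.strip().split(",")[0].split("&"):
                if trunk_of(dest) in trunks:
                    last = {"exten": m["exten"], "context": m["context"],
                            "channel": channel.strip(), "dest": dest.strip(),
                            "trunk": trunk_of(dest), "failed": False}
                    findings.append(last)
        elif last and "dial_exec_full" in line and "Unable to create channel" in line:
            last["failed"] = True  # attempt was made, the trunk leg did not come up
    return findings


if __name__ == "__main__":
    for f in guest_trunk_dials(SAMPLE_LOG, {"default"}, {"pbxluca"}):
        state = "failed" if f["failed"] else "NOT shown as failed"
        print(f"ALERT {f['channel']} dialed {f['exten']} via {f['trunk']} "
              f"from context '{f['context']}' ({state})")
```

A finding with `failed` set still means the dialplan handed an unauthenticated call to the trunk; only the far end refused it.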
Re: [asterisk-users] Am I cracked?
I'm guessing this is a small/home system? I suggest you install SecAst from this site: www.telium.ca It's free for small office / home office and will deal with these types of attacks and more. It can also block users based on their Geographic location (based on the phone number it attempted to dial I suspect this is middle east), look for suspicious dialing patterns, etc.

If you still have allow guest enabled, then you should also follow the 'securing asterisk' steps from this site: http://www.voip-info.org/wiki/view/Asterisk+security

You're definitely under attack (based on the 0123456 ID) so be sure to take preventative steps to avoid a $50k phone bill..

From: asterisk-users-boun...@lists.digium.com asterisk-users-boun...@lists.digium.com on behalf of Luca Bertoncello lucab...@lucabert.de
Sent: Monday, June 8, 2015 3:46 PM
To: Asterisk Users List
Subject: [asterisk-users] Am I cracked?

Hi list! Very strange... I ran the Asterisk CLI for other tasks, and suddenly I got this message:
== Using SIP RTP CoS mark 5
-- Executing [000972592603325@default:1] Verbose(SIP/192.168.20.120-002a, 2,PROXY Call from 0123456 to 000972592603325) in new stack
== PROXY Call from 0123456 to 000972592603325
-- Executing [000972592603325@default:2] Set(SIP/192.168.20.120-002a, CHANNEL(musicclass)=default) in new stack
-- Executing [000972592603325@default:3] GotoIf(SIP/192.168.20.120-002a, 0?dialluca) in new stack
-- Executing [000972592603325@default:4] GotoIf(SIP/192.168.20.120-002a, 0?dialfax) in new stack
-- Executing [000972592603325@default:5] GotoIf(SIP/192.168.20.120-002a, 0?dialanika) in new stack
-- Executing [000972592603325@default:6] Dial(SIP/192.168.20.120-002a, SIP/pbxluca/000972592603325,,R) in new stack
[Jun 8 21:42:50] WARNING[18981]: app_dial.c:2345 dial_exec_full: Unable to create channel of type 'SIP' (cause 20 - Subscriber absent)
== Everyone is busy/congested at this time (1:0/0/1)
-- Executing [000972592603325@default:7] Hangup(SIP/192.168.20.120-002a, ) in new stack
== Spawn extension (default, 000972592603325, 7) exited non-zero on 'SIP/192.168.20.120-002a'
[Jun 8 21:43:22] WARNING[16633]: chan_sip.c:3830 retrans_pkt: Retransmission timeout reached on transmission 8dc31ca4e660a0408450715638784d86 for seqno 1 (Critical Response) -- See https://wiki.asterisk.org/wiki/display/AST/SIP+Retransmissions
Packet timed out after 32001ms with no response
At the time no phone tried to call... On my Firewall I see a SIP packet coming from an IP in Palestine... Am I cracked? I think I disabled all guest access. How can I check if my Asterisk allows guests to originate calls?
Thanks
Luca Bertoncello (lucab...@lucabert.de)
Re: [asterisk-users] Am I cracked?
On Mon, 8 Jun 2015, Michelle Dupuis wrote:
You're definitely under attack (based on the 0123456 ID) so be sure to take preventative steps to avoid a $50k phone bill..

Don't enable 'auto-replenish' in your provider account and don't keep a balance you can't afford to lose.

--
Thanks in advance, - Steve Edwards sedwa...@sedwards.com Voice: +1-760-468-3867 PST Newline Fax: +1-760-731-3000
Re: [asterisk-users] Am I cracked?
Make sure you have solved the problem. You don't want to get hit with a phone bill for calls from your location to Israel. Basically, they are hoping that you are running the equivalent of a mail server open relay. They are trying to use you to dial out to another number. You don't want to pay for these calls.
Of course, but how can I test, if I am an open relay?
The calls are being dumped into your default context. It's not matching on your gotoif statements, so finally it is trying to execute this: Dial(SIP/192.168.20.120-002a, SIP/pbxluca/000972592603325,,R) in new stack Not sure what trunk pbxluca is, but if that is an outbound trunk, then this is very bad. The only reason it would fail then is if they have the
This is one of my outbound trunks...
outbound dial pattern wrong, which is a sure sign that you are open in the future to having someone make this kind of call in a way that does work and leaves you on the hook. Based on your email address, I am guessing you are in Germany. Looks like they almost have the correct outbound pattern for dialing from Germany to Israel. It should be 00972592603325 (notice the one less zero in the front). Please tell me that pbxluca is not an outbound dialing context? If it is, you need to fix this very quickly.
How can I fix it? Of course, I need to be able to call any phone on this world... On a Mail-Server I'd restrict outgoing calls to authenticated users. I was sure, that Asterisk already does that, but I'm not sure anymore... How can I restrict it?

I am sure others can chime in, but first things first, you want inbound calls and outbound calls to be in different contexts. Don't let your default context reach an outbound line. Your registered phones will be in a context that can call out which should be different from the default. Also, make sure that your phones are registering with passwords (secret) that are different than the extension number. Makes it harder to guess.

The big thing to keep in mind dialplan wise is to never let an inbound call have a path to loop back outbound. Two of the biggest vectors for fraud will be allowing a non-authenticated sip call to get outbound over your trunks and to have weak credentials that can be cracked that will let someone else impersonate your phones.

And you can still wipe out most fraud by restricting the IP addresses you let in from the outside world. I prefer to have the most restrictive communications I can and then fix it if I discover that something doesn't work. Better to fail and fix than to permit and pay for it later.

The providers I tend to like best not only give me what I need to restrict to their IP ranges, but also put in place restrictions on their end to only talk to my account from my external static IP address. That way someone could figure out my credentials, but if they can't spoof my IP address it still won't work. That is dependent on what the provider can do though.
Re: [asterisk-users] Am I cracked?
Kevin Larsen kevin.lar...@pioneerballoon.com wrote:
Make sure you have solved the problem. You don't want to get hit with a phone bill for calls from your location to Israel. Basically, they are hoping that you are running the equivalent of a mail server open relay. They are trying to use you to dial out to another number. You don't want to pay for these calls.

Of course, but how can I test, if I am an open relay?

The calls are being dumped into your default context. It's not matching on your gotoif statements, so finally it is trying to execute this: Dial(SIP/192.168.20.120-002a, SIP/pbxluca/000972592603325,,R) in new stack Not sure what trunk pbxluca is, but if that is an outbound trunk, then this is very bad. The only reason it would fail then is if they have the

This is one of my outbound trunks...

outbound dial pattern wrong, which is a sure sign that you are open in the future to having someone make this kind of call in a way that does work and leaves you on the hook. Based on your email address, I am guessing you are in Germany. Looks like they almost have the correct outbound pattern for dialing from Germany to Israel. It should be 00972592603325 (notice the one less zero in the front). Please tell me that pbxluca is not an outbound dialing context? If it is, you need to fix this very quickly.

How can I fix it? Of course, I need to be able to call any phone on this world... On a Mail-Server I'd restrict outgoing calls to authenticated users. I was sure, that Asterisk already does that, but I'm not sure anymore... How can I restrict it?

Thanks
Luca Bertoncello (lucab...@lucabert.de)
Re: [asterisk-users] Am I cracked?
As a practice, by default all the extensions you expose on the allowguest mode should lead inbound to your asterisk and should never pick any outbound trunk and dial out. Your best option is to remove all outbound extensions from the default context, move them to default2 and set default extensions as honeypot to play monkeys tts wave file or reject the call.

Mitul Limbani

On 09-Jun-2015 2:05 AM, D'Arcy J.M. Cain da...@vex.net wrote:
On Mon, 8 Jun 2015 22:24:33 +0200 Luca Bertoncello lucab...@lucabert.de wrote:
Kevin Larsen kevin.lar...@pioneerballoon.com wrote:
Basically, they are hoping that you are running the equivalent of a mail server open relay. They are trying to use you to dial out to another number. You don't want to pay for these calls.
Of course, but how can I test, if I am an open relay?
If you don't know how to do this I suggest that you shut down your Asterisk server until you find out. Using your cell phone while you get it straight could save you some serious coin.
Not sure what trunk pbxluca is, but if that is an outbound trunk, then this is very bad. The only reason it would fail then is if they have the
This is one of my outbound trunks...
Very, very bad then.
On a Mail-Server I'd restrict outgoing calls to authenticated users. I was sure, that Asterisk already does that, but I'm not sure anymore... How can I restrict it?
You need to make sure that only registered phones can connect to your outbound trunks. Read the docs or hire someone but don't wait. Shut down now, especially since this information is now on a public list. I am sure that most people here are just looking out for you but it only takes one black hat.
--
D'Arcy J.M. Cain System Administrator, Vex.Net http://www.Vex.Net/ IM:da...@vex.net VoIP: sip:da...@vex.net
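Luca's repeated question of how to check for an open relay, and the context split recommended in this thread, as an added example that is not from any poster: a static audit in Python that reports whether the context guest calls land in can reach a Dial() on an outbound trunk. Both configurations are constructed; `pbxluca` and `default2` are names from the thread, peer 201 and its secret are placeholders, and the audit over-approximates (any trunk Dial in a reachable context counts, and only `include` and three-argument Goto are followed).

```python
import re
from collections import deque

# Constructed configs. "pbxluca" and "default2" are names used in the thread;
# peer 201 and its secret are placeholders.
WEAK_SIP = "[general]\ncontext=default\nallowguest=yes\n"
WEAK_EXT = """\
[default]
exten => _X.,1,Verbose(2,PROXY Call from ${CALLERID(num)} to ${EXTEN})
 same => n,Dial(SIP/pbxluca/${EXTEN},,R)
 same => n,Hangup()
"""
FIXED_SIP = """\
[general]
context=default
allowguest=no
alwaysauthreject=yes

[201]
type=friend
host=dynamic
context=default2          ; registered phones land here, not in [default]
secret=PLACEHOLDER-long-random-not-201
"""
FIXED_EXT = """\
[default]
exten => _X.,1,Hangup(21)  ; unauthenticated calls are rejected, no trunk

[default2]
exten => _X.,1,Dial(SIP/pbxluca/${EXTEN},,R)
 same => n,Hangup()
"""

SECTION = re.compile(r"^\[([^\]]+)\]")
APPCALL = re.compile(r"(\w+)\((.*)\)\s*$")


def sections(text):
    """Parse Asterisk-style config text into {section: [(key, value), ...]}."""
    out, cur = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop ';' comments
        m = SECTION.match(line)
        if m:
            cur = out.setdefault(m.group(1), [])
        elif cur is not None and "=" in line:
            key, _, val = line.partition("=")        # handles both '=' and '=>'
            cur.append((key.strip().lower(), val.lstrip(">").strip()))
    return out


def reachable_trunk_dials(ext_text, start, trunks):
    """Dial() targets on `trunks` in any context reachable from `start`."""
    ctxs, trunks = sections(ext_text), set(trunks)
    seen, queue, hits = {start}, deque([start]), []
    while queue:
        ctx = queue.popleft()
        for key, val in ctxs.get(ctx, []):
            nxt = None
            if key == "include":
                nxt = val.split(",")[0].strip()
            elif key in ("exten", "same"):
                # exten => pattern,priority,App(args) / same => priority,App(args)
                app = val.split(",", 2 if key == "exten" else 1)[-1].strip()
                m = APPCALL.match(app)
                name, args = (m.group(1).lower(), m.group(2)) if m else ("", "")
                if name == "goto" and args.count(",") == 2:
                    nxt = args.split(",")[0].strip()
                elif name == "dial":
                    for dest in args.split(",")[0].split("&"):
                        if trunks & set(re.split(r"[/@]", dest.strip())):
                            hits.append((ctx, dest.strip()))
            if nxt and nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return hits


def audit(sip_text, ext_text, trunks):
    general = dict(sections(sip_text).get("general", []))
    # chan_sip defaults when the keys are absent: allowguest=yes, context=default
    guest_ok = general.get("allowguest", "yes").lower() in ("yes", "true", "1", "on")
    entry = general.get("context", "default")
    hits = reachable_trunk_dials(ext_text, entry, trunks)
    return {"allowguest": guest_ok, "guest_context": entry,
            "trunk_dials": hits, "open_relay": guest_ok and bool(hits)}


if __name__ == "__main__":
    for label, sip, ext in (("weak", WEAK_SIP, WEAK_EXT), ("fixed", FIXED_SIP, FIXED_EXT)):
        print(label, audit(sip, ext, {"pbxluca"}))
```

A non-empty `trunk_dials` with `allowguest=no` is still worth fixing, since the dialplan then depends on a single setting to keep unauthenticated calls off the trunk.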