Administrator TOOTAI wrote:
> Olle E. Johansson wrote:
>> On 27 Jan 2010 at 11:47, Administrator TOOTAI wrote:
>>
>>> Hi,
>>>
>>> we had an attack on a server and we don't understand how it was
>>> possible. Asterisk 1.4.28/Debian Lenny 5.1. Attacker came from PALTEL,
>>> network 188.161.128.0/18.
>>>
>>> Hacked account had the following setup:
>>>
>>> [111]
>>> type=friend
>>> username=111
>>> context=from-111
>>> host=11.22.33.44
>>> dtmfmode=auto
>>> qualify=yes
>>> nat=yes
>>> canreinvite=no
>>> defaultip=11.22.33.44
>>> port=35060
>>> disallow=all
>>> allow=ulaw,alaw
>>> call-limit=2
>>>
>>> Despite this, I saw in my logs that someone hacked this account and
>>> could place calls! In the logs we have:
>>>
>>> [Jan 27 04:00:13] ERROR[29715] chan_sip.c: Peer '111' is trying to
>>> register, but not configured as host=dynamic
>>> [Jan 27 04:00:13] NOTICE[29715] chan_sip.c: Registration from
>>> '<sip:1...@ourasteriskip>' failed for '188.161.152.245' - Peer is not
>>> supposed to register
>>> [Jan 27 04:00:18] VERBOSE[30669] logger.c: -- Executing
>>> [972599400...@from-111:1] NoOp("SIP/111-000016eb", "Incoming call from
>>> AAAA") in new stack
>>>
>>> As you see, 111 could place a call even without having registered, which he
>>> is not supposed to be able to do.
>>>
>>> How is this possible?
>>>
>> [...]
>>
>> type=friend creates two objects in your Asterisk server, one peer and one
>> user. Asterisk primarily matches the user objects for incoming calls on the
>> From: username. In this case, you have 111 as the username (regardless of
>> the "username" field, which is not the username, by the way). You have no secret
>> defined, so anyone placing a call from a URI that has 111 as the username
>> part will be able to use your server. Calling from sip:1...@asterisk.org as
>> well as sip:1...@mydomain.com will work without authentication - from any IP
>> address out there. Very poor security indeed.
>>
>> 1) Add a secret.
>> 2) Add ACL rules (permit/deny) to restrict IP address access.
>> 3) Change to type=peer and we'll only match on IP for incoming calls. I
>> still recommend using authentication.
>>
> So the fact that host is set to an IP doesn't matter in the case of
> type=friend. Didn't notice that, thanks for the explanation.
>> [..] Make sure you read this and act upon it!
>>
This conversation brings to mind two possible ways we could improve Asterisk to help keep users from falling into this trap:

1) When a sip.conf entry is defined as 'type=friend' *and* has a specific host IP address (not dynamic), we could just ignore the 'user' part and create only the 'peer' part. This would result in incoming calls being matched by IP address instead of username, which is likely what the administrator wants anyway.

2) Alternatively, if people really do want both the 'user' and 'peer' objects to exist, then we could automatically put an ACL on the 'user' object that restricts access to it to only the defined IP address. This also could apply to dynamic hosts, but only those that are defined without a secret (no authentication required), which seems like a terrible configuration and we don't really need to do anything to make it work 'better' :-)

-- 
Kevin P. Fleming
Digium, Inc. | Director of Software Technologies
445 Jan Davis Drive NW - Huntsville, AL 35806 - USA
skype: kpfleming | jabber: kpflem...@digium.com
Check us out at www.digium.com & www.asterisk.org

-- 
asterisk-users mailing list
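The trap described in this thread (a type=friend entry with a static host but no secret and no permit/deny, so the auto-created user object accepts any INVITE whose From: username matches) is easy to catch before deployment with a small configuration check. The following is an added example, not code from Asterisk or from anyone in the thread: a hypothetical sip.conf linter that flags exactly the conditions Olle and Kevin describe (friend without secret, friend with a static host, missing ACL, and a peer relying on IP matching alone). The embedded sip.conf is constructed for the example; the [111] entry copies the hacked one from the thread and the [222] entry shows the hardened form (type=peer, a secret, and a deny/permit pair), with a placeholder secret value.

```python
"""Lint sip.conf-style sections for the type=friend / no-secret trap.

Hypothetical checker written for this example; it is not part of Asterisk.
It applies the advice from the thread: add a secret, add permit/deny ACLs,
and prefer type=peer over type=friend for hosts with a fixed IP address.
"""
import configparser
from typing import Dict, List

# Constructed sample: the hacked entry from the thread beside a hardened one.
# The secret below is a placeholder, not a real credential.
SAMPLE_SIP_CONF = """\
[111]
type=friend
username=111
context=from-111
host=11.22.33.44
dtmfmode=auto
qualify=yes
nat=yes
canreinvite=no
defaultip=11.22.33.44
port=35060
disallow=all
allow=ulaw,alaw
call-limit=2

[222]
type=peer
secret=PLACEHOLDER-use-a-long-random-secret
context=from-222
host=11.22.33.44
deny=0.0.0.0/0.0.0.0
permit=11.22.33.44/255.255.255.255
disallow=all
allow=ulaw,alaw
"""


def lint_sip_conf(text: str) -> Dict[str, List[str]]:
    """Return {section_name: [findings]} for sections that need attention.

    Sections with no findings (such as [general] or a well-hardened peer)
    are omitted from the result.
    """
    # sip.conf repeats keys (allow=, permit=) and uses ';' comments; strict=False
    # tolerates the repeats and the default comment prefixes already cover ';'.
    cp = configparser.ConfigParser(strict=False, interpolation=None, delimiters=("=",))
    cp.read_string(text)

    findings: Dict[str, List[str]] = {}
    for name in cp.sections():
        sect = cp[name]
        issues: List[str] = []
        kind = (sect.get("type") or "").strip().lower()
        host = (sect.get("host") or "").strip().lower()
        has_secret = bool(sect.get("secret")) or bool(sect.get("md5secret"))
        has_acl = "permit" in sect or "deny" in sect
        static_host = bool(host) and host != "dynamic"

        if kind == "friend":
            # The user half of a friend is matched on the From: username,
            # so host= does not restrict who can send it an INVITE.
            issues.append("type=friend creates a user object matched on the From: "
                          "username; host= does not limit inbound calls to it")
            if static_host:
                issues.append("static host with type=friend: use type=peer so "
                              "inbound calls are matched on the IP address")

        if kind in ("friend", "user"):
            if not has_secret:
                issues.append(f"no secret: any INVITE with From: <sip:{name}@...> "
                              "from any IP address can place calls")
            if not has_acl:
                issues.append("no permit/deny ACL restricting the user object "
                              "to the expected source address")

        if kind == "peer" and static_host and not has_secret:
            # Matching on IP alone is the thread's option 3; auth is still advised.
            issues.append("peer matched on IP only; authentication is still recommended")

        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    for section, problems in lint_sip_conf(SAMPLE_SIP_CONF).items():
        print(f"[{section}]")
        for problem in problems:
            print(f"  - {problem}")
```

Run it against a real sip.conf by passing the file contents to lint_sip_conf(); on the sample above, [111] produces four findings and [222] produces none. The check on the peer without a secret is deliberately advisory, matching Olle's point that IP-only matching works but authentication is still the better default.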