In the past little while, we've seen a wave of attacks on Asterisk, via the provisioning.

It goes something like this:

A. Scan for IP phones on the internet, either via spotting something on port 5060, or via the port 80 web interface for the phone. Or, use web sites that scan the internet and classify the machines, to make your work shorter.

B. Once you get into the web GUI, get the URL for provisioning. I haven't checked yet... do any phones actually allow you to set this, or do any display the current value? And, finally, how many phones publish their own MAC address in the GUI? Or, can you suck this out of the returned IP packets?

C. Given the URL and the MAC, fetch the phone's provisioning info, including its SIP account info. Use to best advantage.

D. Going further, set up a brute-force probe algorithm to probe all possible MAC addresses for a given phone manufacturer, via HTTP requests. After all, those provisioning web servers are fast and efficient, aren't they? Collect all possible MAC addresses and grab the provisioning, and now you have a LOT of SIP accounts. Use to best advantage.

And, professional hacking organizations seem to also follow these rules:

a. Wait several months for any history of the above activities to roll off the log files. Treat your phone systems like fine wine vintage.

b. Use multiple (hundreds/thousands) of machines scattered over the earth to carry out the above probes, and also to use the accounts for generating international calls.

In general, using the SIP account info gleaned from these kinds of efforts is a bit problematic. You see, to effectively use your phone system to place calls, they will have to set up their own phone system to act like a phone, register to the phone system, and then initiate calls. Trouble is, your phone is usually already registered, but can be "bumped off". Your phone will re-register at intervals and bump the hackers, who will again register and bump your phone. This little game of "king of the hill" may show up in your Asterisk logs.
So, these defenses can be employed to stop/ameliorate such hacking efforts:

1. Keep your phones behind a firewall. Travellers, beware! Never leave the default login info of the phone at default!

2. Never use the default provisioning URL for the phone, with its default URL or password.

3. Use fail2ban, ossec, whatever to stymie any brute-force MAC address searches.

4. Use your firewalls to restrict the IPs that can access web, ftp, etc. for provisioning to just those IPs needed to allow your phones to provision.

5. Keep your logs for a couple of years.

6. Change your phone SIP acct passwords now, if you haven't implemented the above precautions yet.

If I missed a previous post on this, forgive me. Just thought you-all might appreciate a heads-up.

murf

-- 
Steve Murphy
ParseTree Corporation
57 Lane 17
Cody, WY 82414
✉ murf at parsetree dot com
☎ 307-899-5535
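An added example to go with points 3 and 4 above; this is not part of Steve Murphy's post and not code from Asterisk or fail2ban. It reads provisioning-server access-log lines and flags two things the post describes: a source address that requests many distinct MAC-named config files (mostly getting 404s, the signature of a MAC-space walk), and any source outside the networks your own phones provision from. The log format (Apache/nginx combined style), the `<MAC>.cfg` naming, the allowed network, and the thresholds are assumptions; the log lines are constructed and use RFC 5737 documentation addresses.

```python
"""Flag MAC-enumeration and off-network fetches in provisioning-server logs.

Added example: log format, file naming and thresholds are assumptions,
sample lines are constructed (RFC 5737 addresses), not real traffic.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample: two legitimate phones on 198.51.100.0/24, one
# outside host walking consecutive MACs, one outside host fetching a config.
SAMPLE_LOG = """\
198.51.100.10 - - [10/Mar/2012:02:14:01 +0000] "GET /prov/000413aa0001.cfg HTTP/1.1" 200 2310
198.51.100.11 - - [10/Mar/2012:02:14:03 +0000] "GET /prov/000413aa0002.cfg HTTP/1.1" 200 2298
203.0.113.7 - - [10/Mar/2012:02:15:00 +0000] "GET /prov/000413000000.cfg HTTP/1.1" 404 162
203.0.113.7 - - [10/Mar/2012:02:15:00 +0000] "GET /prov/000413000001.cfg HTTP/1.1" 404 162
203.0.113.7 - - [10/Mar/2012:02:15:01 +0000] "GET /prov/000413000002.cfg HTTP/1.1" 404 162
203.0.113.7 - - [10/Mar/2012:02:15:01 +0000] "GET /prov/000413000003.cfg HTTP/1.1" 404 162
203.0.113.7 - - [10/Mar/2012:02:15:02 +0000] "GET /prov/000413aa0001.cfg HTTP/1.1" 200 2310
198.51.100.10 - - [10/Mar/2012:02:16:00 +0000] "GET /prov/000413aa0001.cfg HTTP/1.1" 200 2310
192.0.2.44 - - [10/Mar/2012:02:17:00 +0000] "GET /prov/000413aa0002.cfg HTTP/1.1" 200 2298
"""

# Combined-format prefix: client ip, ident, user, [timestamp], "request", status
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)
# Assumed naming: config files are <12 hex digits>.cfg or .xml
MAC_RE = re.compile(r'([0-9A-Fa-f]{12})\.(?:cfg|xml)')


def parse_line(line):
    """Return (ip, mac_or_None, status) for one access-log line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    mac = MAC_RE.search(m["req"])
    return m["ip"], (mac.group(1).lower() if mac else None), int(m["status"])


def analyze(log_text, allowed_networks, max_distinct_macs=3, min_404_ratio=0.5):
    """Return {ip: finding} for sources that look like enumeration or are
    outside the networks phones are expected to provision from.

    A real phone fetches only its own MAC, so even a NAT'd office stays well
    under max_distinct_macs; a walk of the MAC space produces many distinct
    names and mostly 404s.
    """
    nets = [ipaddress.ip_network(n) for n in allowed_networks]
    per_ip = defaultdict(lambda: {"macs": set(), "total": 0, "notfound": 0})

    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, mac, status = rec
        if mac is None:          # not a provisioning fetch, ignore
            continue
        stats = per_ip[ip]
        stats["total"] += 1
        stats["macs"].add(mac)
        if status == 404:
            stats["notfound"] += 1

    findings = {}
    for ip, stats in per_ip.items():
        reasons = []
        if not any(ipaddress.ip_address(ip) in n for n in nets):
            reasons.append("outside allowed provisioning networks")
        distinct = len(stats["macs"])
        ratio = stats["notfound"] / stats["total"]
        if distinct > max_distinct_macs and ratio >= min_404_ratio:
            reasons.append(
                f"enumeration: {distinct} distinct MACs, "
                f"{stats['notfound']}/{stats['total']} requests returned 404"
            )
        if reasons:
            findings[ip] = {"distinct_macs": distinct, "reasons": reasons}
    return findings


if __name__ == "__main__":
    for ip, f in analyze(SAMPLE_LOG, ["198.51.100.0/24"]).items():
        print(ip, "->", "; ".join(f["reasons"]))
```

The output of `analyze` is the kind of decision a fail2ban filter or a firewall drop rule would act on; a reasonable deployment runs it over the last few minutes of the log on a schedule, and keeps the raw logs for the long retention the post recommends, since the post notes that the probing can precede the calling by months.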
-- 
_____________________________________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
               http://www.asterisk.org/hello

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users