Did you read:

http://blogs.digium.com/2009/03/28/sip-security/

and:

http://www.asterisk.org/security/webinar/

as well as the file:

build_i586/asterisk-1*/README-SERIOUSLY.bestpractices.txt

in your project directory.

Also, trunk and 1.8 have an important fix that I finally managed to get in.

https://issues.asterisk.org/view.php?id=17040

If you have "allowguest=yes" in sip.conf as I do (needed for ISN calling), then 
what you do is for your handsets' configurations you explicitly set a context= 
value, but have:

[general]
...
context=NOSUCHCONTEXT

as the default context.  That is, incoming calls from a "guest" association 
will try to go into an undefined context, which will fail the call.

Only calls from explicitly configured peers will have a valid context to 
execute in.

Do *not* use or have a default context.




On 9/18/10 5:55 PM, Mark Phillips wrote:
> Hi All,
>
> Well, for the second time in about a month I've been the victim of call
> theft to the tune of almost $1000. It would seem that someone is able to
> acquire an extension on my AstLinux box and use it to call Somalia for a
> few minutes at a time over and over again until I catch it.
>
> Luckily this time my provider was on the lookout and trapped the theft
> after about $250 of calls were made.
>
> To get to the point, Broadvoice's call log shows that I made a good many
> calls to a particular number in Somalia but my log does not. Indeed, my
> log as viewed via the AstLinux Management web interface shows that the
> last call made by one of my users was at around 1030am today. The last
> call to Somalia was at 5:48 tonight.
>
> I have a number of questions all related to SIP security but my biggest
> question is "why don't the calls show up in my log?" My provider can
> show logs demonstrating that the Somalia calls came from my IP address
> and I did spot the odd one or 2 towards the end originating from an
> extension within my number plan.
>
> So back to my SIP questions, I use a combination of hard and softphones
> around the house and a softphone on my new Android phone. I occasionally
> use a softphone on my laptop remotely via L2TP VPN.
>
> Each entry in my sip.conf file has this in it;
>
> deny=0.0.0.0/0.0.0.0
> permit=192.168.201.0/255.255.255.0
> permit=192.168.202.0/255.255.255.0
>
> but yet still the hacker/thief was able to get in.
>
> When I spotted the theft I noted that the thief was using exten 2201 (my
> android softphone), the UA as reported by "sip show peer 2201" was
> "MySIP" (an app I was never able to get working correctly) but yet my
> Android wasn't running the MySIP softphone at the time.
>
> Could it be that the MySIP app was in fact some sort of Android Trojan?
> How well, if at all, do the deny/permit parameters in sip.conf work?
> How well does the SIP module in AstLinux stand up to brute force attacks
> (I'm assuming the thief tried that as well)?
>
> I'm now so worried about another one of these occurrences that I'm
> having to disable SIP access on my monoWall which in turn will impact my
> ability to work.
>
> Ideas??
>
> Thanks
>
> Mark
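To make the reply's advice checkable, here is an added example that is not part of the original messages or of AstLinux/Asterisk: a small Python audit of a sip.conf that flags a [general] default context guests can dial into, peers that only inherit it, and peers lacking deny/permit. It assumes the caller passes in the context names defined in extensions.conf; the sample sip.conf text is constructed.

```python
# Audit an Asterisk sip.conf for the weakness the reply describes: a [general] default
# context that unauthenticated guests can dial into, and peers that merely inherit it.
# Constructed sample, not from the original post: deny/permit is set, as in Mark's
# config, but the default context still leads somewhere real.
WEAK_CONF = """
[general]
allowguest=yes
context=default
[2201]
type=friend
deny=0.0.0.0/0.0.0.0
permit=192.168.201.0/255.255.255.0
"""
# Hardened as the reply recommends: an undefined default context plus an explicit
# context= on every configured peer.
HARDENED_CONF = (WEAK_CONF.replace("context=default", "context=NOSUCHCONTEXT")
                 .replace("type=friend\n", "type=friend\ncontext=internal\n"))

def parse_sip_conf(text):
    """Minimal sip.conf parser -> {section: {key: [values]}}; repeated keys are kept."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].split("(")[0]      # drop any "(template)" suffix
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            sections[current].setdefault(key, []).append(value)
    return sections

def audit_sip_conf(text, dialplan_contexts):
    """Return findings; dialplan_contexts = the context names defined in extensions.conf."""
    conf = parse_sip_conf(text)
    general = conf.get("general", {})
    # chan_sip defaults: allowguest=yes and context=default when not set explicitly
    guest = general.get("allowguest", ["yes"])[-1].lower() in ("yes", "true", "on", "1")
    default_ctx = general.get("context", ["default"])[-1]
    findings = []
    if guest and default_ctx in dialplan_contexts:
        findings.append(f"[general] context={default_ctx} is dialable by unauthenticated guests")
    for name, opts in conf.items():
        if name == "general" or opts.get("type", [""])[-1] not in ("friend", "user", "peer"):
            continue
        if "context" not in opts:
            findings.append(f"[{name}] has no context= and inherits {default_ctx}")
        if "deny" not in opts or "permit" not in opts:
            findings.append(f"[{name}] has no deny/permit restriction")
    return findings
```

Run it against a real sip.conf with `audit_sip_conf(open("/etc/asterisk/sip.conf").read(), contexts)`; an empty list means every peer has its own context and the guest default points nowhere.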


_______________________________________________
Astlinux-users mailing list
Astlinux-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/astlinux-users