Re: [asterisk-users] Security - What inbound variables can attackers populate or use when calling?

2010-08-07 Thread jwexler
 Use fail2ban.  Also, read some of the security advisories from earlier
this year about being sure to always use a FILTER statement whenever you're
dialing using  a variable (most notably ${EXTEN}).
http://downloads.asterisk.org/pub/security/AST-2010-002.html



Thanks Warren!!

 

 

From: asterisk-users-boun...@lists.digium.com
[mailto:asterisk-users-boun...@lists.digium.com] On Behalf Of Warren Selby
Sent: Saturday, August 07, 2010 1:35 PM
To: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: Re: [asterisk-users] Security - What inbound variables can
attackers populate or use when calling?

 

On Fri, Aug 6, 2010 at 10:53 PM, jwex...@mail.usa.com wrote:

Someone from Amsterdam was trying to register yesterday using an automated
program which tried roughly 1,000 or so username password combinations
before I shut asterisk down and added his/her ip to iptables to drop it. I
wonder if I can configure the system to automatically detect such an attack
in progress (e.g., a 1,000+ registration failures from the same ip is an
'attack') and add the ip's to iptables, hosts.deny, etc. on the fly. That might
be another topic I guess?





Use fail2ban.  Also, read some of the security advisories from earlier this
year about being sure to always use a FILTER statement whenever you're
dialing using a variable (most notably ${EXTEN}).
http://downloads.asterisk.org/pub/security/AST-2010-002.html

-- 
Thanks,
--Warren Selby
http://www.selbytech.com

-- 
_
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
   http://www.asterisk.org/hello

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users
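
What fail2ban automates for the registration-guessing run described above, as an added example that is not part of the original posts: count failed registrations per source IP in a sliding window and render the iptables DROP rule once a threshold is crossed. The log line layout, the threshold of 5 failures in 10 minutes and the addresses are assumptions, and the sample log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed chan_sip NOTICE layout; check it against your own Asterisk log.
FAILED_REG = re.compile(
    r"^\[(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d)\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '.*' failed for '(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?' - "
    r"(?:Wrong password|No matching peer found|Username/auth name mismatch)"
)

def find_offenders(lines, max_failures=5, window=timedelta(minutes=10), year=2010):
    """Return {ip: time the threshold was crossed} for IPs with at least
    max_failures failed registrations inside one sliding window."""
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    offenders = {}
    for line in lines:
        m = FAILED_REG.match(line)
        if not m:
            continue              # reachability notices, other modules, etc.
        # The log line carries no year, so the caller supplies one.
        stamp = " ".join(m["ts"].split())
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()           # forget failures older than the window
        if len(q) >= max_failures:
            offenders.setdefault(m["ip"], ts)
    return offenders

def ban_commands(offenders):
    """Render (not run) the kind of iptables DROP rule the poster added by hand."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in offenders]

def _fail(ts, ip, reason="Wrong password"):
    return (f"[{ts}] NOTICE[2345] chan_sip.c: Registration from "
            f"'\"1000\" <sip:1000@192.0.2.1>' failed for '{ip}' - {reason}")

# Constructed sample log: one guessing run, one user with two failures hours
# apart, and one unrelated notice that must be ignored.
SAMPLE_LOG = (
    [_fail(f"Aug  6 22:41:{s:02d}", "198.51.100.23") for s in range(0, 12, 2)]
    + [_fail("Aug  6 09:00:00", "192.0.2.10"),
       _fail("Aug  6 15:30:00", "192.0.2.10", "No matching peer found")]
    + ["[Aug  6 22:42:00] NOTICE[2345] chan_sip.c: Peer '6000' is now Reachable. (12ms / 2000ms)"]
)

if __name__ == "__main__":
    hits = find_offenders(SAMPLE_LOG)
    for ip, when in hits.items():
        print(f"{ip} crossed the threshold at {when}")
    print("\n".join(ban_commands(hits)))
```

The two failures from 192.0.2.10 never share a window, so a legitimate user who mistypes a password twice in a day is not banned.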

[asterisk-users] Security - What inbound variables can attackers populate or use when calling?

2010-08-06 Thread jwexler
I am setting filters, etc. on variables that attackers can send asterisk
when they call (for example when they initially call into asterisk).

So far, I am filtering:

exten

CALLERID(name)

CALLERID(num)

 

What other fields or variables would an attacker be able to use in the
packets that they send when placing the call to asterisk?

 

Further, I am assuming that in the case that an attacker, first, simply
dials in normally and then after reaching voice prompts or other, starts
his/her attack, then all I need to filter in that case is exten. Anything
else here as well?

 

Thanks!!


Re: [asterisk-users] How does deny/permit work in sip.conf?

2010-08-06 Thread jwexler
This works. I have tested with the following settings:
In regards to the specifics of your question:
In sip.conf:
dynamic_exclude_static=yes

In users.conf, for each user (changing the permit statement to the ip of
each user):
hassip=yes
host=dynamic
registersip=yes
deny=0.0.0.0/0.0.0.0
permit=192.168.1.8/255.255.255.255   (using your ip setting)

Hope that helps

-Original Message-
From: asterisk-users-boun...@lists.digium.com
[mailto:asterisk-users-boun...@lists.digium.com] On Behalf Of Frank Church
Sent: Friday, August 06, 2010 11:46 PM
To: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: [asterisk-users] How does deny/permit work in sip.conf?

I have been seeing some attempts to register devices on my Asterisk
and I want to reconfigure it so that devices will be registered only
if they are from the correct address, ie 192.168.1.8/255.255.255.255.

I thought using a config like

deny=0.0.0.0/0.0.0.0
permit=192.168.1.8/255.255.255.255

but it is not working the way I thought?

Does that need a host=static.ip entry to work, rather than the
deny/permit option?

Does using a host=dynamic setting override any deny/permit and
port=5060 options?

Does being a peer or a user make a difference here?

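
Why the order of the deny and permit lines in this exchange matters, as an added example that is not part of the original posts. It assumes the evaluation model of Asterisk's ACL code (default allow, rules applied in file order, last matching rule wins); the function names and the extra test addresses are made up for the illustration.

```python
import ipaddress

def parse_acl(lines):
    """Turn deny=/permit= lines, in file order, into (is_permit, network) rules."""
    rules = []
    for raw in lines:
        line = raw.split(";", 1)[0].strip()      # ';' starts a comment
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if key in ("deny", "permit") and value.strip():
            net = ipaddress.ip_network(value.strip(), strict=False)
            rules.append((key == "permit", net))
    return rules

def is_allowed(rules, addr):
    """Assumed evaluation model: start from allow, walk every rule in order,
    and let each matching rule overwrite the verdict (last match wins)."""
    ip = ipaddress.ip_address(addr)
    verdict = True
    for is_permit, net in rules:
        if ip in net:
            verdict = is_permit
    return verdict

def shadowed_permits(rules):
    """Permit rules cancelled by a later deny that covers the same range."""
    found = []
    for i, (is_permit, net) in enumerate(rules):
        if is_permit and any(not later_permit and net.subnet_of(later_net)
                             for later_permit, later_net in rules[i + 1:]):
            found.append(str(net))
    return found

# The two lines from the post, then the same lines in the opposite order.
THREAD_ACL = parse_acl(["deny=0.0.0.0/0.0.0.0",
                        "permit=192.168.1.8/255.255.255.255"])
REVERSED_ACL = parse_acl(["permit=192.168.1.8/255.255.255.255",
                          "deny=0.0.0.0/0.0.0.0"])

if __name__ == "__main__":
    for name, acl in (("thread", THREAD_ACL), ("reversed", REVERSED_ACL), ("empty", [])):
        print(name, {ip: is_allowed(acl, ip)
                     for ip in ("192.168.1.8", "192.168.1.9", "203.0.113.50")},
              shadowed_permits(acl))
```

With no deny line at all the model allows every address, which is why the deny=0.0.0.0/0.0.0.0 line has to come first.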


Re: [asterisk-users] Security - What inbound variables can attackers populate or use when calling?

2010-08-06 Thread jwexler
Well, I'm not sure actually. I was attacked in June by someone who racked up
between $800 and $900 in international calls to places in the middle of
Africa, Korea, etc. So, I am motivated to secure this. I have made it much
much more secure, definitely, but am looking for as many ways to further
lock this down as possible.

 

I figure that I should filter every field that someone could possibly
interact with Asterisk in case they send characters that might breach
security and allow them some kind of access. Symbols like the ampersand
(&), comma (,), forward slash (/), at (@), pipe (|), etc. I would guess
could be bad.

 

Someone from Amsterdam was trying to register yesterday using an automated
program which tried roughly 1,000 or so username password combinations
before I shut asterisk down and added his/her ip to iptables to drop it. I
wonder if I can configure the system to automatically detect such an attack
in progress (e.g., a 1,000+ registration failures from the same ip is an
'attack') and add the ip's to iptables, hosts.deny, etc. on the fly. That might
be another topic I guess?

 

This experience has emphasized the importance of securing the system and
security in asterisk in general.

 

Any insight on this would be really appreciated!

 

Thanks!!

 

From: asterisk-users-boun...@lists.digium.com
[mailto:asterisk-users-boun...@lists.digium.com] On Behalf Of mike mosier
Sent: Saturday, August 07, 2010 11:52 AM
To: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: Re: [asterisk-users] Security - What inbound variables can
attackers populate or use when calling?

 

What kind of attack can they perform calling in?

On Aug 6, 2010 1:12 AM, jwex...@mail.usa.com wrote:
 I am setting filters, etc. on variables that attackers can send asterisk
 when they call (for example when they initially call into asterisk).
 
 So far, I am filtering:
 
 exten
 
 CALLERID(name)
 
 CALLERID(num)
 
 
 
 What other fields or variables would an attacker be able to use in the
 packets that they send when placing the call to asterisk?
 
 
 
 Further, I am assuming that in the case that an attacker, first, simply
 dials in normally and then after reaching voice prompts or other, starts
 his/her attack, then all I need to filter in that case is exten. Anything
 else here as well?
 
 
 
 Thanks!!
 

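
The allow-list approach behind the FILTER advice in this thread, applied to the three inbound fields the poster names, as an added example that is not part of the original posts. It is a simplified Python model of FILTER (literal characters and ranges only, no escapes); the per-field allow-lists, the function names and the sample values are assumptions.

```python
# Dialplan form of the same idea, per the FILTER advice in the thread:
#   Set(SAFE_EXTEN=${FILTER(0-9,${EXTEN})})

def expand_allowed(spec):
    """Expand an allowed-characters spec ('0-9', 'a-zA-Z0-9 .') into a set.
    Simplified model: literal characters and x-y ranges only, no escapes."""
    allowed, i = set(), 0
    while i < len(spec):
        if i + 2 < len(spec) and spec[i + 1] == "-":
            lo, hi = ord(spec[i]), ord(spec[i + 2])
            if lo > hi:
                raise ValueError(f"bad range {spec[i:i + 3]!r}")
            allowed.update(chr(c) for c in range(lo, hi + 1))
            i += 3
        else:
            allowed.add(spec[i])
            i += 1
    return allowed

def filter_value(spec, value):
    """Keep only allow-listed characters, as FILTER(spec,value) does."""
    allowed = expand_allowed(spec)
    return "".join(ch for ch in value if ch in allowed)

# Allow-lists for the three fields named in the thread (the specs are assumptions).
FIELD_SPECS = {"EXTEN": "0-9", "CALLERID(num)": "0-9+", "CALLERID(name)": "a-zA-Z0-9 ."}

def screen_call(fields):
    """Return (clean_fields, ok_to_dial).

    Caller ID is display data, so the filtered value is used. EXTEN decides
    where the call goes, so a value that filtering had to change is refused
    rather than dialled in its stripped form."""
    clean = {name: filter_value(FIELD_SPECS[name], value)
             for name, value in fields.items()}
    ok_to_dial = bool(clean.get("EXTEN")) and clean["EXTEN"] == fields["EXTEN"]
    return clean, ok_to_dial

# Constructed inbound values; the second uses the symbols listed in the post.
NORMAL = {"EXTEN": "8000", "CALLERID(num)": "+81312345678", "CALLERID(name)": "Front Desk"}
ODD = {"EXTEN": "8000&,/@|", "CALLERID(num)": "6000", "CALLERID(name)": "Bob|x,y/z@w"}

if __name__ == "__main__":
    for call in (NORMAL, ODD):
        print(screen_call(call))
```

An allow-list per field avoids having to enumerate every dangerous symbol: anything not listed is dropped, and for EXTEN the mismatch itself is treated as the signal to hang up.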

[asterisk-users] callerid between 2 asterisk servers

2010-08-04 Thread jwexler
I've got 2 asterisk servers on the same box: ubuntu 10.04 lucid. I have not
been able to send useful callerid info between them (callerid becomes
serverB).

serverA register statement: (serverB has the exact opposite statement)
register = serverA:serverapassw...@ip_of_serverb_nic/serverB

users.conf of serverA:       users.conf of serverB:

[serverB]                    [serverA]
type=friend                  type=friend
fromuser=serverB             fromuser=serverA
secret=serverBpassword       secret=serverApassword
host=dynamic                 host=dynamic
etc.                         etc.

[serverA]                    [serverB]
type=user                    type=user
secret=serverApassword       secret=serverBpassword
context=serverA_incoming     context=serverB_incoming
host=dynamic                 host=dynamic
etc.                         etc.

serverA extensions.conf:
exten = _8X.,n,Dial(SIP/serverB/${EXTEN},20,r)

With this set up, when I dial from an extension such as 6000 on serverA to
an extension such as 8000 on serverB, instead of sending the callerid info
of 6000 it sends serverB. I cannot seem to find a way around this.
Anyone know of a way to send the 6000 callerid info? Somehow via sending a
user-defined field via the dial statement?
If not via the dial, then a way to transfer via writing to the file system?
Is there a way to use, in extensions.conf, some kind of info transferred
between serverA and serverB such as the tag id so that I can specify a
filename for them to write/read? I cannot seem to find something that each
server sees which I can dynamically read in and use in extensions.conf.

Thanks!!





Re: [asterisk-users] callerid between 2 asterisk servers

2010-08-04 Thread jwexler
Thanks Oliver.

 

I tried those approaches but they did not work.

 

However, I just found a workaround finally. The SIPAddHeader and SIP_HEADER
functions enabled me to get the callerid working.

 

Thanks again!!

 

 

From: asterisk-users-boun...@lists.digium.com
[mailto:asterisk-users-boun...@lists.digium.com] On Behalf Of
unsero...@aol.com
Sent: Wednesday, August 04, 2010 8:53 PM
To: asterisk-users@lists.digium.com
Subject: Re: [asterisk-users] callerid between 2 asterisk servers

 

I've got 2 asterisk servers on the same box: ubuntu 10.04 lucid. I have not
been able to send useful callerid info between them (callerid becomes
serverB).
 
serverA register statement: (serverB has the exact opposite statement)
register = serverA:serverapassw...@ip_of_serverb_nic/serverB
 
users.conf of serverA:       users.conf of serverB:

[serverB]                    [serverA]
type=friend                  type=friend
fromuser=serverB             fromuser=serverA
secret=serverBpassword       secret=serverApassword
host=dynamic                 host=dynamic
etc.                         etc.

[serverA]                    [serverB]
type=user                    type=user
secret=serverApassword       secret=serverBpassword
context=serverA_incoming     context=serverB_incoming
host=dynamic                 host=dynamic
etc.                         etc.
 
serverA extensions.conf:
exten = _8X.,n,Dial(SIP/serverB/${EXTEN},20,r)
 
With this set up, when I dial from an extension such as 6000 on serverA to
an extension such as 8000 on serverB, instead of sending the callerid info
of 6000 it sends serverB. I cannot seem to find a way around this.
Anyone know of a way to send the 6000 callerid info? Somehow via sending a
user-defined field via the dial statement?
If not via the dial, then a way to transfer via writing to the file system?
Is there a way to use, in extensions.conf, some kind of info transferred
between serverA and serverB such as the tag id so that I can specify a
filename for them to write/read? I cannot seem to find something that each
server sees which I can dynamically read in and use in extensions.conf.
 
Thanks!!
 
 
 
-- 
 
Try uncommenting fromuser on both boxes.
 
 
Or did you set callerid in your users.conf when you write etc.? If so,
also uncomment it.

Oliver
 

Re: [asterisk-users] Registering 2 phone numbers to same router

2010-07-30 Thread jwexler
That helped. I can now register both.
Looks like I need to forward all traffic from the second asterisk instance
to the main one for all the users to successfully register and talk to each
other.
Is forwarding all traffic from one instance to the main one possible? How
can I do that?

Thanks
JW

-Original Message-
From: asterisk-users-boun...@lists.digium.com
[mailto:asterisk-users-boun...@lists.digium.com] On Behalf Of Kyle Kienapfel
Sent: Friday, July 30, 2010 9:31 AM
To: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: Re: [asterisk-users] Registering 2 phone numbers to same router

On Thu, Jul 29, 2010 at 4:05 PM, jwexler jwex...@mail.usa.com wrote:
 On Thu, Jul 29, 2010 at 10:15 PM, Paul Belanger wrote:
 MAC Address? Are you sure?  Why would your ISP care about level 2?  I
 could understand IP address (level 3).  If this is the case, you will
 need to spoof your MAC.

 Actually, it is mind boggling that the isp even cares about restricting
 phone registrations per device which is apparently what they are trying to
 do. Without a work around, I would need to have 3 separate machines just to
 register the three phone numbers. That would be a real mess. On their ip
 phone settings page, there is a column labeled mac address. They do not
 display the mac addresses that they populate there but they do restrictions
 by info received on the nic from which the registration was sent.
 Unfortunately, simply spoofing the mac address would be insufficient because
 there is no way to specify which nic to use in the 2 register statements in
 sip.conf. I have not been able to use iptables or ip route to make up an
 additional address to the router that asterisk can use successfully. I can
 do so such that firefox can access, login to, and update the router but not
 asterisk for some strange reason. The router is at 192.168.40.1. I set up
 192.168.40.3 as a new ip that just routes to 192.168.40.1 which firefox is
 happy with. Asterisk chokes. Maybe because of the rt200ne patch? Link is in
 Japanese but it patches sip.c so that I can register with the router:
 http://voip-info.jp/index.php/RT-200NE%E5%AF%BE%E5%BF%9C%E3%83%91%E3%83%83%E3%83%81
 Or some other cause? Suggestions on some kind of workaround would be really
 appreciated. I hope some day, Asterisk will provide the option to specify
 registrations by nic interface.
 Thanks
 JW


So asterisk registers with the router that your isp gave you? I'd try
multiple asterisks with the same ip address, just different ports for
SIP and RTP.

Are you sure it's limited by mac address? A quicker test to probe for
that would be to use two softphones on the same computer, one for each
sip account



[asterisk-users] Registering 2 phone numbers to same router

2010-07-29 Thread jwexler
Folks,

 

My isp's router limits registrations to only 1 phone number per interface
(i.e., by MAC Address).

 

I am struggling to get around this limitation.

 

In sip.conf, I have:

rt200ne=192.168.40.1

register = 3:password:usern...@192.168.40.1/phone1

register = 4:password:usern...@192.168.40.1/phone2

(where phone1 and phone2 are the phone numbers that I am trying to
register). The router will only allow one of them to register.

 

Server is ubuntu 10.04 and Asterisk is 1.4.33.1

 

I have tried using iptables, ip route and route -n none of which work. I can
access the router via http and a nat ip such as 192.168.40.3 but cannot
register via that due to some peculiarity with the asterisk register and/or
the rt200ne statements.

What other workarounds should I try? Should I try to run another Asterisk
process for registering the 2nd phone number and forward to the main
asterisk? Seems like there are restrictions for running more than one
instance of Asterisk. If that is the most viable workaround, how would I do
that?

 

I would greatly appreciate any help on this.

 

Thanks

 


Re: [asterisk-users] Registering 2 phone numbers to same router

2010-07-29 Thread jwexler
On Thu, Jul 29, 2010 at 10:15 PM, Paul Belanger wrote:
 MAC Address? Are you sure?  Why would your ISP care about level 2?  I
 could understand IP address (level 3).  If this is the case, you will
 need to spoof your MAC.

Actually, it is mind boggling that the isp even cares about restricting
phone registrations per device which is apparently what they are trying to
do. Without a work around, I would need to have 3 separate machines just to
register the three phone numbers. That would be a real mess. On their ip
phone settings page, there is a column labeled mac address. They do not
display the mac addresses that they populate there but they do restrictions
by info received on the nic from which the registration was sent.
Unfortunately, simply spoofing the mac address would be insufficient because
there is no way to specify which nic to use in the 2 register statements in
sip.conf. I have not been able to use iptables or ip route to make up an
additional address to the router that asterisk can use successfully. I can
do so such that firefox can access, login to, and update the router but not
asterisk for some strange reason. The router is at 192.168.40.1. I set up
192.168.40.3 as a new ip that just routes to 192.168.40.1 which firefox is
happy with. Asterisk chokes. Maybe because of the rt200ne patch? Link is in
Japanese but it patches sip.c so that I can register with the router:
http://voip-info.jp/index.php/RT-200NE%E5%AF%BE%E5%BF%9C%E3%83%91%E3%83%83%E3%83%81
Or some other cause? Suggestions on some kind of workaround would be really
appreciated. I hope some day, Asterisk will provide the option to specify
registrations by nic interface.
Thanks
JW


