I had reason to check my Asterisk phone server logs today and noticed some script kiddies have been knocking on its door. Apparently an exploit kit exists that hacks into Asterisk PBXs and allows you to register as a phone on these systems. Way back in 2002 I put some firewall rules in place which allowed fairly wide open access to my Asterisk system. They had been there so long that I never revisited them, but on the other hand I never had much reason to.
I’m not quite sure what the point is as VoIP makes calling any number in the world virtually free, and VoIP-to-VoIP calls are completely free. Where’s the incentive to hack? Heck, back in my day when ten-cents-per-minute long distance was considered a bargain there were plenty of tools and methods to get free calls. Not that I ever tried them, mind you, but I knew a number of people who did (Apple Computer might not exist today if it weren’t for this kind of petty larceny).
Anyhow, here are a few snippets of the Asterisk log file, showing the accesses. The script walks through all the possible extension combinations until it hits on one that provides a different response. Then the script hammers that registration with a brute-force dictionary attack. Note: my IPs/extensions have been changed.
[Feb 16 11:50:16] NOTICE chan_sip.c: Registration from ‘”9997″[sip:email@example.com]‘ failed for ’18.104.22.168′ – No matching peer found
[Feb 16 11:50:16] NOTICE chan_sip.c: Registration from ‘”9998″ [sip:firstname.lastname@example.org]‘ failed for ’22.214.171.124′ – No matching peer found
[Feb 16 11:50:16] NOTICE chan_sip.c: Registration from ‘”9999″[sip:email@example.com]‘ failed for ’126.96.36.199′ – No matching peer found
[Feb 16 11:50:56] NOTICE chan_sip.c: Registration from ‘”4467″[sip:firstname.lastname@example.org]‘ failed for ’188.8.131.52′ – Wrong password
[Feb 16 11:58:04] NOTICE chan_sip.c: Registration from ‘”4467″[sip:email@example.com]‘ failed for ’184.108.40.206′ – Wrong password
Possible means of strengthening Asterisk include:
- Tighter firewall rules (duh), but that also limits the ability to conduct of VoIP-to-VoIP calls. Instead, only certain hosts (my VoIP provider, for instance) are allowed to connect. If all you want your sophisticated VoIP system to do is to emulate 100-year-old phone technology, that’s great, but it severely limits the potential of VoIP.
- Adding a delay after every failed password attempt. This is done on most password systems today to greatly increase the running time of a dictionary attack. As it stands, Asterisk will happily let any dumb schmuck blaze through a dictionary as fast as she pleases.
- Key-based authentication. I believe SIP peers (Asterisk to Asterisk, for instance) can do this but I don’t know if SIP endpoints like phones have this ability yet. With keys, the only registration attempts that succeed are the ones presenting the appropriate cryptographic key.
For now, I’ve closed off my firewall rules and sent the kiddies on their way. I’ve also set dictionary-resistant passwords on all of my SIP devices. Even though this attack was not successful, it’s led me to explore other ways of hardening my Asterisk server.
NOTE TO THE SCRIPT KIDDIES: Thanks for Googling my site! I’ve logged your IP address. Your mom is so kicking you out of the house when she finds out.
Update: It looks like the folks at Digium have been addressing this since 2006.
If this option is enabled, whenever Asterisk rejects an INVITE or REGISTER, it will always reject it with a 401 Unauthorized message instead of letting the caller know whether there was a matching user or peer for their request.