
Asterisk hacking

I had reason to check my Asterisk phone server logs today and noticed some script kiddies have been knocking on its door. Apparently an exploit kit exists that hacks into Asterisk PBXs and allows you to register as a phone on these systems. Way back in 2002 I put some firewall rules in place which allowed fairly wide open access to my Asterisk system. They had been there so long that I never revisited them, but on the other hand I never had much reason to.

I’m not quite sure what the point is as VoIP makes calling any number in the world virtually free, and VoIP-to-VoIP calls are completely free. Where’s the incentive to hack? Heck, back in my day when ten-cents-per-minute long distance was considered a bargain there were plenty of tools and methods to get free calls. Not that I ever tried them, mind you, but I knew a number of people who did (Apple Computer might not exist today if it weren’t for this kind of petty larceny).

Anyhow, here are a few snippets of the Asterisk log file, showing the accesses. The script walks through all the possible extension combinations until it hits on one that provides a different response. Then the script hammers that registration with a brute-force dictionary attack. Note: my IPs/extensions have been changed.

[Feb 16 11:50:16] NOTICE[23217] chan_sip.c: Registration from '"9997"[sip:9997@24.0.0.1]' failed for '194.45.186.252' - No matching peer found
[Feb 16 11:50:16] NOTICE[23217] chan_sip.c: Registration from '"9998" [sip:9998@24.0.0.1]' failed for '194.45.186.252' - No matching peer found
[Feb 16 11:50:16] NOTICE[23217] chan_sip.c: Registration from '"9999"[sip:9999@24.0.0.1]' failed for '194.45.186.252' - No matching peer found
[Feb 16 11:50:56] NOTICE[23217] chan_sip.c: Registration from '"4467"[sip:4467@24.0.0.1]' failed for '194.45.186.252' - Wrong password
[Feb 16 11:58:04] NOTICE[23217] chan_sip.c: Registration from '"4467"[sip:4467@24.0.0.1]' failed for '194.45.186.252' - Wrong password
[…]
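The pattern in those lines is what a defender should alert on: one source address cycling through extensions that produce "No matching peer found", then switching to repeated "Wrong password" failures against the one extension that answered differently. The script below is an added example (not from the post); it parses lines in the chan_sip NOTICE format shown above and flags any source that exhibits that scan-then-guess sequence. The sample log is constructed to mirror the post's lines (same placeholder IPs and extensions, plus one benign mistyped-password line), and the `min_unknown` threshold of three probed extensions is an assumption chosen for the example.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the chan_sip NOTICE lines quoted in the post.
# Addresses and extensions are placeholders, as in the post; the last line is a
# single legitimate typo from a LAN phone so the detector has something to ignore.
SAMPLE_LOG = """\
[Feb 16 11:50:16] NOTICE[23217] chan_sip.c: Registration from '"9997"[sip:9997@24.0.0.1]' failed for '194.45.186.252' - No matching peer found
[Feb 16 11:50:16] NOTICE[23217] chan_sip.c: Registration from '"9998" [sip:9998@24.0.0.1]' failed for '194.45.186.252' - No matching peer found
[Feb 16 11:50:16] NOTICE[23217] chan_sip.c: Registration from '"9999"[sip:9999@24.0.0.1]' failed for '194.45.186.252' - No matching peer found
[Feb 16 11:50:56] NOTICE[23217] chan_sip.c: Registration from '"4467"[sip:4467@24.0.0.1]' failed for '194.45.186.252' - Wrong password
[Feb 16 11:58:04] NOTICE[23217] chan_sip.c: Registration from '"4467"[sip:4467@24.0.0.1]' failed for '194.45.186.252' - Wrong password
[Feb 16 12:01:10] NOTICE[23217] chan_sip.c: Registration from '"2001"[sip:2001@24.0.0.1]' failed for '192.168.1.20' - Wrong password
"""

# One registration-failure NOTICE line; tolerates the optional space before "[sip:".
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] NOTICE\[\d+\] chan_sip\.c: Registration from "
    r"'\"(?P<ext>[^\"]*)\"\s*\[sip:[^\]]*\]' failed for '(?P<ip>[^']+)' - (?P<reason>.+)$"
)


def parse_failures(text):
    """Yield (timestamp, extension, source_ip, reason) for every matching line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("ts"), m.group("ext"), m.group("ip"), m.group("reason").strip()


def summarize_by_source(text):
    """Per source IP: the set of extensions that did not exist, and a count of
    wrong-password attempts per extension that did exist."""
    stats = defaultdict(lambda: {"unknown": set(), "wrong_password": defaultdict(int)})
    for _ts, ext, ip, reason in parse_failures(text):
        if reason == "No matching peer found":
            stats[ip]["unknown"].add(ext)
        elif reason == "Wrong password":
            stats[ip]["wrong_password"][ext] += 1
    return stats


def flag_enumerators(text, min_unknown=3):
    """Return [(ip, [targeted extensions])] for sources that probed at least
    `min_unknown` non-existent extensions and then guessed passwords against a
    real one. A phone owner mistyping a password never hits the first condition."""
    flagged = []
    for ip, s in summarize_by_source(text).items():
        if len(s["unknown"]) >= min_unknown and s["wrong_password"]:
            flagged.append((ip, sorted(s["wrong_password"])))
    return sorted(flagged)


if __name__ == "__main__":
    for ip, exts in flag_enumerators(SAMPLE_LOG):
        print(f"{ip}: enumerated extensions, then brute-forced {', '.join(exts)}")
```

Run against a real file with `flag_enumerators(open("/var/log/asterisk/messages").read())`; the output is a short list of addresses worth feeding to a firewall or to Fail2Ban rather than a flood of individual failures. Note that once `alwaysauthreject=yes` is set (see the update further down), both failure kinds look the same to the attacker but Asterisk still logs the real reason, so this detection keeps working.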

Possible means of strengthening Asterisk include:

  • Tighter firewall rules (duh), but that also limits the ability to conduct VoIP-to-VoIP calls. Instead, only certain hosts (my VoIP provider, for instance) are allowed to connect. If all you want your sophisticated VoIP system to do is to emulate 100-year-old phone technology, that’s great, but it severely limits the potential of VoIP.
  • Adding a delay after every failed password attempt. This is done on most password systems today to greatly increase the running time of a dictionary attack. As it stands, Asterisk will happily let any dumb schmuck blaze through a dictionary as fast as she pleases.
  • Key-based authentication. I believe SIP peers (Asterisk to Asterisk, for instance) can do this but I don’t know if SIP endpoints like phones have this ability yet. With keys, the only registration attempts that succeed are the ones presenting the appropriate cryptographic key.

For now, I’ve closed off my firewall rules and sent the kiddies on their way. I’ve also set dictionary-resistant passwords on all of my SIP devices. Even though this attack was not successful, it’s led me to explore other ways of hardening my Asterisk server.

NOTE TO THE SCRIPT KIDDIES: Thanks for Googling my site! I’ve logged your IP address. Your mom is so kicking you out of the house when she finds out.

Update: It looks like the folks at Digium have been addressing this since 2006.

Update 2, 24 Feb: According to this page (and the update above), setting this option in sip.conf will solve the problem by not allowing any information leak when a hacker hits upon a valid username:

alwaysauthreject

If this option is enabled, whenever Asterisk rejects an INVITE or REGISTER, it will always reject it with a 401 Unauthorized message instead of letting the caller know whether there was a matching user or peer for their request.

alwaysauthreject=no|yes

  1. I had this happen at work and at home. Fail2Ban, the SSH brute-force mitigation program, can be set up to do the same for Asterisk.

    (http://www.voip-info.org/wiki/view/Fail2Ban+%28with+iptables%29+And+Asterisk)

    I set this up at both places and I started getting notifications about blocked IPs within the week.

    There’s also a “permit” setting in sip.conf for the extension so you can set what network/mask is allowed to use the extension. I have mine locked down to my internal LAN IP range so someone from China gets denied based on them not being a 192.168.x.x addy.

    Both have been very helpful.

    Good luck. 🙂
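Both of the sip.conf controls mentioned on this page, `alwaysauthreject=yes` from the update and the per-extension `permit` from the comment above, are easy to get subtly wrong, so here is an added example (not part of the post or of Asterisk) that audits a sip.conf for them. The two config fragments are constructed for the example: one open configuration and one corrected configuration. The audit also checks a caveat that matters in practice: in Asterisk's ACL handling the default is to allow, so a `permit=` line with no `deny=0.0.0.0/0.0.0.0` before it restricts nothing. The 12-character minimum secret length is an assumption chosen for the example.

```python
import configparser

# Constructed sip.conf with the weak settings: alwaysauthreject unset, short
# secrets, no source restriction on 4467/2001, and a permit with no deny on 2002.
WEAK_SIP_CONF = """\
[general]
context=default
bindport=5060

[4467]
type=friend
secret=1234
host=dynamic
context=internal

[2001]
type=friend
secret=password
host=dynamic

[2002]
type=friend
secret=long-random-placeholder-secret
host=dynamic
permit=192.168.1.0/255.255.255.0   ; no deny line, so this permit is a no-op
"""

# The same entries corrected: authentication failures all look alike to the
# caller, and each phone may only register from the LAN.
HARDENED_SIP_CONF = """\
[general]
context=default
bindport=5060
alwaysauthreject=yes

[4467]
type=friend
secret=CHANGE-ME-long-random-secret-1
host=dynamic
context=internal
deny=0.0.0.0/0.0.0.0
permit=192.168.1.0/255.255.255.0

[2001]
type=friend
secret=CHANGE-ME-long-random-secret-2
host=dynamic
deny=0.0.0.0/0.0.0.0
permit=192.168.1.0/255.255.255.0
"""

MIN_SECRET_LEN = 12  # assumption: a threshold picked for this example


def load_sip_conf(text):
    """Parse sip.conf's ini-style syntax. strict=False tolerates the repeated keys
    Asterisk allows (several allow=/permit= lines); ';' starts a comment."""
    cp = configparser.ConfigParser(
        interpolation=None, strict=False, inline_comment_prefixes=(";",)
    )
    cp.read_string(text)
    return cp


def audit_sip_conf(text):
    """Return a list of findings; an empty list means every check passed."""
    cp = load_sip_conf(text)
    findings = []
    if cp.get("general", "alwaysauthreject", fallback="no").strip().lower() != "yes":
        findings.append("general: alwaysauthreject is not yes, so replies reveal which extensions exist")
    for name in cp.sections():
        if name == "general":
            continue
        sec = cp[name]
        if "secret" not in sec:
            continue  # not a password-authenticated entry
        if len(sec["secret"]) < MIN_SECRET_LEN:
            findings.append(f"{name}: secret is shorter than {MIN_SECRET_LEN} characters")
        if "permit" not in sec:
            findings.append(f"{name}: no permit= line, any source address may attempt to register")
        elif "deny" not in sec:
            findings.append(f"{name}: permit= without a deny= line restricts nothing (default is allow)")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_SIP_CONF), ("hardened", HARDENED_SIP_CONF)):
        print(f"--- {label}: {len(audit_sip_conf(conf))} finding(s)")
        for f in audit_sip_conf(conf):
            print("  " + f)
```

The parser is deliberately simple: it does not follow `#include` lines or expand Asterisk's `[name](!)` template syntax, so run it on the fully assembled file or extend `load_sip_conf` before trusting a clean result on a large installation.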
