Hi List,

My Asterisk box was hacked! Can anyone help with how to secure my Asterisk box? Currently my box is installed with 2 NICs. The 1st NIC is for LAN access and the 2nd NIC has a public IP which is registered to our VoIP provider.

As I remember, I already tried putting our box on NAT, but unfortunately there were some issues, like calls being dropped after 30 seconds and sometimes voice not being heard. Then we disabled the NAT again.

Your advice will be much appreciated. Thanks in advance.

Regards,
Malvin

Hello!

First of all, you should disable unused VoIP protocols. Then remove all guest accounts from the protocols in use and disable unauthenticated guest access. Always use strong passwords for accounts and for users on your system. Passwords shouldn't be equal to the username. Move port binds onto the LAN network for all active services as much as you can (i.e. SSH should be on WAN too, I think). Use iptables for blocking password bruteforce. Try to install fail2ban with jails for asterisk, ssh, HTTP and other public services. Then you can try to install PSAD (port scan autodetect) to prevent attacks. And never use the default context in Asterisk for word calls directions. And you should always keep your software up to date. There are many more security issues than you think.

Good luck!

On 21.07.2011 09:29, Malvin Rito wrote:
> Hi List,
>
> My Asterisk box was hacked! Can anyone help with how to secure my
> Asterisk box? Currently my box is installed with 2 NICs. The 1st NIC is
> for LAN access and the 2nd NIC has a public IP which is registered to
> our VoIP provider.
>
> As I remember, I already tried putting our box on NAT, but unfortunately
> there were some issues, like calls being dropped after 30 seconds and
> sometimes voice not being heard. Then we disabled the NAT again.
>
> Your advice will be much appreciated. Thanks in advance.
>
> Regards,
> Malvin
>
> --
> _____________________________________________________________________
> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
> New to Asterisk? Join us for a live introductory webinar every Thurs:
> http://www.asterisk.org/hello
>
> asterisk-users mailing list
> To UNSUBSCRIBE or update options visit:
> http://lists.digium.com/mailman/listinfo/asterisk-users

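What a fail2ban-style jail for Asterisk does with the log, as an added example that is not part of the original message: it counts failed SIP registrations per source address inside a time window and produces an iptables drop rule for each address over the threshold. The log lines are constructed in the style of chan_sip NOTICE messages, and the function names, thresholds and addresses are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (documentation-range addresses, not from the thread).
SAMPLE_LOG = """\
[2011-07-21 03:00:00] NOTICE[2201] chan_sip.c: Registration from '"200" <sip:200@203.0.113.10>' failed for '192.0.2.44' - Wrong password
[2011-07-21 03:10:01] NOTICE[2201] chan_sip.c: Registration from '"100" <sip:100@203.0.113.10>' failed for '198.51.100.7' - Wrong password
[2011-07-21 03:10:02] NOTICE[2201] chan_sip.c: Registration from '"101" <sip:101@203.0.113.10>' failed for '198.51.100.7' - No matching peer found
[2011-07-21 03:10:03] NOTICE[2201] chan_sip.c: Registration from '"102" <sip:102@203.0.113.10>' failed for '198.51.100.7' - No matching peer found
[2011-07-21 03:20:00] NOTICE[2201] chan_sip.c: Registration from '"200" <sip:200@203.0.113.10>' failed for '192.0.2.44' - Wrong password
[2011-07-21 03:40:00] NOTICE[2201] chan_sip.c: Registration from '"200" <sip:200@203.0.113.10>' failed for '192.0.2.44' - Wrong password
[2011-07-21 08:59:12] NOTICE[2201] chan_sip.c: Registration from '"300" <sip:300@203.0.113.10>' failed for '10.0.0.15' - Wrong password
[2011-07-21 09:00:00] NOTICE[2201] chan_sip.c: Peer '300' is now Reachable. (12ms / 2000ms)
"""

FAILED = re.compile(
    r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '.*' failed for '(?P<ip>[0-9.]+)(?::\d+)?' - "
    r"(?:Wrong password|No matching peer found)"
)

def offenders(log_text, max_retry=3, find_time=timedelta(minutes=10)):
    """Return {ip: time of the failure that reached max_retry within find_time}."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    flagged = {}
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue              # not a failed registration
        ip = m.group("ip")
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > find_time:
            window.popleft()      # forget failures older than the window
        if len(window) >= max_retry and ip not in flagged:
            flagged[ip] = ts
    return flagged

def iptables_rules(flagged):
    """Render one drop rule per flagged address (printed for review, not executed)."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(flagged)]

if __name__ == "__main__":
    for rule in iptables_rules(offenders(SAMPLE_LOG)):
        print(rule)
```

The slow source at 192.0.2.44 stays under the default ten-minute window, which is why the window length matters as much as the retry count.
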
> On 21.07.2011 09:29, Malvin Rito wrote:
>> My asterisk box was hacked!

On Thu, 21 Jul 2011, ??????? ????? wrote:
> First of all, you should disable unused VoIP protocols.

Once a box has been hacked you cannot trust anything. Disconnect the box from the network, save whatever DATA ONLY you cannot live without, DBAN the disk and start over.

Before you re-install the OS, read up on what you should have done the first time.

--
Thanks in advance,
-------------------------------------------------------------------------
Steve Edwards    sedwards at sedwards.com    Voice: +1-760-468-3867 PST
Newline    Fax: +1-760-731-3000

Really, since you sound like a novice in the Asterisk world, maybe rolling your own solution isn't a good idea. Why not use an all-in-one solution like PBX in a Flash?

-----Original Message-----
From: asterisk-users-bounces at lists.digium.com [mailto:asterisk-users-bounces at lists.digium.com] On Behalf Of Malvin Rito
Sent: Thursday, July 21, 2011 1:29 AM
To: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: [asterisk-users] My Asterisk Box was hacked

Hi List,

My Asterisk box was hacked! Can anyone help with how to secure my Asterisk box? Currently my box is installed with 2 NICs. The 1st NIC is for LAN access and the 2nd NIC has a public IP which is registered to our VoIP provider.

As I remember, I already tried putting our box on NAT, but unfortunately there were some issues, like calls being dropped after 30 seconds and sometimes voice not being heard. Then we disabled the NAT again.

Your advice will be much appreciated. Thanks in advance.

Regards,
Malvin

On Thu, 21 Jul 2011 13:29:09 +0800 Malvin Rito <mrito at mail.altcladding.com.ph> wrote:
> My Asterisk box was hacked! Can anyone help with how to secure my
> Asterisk box? Currently my box is installed with 2 NICs. The 1st NIC is
> for LAN access and the 2nd NIC has a public IP which is registered to
> our VoIP provider.

Seven Steps to Better SIP Security with Asterisk
http://blogs.digium.com/2009/03/28/sip-security/

When I get hacked I typically run a rootkit checker http://www.chkrootkit.org/

-----Original Message-----
From: asterisk-users-bounces at lists.digium.com [mailto:asterisk-users-bounces at lists.digium.com] On Behalf Of Chad Wallace
Sent: Thursday, July 21, 2011 2:18 PM
To: asterisk-users at lists.digium.com
Subject: Re: [asterisk-users] My Asterisk Box was hacked

On Thu, 21 Jul 2011 13:29:09 +0800 Malvin Rito <mrito at mail.altcladding.com.ph> wrote:
> My Asterisk box was hacked! Can anyone help with how to secure my
> Asterisk box? Currently my box is installed with 2 NICs. The 1st NIC is
> for LAN access and the 2nd NIC has a public IP which is registered to
> our VoIP provider.

Seven Steps to Better SIP Security with Asterisk
http://blogs.digium.com/2009/03/28/sip-security/