Administrator TOOTAI
2010-Jan-27 10:47 UTC
[asterisk-users] Unregistred users can pass calls, peer being static
Hi,

we had an attack on a server and we don't understand how it was possible, Asterisk 1.4.28/Debian Lenny 5.1. Attacker came from PALTEL, network 188.161.128.0/18

Hacked account had following setup:

[111]
type=friend
username=111
context=from-111
host=11.22.33.44
dtmfmode=auto
qualify=yes
nat=yes
canreinvite=no
defaultip=11.22.33.44
port=35060
disallow=all
allow=ulaw,alaw
call-limit=2

Despite this, I saw in my logs that someone hacked this account and could place calls! In logs we have:

[Jan 27 04:00:13] ERROR[29715] chan_sip.c: Peer '111' is trying to register, but not configured as host=dynamic
[Jan 27 04:00:13] NOTICE[29715] chan_sip.c: Registration from '<sip:111 at ourAsteriskIP>' failed for '188.161.152.245' - Peer is not supposed to register
[Jan 27 04:00:18] VERBOSE[30669] logger.c: -- Executing [972599400749 at from-111:1] NoOp("SIP/111-000016eb", "Incoming call from AAAA") in new stack

As you see 111 could place a call even having not registered, which he is not supposed to do.

How is this possible?

--
Daniel
wins mallow
2010-Jan-27 12:35 UTC
[asterisk-users] Unregistred users can pass calls, peer being static
On Wed, 2010-01-27 at 11:47 +0100, Administrator TOOTAI wrote:
> Hi,
>
> we had an attack on a server and we don't understand how it was
> possible, Asterisk 1.4.28/Debian Lenny 5.1 Attacker came from PALTEL,
> network 188.161.128.0/18
>
> Hacked account had following setup:
>
> [111]
> type=friend
> username=111
> context=from-111
> host=11.22.33.44
> dtmfmode=auto
> qualify=yes
> nat=yes
> canreinvite=no
> defaultip=11.22.33.44
> port=35060
> disallow=all
> allow=ulaw,alaw
> call-limit=2
>
> Despite this, I saw in my logs that someone hacked this account and
> could place calls! in logs we have:
>
> [Jan 27 04:00:13] ERROR[29715] chan_sip.c: Peer '111' is trying to
> register, but not configured as host=dynamic
> [Jan 27 04:00:13] NOTICE[29715] chan_sip.c: Registration from
> '<sip:111 at ourAsteriskIP>' failed for '188.161.152.245' - Peer is not
> supposed to register
> [Jan 27 04:00:18] VERBOSE[30669] logger.c: -- Executing
> [972599400749 at from-111:1] NoOp("SIP/111-000016eb", "Incoming call from
> AAAA") in new stack
>
> As you see 111 could place a call even having not registered, which he
> is not supposed to do.
>
> How is this possible?
>
> --
> Daniel
>

Check your sip.conf
allowguest=no

--
Best regards,
Vince Mallow
xmpp: wins at jabber.slan.ru
web: http://gentoo-way.blogspot.com
Olle E. Johansson
2010-Jan-27 12:38 UTC
[asterisk-users] Unregistred users can pass calls, peer being static
On 27 Jan 2010 at 11:47, Administrator TOOTAI wrote:
> Hi,
>
> we had an attack on a server and we don't understand how it was
> possible, Asterisk 1.4.28/Debian Lenny 5.1 Attacker came from PALTEL,
> network 188.161.128.0/18
>
> Hacked account had following setup:
>
> [111]
> type=friend
> username=111
> context=from-111
> host=11.22.33.44
> dtmfmode=auto
> qualify=yes
> nat=yes
> canreinvite=no
> defaultip=11.22.33.44
> port=35060
> disallow=all
> allow=ulaw,alaw
> call-limit=2
>
> Despite this, I saw in my logs that someone hacked this account and
> could place calls! in logs we have:
>
> [Jan 27 04:00:13] ERROR[29715] chan_sip.c: Peer '111' is trying to
> register, but not configured as host=dynamic
> [Jan 27 04:00:13] NOTICE[29715] chan_sip.c: Registration from
> '<sip:111 at ourAsteriskIP>' failed for '188.161.152.245' - Peer is not
> supposed to register
> [Jan 27 04:00:18] VERBOSE[30669] logger.c: -- Executing
> [972599400749 at from-111:1] NoOp("SIP/111-000016eb", "Incoming call from
> AAAA") in new stack
>
> As you see 111 could place a call even having not registered, which he
> is not supposed to do.
>
> How is this possible?

Registration is a mechanism to tell the server where a phone can be reached when the phone wants to call it, thus registrations are only required for outbound calls. Inbound calls are not affected by registrations.

type=friend creates two objects in your Asterisk server, one peer and one user. Asterisk primarily matches the user objects for incoming calls on the From: username. In this case, you have 111 as the username (regardless of the "username" field, which is not the username btw). You have no secret defined, so anyone placing a call from a URI that has 111 as the username part will be able to use your server. Calling from sip:111 at asterisk.org as well as sip:111 at mydomain.com will work without authentication - from any IP address out there. Very poor security indeed.

1) Add a secret.
2) Add ACL rules (permit/deny) to restrict IP address access
3) Change to type=peer and we'll only match on IP for incoming calls. I still recommend using authentication.

There has been a lot of information about how to secure your Asterisk on asterisk.org, this mailing list and in other forums. Make sure you read this and act upon it!

Regards,
/Olle
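
The three recommendations in the reply above (a secret, permit/deny ACL rules, type=peer) can be checked mechanically across a sip.conf. The following is an added example, not part of the original thread or of Asterisk; the [112] entry, its placeholder secret and the function names are constructed for illustration.

```python
import re

# Constructed sample: the [111] entry from the thread (abridged) next to a
# hypothetical hardened entry [112] that follows the three recommendations.
SAMPLE_SIP_CONF = """\
[111]
type=friend
username=111
context=from-111
host=11.22.33.44

[112]                       ; hypothetical entry, placeholder secret
type=peer
secret=constructed-placeholder
host=11.22.33.44
deny=0.0.0.0/0.0.0.0
permit=11.22.33.44/255.255.255.255
"""

def parse_sections(text):
    """Parse sip.conf-style text into {section: {option: [values]}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # ';' starts a comment
        header = re.fullmatch(r"\[([^\]]+)\](\(.*\))?", line)
        if header:
            current = sections.setdefault(header.group(1), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current.setdefault(key.strip().lower(), []).append(value.strip())
    return sections

def audit(text):
    """Return {section: [findings]} for entries missing the recommended controls."""
    report = {}
    for name, opts in parse_sections(text).items():
        if name == "general":
            continue
        kind = opts.get("type", [""])[-1].lower()
        issues = []
        if "secret" not in opts and "md5secret" not in opts:
            issues.append("no secret: calls are not authenticated")
        if "permit" not in opts and "deny" not in opts:
            issues.append("no permit/deny ACL")
        if kind in ("friend", "user"):
            issues.append("type=%s: matched on From username, not on host=" % kind)
        if issues:
            report[name] = issues
    return report
```

Calling `audit(SAMPLE_SIP_CONF)` reports all three findings for [111] and nothing for [112].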
Administrator TOOTAI
2010-Jan-27 14:55 UTC
[asterisk-users] Unregistred users can pass calls, peer being static
wins mallow wrote:
> On Wed, 2010-01-27 at 11:47 +0100, Administrator TOOTAI wrote:
>
>> [...]
>>
> Check your sip.conf
> allowguest=no
>
>

Guests are allowed and going to a different context. Logs are showing that calls are going out to the from-111 context, so it's this account which was hacked.

Thanks for your answer.

--
Daniel