Koozali.org: home of the SME Server

SIP Hacking/Protection

Offline compsos

SIP Hacking/Protection
« on: March 31, 2010, 09:50:45 AM »
Someone just sent a couple of links about Asterisk security.
Do we need to do anything with Sail to ensure protection?
http://www.mail-archive.com/asterisk@uc.org/msg07988.html
http://enablesecurity.com/blog/
The 2nd one appears to be promoting a product....?
Regards

Gordon............

Offline Franco

Re: SIP Hacking/Protection
« Reply #1 on: March 31, 2010, 02:36:27 PM »
Do we need to do anything with Sail to ensure protection?
Sail is the interface that makes the config files.
Just like any other service that is accessible on the internet, you need to make sure your passwords are strong enough.

Best,

Offline compsos

Re: SIP Hacking/Protection
« Reply #2 on: April 01, 2010, 01:30:36 AM »
From what I saw in one of those links, the attack was like a call to an extension to find if it exists and then brute guess the extension's password for access.
So should we be using exotic extension passwords etc?
Regards

Gordon............

Offline SARK devs

Re: SIP Hacking/Protection
« Reply #3 on: April 01, 2010, 10:16:40 PM »
OK - phreaking attacks and SAIL

Provided you are using SAIL-2.2.4 or higher then it will automatically generate a strong password for any new extensions you create. If you choose to override it with a weak password then expect to be phreaked. If you have older extensions that you created before SAIL generated strong passwords and you don't update them, then expect to be phreaked. Right now, SAIL is the only Asterisk workbench we know that automatically generates strong passwords for you. Despite the hype, the majority of phreaking attacks that occur at the moment are simple dictionary type attacks. With strong passwords you should avoid this type of attack. However, the attackers are gradually getting smarter so you need to be careful.

Provided you run SAIL 2.2.4-33 or 2.4.1-9 or higher, then SAIL will automatically generate ACL checking for new locally attached devices.

There are a lot of other bits and pieces under the covers which SAIL does to help with security and all of these things taken together mean that SAIL helps you much more than any of the other Asterisk workbenches we know. We aren't saying that there aren't any secure trix/mix/brix boxes out there but we don't know any that do it for you in the way that SAIL does. 

Does SAIL make you safe? No it doesn't - nothing does, but right now, it is as good or better than anything else if you don't override what it tries to do for you.

If you are worried then install the latest SAIL release and re-generate all of your old extensions if they don't already have strong passwords.  Look at what SAIL does when it creates a new extension (particularly the ACLs) and replicate that throughout your extensions.

You should also apply ACL checking to your inbound trunks making it more difficult for them to be spoofed.  You may think that this is unnecessary; using the logic "why would anyone spend money on an inbound call to me in order to phreak me?".  Trust us there are scams that work just like that.

Finally, you should make sure that you put strong passwords and ACLs onto any IAX to IAX trunks you have that span the internet.

Kind Regards

« Last Edit: April 02, 2010, 06:40:21 AM by SARK devs »

Offline compsos

Re: SIP Hacking/Protection
« Reply #4 on: April 03, 2010, 08:53:54 AM »
Thanks Jeff
My mistake I always thought the extension password and the mailbox password were the same. And users are not keen on lots of different let alone complicated passwords.

My perception was reinforced by http://sarkpbx.com/twiki/bin/view/Main/DocChapter102 which shows the secret set to the extension's number. Is the mailbox password a security issue as well? Thanks
Regards

Gordon............

Offline SARK devs

Re: SIP Hacking/Protection
« Reply #5 on: April 03, 2010, 09:02:38 PM »
No worries..

The mailbox password is initially set the same as the extension number (not the extension password). You can freely change it by touching 0 when in voicemail and following the instructions.

Thanks for the heads up on the poor reference example in the Wiki -  I'll put a note in to warn people that it is bad practice.

Kind Regards

Jeff
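
A way to check existing extensions for the two problems raised in this thread (a secret equal to the extension number or otherwise weak, and no ACL on the device), added here as an example and not code from SAIL or from any poster. It assumes a chan_sip style sip.conf with one [section] per extension and the standard secret, deny and permit options; the sample config, the word list and the 12-character threshold are constructed assumptions, and templates or #include files are not resolved.

```python
import re

# Constructed sample in chan_sip sip.conf syntax; not taken from the thread.
SAMPLE = """\
[general]
context=default
[5001]
secret=5001            ; same as the extension number
[5002]
secret=kV9tq2LmZ7pXw4cR
deny=0.0.0.0/0.0.0.0
permit=192.168.1.0/255.255.255.0
[5003]
secret=password
deny=0.0.0.0/0.0.0.0
permit=192.168.1.0/255.255.255.0
"""
COMMON = {"password", "secret", "asterisk", "changeme"}  # tiny illustrative list
MIN_LEN = 12  # assumed threshold, adjust to local policy

def parse_peers(text):
    """Map each [section] to its key/value options, skipping ';' comments."""
    peers, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        header = re.match(r"\[([^\]]+)\]", line)
        if header:
            current = peers.setdefault(header.group(1), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.strip()
    return peers

def audit(text):
    """Return {peer: [issues]} for peers with a weak secret or no ACL."""
    findings = {}
    for name, opts in parse_peers(text).items():
        if name == "general":
            continue
        issues, secret = [], opts.get("secret", "")
        if secret == name:
            issues.append("secret equals extension number")
        elif len(secret) < MIN_LEN or secret.isdigit() or secret.lower() in COMMON:
            issues.append("weak secret")
        if not ("deny" in opts and "permit" in opts):
            issues.append("no deny/permit ACL")
        if issues:
            findings[name] = issues
    return findings
```

Calling `audit()` on the text of a real configuration file returns only the extensions that need attention, which makes it suitable for a periodic check after extensions are regenerated.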