Topic: hacked

[edeganay]

Hello,

I've been hacked my pbx through the primary extension (5000), and I just realized this on my invoice. (from middle east)
My first error was to not change the secret of this extension (now it's done), which is used only for voicemail (not supposed to get outside calls)
 but I though that extensions with status "local" as phone location wasn't accessible from outside the network.

some questions :
- what's the main things to do to review and avoid this ?
- how manage which extension can start outgoing calls ?
- Can I trace IP addresses from where the extension has been used (in the past) ?
- Do you see anything else ?

thanks a lot,
This freaks me out !
Edd

[SARK devs]

Our advice is published on our wiki site here

http://sarkpbx.com/twiki/bin/view/Main/AsteriskSec

Please read it carefully.  It answers most of your questions.

Kind Regards
S

[chris burnat]

You have my sympathy, check:
http://forums.contribs.org/index.php?topic=46022.new;topicseen#new
and:
http://forums.contribs.org/index.php?topic=46253.new;topicseen#new

[edeganay]

Thanks guys,

I can only blame myself, I already read these warnings and was sure of my config...
now I am !

no big deal, my sip provider warned me quickly, damages are low$$$

Edd

[edeganay]

one last question,
can I find the remote IP's of logged extensions ? and when connection has been successfull ?

Thanks again,
Edd

[SARK devs]

HI

In asterisk CLI you can do

Code: [Select]

sip show peers
Also, usually, SAIL will tell you the IP of a connected extension in the extensions panel.

Connections (registrations) can be logged if you run asteriks full logging but Digium recommend that you only run full logging when there is a problem you need to diagnose.

Kind Regards

S 

[Franco]

A good article: http://kb.smartvox.co.uk/index.php/asterisk/secure-asterisk-pbx-part-1/

[edeganay]

many thanks all,
I definitely have to  find a warning trigger over repeated errors in the logs (sme7admin might help)

Edd

[SARK devs]

We supply all of our commercial installs with OSSEC Host based intrusion detection as a matter of course.  It works well for us and it will inform you of anomalies it finds via email.  It can also deny access to intruders if they trigger certain thresholds.  WE prefer it to Fail2ban but it is somewhat down to personal preference.

Kind Regards

S 

[chris burnat]

Reposted from another topic:

Count hack attempts (could be a cron job...):

Code: [Select]

grep -r "Wrong password" /var/log/asterisk/messages* | wc -l
Find IP addresses of hackers:

Code: [Select]

grep -r "Wrong password" /var/log/asterisk/messages*  | sed -e 's/  / /g' | cut -f12 -d' ' | sort -u
Find extensions which have been attempted to hack:

Code: [Select]

grep -r "Wrong password" /var/log/asterisk/messages*  | sed -e 's/  / /g' | cut -f8 -d' ' | sort -u

[brick]

We supply all of our commercial installs with OSSEC Host based intrusion detection as a matter of course.  It works well for us and it will inform you of anomalies it finds via email.  It can also deny access to intruders if they trigger certain thresholds.  WE prefer it to Fail2ban but it is somewhat down to personal preference.

Kind Regards

S

How about a little How-to?

[SARK devs]

Code: [Select]

How about a little How-to?
We're absolutely maxed here at the moment so it won't be in the next few days, but to be honest, you just follow the instructions on the OSSEC site.  It pretty much just works.

kind regards

S

[edeganay]

Hello there,

thanks for all your advices, I took some of them in place.

I went further in my search, and found some interesting informations, enough to ask things with proofs.

I got Attackers IP's, I got Time and date of introducing, I miss time and date of calls from these IP's and I can't find this.
I found calls, but not with IP's used by the extension.

Can you help me on this ?

many thanks,
Edd