Koozali.org: home of the SME Server
Obsolete Releases => SME VoIP (Asterisk, SAIL etc) => Topic started by: edeganay on October 18, 2010, 09:31:14 PM
-
Hello,
My PBX has been hacked through the primary extension (5000), and I just realized this from my invoice (calls to the Middle East).
My first error was not changing the secret of this extension (now it's done), which is used only for voicemail (not supposed to get outside calls),
but I thought that extensions with "local" as their phone location weren't accessible from outside the network.
Some questions:
- What are the main things to do to review and avoid this?
- How do I manage which extensions can start outgoing calls?
- Can I trace the IP addresses from which the extension has been used (in the past)?
- Do you see anything else?
Thanks a lot,
This freaks me out!
Edd
-
Our advice is published on our wiki site here
http://sarkpbx.com/twiki/bin/view/Main/AsteriskSec
Please read it carefully. It answers most of your questions.
Kind Regards
S
-
You have my sympathy, check:
http://forums.contribs.org/index.php?topic=46022.new;topicseen#new
and:
http://forums.contribs.org/index.php?topic=46253.new;topicseen#new
-
Thanks guys,
I can only blame myself; I had already read these warnings and was sure of my config...
Now I am!
No big deal, my SIP provider warned me quickly, damages are low $$$
Edd
-
One last question,
Can I find the remote IPs of logged extensions, and when the connection has been successful?
Thanks again,
Edd
-
Hi
In the Asterisk CLI you can do
sip show peers
Also, usually, SAIL will tell you the IP of a connected extension in the extensions panel.
Connections (registrations) can be logged if you run Asterisk full logging, but Digium recommend that you only run full logging when there is a problem you need to diagnose.
Kind Regards
S
-
A good article: http://kb.smartvox.co.uk/index.php/asterisk/secure-asterisk-pbx-part-1/
-
Many thanks all,
I definitely have to find a warning trigger for repeated errors in the logs (sme7admin might help).
Edd
-
We supply all of our commercial installs with OSSEC host-based intrusion detection as a matter of course. It works well for us and it will inform you of anomalies it finds via email. It can also deny access to intruders if they trigger certain thresholds. We prefer it to Fail2ban, but it is somewhat down to personal preference.
Kind Regards
S
-
Reposted from another topic:
Count hack attempts (could be a cron job...):
grep -r "Wrong password" /var/log/asterisk/messages* | wc -l
Find IP addresses of hackers (the sed squeezes runs of spaces so the cut field numbers line up):
grep -r "Wrong password" /var/log/asterisk/messages* | sed -e 's/  */ /g' | cut -f12 -d' ' | sort -u
Find extensions which attackers have attempted to hack:
grep -r "Wrong password" /var/log/asterisk/messages* | sed -e 's/  */ /g' | cut -f8 -d' ' | sort -u
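The grep/cut pipeline above depends on field positions, which shift if the log spacing or the display-name part of the line changes. As an added example (not from the original post, not part of SAIL or SME Server), here is a small Python parser that pulls the same facts out of /var/log/asterisk/messages by pattern instead: failed registrations per source IP, per extension and per reason, the successful registrations with their source IP and time (the question asked earlier in the thread), and the IPs that cross a failure threshold in the way an OSSEC or Fail2ban rule would. The sample log lines are constructed in the shape chan_sip writes, not a real capture, and the threshold value is an assumption.

```python
import re
from collections import Counter, namedtuple

# Constructed sample lines (not a real capture) in the shape chan_sip writes to
# /var/log/asterisk/messages: failed registrations plus one successful one.
SAMPLE_LOG = """\
[Oct 18 20:01:03] NOTICE[2345] chan_sip.c: Registration from '"5000" <sip:5000@203.0.113.10>' failed for '203.0.113.10' - Wrong password
[Oct 18 20:01:04] NOTICE[2345] chan_sip.c: Registration from '"5000" <sip:5000@203.0.113.10>' failed for '203.0.113.10' - Wrong password
[Oct 18 20:01:05] NOTICE[2345] chan_sip.c: Registration from '"5001" <sip:5001@203.0.113.10>' failed for '203.0.113.10' - Wrong password
[Oct 18 20:01:06] NOTICE[2345] chan_sip.c: Registration from '"5002" <sip:5002@203.0.113.10>' failed for '203.0.113.10' - Wrong password
[Oct 18 20:02:11] NOTICE[2345] chan_sip.c: Registration from '"5000" <sip:5000@198.51.100.7>' failed for '198.51.100.7' - Wrong password
[Oct 18 20:02:12] NOTICE[2345] chan_sip.c: Registration from '"100" <sip:100@198.51.100.7>' failed for '198.51.100.7' - No matching peer found
[Oct 18 20:03:00] VERBOSE[2345] logger.c:     -- Registered SIP '5000' at 192.0.2.20 port 5060
"""

Event = namedtuple("Event", "when ext ip outcome")   # outcome: failure reason or "registered"
TS_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]")
FAIL_RE = re.compile(r"""Registration from '(?:"(?P<ext>[^"]*)"\s*)?<sip:(?P<user>[^@>]*)@[^>]*>'"""
                     r""" failed for '(?P<ip>[0-9.]+)(?::\d+)?' - (?P<reason>.+)$""")
OK_RE = re.compile(r"Registered SIP '(?P<ext>[^']+)' at (?P<ip>[0-9.]+) port \d+")

def parse_events(text):
    """Extract registration outcomes by pattern, not by field position, so
    varying spacing or a missing display name cannot shift the columns."""
    events = []
    for line in text.splitlines():
        ts = TS_RE.match(line)
        when = ts.group("ts") if ts else "?"
        m = FAIL_RE.search(line)
        if m:
            events.append(Event(when, m.group("ext") or m.group("user"), m.group("ip"), m.group("reason")))
            continue
        m = OK_RE.search(line)
        if m:
            events.append(Event(when, m.group("ext"), m.group("ip"), "registered"))
    return events

def summarize(events, threshold=4):
    """Counts per IP/extension/reason, successful registrations, and IPs at or over a threshold (assumed value)."""
    fails = [e for e in events if e.outcome != "registered"]
    per_ip = Counter(e.ip for e in fails)
    return {
        "failed_total": len(fails),
        "failed_per_ip": per_ip,
        "failed_per_ext": Counter(e.ext for e in fails),
        "failed_per_reason": Counter(e.outcome for e in fails),
        "registered": [(e.ext, e.ip, e.when) for e in events if e.outcome == "registered"],
        "over_threshold": sorted(ip for ip, n in per_ip.items() if n >= threshold),
    }
```

Run it over the real file with `summarize(parse_events(open("/var/log/asterisk/messages").read()))`; the "registered" list gives each extension's source IP and time, which is what the thread was asking for.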
-
We supply all of our commercial installs with OSSEC host-based intrusion detection as a matter of course. It works well for us and it will inform you of anomalies it finds via email. It can also deny access to intruders if they trigger certain thresholds. We prefer it to Fail2ban, but it is somewhat down to personal preference.
Kind Regards
S
How about a little How-to? ;)
-
How about a little How-to?
We're absolutely maxed out here at the moment so it won't be in the next few days, but to be honest, you just follow the instructions on the OSSEC site. It pretty much just works.
Kind regards
S
-
Hello there,
Thanks for all your advice; I have put some of it in place.
I went further in my search and found some interesting information, enough to ask questions with proof.
I got the attackers' IPs, I got the time and date of intrusion, but I'm missing the time and date of calls from these IPs and I can't find this.
I found calls, but not with the IPs used by the extension.
Can you help me with this?
Many thanks,
Edd