SIP Security

Posted: Thu Jun 21, 2012 8:00 am
by zando101
One of our VOIP providers, Xcast, authenticates by IP only.

In their welcome note they say:

Our security team recently ran a SIP scanning application against our customer accounts and found that
many of them do not block SIP messages from unknown IP addresses. We also found that many of the
systems were wide open and would relay calls from ANY SIP device


Do you think this applies to a default ViciBox install?

I understand the part about allowing connections to 5060 from anyone but do you think ViciBox will relay calls from any device by default?

ViciBox comes fully password protected right? Though the default password is "test" it's still a password.

I'm no guru on this subject matter but am investigating and very much appreciate others' thoughts on this.

Thank you.

Re: SIP Security

Posted: Thu Jun 21, 2012 8:24 am
by williamconley
Vicidial is not an open sip danger, but it can be hacked. Since it is not a public system (you do not need to accept connections from random public!) it is best to whitelist-lock your "iptables" firewall. This will not only secure the sip phone system, but also the ssh and http security holes that can be hacked. In all three, the password may be "excellent", but that does not stop an outside force from attempting a Brute Force password attack. During the attack, the server will behave poorly (perhaps even a Denial of Service condition). If you have one user/account with a poor password, the hacker may even gain access ... and at that point you have serious problems.

Also of note: the phpMyAdmin folder should be further locked down with a password applied to the folder itself in apache to avoid anyone (even inside the organization) from getting the opportunity to guess at any mysql user passwords (especially if one of those is "cron/1234", which does not require a whole lot of "guessing").

Re: SIP Security

Posted: Thu Jun 21, 2012 10:37 am
by zando101
williamconley wrote: it is best to whitelist-lock your "iptables" firewall.


The only issue I can think of with this is agents who need remote access.

Users on home DSL connections that are not assigned a static IP.

I guess it's a trade-off - grant remote agent access = increased risk exposure to nefarious activities by undesirables.

There are some advanced solutions like port knocking to open up access.
E.g. - Remote agent runs software that knocks and opens up access so their softphones and browsers can connect.

Re: SIP Security

Posted: Thu Jun 21, 2012 11:38 am
by mcargile
I always recommend using IAX2 for dynamic IP remote agents. IAX2 is not as widespread as SIP so there are fewer attacks on it. All the same you should also set up Fail2Ban which looks for attacks and bans the IP address. It is recommended to use the web phone if using Fail2Ban though. That way you do not have to worry about the agents accidentally banning themselves while getting their phone set up.

In addition to that you can always change the Phone Context on their phones from default to a nonexistent context or one with very limited capabilities. This way if their phone does get hacked the attack will not be able to place any calls, but the agent will still be able to use Vicidial.

Re: SIP Security

Posted: Fri Jun 22, 2012 2:36 am
by Vince-0
An important SIP config option for Asterisk is to set alwaysauthreject = yes in the general section of the sip.conf file. I'm not sure if this is on by default in ViciBox. As with any publicly accessible service, strong passwords are required. Fail2Ban is a good idea but be aware of its caveats.

There are other possible attack vectors like phpMyAdmin, as mentioned, as well as any accessible web pages.

http://blogs.digium.com/2009/03/28/sip-security/
http://www.fail2ban.org/wiki/index.php/Asterisk
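
Added example, not part of the original thread and not ViciBox or Asterisk code: a small audit of sip.conf-style text for the three settings raised in the posts above (alwaysauthreject in the general section, default passwords such as "test", and dynamic-IP phones left in the default context). The peer names, address, contexts and length threshold are assumptions made for the illustration, and a missing alwaysauthreject line is reported because the thread does not say what the default is.

```python
import re

# Assumptions: "test" and "1234" are the default passwords named in the thread;
# the length threshold is an illustrative policy, not an Asterisk setting.
WEAK_SECRETS = {"test", "1234"}
MIN_SECRET_LEN = 12

def parse_sip_conf(text):
    """Return {section: {key: value}} from Asterisk-style config text."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment
        header = re.match(r"\[([^\]]+)\]", line)
        if header:
            current = sections.setdefault(header.group(1), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)  # also accepts 'key => value'
            current[key.strip().lower()] = value.lstrip(">").strip()
    return sections

def audit(text):
    """Return sorted (section, finding) tuples for the settings discussed."""
    conf = parse_sip_conf(text)
    general = conf.get("general", {})
    findings = []
    if general.get("alwaysauthreject", "").lower() != "yes":
        findings.append(("general", "alwaysauthreject is not set to yes"))
    for name, opts in conf.items():
        # Check only dynamic-IP phones; an IP-authenticated trunk has no secret.
        if name == "general" or opts.get("host") != "dynamic":
            continue
        secret = opts.get("secret", "")
        if secret.lower() in WEAK_SECRETS or len(secret) < MIN_SECRET_LEN:
            findings.append((name, "missing or weak secret"))
        if opts.get("context", general.get("context", "default")) == "default":
            findings.append((name, "can place calls through the default context"))
    return sorted(findings)

# Constructed sample; peer names, address and contexts are made up.
SAMPLE = """\
[general]                  ; alwaysauthreject is absent
[provider-trunk]           ; authenticated by IP, like the provider above
host = 203.0.113.10
[8001]
type = friend
host = dynamic
secret = test
context = default
"""
```

Calling audit(SAMPLE) reports the general section and phone 8001 and leaves the IP-authenticated trunk alone.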

Re: SIP Security

Posted: Mon Jul 02, 2012 8:17 pm
by williamconley
We have a method using the iptables xt_recent module combined with a sql table and web page (to populate the xt_recent module "good" file when login=success) on a port other than 80 that allows for Dynamic IP logins.

With a pure whitelist in place, we open an otherwise unused port, and serve a special web site on it with no index (so no page shows up unless you KNOW the web page).

Once on that page, the agent logs in ... if they succeed, their IP is added to the Good list (and stored in the table for the day) and suddenly their IP address is whitelisted (for the rest of the day ...).

So far, we've never had an ATTEMPTED breakin after installing this. :)

I wish I could add it to Vicidial, but it's an installer thing and I'm not sure it would be viable for everyday users (they tend to freak out about the whitelist lockdown until they NEED it, which usually takes a few weeks).

If requested, I can post it again. I think I posted it about a year ago. Or maybe I'll put it on the wiki. Or both. LOL