SIP Security

All installation and configuration problems and questions

Moderators: gerski, enjay, williamconley, Op3r, Staydog, gardo, mflorell, MJCoate, mcargile, Kumba, Michael_N

SIP Security

Postby zando101 » Thu Jun 21, 2012 8:00 am

One of our VOIP providers, Xcast, authenticates by IP only.

In their welcome note they say:

Our security team recently ran a SIP scanning application against our customer accounts and found that
many of them do not block SIP messages from unknown IP addresses. We also found that many of the
systems were wide open and would relay calls from ANY SIP device


Do you think this applies to a default ViciBox install?

I understand the part about allowing connections to 5060 from anyone but do you think ViciBox will relay calls from any device by default?

ViciBox comes fully password protected right? Though the default password is "test" it's still a password.

I'm no guru on this subject matter but am investigating and very much appreciate others thoughts on this.

Thank you.
zando101
 
Posts: 20
Joined: Mon Mar 26, 2012 11:36 pm

Re: SIP Security

Postby williamconley » Thu Jun 21, 2012 8:24 am

Vicidial is not an open sip danger, but it can be hacked. Since it is not a public system (you do not need to accept connections from random public!) it is best to whitelist-lock your "iptables" firewall. This will not only secure the sip phone system, but also the ssh and http security holes that can be hacked. In all three, the password may be "excellent", but that does not stop an outside force from attempting a Brute Force password attack. During the attack, the server will behave poorly (perhaps even a Denial of Service condition). If you have one user/account with a poor password, the hacker may even gain access ... and at that point you have serious problems.

Also of note: the phpMyAdmin folder should be further locked down with a password applied to the folder itself in apache to avoid anyone (even inside the organization) from getting the opportunity to guess at any mysql user passwords (especially if one of those is "cron/1234", which does not require a whole lot of "guessing").
Vicidial Installation and Repair, plus Hosting and Colocation
Newest Product: Vicidial Agent Only Beep - Beta
http://www.PoundTeam.com # 352-269-0000 # +44(203) 769-2294
williamconley
 
Posts: 20278
Joined: Wed Oct 31, 2007 4:17 pm
Location: Davenport, FL (By Disney!)

Re: SIP Security

Postby zando101 » Thu Jun 21, 2012 10:37 am

williamconley wrote:it is best to whitelist-lock your "iptables" firewall.


The only issue I can think of with this is agents who need remote access.

User's on home DSL connections that are not assigned a static IP.

I guess it's a trade off - grant remote agent access = increased risk exposure to nefarious activities by undesirables.

There are some advanced solutions like port knocking to open up access.
Eg - Remote agent runs software that knocks and opens up a access so their softphones and browsers can connect.
zando101
 
Posts: 20
Joined: Mon Mar 26, 2012 11:36 pm

Re: SIP Security

Postby mcargile » Thu Jun 21, 2012 11:38 am

I always recommend using IAX2 for dynamic IP remote agents. IAX2 is not as wide spread as SIP so there are less attacks on it. All the same you should also setup Fail2Ban which looks for attacks and bans the IP address. It is recommended to use the web phone if using Fail2Ban though. That way you do not have to worry about the agents accidentally banning themselves while getting their phone setup.

In addition to that you can always change the Phone Context on their phones from default to a nonexistent context or one with very limited capabilities. This way if their phone does get hacked the attack will not be able to place any calls, but the agent will still be able to use Vicidial.
Michael Cargile | Director of Engineering | ViciDialGroup | http://www.vicidial.com

The official source for VICIDIAL services and support. 1-888-894-VICI (8424)
mcargile
Site Admin
 
Posts: 617
Joined: Tue Jan 16, 2007 9:38 am

Re: SIP Security

Postby Vince-0 » Fri Jun 22, 2012 2:36 am

An important SIP config option for Asterisk is to set alwaysauthreject = yes in the general section of the sip.conf file. I'm not sure if this is on by default in ViciBox. As with any publicly accessible service strong passwords are required. Fail2Ban is a good idea but be aware of its caveats.

There are other possible attack vectors like phpMyAdmin, as mentioned, as well as any accessible web pages.

http://blogs.digium.com/2009/03/28/sip-security/
http://www.fail2ban.org/wiki/index.php/Asterisk
Vince-0
 
Posts: 272
Joined: Fri Mar 02, 2012 4:27 pm
Location: South Africa

Re: SIP Security

Postby williamconley » Mon Jul 02, 2012 8:17 pm

We have a method using the iptables xt_recent module combined with a sql table and web page (to populate the xt_recent module "good" file when login=success) on a port other than 80 that allows for Dynamic IP logins.

With a pure whitelist in place, we open an otherwise unused port, and serve a special web site on it with no index (so no page shows up unless you KNOW the web page).

Once on that page, the agent logs in ... if they succeed, their IP is added to the Good list (and stored in the table for the day) and suddenly their IP address is whitelisted (for the rest of the day ...).

So far, we've never had an ATTEMPTED breakin after installing this. :)

I wish I could add it to Vicidial, but it's an installer thing and I'm not sure it would be viable for everyday users (they tend to freak out about the whitelist lockdown until they NEED it, which usually takes a few weeks).

If requested, I can post it again. I think I posted it about a year ago. Or maybe I'll put it on the wiki. Or both. LOL
Vicidial Installation and Repair, plus Hosting and Colocation
Newest Product: Vicidial Agent Only Beep - Beta
http://www.PoundTeam.com # 352-269-0000 # +44(203) 769-2294
williamconley
 
Posts: 20278
Joined: Wed Oct 31, 2007 4:17 pm
Location: Davenport, FL (By Disney!)


Return to Support

Who is online

Users browsing this forum: Google [Bot] and 57 guests