admin

PBX security

Hi Guys,

Recently a few people using Switchfin reported that their PBXs have been hacked.

In case any of you were wondering why there has been a fairly notable upswing in the attacks happening on SIP endpoints,
the answer is “script kiddies.”  In the last few months, a number of new tools have made it easy for knuckle-draggers to attack
and defraud SIP endpoints, including Asterisk-based systems such as the ones Switchvoice manufactures.
There are easily-available tools that scan networks looking for SIP hosts, and then scan hosts looking for valid extensions,
and then scan valid extensions looking for passwords.

There are a few simple things you may do to increase the security of your PBXs.

   1. Put your PBX behind a router/firewall and open a given port only if necessary.
   2. Use non-trivial SIP/IAX user names and long, difficult passwords. Never use the same string as both user name and password.
   3. Use the new deny/permit feature in the Switchfin GUI. As a general practice, always do this if you need to connect to your PBX from outside of your local network and therefore need to open SIP port 5060 on your router. For example, to allow a single IP (in this example 216.207.245.47) that you will register from, specify rules in the GUI like this. Note that rule order is important!

http://www.switchfin.org/images/deny_permit.jpg

Thanks Jason for implementing this really nice new feature!

   4. You may consider changing the SSH password of your PBXs to something more complex.

Please pay attention before you get hacked.
After all, VoIP is meant to make communication easier, more convenient and cheap.

Best Regards
Dimitar



Edited By:  admin
Sep-19-10 12:04:21
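Why the rule order in step 3 matters, shown as an added example (not Switchfin or Asterisk code): it models Asterisk's deny/permit access lists, where entries are applied in order, the last matching entry decides and permit is the default when nothing matches; the GUI rules are assumed to map onto such entries in the order listed.

```python
import ipaddress

# Added example, not Switchfin or Asterisk code. Models Asterisk's deny/permit access
# lists: entries are applied in order, the last matching entry decides, and with no
# match the default is permit. The Switchfin GUI rules are assumed to map onto such
# entries in the order they are listed.

def parse_rule(rule):
    """'deny=0.0.0.0/0.0.0.0' or 'permit=216.207.245.47/255.255.255.255' -> (verb, network).
    Accepts a dotted netmask or a CIDR prefix length after the slash."""
    verb, spec = rule.split("=", 1)
    verb = verb.strip().lower()
    if verb not in ("deny", "permit"):
        raise ValueError(f"unknown verb {verb!r} in rule {rule!r}")
    addr, mask = spec.strip().split("/", 1)
    return verb, ipaddress.IPv4Network((addr, mask), strict=False)

def is_permitted(rules, source_ip):
    """True if a peer at source_ip may register under the given ordered rules."""
    ip = ipaddress.IPv4Address(source_ip)
    decision = "permit"                 # default when no entry matches
    for rule in rules:
        verb, network = parse_rule(rule)
        if ip in network:
            decision = verb             # later matches override earlier ones
    return decision == "permit"

# The order recommended in the post: deny everything, then permit the one remote IP.
RECOMMENDED = ["deny=0.0.0.0/0.0.0.0", "permit=216.207.245.47/255.255.255.255"]
# The same two rules reversed: the blanket deny matches last, so even the intended
# peer is refused and the PBX is unreachable from outside.
REVERSED = ["permit=216.207.245.47/255.255.255.255", "deny=0.0.0.0/0.0.0.0"]

if __name__ == "__main__":
    for ip in ("216.207.245.47", "203.0.113.9"):   # 203.0.113.9 is a constructed stranger
        print(ip, "recommended:", is_permitted(RECOMMENDED, ip),
              "reversed:", is_permitted(REVERSED, ip))
```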

ckleea

Re: PBX security

Great features. However, will you also implement features such as drop connection by selected port numbers or iptables?


admin

Re: PBX security

Hi Ckleea,

Yes iptables is on the way.

Cheers
Dimitar


Florian

Re: PBX security

Hello,

I've got an ip02 with Switchfin and tried to compile the latest Switchfin version with iptables. I used menuconfig to select it.

It works fine:
root@ip0x:~> iptables -V
iptables v1.4.5

However, I've got this message when I try to add a rule:

root@ip0x:~> iptables -A INPUT
modprobe: module ip_tables not found in modules.dep
iptables v1.4.5: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.

Any idea?

Thx.


ckleea

Re: PBX security

Perhaps you may try manually adding the rules to the file.
I am compiling the latest firmware and am not yet able to test iptables. But I really look forward to seeing a working version.


Florian

Re: PBX security

I can't add any rule... I think iptables is installed but not loaded.

root@ip0x:~> lsmod | grep ip
root@ip0x:~>

I'll wait for you to test your version with iptables.


ckleea

Re: PBX security

On the way. I only use an Atom PC to compile, so it will need some time to finish.


Albi90

Re: PBX security

Looks like the 'netfilter' modules are not being installed.
Looking into it now!

Thanks
Jason


ckleea

Re: PBX security

I have the same error as Florian. I can't find netfilter


Albi90

Re: PBX security

Hi Guys

Rev 431 should work. I can see netfilter in the kernel config and iptables in the application settings; I'm running a full compile now to test.

Thanks
Jason


Albi90

Re: PBX security

Hi Guys

I can confirm that iptables is working in rev 431 on IP02.

Thanks
Jason


Florian

Re: PBX security

I confirm iptables in rev 431 is working fine on IP02.

Thanks for the help.
Florian


Albi90

Re: PBX security

No problem thanks for supporting and using SwitchFin.

Thanks
Jason


ckleea

Re: PBX security

Same here, no more error at IP01. Will test further on the rules.


Florian

Re: PBX security

Works great with basic iptables rules. But when I try to insert custom rules like:

root@ip0x:~> iptables -i eth0 -A INPUT -p udp -s 212.27.52.5 --sport 5060 -m length --length 60 -j DROP
iptables: No chain/target/match by that name.

it doesn't work...

The goal is to avoid this log message in Asterisk: "chan_sip.c:7338 determine_firstline_parts: Bad request protocol Packet" every second...

Do other people have the same problem?

Thanks.
Florian


admin

Re: PBX security

Hi Florian,

Thank you for the feedback!
You are trying to use features which seem to require advanced netfilter support in the kernel.
Currently we don't have CONFIG_NETFILTER_ADVANCED and CONFIG_NETFILTER_XT_MATCH_LENGTH enabled, so that's why you cannot match the packet length. We plan to define an extra feature in the Switchfin menuconfig to enable some advanced netfilter options.

What is the SIP device you are trying to register to the PBX?

Best Regards
Dimitar
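The failure above comes from loading a rule whose match is not compiled into the kernel. As an added example (not Switchfin's or iptables' own code), this checks an iptables command line against a config.iptables fragment before an image is built; the rule-to-symbol mapping covers only the Kconfig symbols named in this thread, and the config fragment is constructed for the example.

```python
import re
import shlex

# Added example, not Switchfin's or iptables' own code. Maps the table, matches and
# targets an iptables rule uses to the kernel Kconfig symbols that provide them (only
# symbols named in this thread) so a config.iptables fragment can be checked before
# building. Unmapped matches/targets raise a KeyError rather than being guessed.
SYMBOL_FOR = {
    ("table", "filter"): "CONFIG_IP_NF_FILTER",
    ("table", "mangle"): "CONFIG_IP_NF_MANGLE",
    ("match", "length"): "CONFIG_NETFILTER_XT_MATCH_LENGTH",
    ("match", "state"): "CONFIG_NETFILTER_XT_MATCH_STATE",
    ("match", "conntrack"): "CONFIG_NETFILTER_XT_MATCH_CONNTRACK",
    ("target", "REJECT"): "CONFIG_IP_NF_TARGET_REJECT",
    ("target", "MASQUERADE"): "CONFIG_IP_NF_TARGET_MASQUERADE",
}
ADVANCED = {"CONFIG_NETFILTER_XT_MATCH_LENGTH"}  # offered only with CONFIG_NETFILTER_ADVANCED=y

def enabled_symbols(config_text):
    """Symbols set to y or m; '# CONFIG_X is not set' lines (and typos like =yl) do not count."""
    return set(re.findall(r"^(CONFIG_\w+)=[ym]$", config_text, re.M))

def needed_symbols(rule):
    """Kconfig symbols a single 'iptables ...' command line depends on."""
    argv = shlex.split(rule)
    needs, table = {"CONFIG_IP_NF_IPTABLES"}, "filter"
    for opt, arg in zip(argv, argv[1:]):
        if opt == "-t":
            table = arg
        elif opt == "-m":
            needs.add(SYMBOL_FOR[("match", arg)])
        elif opt == "-j" and arg not in ("ACCEPT", "DROP", "RETURN"):  # built-in targets
            needs.add(SYMBOL_FOR[("target", arg)])
    needs.add(SYMBOL_FOR[("table", table)])
    if needs & ADVANCED:
        needs.add("CONFIG_NETFILTER_ADVANCED")
    return needs

def missing_symbols(rule, config_text):
    return sorted(needed_symbols(rule) - enabled_symbols(config_text))

# Constructed config.iptables fragment (before the two lines Florian added) and the rule from the thread.
BASE_CONFIG = """CONFIG_NETFILTER_XTABLES=y
CONFIG_NETFILTER_XT_MATCH_STATE=y
# CONFIG_NETFILTER_XT_MATCH_LENGTH is not set
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_FILTER=y
"""
FIXED_CONFIG = BASE_CONFIG + "CONFIG_NETFILTER_ADVANCED=y\nCONFIG_NETFILTER_XT_MATCH_LENGTH=y\n"
LENGTH_RULE = "iptables -i eth0 -A INPUT -p udp -s 212.27.52.5 --sport 5060 -m length --length 60 -j DROP"
```

`missing_symbols(LENGTH_RULE, BASE_CONFIG)` names exactly the two symbols from the reply above, and the same call against `FIXED_CONFIG` returns an empty list.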


Florian

Re: PBX security

Hi,

My SIP provider is a French provider that doesn't use SIP/2.0, and the logs were inconvenient.

I compiled a new image and manually added CONFIG_NETFILTER_ADVANCED and CONFIG_NETFILTER_XT_MATCH_LENGTH.

Everything's OK for these features now.

Thanks for debugging.
Florian


Gilles

Re: PBX security

I'd like to use iptables on the IP01: What steps are required precisely to modify the latest Switchfin source code (SVN 500) to compile Netfilter + iptables?

Thank you.


Albi90

Re: PBX security

Hi Gilles

I have just updated the GUI and added an iptables manager. To compile, please follow the instructions below.

First of all you want to delete your build_ip0x dir; this will ensure a completely fresh make.

Next run make menuconfig
Select "Package Selection for the target"
Select "iptables"
Select "Exit"
Select "Exit" again and "yes" to saving your configs
run "make" then "make image"

iptables should be installed in your newly created uImage. The GUI is set to update itself on every "make", so iptables should be in it too.

Any rules added in the GUI will get saved to "/etc/sysconfig/iptables" after clicking the "Apply/Run Rules" button.

You will have to add "iptables-restore /etc/sysconfig/iptables" to the /etc/init.d/network script to make sure the rules are loaded on every boot.

Thanks
Jason


Gilles

Re: PBX security

Thanks Jason. So Florian's manual addition of CONFIG_NETFILTER_ADVANCED and CONFIG_NETFILTER_XT_MATCH_LENGTH to some configuration file is no longer needed?


Albi90

Re: PBX security

Hi Gilles

You only need to enable CONFIG_NETFILTER_ADVANCED and CONFIG_NETFILTER_XT_MATCH_LENGTH if you want advanced iptables, for standard firewalling (port/ip/protocol) you should be fine.

Thanks
Jason


Gilles

Re: PBX security

Indeed, I'd like to use those advanced settings: In which configuration file should I add those two items manually?

Thank you.


Florian

Re: PBX security

Hi,

I think I manually added those advanced settings by editing the file package/iptables/config.iptables and setting the options I need to "y". Then compiling let me choose the other options.

I'm not sure of this because I use asterisk 1.6 which doesn't need Cirpak exclusion.

Tell me if this doesn't work for you; I will try it myself again.

Florian


Albi90

Re: PBX security

Yup, Florian is right: altering package/iptables/config.iptables should override the normal kernel config as long as you select iptables in make menuconfig.

Thanks
Jason


Gilles

Re: PBX security

Thanks for the clarification.

However, after editing config.iptables to add the two lines and running "make", I'm prompted to validate every single option!

Here's what I did:

rm -Rf /usr/src/switchfin
svn co https://switchfin.svn.sourceforge.net/s … fin/trunk/ switchfin
=> release 503
   
make menuconfig > Package Selection for the target: select iptables

vi package/iptables/config.iptables, and add those two lines:
CONFIG_NETFILTER_ADVANCED=y
CONFIG_NETFILTER_XT_MATCH_LENGTH=y

And when running "make":
...
Enable the memory protection unit (EXPERIMENTAL) (MPU) [N/y/?] n
Netfilter NFQUEUE over NFNETLINK interface (NETFILTER_NETLINK_QUEUE) [N/m/y/?] (NEW)
etc.

Why does "make" prompt the user for this, and how can I avoid it?

FWIW, this doesn't occur when I leave config.iptables alone.

Thank you.


Florian

Re: PBX security

Maybe you can add each option prompted to you to config.iptables, so they won't be unconfigured when running "make" next time.


Gilles

Re: PBX security

Right, but I'm prompted a bazillion times, so it's going to take a long time going through the list.

Nobody knows why make decides to prompt for each option simply after adding some manually?


Albi90

Re: PBX security

Hi Gilles

Here is my config.iptables with CONFIG_NETFILTER_ADVANCED and CONFIG_NETFILTER_XT_MATCH_LENGTH enabled:

Code:

CONFIG_NETFILTER=y
# CONFIG_NETFILTER_DEBUG is not set
CONFIG_NETFILTER_ADVANCED=y

#
# Core Netfilter Configuration
#
# CONFIG_NETFILTER_NETLINK is not set
# CONFIG_NETFILTER_NETLINK_LOG is not set
CONFIG_NF_CONNTRACK=y
# CONFIG_NF_CONNTRACK_SECMARK is not set
CONFIG_NF_CONNTRACK_FTP=y
CONFIG_NF_CONNTRACK_TFTP=y
# CONFIG_NF_CONNTRACK_IRC is not set
CONFIG_NF_CONNTRACK_SIP=y
CONFIG_NF_CONNTRACK_H323=y
# CONFIG_NF_CT_NETLINK is not set
CONFIG_NETFILTER_XTABLES=y
# CONFIG_NETFILTER_XT_TARGET_CONNSECMARK is not set
# CONFIG_NETFILTER_XT_TARGET_MARK is not set
# CONFIG_NETFILTER_XT_TARGET_NFLOG is not set
# CONFIG_NETFILTER_XT_TARGET_SECMARK is not set
# CONFIG_NETFILTER_XT_TARGET_TCPMSS is not set
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y
# CONFIG_NETFILTER_XT_MATCH_MARK is not set
# CONFIG_NETFILTER_XT_MATCH_POLICY is not set
CONFIG_NETFILTER_XT_MATCH_STATE=y
CONFIG_NETFILTER_XT_MATCH_LENGTH=y
# CONFIG_IP_VS is not set

#
# IP: Netfilter Configuration
#
# CONFIG_NF_DEFRAG_IPV4 is not set
CONFIG_NF_CONNTRACK_IPV4=y
# CONFIG_NF_CONNTRACK_PROC_COMPAT is not set

CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_TARGET_REJECT=y
# CONFIG_IP_NF_TARGET_LOG is not set
# CONFIG_IP_NF_TARGET_ULOG is not set
CONFIG_NF_NAT=y
CONFIG_NF_NAT_NEEDED=y
CONFIG_IP_NF_TARGET_MASQUERADE=y
CONFIG_NF_NAT_FTP=y
CONFIG_NF_NAT_TFTP=y
# CONFIG_NF_NAT_AMANDA is not set
# CONFIG_NF_NAT_PPTP is not set
CONFIG_NF_NAT_H323=y
CONFIG_NF_NAT_SIP=y
CONFIG_IP_NF_MANGLE=y

Thanks
Jason


Gilles

Re: PBX security

Thanks Jason. Using the above, we end up being prompted for a very big number of options:

www.pastebin.com/ECRNJBsi

Using the following options in config.iptables answers all the prompts, although I probably don't need most options but don't have the knowledge to know which are required and which aren't:


CONFIG_NETFILTER=y
CONFIG_NETFILTER_ADVANCED=y
CONFIG_NETFILTER_NETLINK_QUEUE=y
CONFIG_NETFILTER_NETLINK_LOG=y
CONFIG_NF_CONNTRACK=y
CONFIG_NF_CT_ACCT=y
CONFIG_NF_CONNTRACK_MARK=y
CONFIG_NF_CONNTRACK_EVENTS=y
CONFIG_NF_CT_PROTO_DCCP=y
CONFIG_NF_CT_PROTO_SCTP=y
CONFIG_NF_CT_PROTO_UDPLITE=y
CONFIG_NF_CONNTRACK_AMANDA=y
CONFIG_NF_CONNTRACK_FTP=y
CONFIG_NF_CONNTRACK_H323=y
CONFIG_NF_CONNTRACK_IRC=y
CONFIG_NF_CONNTRACK_NETBIOS_NS=y
CONFIG_NF_CONNTRACK_PPTP=y
CONFIG_NF_CONNTRACK_SANE=y
CONFIG_NF_CONNTRACK_SIP=y
CONFIG_NF_CONNTRACK_TFTP=y
CONFIG_NF_CT_NETLINK=y
CONFIG_NETFILTER_TPROXY=y
CONFIG_NETFILTER_XTABLES=y
CONFIG_NETFILTER_XT_TARGET_CLASSIFY=y
CONFIG_NETFILTER_XT_TARGET_CONNMARK=y
CONFIG_NETFILTER_XT_TARGET_DSCP=y
CONFIG_NETFILTER_XT_TARGET_MARK=y
CONFIG_NETFILTER_XT_TARGET_NFLOG=y
CONFIG_NETFILTER_XT_TARGET_NFQUEUE=y
CONFIG_NETFILTER_XT_TARGET_NOTRACK=y
CONFIG_NETFILTER_XT_TARGET_RATEEST=y
CONFIG_NETFILTER_XT_TARGET_TPROXY=y
CONFIG_NETFILTER_XT_TARGET_TRACE=y
CONFIG_NETFILTER_XT_TARGET_TCPMSS=y
CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP=y
CONFIG_NETFILTER_XT_MATCH_COMMENT=y
CONFIG_NETFILTER_XT_MATCH_CONNBYTES=y
CONFIG_NETFILTER_XT_MATCH_CONNLIMIT=y
CONFIG_NETFILTER_XT_MATCH_CONNMARK=y
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y
CONFIG_NETFILTER_XT_MATCH_DCCP=y
CONFIG_NETFILTER_XT_MATCH_DSCP=y
CONFIG_NETFILTER_XT_MATCH_ESP=y
CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=y
CONFIG_NETFILTER_XT_MATCH_HELPER=y
CONFIG_NETFILTER_XT_MATCH_IPRANGE=y
CONFIG_NETFILTER_XT_MATCH_LENGTH=y
CONFIG_NETFILTER_XT_MATCH_LIMIT=y
CONFIG_NETFILTER_XT_MATCH_MAC=y
CONFIG_NETFILTER_XT_MATCH_MARK=y
CONFIG_NETFILTER_XT_MATCH_MULTIPORT=y
CONFIG_NETFILTER_XT_MATCH_OWNER=y
CONFIG_NETFILTER_XT_MATCH_POLICY=y
CONFIG_NETFILTER_XT_MATCH_PKTTYPE=y
CONFIG_NETFILTER_XT_MATCH_QUOTA=y
CONFIG_NETFILTER_XT_MATCH_RATEEST=y
CONFIG_NETFILTER_XT_MATCH_REALM=y
CONFIG_NETFILTER_XT_MATCH_RECENT=y
CONFIG_NETFILTER_XT_MATCH_RECENT_PROC_COMPAT=y
CONFIG_NETFILTER_XT_MATCH_SCTP=y
CONFIG_NETFILTER_XT_MATCH_SOCKET=y
CONFIG_NETFILTER_XT_MATCH_STATE=y
CONFIG_NETFILTER_XT_MATCH_STATISTIC=y
CONFIG_NETFILTER_XT_MATCH_STRING=y
CONFIG_NETFILTER_XT_MATCH_TCPMSS=y
CONFIG_NETFILTER_XT_MATCH_TIME=y
CONFIG_NETFILTER_XT_MATCH_U32=y

Note: If you run "make clean ; make", you'll be prompted for all those options again. In this case, after running "make clean", run "make menuconfig" > Target Architecture Configuration > Custom Kernel Options, then run "make" and enable support for Advanced Netfilter options.


Albi90

Re: PBX security

Mmmm, strange. I ran a full clean make this morning and didn't get prompted for the extra kernel options.

Thanks
Jason

