
There are various kinds of malicious attacks on Linux systems. On an Asterisk server the most common one is an attacker registering a SIP extension from his own machine and using it to make expensive international calls. Financially this is the most damaging kind: it can easily cost thousands of dollars within a few hours. Unfortunately, by the time an admin finds out about it a few hours have usually already passed, and the company has incurred that loss.
Having something like Fail2Ban in place is a must to avoid this situation; I have instructions for it in another blog post here.
In this post I suggest what an Asterisk system admin should do once his server has been hacked and he has become aware of it. I assume that you have iptables or some other firewall installed. How you become aware of a hack depends on how well you know your system: you should know the regular call patterns on your server. Attackers start sending tens of calls per second, which is clearly visible both on the Asterisk CLI and in the CDR. For example, if an attacker is trying to call the UK you will see calls to the same number with several different prefixes, e.g. 001144, 0044, 01144, 1144 and so on. The way the calls are made makes it obvious that somebody is trying to guess the dial-out pattern of your Asterisk server.
Another symptom of a hacked server is that genuine extensions go offline and your users cannot make calls. The attackers usually put so much load on the server that Asterisk cannot keep up with the registrations of the real users and cannot serve their requests to make calls.
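The prefix-guessing pattern described above can be picked out of the CDR automatically rather than by eye. The script below is an added example, not code from the original post: it reads Asterisk's Master.csv CDR format on standard input and reports every source extension that dialled at least N distinct international-looking numbers. The CDR lines embedded in it are constructed for the example, and the threshold and the "international" heuristic (00, 011, 0011 or + prefix, or 12 or more digits) are assumptions to adjust to your own dial plan.

```sh
#!/bin/sh
# Added example (not from the original post): pick out extensions that show the
# prefix-guessing pattern in the CDR, i.e. many distinct international-looking
# dial strings coming from one source extension. Input is Asterisk's Master.csv
# CDR format:
# "accountcode","src","dst","dcontext","clid","channel","dstchannel","lastapp",
# "lastdata","start","answer","end",duration,billsec,"disposition",amaflags,...
# Only the src and dst columns are used.

# suspect_extensions [MIN]: read CDR lines on stdin and print "ext count" for
# every source extension with at least MIN (default 3) distinct international
# dial strings.
suspect_extensions() {
    min=${1:-3}
    # Split on the quote-comma-quote sequence between quoted fields, so the
    # unquoted numeric fields near the end cannot shift the src/dst columns.
    awk -F'","' -v min="$min" '
        {
            src = $2; dst = $3
            # Heuristic (an assumption for this example; adjust to your dial
            # plan): 00 / 011 / 0011 / + prefix, or 12+ digits, is international.
            if (dst ~ /^(00|011|0011|[+])/ || length(dst) >= 12) {
                if (!seen[src, dst]++) n[src]++   # count each dial string once
            }
        }
        END { for (s in n) if (n[s] >= min) print s, n[s] }' | sort
}

# Constructed sample CDR: extension 200 tries the same UK number with four
# different prefixes (one of them twice), 201 makes one ordinary international
# call, 202 calls an internal extension.
SAMPLE_CDR='"","200","00442071234567","from-internal","200","SIP/200-00000a01","SIP/trunk-00000a02","Dial","SIP/trunk/00442071234567","2013-05-01 02:10:01","","2013-05-01 02:10:04",3,0,"FAILED",3
"","200","0442071234567","from-internal","200","SIP/200-00000a03","SIP/trunk-00000a04","Dial","SIP/trunk/0442071234567","2013-05-01 02:10:02","","2013-05-01 02:10:05",3,0,"FAILED",3
"","200","011442071234567","from-internal","200","SIP/200-00000a05","SIP/trunk-00000a06","Dial","SIP/trunk/011442071234567","2013-05-01 02:10:02","","2013-05-01 02:10:05",3,0,"FAILED",3
"","200","11442071234567","from-internal","200","SIP/200-00000a07","SIP/trunk-00000a08","Dial","SIP/trunk/11442071234567","2013-05-01 02:10:03","","2013-05-01 02:10:06",3,0,"FAILED",3
"","200","00442071234567","from-internal","200","SIP/200-00000a09","SIP/trunk-00000a0a","Dial","SIP/trunk/00442071234567","2013-05-01 02:10:03","","2013-05-01 02:10:06",3,0,"FAILED",3
"","200","02071234567","from-internal","200","SIP/200-00000a0b","SIP/trunk-00000a0c","Dial","SIP/trunk/02071234567","2013-05-01 08:00:00","2013-05-01 08:00:05","2013-05-01 08:03:05",185,180,"ANSWERED",3
"","201","0049301234567","from-internal","201","SIP/201-00000a0d","SIP/trunk-00000a0e","Dial","SIP/trunk/0049301234567","2013-05-01 09:15:00","2013-05-01 09:15:08","2013-05-01 09:20:08",308,300,"ANSWERED",3
"","202","201","from-internal","202","SIP/202-00000a0f","SIP/201-00000a10","Dial","SIP/201","2013-05-01 09:30:00","2013-05-01 09:30:03","2013-05-01 09:31:00",60,57,"ANSWERED",3'

# Run the detector over the constructed sample (used when the script is run
# stand-alone and by the checks below).
detect_from_sample() {
    printf '%s\n' "$SAMPLE_CDR" | suspect_extensions 3
}

detect_from_sample
```

On a live server run it as `suspect_extensions 3 < /var/log/asterisk/cdr-csv/Master.csv` (or pipe in `tail -n 2000` of that file for the last few minutes only). On the constructed sample it prints `200 4`: the repeated 00442071234567 attempt is counted once, the 11-digit national call is ignored, and extension 201's single international call stays under the threshold.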
When you find that your Asterisk server has been hacked, without panicking, start working on two things: 1) find the extension(s) the attackers are using, and 2) find the IP address(es) the calls are coming from. This takes only a few minutes. If you can afford it you can stop Asterisk with the CLI command 'stop now' ('core stop now' in current versions), but that also cuts off your genuine users, so it is better not to. You do not want to give them the impression that your service can interrupt their calls, and you do not need to tell them that your server was hacked, as it would make your customers feel insecure.
There are various ways to find out which extensions are making these calls; one is to go into the Asterisk CLI and look at the active channels:
asterisk -vvvr
set verbose 0
show channels
I set the verbosity to zero to get a quiet screen; otherwise the fast-scrolling messages make it impossible to read the output of any command. On current Asterisk versions these commands are 'core set verbose 0' and 'core show channels'.
Simply by looking at the output of 'show channels' you should be able to figure out which extension(s) are making the suspicious calls. Usually it is a single extension with a lot of international calls attached to it, something a genuine user obviously cannot do. Let's say you figure out that it is extensions 200 and 201.
Now go to your sip.conf, or wherever you have your SIP users defined, or in the case of a realtime architecture open the table that holds the SIP users (the default is `sip_buddies`). There, simply change the 'secret' for extensions 200 and 201. Once done, run:
sip show peers like 20
sip reload
You can omit 'sip reload'; it is only partially effective at this stage because it does not kill the calls in progress, and you will have to wait for the registration to time out before the new secret is enforced. The 'sip show peers' command, however, gives you the IP addresses from which extensions 200 and 201 are registered ('sip show peer 200' shows the full details of a single peer, including its address). Individual calls in progress can be dropped with 'soft hangup <channel>' ('channel request hangup <channel>' in current versions) without restarting Asterisk.
Once you know the IP addresses, block them with iptables. For example, if the bad IP address is 173.194.32.104, run:
iptables -I INPUT -s 173.194.32.104 -j DROP
The -I puts the rule at the top of the INPUT chain, so it takes effect before any rule that accepts SIP traffic. Attackers often come from more than one address, so repeat this for every address the peers show, and remember that rules added this way are lost on reboot unless you save them (for example with iptables-save). If you cannot use iptables for any reason, block the IP address on whatever firewall you have.
If you do not have any firewall at all, then you have only yourself to blame, not the hackers. In that case the only effective option is to restart Asterisk:
restart now
('core restart now' in current versions)
This kills all calls, including the genuine ones, and restarts Asterisk. Once it is back up, the bad IP address(es) can no longer register because the SIP secrets have been changed.
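The manual steps above (find the peer's registered address, block it, drop its calls, reload) can be put into one script so they take seconds instead of minutes. The following is an added example, not the original post's procedure or code. It assumes chan_sip, root privileges, iptables, and Asterisk 1.8-or-later CLI command names ('sip show peer', 'core show channels concise', 'channel request hangup', run through `asterisk -rx`); the 'sip show peer' and channel listings embedded in it are constructed for the example so the parsers can be exercised without a live server, and the secret change in sip.conf is still done by hand first.

```sh
#!/bin/sh
# Added example (not from the original post): quarantine a compromised SIP
# extension after its secret has been changed by hand. Assumes chan_sip,
# Asterisk 1.8+ CLI command names and iptables; run as root.

# Run one Asterisk CLI command and return its output (stdin closed so the
# loop below keeps its own input).
ast_cli() { asterisk -rx "$1" </dev/null; }

# Extract the peer's registered IPv4 address from `sip show peer <ext>` output.
# Different chan_sip versions print "Addr->IP : 203.0.113.45:5060" or
# "Addr->IP : 203.0.113.45 Port 5060", so match the dotted quad, not a column.
peer_ip() {
    awk '/Addr->IP/ && match($0, /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/) {
        print substr($0, RSTART, RLENGTH); exit }'
}

# From `core show channels concise` output (fields separated by "!", channel
# name first) list the channels belonging to SIP peer $1. The trailing "-"
# in the prefix keeps SIP/200- from matching SIP/2001-.
peer_channels() {
    awk -F'!' -v p="SIP/$1-" 'index($1, p) == 1 { print $1 }'
}

quarantine_extension() {
    ext=$1
    ip=$(ast_cli "sip show peer $ext" | peer_ip)
    if [ -z "$ip" ]; then
        echo "no registered address for $ext (registration already expired?)" >&2
    else
        # Block the address first so it cannot re-register or start new calls
        # while the existing ones are being torn down (-I: top of INPUT chain).
        iptables -I INPUT -s "$ip" -j DROP
        echo "blocked $ip (registered as $ext)"
    fi
    # Drop the calls in progress on this extension without restarting Asterisk.
    ast_cli "core show channels concise" | peer_channels "$ext" | while read -r chan; do
        ast_cli "channel request hangup $chan"
    done
    # Pick up the new secret from sip.conf; this does not unregister or hang
    # up anything by itself, hence the two steps above.
    ast_cli "sip reload" >/dev/null
}

# Constructed CLI output used to exercise the parsers offline (no Asterisk
# needed); a real `sip show peer` prints many more lines.
SAMPLE_PEER='* Name       : 200
  Secret       : <Set>
  Addr->IP     : 203.0.113.45:5060
  Status       : OK (42 ms)'

SAMPLE_CHANNELS='SIP/200-00000a01!from-internal!00442071234567!1!Up!Dial!SIP/trunk/00442071234567!200!!3!12!SIP/trunk-00000a02
SIP/2001-00000a05!from-internal!201!1!Ring!Dial!SIP/201!2001!!3!2!
SIP/trunk-00000a02!from-trunk!s!1!Up!AppDial!(Outgoing Line)!!!3!12!SIP/200-00000a01
SIP/200-00000a03!from-internal!01144207123456!1!Ringing!Dial!SIP/trunk/01144207123456!200!!3!1!'

sample_peer_ip()       { printf '%s\n' "$SAMPLE_PEER" | peer_ip; }
sample_peer_channels() { printf '%s\n' "$SAMPLE_CHANNELS" | peer_channels 200; }

# Usage: quarantine.sh 200 201   (after changing those secrets in sip.conf)
if [ "$#" -gt 0 ]; then
    for e in "$@"; do quarantine_extension "$e"; done
fi
```

With no arguments the script only defines the functions, so it can be sourced or its parsers checked against the embedded samples (`sample_peer_ip` yields 203.0.113.45 and `sample_peer_channels` lists the two SIP/200- channels but not SIP/2001-). On a realtime setup the peer may also need `sip prune realtime peer <ext>` before the reload is honoured; that step is not included here.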
Once things are under control, contact the users of these extensions and tell them that their SIP secrets have been changed. Tell them to be careful with their SIP secrets, as their extensions were compromised. As good practice, use really long and hard-to-guess secrets; I suggest 20-character random alphanumeric secrets. Since attackers usually find valid extension numbers by scanning, it is also worth setting alwaysauthreject=yes in the [general] section of sip.conf, so that a wrong username gets the same rejection as a wrong password, and restricting each peer with permit/deny to the addresses it should be registering from wherever that is possible.