The World of VoIP, Asterisk and Linux

There are various types of malicious hacks on Linux systems. When dealing with Asterisk server, most common one is that of registering a SIP extension from a hacker’s machine and use it to make expensive international calls. This is financially the most damaging and can easily costs in thousands of dollars in a few hours. Unfortunately by the time an admin finds out about it, few hours have already passed, meaning the company has incurred a loss of a few thousand dollars.

To have something like Fail2Ban is a must to avoid this situation. Instructions about it I have in another blog here.

In this blog I am going to suggest what an asterisk system admin should do once his server is hacked, and he has become aware of it. I assume that you do have iptables or some sort of firewall installed. How you become aware of a hack depends upon your understanding of your system. You should know regular call patterns on your server. Hackers start sending tens of calls per second, which is clearly visible both from the asterisk CLI and the CDR. For example if a hacker is trying to call the UK, you’ll see calls with multiple prefixes, e.g. 001144, 0044, 01144, 1144, and so on. The way calls are made makes it very clear that somebody is trying to guess the dial out pattern from your asterisk server.

Another symptom of a hacked server is that genuine extensions go offline and your users can’t make calls. This is because the hackers usually put so much load on the server that Asterisk can’t keep up with the users registrations and can’t serve their requests to make calls.

When you find out that your asterisk is hacked, without panicking, start working on two things: 1) Find out the extension(s) which are being used by the hackers and 2) find out the IP address(es) involved in making these calls. This will take only a few minutes. If you can afford, you can stop the asterisk server using command ‘stop now’ but it’ll also affect your genuine users, so better not do it. You don’t need to give them impression that your service can interrupt their calls, and also don’t need to tell them that your server was hacked, as it will make your customers feel insecure.

To find out which extensions were making these calls, there are various ways to do it, one of which could be to go in to asterisk CLI and look for the active channels:

asterisk -vvvr
set verbose 0
show channels

I set verbose to zero to get an empty screen, otherwise fast scrolling messages will make it impossible to see the output of any command.

By simply looking at the output of ‘show channels’ you should be able to figure out which extension(s) are making suspicious calls. Usually it is one extension which has a lot of international calls attached to it, which obviously a genuine user can’t do. Lets say you figure out that it is extensions 200 and 201.

Now go to your sip.conf or [...]

Security of a Asterisk based VoIP server is absolutely necessary when putting it into production. There is an unlimited number of hackers who are all the time looking for insecure Asterisk servers, and once they hack into one, they waste no time to compromise it for making expensive phone calls. It takes merely a few minutes to generate enough calls to cause a few hundred dollars worth of damage to the owner of a compromised server. Usually it takes a few hours before the owner of the server notices that something fishy is going on, but by that time the loss can already be a few thousand dollars.

There are various measures to secure a Linux server. As for the Asterisk part, international calling and expensive destinations MUST be disabled for all the new users by default, and only trusted users should be allowed to dial these destinations. This way even if such a server is compromised, the loss will be minimal.

Here we’ll discuss how to use Linux’s built-in firewall, which is called iptables, to secure a Linux server.

You should know that TCP/IP networks are very innocent and assume other people in the world are also equally innocent, and so they are not aware of bad hackers, criminals and similar inhabitants of the world. They welcome all the network traffic with open heart and offer them the best hospitality which they can.

This means that all the Linux servers are wide open to the network traffic by default and their network connections are completely insecure. They accept all the traffic on all the ports from all the IP addresses, and respond to all the requests.

Blocking access for all except for the selected ones

If the server doesn’t need to be accessed by everybody and only a selected few IPs or networks should be able to access it, then the first step should be to block ALL the network traffic. This must be done while logged onto the server locally, and not remotely, otherwise you would block your own self too.

iptables -P INPUT DROP

Next, allow the IP addresses which you would like to access the server, e.g. to give access to google.com at 173.194.32.104 do this:

iptables -I INPUT -s 173.194.32.104 -j ACCEPT

If you don’t have access to the server locally, and you are logged in via ssh or telnet, then you can do the following:

iptables -A INPUT -s ! 173.194.32.104 -j DROP

This will drop all incoming network traffic except from the given IP address. But be careful when using this command, because a mistake in the IP address will lock you out from the system.

If you want to allow your local network to access the server, and network address is 192.168.1.0 with netmask of 255.255.255.0, do this:

iptables -I INPUT -i eth1 -s 192.168.1.0/24 -j ACCEPT

If you have multiple network interfaces and you want to apply iptables rules to only selected one(s), do it like this, e.g. for eth0 it’ll be:

iptables -I INPUT -i eth0 -s 173.194.32.104 -j ACCEPT

Blocking access for SIP [...]