Our company uses a distributed development model: the company network links several offices and remote developers in Belarus and Russia. We run a telephone network built on the Asterisk 1.6 software PBX (CentOS 5.5), with connections over VPN and over public ("white") IP addresses.
Not long ago, or rather in January 2011, we discovered that calls from numbers 8102526 ... and so on were coming to the office, and after some time all the lines on one of the gateways were fully occupied; it was simply impossible to reach us. When I saw what was happening with the gateway, my surprise knew no bounds ... The Asterisk logs held not even a hint of any load or calls, yet the gateway was calling Honduras, Zimbabwe, Afghanistan and so on, on “black” “Somali” business. The gateway worked through an external IP and the connection to it was protected with a password, but changing the passwords did not stop the pirates from stealing phone traffic ...
In summary:
D-Link 6004s gateway (and, as it turned out later, not only this one): even with password access configured on the trunks (lines), it happily accepts an “Invite” on port 5060 and places calls to any country and any number ...
Calls to 810 were disabled on the gateway, the gateway itself was hidden behind NAT, and until March we thought all was well ...
But behind one of the NATs in a remote office there was a D-Link 7111s, which lets you connect one phone and one phone line. Our “Somali friends” got around the NAT and continued their business at our expense ...
Findings:
Firstly, monitor any equipment that could cause damage, such as VoIP. Thank God, the gateways were captured for just a few days, and the damage could have been significantly greater (hacking in January + hacking in March = $1000, and this is in 5 days).
Secondly, NAT by itself does not protect you ... a VPN might, but if an outsider gains access to it, or a trojan gets in, it will not protect you either.
Thirdly:
- D-Link and Linksys gateways (acquaintances of ours were hit for $10K and even tried to sue Linksys, to no avail) accept an Invite on port 5060 by default, so any “guest” can initiate a call; all it takes is an ordinary IP phone ...
- To rest easy, it is better to order the telephone operator's “barring of certain types of communication” service and switch off international, mobile and other expensive calls. The best defense is the physical inability to make such calls.
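Since the Asterisk logs showed nothing while the gateway accepted “Invite” on port 5060 directly, the monitoring from the first conclusion has to look at the SIP traffic reaching the gateway itself. The sketch below is an added example, not code from the original post: it assumes SIP messages captured on port 5060 are available as (source IP, message text) pairs, and the trusted PBX address, sample addresses and sample numbers are constructed.

```python
import re

# Assumptions (not from the post): the PBX address and SAMPLE traffic are constructed.
TRUSTED_PEERS = {"10.8.0.10"}      # hypothetical Asterisk address on the VPN
BLOCKED_PREFIXES = ("810",)        # international prefix the post says was being dialled

REQUEST_LINE = re.compile(r"^INVITE\s+sips?:([^@;>\s]+)@\S+\s+SIP/2\.0", re.I)

def parse_invite(raw):
    """Return the dialled user part if raw is a SIP INVITE, otherwise None."""
    lines = raw.lstrip().splitlines()
    if not lines:
        return None
    match = REQUEST_LINE.match(lines[0])
    return match.group(1) if match else None

def audit(packets):
    """Flag INVITEs from unknown peers or towards barred prefixes."""
    alerts = []
    for src, raw in packets:
        number = parse_invite(raw)
        if number is None:
            continue                       # not an INVITE: no call is being set up
        reasons = []
        if src not in TRUSTED_PEERS:
            reasons.append("untrusted-source")
        digits = re.sub(r"\D", "", number)  # ignore '+', '-' and similar
        if digits.startswith(BLOCKED_PREFIXES):
            reasons.append("international-prefix")
        if reasons:
            alerts.append({"src": src, "number": number, "reasons": reasons})
    return alerts

# Constructed sample traffic (documentation address ranges, placeholder numbers).
SAMPLE = [
    ("10.8.0.10", "INVITE sip:5550100@192.0.2.20 SIP/2.0\r\nCSeq: 1 INVITE\r\n\r\n"),
    ("203.0.113.7", "INVITE sip:8100000000000@192.0.2.20:5060 SIP/2.0\r\n\r\n"),
    ("203.0.113.9", "OPTIONS sip:100@192.0.2.20 SIP/2.0\r\n\r\n"),
    ("198.51.100.4", "INVITE sip:5550101@192.0.2.20 SIP/2.0\r\n\r\n"),
]

if __name__ == "__main__":
    for alert in audit(SAMPLE):
        print(alert)
```

An “untrusted-source” alert on its own already means the gateway is reachable by someone other than the PBX, which is the condition both break-ins depended on.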