VCCS Telecom

Linux and SIP hack attempts are all too common. There are dozens of stories out there including a client of mine that incurred $18,000 in losses. Here are a few tips on securing your IP-PBX Phone System.

1) Make sure all passwords are changed from the defaults immediately.

Root:
> passwd

Mysql:
mysql asterisk --execute="UPDATE mysql.user SET Password=PASSWORD('XXXX') WHERE User='root';"
mysql asterisk --execute="FLUSH PRIVILEGES;"

- Don’t forget the Admin passwords if any through the Admin GUI.

- Only login with a standard user account and use “sudo” when needed.

- Consider changing the SSH port to something other than 21

- Use Complex SIP Passwords for Extensions and Trunks!

2) If using VoIP -

- Use IP AUTHENTICATION with your SIP Provider!! Avoid registrations with passwords at ALL costs if you can!
- Instead of using a registration string use “Qualify=yes”.

3) Things to notice in your CLI: "Pinball activity”.

Multiple Messages such as "wrong password for ext xx" or "attempting to register but host is not dynamic" etc. Basically random messages with IP’s that you do not recognize. Don’t confuse them with your remote agents though! Use IPtables to block malicious IPs.

iptables -A INPUT -s x.x.x.x -j DROP (add blocked IP)

(CentOS)

> /etc/init.d/iptables save (save settings)

(Debian)
To allow ONLY specific IPs

iptables -A INPUT -s “friendlyip.1” -j ACCEPT

iptables -A INPUT -s “friendly.ip.2” -j ACCEPT

iptables -A INPUT -s 127.0.0.1 -j ACCEPT # yes, accept connections from localhost.

Save--
iptables -A INPUT -s 0/0 -j DROP

- Don’t forget your remote IP if needed and your ISP/Router/Gateway.

4) There are more root password hack attempts than SIP registration hacks due to linux hack attempts versus targeted SIP hack attempts. Lock down remote SSH wrong password attempts.

1. Open /etc/pam.d/sshd in a text editor.

2. Right before @include common-auth, add the following on its own line:

auth required pam_tally.so deny=3 unlock_time=120

3. Right before @include common-account, add the following on its own line:

account required pam_tally.so reset

- See also: /var/log/auth.log and /var/mail/root for unauthorized access and attempts.

5) Disable un-needed services such as FTP, TFTP, and any other remote access services not needed.

6) Install Fail2Ban - Scans log files like /var/log/pwdfail or /var/log/apache/error_log and bans IPs that make too many password failures. It also updates firewall rules to reject the IP addresses.

7) Restrict Default Access -
1) Bind your mysql server to localhost. To do this you need to edit /etc/my.cnf and set "bind_address=127.0.0.1"
2) Enable host based access on your httpd.conf. If you are using the apache server on your local network only, it would be wise to do a bind address to the local network interface

8) Asterisk Based -
1) Edit /etc/asterisk/manager.conf and change 0.0.0.0 to 127.0.0.1
2) Ensure "allowtransfer=no" in /etc/asterisk/sip.conf

Good luck and safe calling!

Download pdf version