Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

IP Office Security / Hacking

Status
Not open for further replies.

bm97ppc

Programmer
Apr 24, 2004
43
GB
OK Our SIP provided Disabled our account last night on the grounds of Fraud, fair enough. So I check the Call log at the provider and 2 call showed 15 Mins before the email from the provider, both to +38 (not made by us). So 10 points to Voiceflex for the rapid intervention.

Anyway, I want some other view point on security. I will be the first to admit I am a bit slack with security on our own and our customers systems on the bias I don't believe there to be a threat in our setup, but I more than willing to be corrected. I hear more and more about SIP Fraud all the time so I’m concerned that I’m missing something especially given the above although I am suspicious of the above in that It didn’t take place via our PBX but via a direct registration from a US IP.

Our Setup
All PBXs sit behind a firewall (Sonicwall).
The number of ports open varies a bit as this seems to be a bit hit and miss with the various Sonicwall Firmware’s and to a lesser degree IP software level and the combination of the 2. Some require none and NAT takes care of it all others I have needed to open 49152 - 53246 and 5060 for some to work. The UDP timeout is also extended >15 mins in relation to traffic to and from IP of PBX.
No users have Dialin enabled.
none of the User/security accounts have been changed / disabled and are all default.
with exceptions to ours, no customers PBX allow external SIP registrations.

We have a site to site VPN using the Sonicwalls to all customer sites, so remote management takes place over VPN or actually on site.

I consider the Customers & our LANs to be secure though various IPS and other systems in place. I relies leaving the Account defaults in place is a risk but as most of our customers barely know how to use Word and none have Manager installed. They are all small customers 1 – 20 users and I know every single one of them at every site and there technical abilities. We are notified of any 3rd parties on site.

So, Have I overlooked something above?
A side from plugging into the LAN is there any way to remotely manage the IP office if Dialin is not enabled for any user?
If you did have access to the IP Office could you read the detail of the SIP trunk (the password).

As the fraud originated from a US IP I can only assume our SIP Trunk info has been compromised and not our PBX or if it has it has been used to reveal the SIP trunk info.

 
Hi!

Let me guess, they dialled +38166604xxxx?

First of all, yes, you can connect manager to the IPO if there is a routing allowing it and the ports are open.
Look for 0.0.0.0 on LAN2 (or the LAN 1, if that's where you get your SIP Trunk in). Easy way to discover: SSA> IP routes.
A 0.0.0.0 should be pointed to an inside unused address.
Same thing on the Sonicwall, is everyone invited to the party?

Change any default passwords and disable accounts that are not in use. Don't forget the security account!

If your system was used to make the calls, you probably have auto create extn enabled (there are more than 1 place you enable that).
Look in your config, you would most likely find a massive increase of extn and users like EXTN2345.

Would not hurt to enable the internal firewall on the IPO LAN2 either, but it's not a top notch firewall, so use it as a second barrier.

Kind regards

Gunnar
__________________________________________________________________
Hippos have bad eyesight, but considering their weight, it’s hardly their problem

2cnvimggcac8ua2fg.jpg
 
LAN 2 is never connected, it is all NAT through LAN1 and the Sonicwall. How does this allow Manager access? Or could you describe how I could test for this from the WAN. There is no Route so i don't see how it is possible but again willing to be enlightened. Am I correct in thinking that with no users with Dialin checked that remote access via a Trunk is not possible?

There has been no additional extensions created, and as mentioned I believe the fraud calls were made not via the IP Office but using another PBX based in the US. So somehow the SIP Trunk details have be Compromised and I can only think of 4 Way for that:

1) Brut force Attack on provider.
2) I / We disclosed the detail to someone either knowingly or or unknowingly.
3) The Provider has disclosed the detail to someone either knowingly or or unknowingly.
4) The Details have been revealed buy the IP Office.

I'm investigating 1 - 3 but assuming it is not any of them, that leaves 4. Now even if I had manager access to the IP Office the SIP Credentials are ***** so is there another way to get them?





 
If the call log was at the provider level, and not the PBX level, someone used your credentials to make a call. They just brute forced the password. It is not hard to do if you know a providers common password scheme. Typically, they give you a registration name, and password, you don't make it up yourself. Your provider (if it's a good one) should have a log of all registration attempts on your account, and should see the IP(s) that the calls come from. Registration is handy, but if someone knows your password, it opens the flood gates. You need to have them lock down registration to your wan IP, as well.

-Austin
ACE: Implement IP Office
qrcode.png
 
I have noted that the Provider now allows you to Lock down the registration to a WAN IP which I will be implmenting for all of our SIP Connected PBXs ASAP.

I will check with the provider for any auth logs, but I suspect they will not be avalible.
 
You're welcome[smile]

...add that credentials you can get from the config, so check if you can access it with Manager/Monitor from the outside.

But, probably it happened like Austin described.

Your provider caught it after 2 calls, 15 minutes.
They must have had that number in their fraud database, nobody is that quick:)

BTW, +38 is either Balkan countries or Ukraine, depending on the 3rd digit.

Kind regards

Gunnar
__________________________________________________________________
Hippos have bad eyesight, but considering their weight, it’s hardly their problem

2cnvimggcac8ua2fg.jpg
 

That was my thinking, They did seem to be very quick to pick it up. We make sure the Daily call Limit is set on all our accounts to limit exposure (£30 for us before account in disabled). There email pretty much blamed our PBX setup but my conclusion was as AAcon. Here is the call log:

+381680895681 05/12/2013 16:22:29 8******2 11 4 £0.02
+381680988768 05/12/2013 16:22:44 8******2 16 8 £0.035

So a 4 & 8 second call, that was a very quick intervention and does seem a bit fishy, but the purpose of the post was check I have not overlooked anything.

I have tested Manager & Monitor and there is no access to the 3 customer via the WAN so seem secure, I will test more but 3 seemed prove a point. I realise the risk of the default accounts but only last week I was very grateful they were there as randomly one IPO would allow me monitor access but no Manager access, I had to use one of the default account to create a new login to let me in. after I resaved the config it was all back to normal weird!!! That could have been a lot harder with all the accounts removed.



 
That's Beograd, Serbia. unlisted number.

Impossible to say if you have done everything right, but it seems like you are pretty safe on the IPO side.

Do you have any reporting tools like Chronicall installed? If not, you could activate logging on your Monitor.
Nice to show your provider if it happens again and it didn't originate in your system.

Kind regards

Gunnar
__________________________________________________________________
Hippos have bad eyesight, but considering their weight, it’s hardly their problem

2cnvimggcac8ua2fg.jpg
 
I have had the same issue but with VOIP Unlimited. It has happened to 3 different customers. I have changed the passwords on the system disabled all the unused accounts and turned DOS on the Draytek routers.

My advise to all would be make sure you don't leave any unused accounts enabled and change the passwords on the accounts you do. (the same as what Gunnaro said.)

make sure that the routers don't leave themselves open to attacks. Enable firewall and DOS if possible.

If anyone can give me anymore info on how they are getting the passwords a would be happy.

logo.jpg
 
Dear All,

I have had a couple of customers that have had there SIP accounts hacked. It has taken me a while but I think I know how they did it.

They are using the external IP address to get to the system (maybe by Nat/port forwarding.) They are logging into manager using any default accounts that have been left enabled and passwords not changed.
e.g. Operator or Manager users.

I hear you say that is impossible as when you log in as Manager or Operator you cant get to the SIP username and password as it is grey out. And yes you are correct. BUT if you go to import/export and export the config, the username and password for the SIP is all there. (Column BO)

The moral of the story is to make sure all accounts not used are disabled or passwords changed.

I can hear you all saying holy S**T and logging into all systems that have accounts enabled and default passwords and changing them.

Many thanks!

logo.jpg
 
The most important step
Do not allow direct access to the IPO from the internet.
remote access should be either from an ISDN dialup account with secure username & password(you are changing the default for remote manager arnt you?) preferably restricted to known CLI's where possible or through a VPN connection, again restricted to specified source IP addresses where practical.

A Maintenance contract is essential, not a Luxury.
Do things on the cheap & it will cost you dear
 
Thanks Blow83 that is useful to know.

I also found something useful in System Status App > Resources > Control Unit Audit there is a full log of all Changes to config and failed logins with the IP they came from and the username of logged on user. That might help some identify if they have been attacked. Unfortunately it does not show successful logons only changes. But if you have changed the default accounts then it would highlight failed attempts and where they came from.

Regards

Piers
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top