Elastix Security Guide Version 2 -2014

8/9/2019 Elastix Security Guide Version 2 -2014

1/26

Disclaimer: Your use of this guide is subject to the following conditions:

* Your application of these notes are entirely at your own risk.

* While tested in a Lab environment, know nothing of your environment and may be totally unsuitable.

* You will not hold myself or any company am associated with responsible for any damages arising from these notes. t is up to you to verify this

documents claims or comments and test in your environment to its suitability.

!lasti" #uide:

!lasti" $ecurity #uide %&.' (&')+

Title !lasti" $ecurity #uide %&.' (&')+

Author ob -ryer

Date Written / Last Modified &//&')

Revision &.'

Replaces Document !lasti" $ecurity #uide %).' (&'))+

Tested on Elastix Version &.&0

Bac!ard "ompati#le 1eleased on !lasti" &.& 2 $ome applies to earlier versions

Elastix Level eginner to !"periencedLinux Level eginner

$et!or Level ntermediate to !"perienced

Latest Document %ource availa#le from www.elasti"connection.com

"redits 3/4

Licence #35 -6L


2/26






Contentsntroduction ............................................................................................................................................

$ecurity 2 4 big beat up77 ...................................................................................................................... 8

nternal vs !"ternal 4ttacks .................................................................................................................... 9

he asics ............................................................................................................................................... ;


3/26






Introduction

$ecurity is a very broad subject and rightly so. t is a very subjective topic as well, and to a certain degree it is

a subject that will never have a definitive end. hatBs why generally dismiss any book that claims to be a

6efinitive #uide to $ecurity. t is a constant living subject, with improvements, changes, retractions and evenchanges in thinking and direction every year.

here is also no subject like security that stirs up the emotions, especially when statements are made, as

everyone has their own views and ideas. he ideas in this guide are from my own personal e"perience mi"ed

with many years of research. can tell you that am active in this area, work in this area on a constant basis

and backed by over ' years of e"perience in the industry, not just the telephony industry.

$ecurity is also not going to be fi"ed by one device that fi"es everything. t is a set of tools, backed up by

procedures, and ultimately followed up by diligent, constant reviewing and monitoring. $ecurity is only as

good as the weakest link in the chain.

Likewise, following this document from start to finish is not going to full protect your system, as there is no

one document that can do this as every system and design is different. !very environment is different. 4ll

this document can do is to provide you with a basic understanding of the tools that you can use and how

they are used.

3o topic presented in this document should be relied on as complete protection for your !lasti" system.

ypically this document will raise a method and you should do your own research into the methodology to

confirm that it will work for you and as to what confidence you can place on its implementation.

Likewise, $ecurity is e"ponentially as you want to make it. You may be able to secure your system to cover9'G of your system using tools/products that you have and no further hardware, you may be able to cover

=?G of your system with a few hundred dollars, but to get to that ==G0, it could cost you thousands of

dollars, and you may still have that )G chance that someone gets through.

his guide will provide you with an introduction on tools and techniHues you can implement to cover that

9'G to =?G. his guide will describe some of the common techniHues that these intruders use as well as tips

and tricks to lessen the possibility of an intruder will make a successful intrusion into your system.

his document you are reading now is a second revision of this document. @ver three years since the original

was written, new vulnerabilities have been found, new techniHues are available and definitely more ways to

monitor are available. 4s stated at the start, it is a subject that will never have a definitive end.


4/26






When implementing security personally work on the basis of four layers which generally come down to the

basics which consist of

• &ire!all

Aost people know what mean here, and the prime security measure needs to e"ist on the

perimeter of your network. have no issue with it e"isting on your !lasti" system, especially as a

properly implemented Linu"


5/26






n this guide you will find that many of the techniHues and ideas implement these either all together or

across a range of implementations. 4s mentioned before, just implementing these ideas will not all of a

sudden make things secure. t is also a case of monitoring your system on a regular basis, investigating what

you see. Aany systems that are IhackedJ are generally not monitored, and if they had monitored on a

constant basis, they would have caught the issue before it moved to a full blown attack, especially as many

of these attacks normally have an investigation stage before they take control of your system.

@ne final thing, there are other measures that can be implemented and are discussed on the nternet,

particularly for pure 4sterisk systems. his document is mainly written around the !lasti" system which, with

a combination of -ree and !lasti" defaults have already implemented some of these measures which

they feel are important.

4s an e"ample, you mind find a document on using the from)sip)external conte"t as a default conte"t. his is

already implemented by -ree and you can confirm this yourself by e"ecuting %*+ %,'W %ETT*$-% under

the 4sterisk CL. his shows you most of the default settings for $


6/26






Security – A big beat up??

You might be wondering if this is all a big beat up, not worth the time. You might be having troubles

wondering if these scripts and hacks are real. Dave a look at this video on

http://enablesecurity.com/products/enablesecurityKvoippackKsipautohackKdemo/ .

his is a #5 tool they are using but it clearly shows how simple these tools are and how Huickly they can

determine a simple password setup.

3ow you are probably thinking, fine, can trace the address it has come from and prosecute them and get

my money back. hink again. Aany of these addresses that these attacks come from are from overseas, and

most of them have no formal legal processes in place that can be initiated. Aany of these attacks appear to

be coming from China, but what has really happened is that the hackers have compromised a server in China

and they are in a totally different country. hey know that the chance of you obtaining information from

Chinese authorities is just about nil.

Whilst we are looking at a #5 tool in the video from a company that makes tools that you can use to secure

your system, the rest of the hacking world has written their own tools. hese tools are faster and probably

even more cunning than what this company has written, which include 1andom word generators, number

generators, using common defaults, and includes looking for known e"ploits.

You might be thinking that they canBt make that many calls on your system, but what is actually occurring is

that they are selling your calls (basically known as oll -raud+. his can be done by calling cards that people

legitimately buy (particular in countries that are not effective to removing this type of issue+, and when they

ring the special number before making a call, it is ringing a hacked %o< that might connect to up to 'other hacked systems, and it tries each one until it has a trunk that works (for instance one or two might

be no longer available as their owners had found them attacked+. o the calling card customer, they just

notice a longer than normal delay, which is not uncommon with international calls.

$till donBt believe !lasti" systems are on the radar, look at the list of features in the %o


7/26






Internal vs External Attacks

@ne of the most common mistakes that many people make is concentrating on e"ternal attacks to the

system (in other words direct attacks from the nternet to their !lasti" system. $ure this is the most common

and in all probability, this is where you should concentrate your resources on.

Dowever there is the possibility that the attack may come from internally. 3ow youBre probably thinking

most people in the company are not capable of such acts as no one has the technical ability and you could

be right, however two scenarios are possible, maybe more.

he first scenario is the possibility that someone downloads a rojan that they install on their workstation

which came with dodgy copy of a soft phone or even a soft phone app for a $martphone (which are

becoming a dime a doMen nowadays+. t could even be one of your level ) technicians trying to do the right

thing and use their initiative. 5nbeknownst to them, it installed a rojan that reports back the e"tension and

password that he entered into the soft phone. he hackers have their first entry point into your system.$eparate to this, it now has the < address of the !lasti" and commences a dictionary attack on the .

-urther in this document, talk about 46$L allowing 'K?' registrations a second, but with a )#b connection

to the , they are now reaching &''K'' registrations a second, it means that they can really move

through hundreds of thousands of passwords in a hour. he chances are high that this rojan can guess

some of your simple passwords.

his may sound like tinKfoil hat type of scenario, but it is possible, in fact wrote a windows application with

no visible #5 that e"ecuted and performed a dictionary attack to show proof of concept. did not continue

with it, as it was meant for a presentation, but run short on time to present it.

he second scenario is a lot more possible and is a common way to attack systems particularly for the more

sophisticated hacker. 4s mentioned before, the security on your system is only as good as your weakest

link. 3ow the attack on your system could come from another server in your organisation. magine this

scenario, you have just had another server installed in your network that has access to the outside world.

his server may have been installed by another third party company that has specific reHuirements, which

includes their access remotely to up keep the server. his server is important to the business as it is a major

part of their business (e.g. this might be a new


8/26






The Basics

efore we move any further forward...letBs cover a few basic mistakes that many users make (Bve made

them as well+. hese are items that can immediately improve the security of your system, and should be the

first items that you tackle.

Passords or Secrets


9/26






t is not the just the possibility of being hacked, but also the possible impact on your !lasti" system and your

network. have seen routers that have not been able to handle the voraciousness of the attack and to the

3etwork manager, it looks like either his/her nternet or 1outer has failed. De reboots his/her router, it

works for &' minutes and it happens all again. Likewise, it almost makes %o< trunks useless as the

communications is so broken up, or the packet loss makes it sound like static is on the line.

$o far have been speaking about passwords, and in most cases they apply to the e"tension

passwords/secrets, however, this same rule needs to apply to your runks either to your %oice


10/26






configuration file e"amples+, and find that turning on 4LL@W 43@3YA@5$ $< is the only way to get it

working. he goes for some of the %$< $etups as well. hey donBt employ any authentication (or even simple

host < authentication+, and as such, the only way to get the connection working is again turning it on. 4

Huick rule is that not all %$


11/26






#i"it installing additional products on your Elastix syste"

@ne of the biggest issues see with !lasti" systems is the disregard for security by implementing products on

the !lasti" system that compromise security, or even if it is not the product itself, then the product allows

the user to compromise security without knowing it.

have come across an !lasti" system where the system owner had decided to use the !lasti" $erver as an

-< $erver as well. $omeone installed -< and configured it. What occurred was someone used a well known

e"ploit of that -< $erver to give themselves root access to the entire system. 3ot only did they get root

access, but they installed a hackers toolkit onto the system. 5nbeknownst to the !lasti" owner, their system

spent many months searching for other systems to hack, reporting back to an 1C channel with any

system that it hacked with all the details. n the meantime, the reliability of their suffered and as did

their internet connection (and they got charged for e"cess nternet+. heir


12/26






$se the Per"it%&eny options in 'reePB(%$ne"bedded 'reePB()

5nder the e"tensions configuration in !lasti" you will see this screen.

4s you can see, you have the ability to add the range of < addresses that you will allow the phones to

connect from. he 6!3Y line as it is set above disallows all addresses (classic deny all then allow specific+.

he permit line is set to allow only a $< device the local network to connect to this e"tension.

he same goes for access to the 4sterisk Aanagement nterface (4A+ which is set by the 4sterisk 4


13/26






Peri"eter 'ireall % *outer

!lasti" has an inbuilt -irewall based on Linu" (


14/26






he number of people who have good intentions of setting up a -irewalled !lasti" system, but ending up

opening their router/firewall to get their !lasti" system working reliably. 4nd it happens this way because

their ItestedJ system went into production, and a day or so later (sometimes the same day+, started

dropping calls or worse still not receiving calls at certain times of the day. his is generally attributed to

being forced to setup of


15/26






can do what you like inside your network knowing that the perimeter firewall is in place and unchanged,

protecting you at all times.

4lternatively if you cannot implement a perimeter firewall, wait for !lasti" &.' which has a #5 ased

firewall based on


16/26






http://blog.sipvicious.org/&'';/'&/detectingKsipKattacksKwithKsnort.html . his one is a bit old now and may

actually be in the standard rules, but it gives you an idea on how e"tensible the $nort 6$ system is.

Elastix 'ireall

4s of !lasti" &.', !lasti" has a #5 ased < ables -irewall. Aany commercial -irewall products rely on <

ables as the basis of their firewall, and the developers have done a great job of implementing an < ables

firewall with a very nice looking Web ased #5.


17/26






f you canBt wait for the !lasti" -irewall product, then you can implement this same security by using


18/26






With -ail&an, it monitors the number of failed authentications from a particular < address. f the failed

authentication attempts matches the number set as part of the -ail&an configuration, then it blocks that <

address for a preset time. his generally causes these $cript Eiddies to look for another system to attempt to

break into. Likewise these dictionary attacks mean that they only manage to try three login/passwords every

)' minutes, instead of 'K?' per second on a system without -ail&ban. he chances of someone successfully

guessing your login and passwords on your system are greatly diminished.

-ail&ban works in conjunction with


19/26






.ther Security /easures

$tilising 0P12s here possible especially !or re"ote Phones

Aore and more -irewall/1outers have the capability to act as a %

system from attack.

Changing the de!ault port !or SS3

@ne of the most common areas targeted for attack is !lasti" systems with


20/26






$tilising 0P12s here possible especially !or re"ote Phones

Aore and more -irewall/1outers have the capability to act as a %

system from attack.

Adding a PI1 Code !or all outbound International Calls

Fuite often, depending on the business type, you will find that the business will not make a lot of

international calls.


21/26






Port 4nocking

n !lasti" &. a


22/26






/onitoring

0oice Provider Call 5uota2s

Whilst this topic straddles the headings of $ecurity and Aonitoring, it actually is very important as it is one

measure that could ultimately save you a large amount of money should your security measures let you

down.

@ne of the more recent changes, especially as %oice


23/26






/onitoring #ogs

-or many !lasti" users, once they have implemented their firewall or other security measures, they sit back

believing everything is covered. hey might have spent a day monitoring it to make sure no mistakes have

been done, but after that, it does not get a thought until something goes wrong, or appears to be going

wrong, or they had a laMy afternoon and decided to have a look.

Like backup systems, you canBt just assume that the backup is working, only to find out when you need it

most, that the backups havenBt been working for several weeks. he monitoring of your !lasti" is just as

important

You need to set a regular procedure to check the logs to monitor for these possible attacks. t wonBt take

long, but you need to do it regularly.

@ne of the log files that you need to review on a regular basis is found at

/var/lo(/secure

he above e"ample shows someone attempting to break into the system via $$D. You can see the users

names that they are trying, and this case they are trying common user names using on 5ni"/Linu" systems.

You will find the archived logs named secure.), secure.& and so on. f your system is under heavy attack from

one of these $cript Eiddies, then you may find that these archived files may contain attack attempts just

from the one day.

4nother file to check regularly is

/var/lo(/audit/auditlo(

his shows the login successes and failures. his is basically the Linu" audit system. You mainly are looking

for unusual login failures which will give you an idea that your system is under attack.

/var/lo(/asteris/full

his is the main asterisk log containing all the information about phone registrations, calls and call flows

amongst much more information. t would be impossible to read these logs line by line, but using IlessJ as


24/26






your viewer, you can search for phrases such as IRegistration”, “Forbidden”, “failed”. You could write an

automated script to look for these or just perform a check every few weeks. Doing this will provide an

indication that someone is attempting to hack your system. Very rarely will an attacker be able to access your

system immediately (unless your system is very insecure), so quite often a successful hack is usually

perpetrated over several days or even weeks. When you start seeing these entries in your logs, you know you

need to look at your security in general and commence security improvements to stop them even trying.

$tilising the ne Asterisk Security #ogging

-rom 4sterisk ).;, there is a new feature which provides a new security feature (thank you for $andro #auci

from !nable $ecurity for originally raising my interest in this new feature+.

t can be enabled by editing the /etc/asterisk/logger.conf (@n !lasti" &. systems+

full TS notice,warning,error,debug,verbose;securit5

and adding the securit5 at the end

or on !lasti" &.?, (-ree


25/26






-ail&ban can make use of this security logging, in fact if you look at any guides on -ail&an, make sure that it

mentions for asterisk ).; onwards as there are some major changes so that it reads these new logs.

/onitoring So!tare

have spoken previously about looking at a %oice $ervice


26/26




* Y ill t h ld lf i t d ith ibl f d i i f th t t i t t if thi

Trade"arks used in this docu"ent

Elastix 2 !lasti" is a trademark of

Documents

Elastix Security Guide Version 2 -2014