Asterisk Stability & Security

Protect your investment
Introduction
- What if the server goes down?
- What if someone hacks into your 8 E1 Asterisk server and makes calls to Inmarsat?
- Inmarsat: 5 euro / min. In 24 hours, on 8 E1s: 1728000 euro
Overview
- Asterisk Performance Update
- Asterisk Stability
- Asterisk Security
- Asterisk Monitoring
Asterisk Performance Update

Updates since Astricon 2004:
- Smaller memory footprint
- Fewer file descriptors used
- Memory leaks found / removed
- Fewer RTP ports opened
- Codec optimizations (especially Speex)
- Hardware echo canceller
- FastAGI
- Realtime
- Remote MOH
- ds3000 / te411p
- Channel walk optimization
Astertest Testlab
Astertest Cables
Overview
- Asterisk Performance Update
- Asterisk Stability
- Asterisk server monitoring
- Asterisk Security
Asterisk Stability
- Hardware reliability
- Software stability
Asterisk Stability - Hardware Reliability
- What is the cost of having no PBX service for your company?
- What if you are an ISP and your customers can't dial out?
Asterisk Stability - Hardware Reliability
- What if you experience:
  - a power outage?
  - a broken HD?
  - a broken Zaptel card?
  - a broken server?
  - no Internet connectivity?
Asterisk Stability - Hardware Reliability
- Power outage:
- Traditional phones are self powered.
  Solution: use a UPS to power the (PoE) phones, the switches, PBX, modem, router, ...
- If you have a low power PBX, the phone system could run for hours on a small UPS.
- Don't use Ethernet over power for mission critical phone lines.
Asterisk Stability - Hardware Reliability
- A broken HD?
- Use RAID > 0.
- SCSI has a longer mean time to failure.
- Flash disks, realtime, netboot, live CDs.
Asterisk Stability - Hardware Reliability
- A broken Zaptel card or a broken server?
- Make sure you have a replacement (maybe even hot standby) with all the modules you need, jumpers already set, ...
Asterisk Stability - Hardware Reliability
- No Internet connectivity?
- Spare router / modem / switch?
- Failover Internet connection?
- Failover to / from PSTN?
Label all cables!!
Asterisk Stability / Quality Updates
Software related since Astricon '04
- Real CVS-stable / CVS-head (Thanks Russell!)
- Major cleanups / code audits.
- New h323 channel coming (chan_ooh323)
- Packet Loss Concealment
- IAX2 / SIP jitter buffer (mantis 3854)
- A lot of libpri, chan_sip, chan_h323 changes for better compatibility / stability.
- DUNDi (easier load balancing with round robin DNS)
- OSP
- Kernel 2.6.11.x
Changes in hardware reliability
- New Zaptel hardware (te411p, te4xxp, TDM, IAXy2, ...).
- New drivers with a lot of bug fixes and optimizations.
- End of life for x100p and Tormenta cards.
- Hardware echo cancellers -> lower CPU load -> more calls it can handle before Asterisk turns unstable.
* reliability / stability recommendations
- Use decent but not exotic hardware.
- Put Zaptel on a different PCI bus than NICs and video cards.
- Read tutorials on interrupts, APIC and other common problems.
- Load test your setup.
- Design a failover system.
- Don't load unused modules (noload in modules.conf).
- Use Zaptel cards with recent firmware.
* reliability / stability recommendations
- Use a stable Asterisk version.
- Take a common OS -> Linux.
- Test software upgrades in a test lab.
- Stay away from experimental Asterisk modules -> h323, skinny.
- Don't patch production Asterisk servers.
- Keep your old Asterisk binaries after an upgrade for easy restore of known working versions.
Overview
- Asterisk Performance Update
- Asterisk Stability
- Asterisk server monitoring
- Asterisk Security
Asterisk server monitoring
- NAGIOS
  - http://karlsbakk.net/asterisk/
  - http://megaglobal.net/docs/asterisk/html/asteriskmonitor.html
- Argus: http://argus.tcp4me.com/
- SNMP: http://www.faino.it/en/asterisk.html
Overview
- Asterisk Performance Update
- Asterisk Stability
- Asterisk server monitoring
- Asterisk Security
Asterisk Security
- Asterisk configuration stupidity
- Asterisk hardening
- Privacy protection
Asterisk Configuration Stupidity
- Dial plan security
- sip.conf
- iax2.conf
- manager.conf
- Billing problems
Dial plan security
- Extension hopping
- CallerID based protections
- _.
- Demo context
- User access to the dial plan
- Be careful with the default context
- Limit simultaneous calls
Extension hopping
- The user can reach ANY extension in the current context:
[internal]
exten => intro,1,Background(question)
exten => 1,1,Goto(spanish,s,1)
exten => 2,1,Goto(english,s,1)
; a caller sitting in this menu can also dial any 2+ digit number straight out on ZAP/g1
exten => _XX.,1,Dial(ZAP/g1/${EXTEN})
CallerID based protection
exten => _X.,1,GotoIf($["${CALLERIDNUM}"="32134"]?3)
exten => _X.,2,Hangup()
exten => _X.,3,Dial(${EXTEN})
- When the CallerID is not explicitly defined for each user/channel in zapata.conf, sip.conf, iax.conf, the user can choose his own CallerID!
Inappropriate use of _.
- _. would match EVERYTHING! (also fax, hang up, invalid, timeout, ...)
Example:
exten => _.,1,Playback(blah)
exten => _.,2,Hangup()
- Causing a FAST LOOP.
(changed in CVS-head)
demo context
- Not a real security risk
- But... someone might play with your system and use up your bandwidth, make prank calls to Digium, make Mark Spencer very unhappy and cause him to introduce you to a very big shotgun...
User access to the dialplan
- AMP and other GUIs might allow the ISP's user to change a dial plan in his own context. E.g.: hosted PBXs
- Goto / GotoIf / Dial(Local/...) -> context hopping.
- System -> could do anything
Default context
- Example:
[default]
include => outgoing
include => internal
OH OH OH, guest calls will go to the default context!!!!!
Context usage:
- A call has two legs; the context used is the context defined for that user/channel in the config file for that protocol.
E.g.:
- Zap to SIP call: context set in zapata.conf is used
- SIP to IAX2 call: context in sip.conf is used
Context usage:
- In sip.conf, zapata.conf, iax2.conf, ... a default context is defined. If there is no specific context setting for this channel or user, then the default context is used!
Limit simultaneous calls
Sometimes you don't want a user to make multiple simultaneous calls.
E.g.: prepay / calling cards
Solution: SetGroup, CheckGroup (don't trust incominglimit.)
exten => s,1,SetGroup(${CALLERIDNUM})
exten => s,2,CheckGroup(1)
Only good if the CallerID cannot be spoofed!!!!
Consider using accountcode for this.
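As an added example (not part of the original slides), a small audit script for the dial plan mistakes above: the `_.` catch-all, an outbound context reachable from `[default]` by guests, and a `Dial()` gated only on CallerID. The sample extensions.conf fragment is constructed for the demonstration.

```python
import re
from collections import defaultdict

# Constructed extensions.conf fragment combining the risky patterns from the slides.
SAMPLE = """
[default]
include => outgoing
include => internal

[outgoing]
exten => _9X.,1,Dial(ZAP/g1/${EXTEN:1})

[internal]
exten => _X.,1,GotoIf($["${CALLERIDNUM}"="32134"]?3)
exten => _X.,2,Hangup()
exten => _X.,3,Dial(${EXTEN})
exten => _.,1,Playback(blah)
exten => _.,2,Hangup()
"""

SECTION = re.compile(r"^\[(\w+)\]")
INCLUDE = re.compile(r"^include\s*=>\s*(\w+)")
EXTEN = re.compile(r"^exten\s*=>\s*([^,]+),([^,]+),(.*)$")

def parse(text):
    """Return {context: {'includes': [names], 'lines': [(pattern, application)]}}."""
    ctx, plan = None, defaultdict(lambda: {"includes": [], "lines": []})
    for raw in text.splitlines():
        line = raw.split(";")[0].strip()          # ';' starts a comment in Asterisk configs
        if m := SECTION.match(line):
            ctx = m.group(1)
        elif ctx and (m := INCLUDE.match(line)):
            plan[ctx]["includes"].append(m.group(1))
        elif ctx and (m := EXTEN.match(line)):
            plan[ctx]["lines"].append((m.group(1).strip(), m.group(3).strip()))
    return plan

def audit(text):
    """Return (context, finding) pairs for the three mistakes discussed in the slides."""
    findings, plan = [], parse(text)
    for ctx, data in list(plan.items()):
        apps = [app for _, app in data["lines"]]
        if any(pat == "_." for pat, _ in data["lines"]):
            findings.append((ctx, "catch-all '_.' also matches h, i, t and fax; use _X. instead"))
        if any(a.startswith("GotoIf") and "${CALLERID" in a for a in apps) and any(a.startswith("Dial(") for a in apps):
            findings.append((ctx, "Dial() is gated on CallerID only, which the caller can set"))
    for inc in plan["default"]["includes"]:          # guest calls land in [default]
        if any(app.startswith("Dial(") for _, app in plan[inc]["lines"]):
            findings.append(("default", f"guest context reaches Dial() via include => {inc}"))
    return findings
```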
sip.conf
- Default context
- bindport, bindhost, bindip
- [username] vs username=
- permit, deny, mask
- insecure=yes, very, no
- user vs peer vs friend
- allowguest
- autocreatepeer
- pedantic
- ospauth
- realm
- md5secret
- User authentication logic
- username= vs [username]
bindport, bindhost, bindip
- If you only use SIP for internal calls, don't put bindip=0.0.0.0 but limit it to the internal IP.
- Changing the bindport to a non-5060 port might save you from portscan sweeps for this port.
permit, deny, mask
- Disallow everything, then allow per user the allowed hosts or ranges. (Multiple are allowed.)
sip.conf - insecure option
insecure=...
- no: the default, always ask for authentication
- yes: match a peer by IP address only, not by peer name.
insecure=very ; allows registered hosts to call without re-authenticating, by IP address
insecure=port ; we don't care if the port number is different than when they registered
insecure=invite ; every INVITE is accepted.
User vs Peer vs Friend in SIP
- USER: never registers, only makes calls
- PEER: can register + can make calls.
[user1]
type=user
[user1]
type=peer
Is allowed and the same as type=friend if the other parameters are identical!!!
allowguest=...
- true: unauthenticated users will arrive in the default context as defined in sip.conf
- false: unauthenticated users will get a permission denied error message.
- osp: to allow guest access for VoIP traffic coming from an OSP server.
autocreatepeer
- The autocreatepeer option allows, if set to yes, any SIP UA to register with your Asterisk PBX as a peer. This peer's settings will be based on global options. The peer's name will be based on the user part of the Contact: header field's URL.
  This is of course a very high security risk if you haven't got control of access to your server. (© Olle)
pedantic
- Defaults to pedantic=no
- If enabled, this might allow a denial of service by sending a lot of INVITEs, causing a lot of (slow) DNS lookups.
realm
realm=Asterisk ; Realm for digest authentication
; Defaults to "Asterisk"
; Realms MUST be globally unique according to RFC 3261
; Set this to your host name or domain name
How is authentication done?
chan_sip.c: /* Whoever came up with the authentication section of SIP can suck my %*!#$ for not putting an example in the spec of just what it is you're doing a hash on. */
How is authentication done?
Look at the From header in the SIP message for the username:
-> browse sip.conf for a type=user with that username
   If found -> check the md5
   If not found:
   -> browse sip.conf for a type=peer with that username
   -> browse sip.conf for a (registered) IP where the request is coming from
      if insecure=very, no more checks are done
      if insecure=port, they only have to be willing to authenticate, even if they are calling from a different port than they registered with (used for NAT not using the same port number every time).
      otherwise, check the md5 + allow/deny.
No peer found? Do we allow guest access (allowguest=true)?
   Yes? OK, allow and send it to the default context; if not, reject.
secret vs md5secret
- With SIP, passwords go over the wire as an MD5 digest, but are stored in plaintext in sip.conf:
[user]
secret=blabla
secret vs md5secret
- echo -n "<user>:<realm>:<secret>" | md5sum
- E.g.:
echo -n "user:asterisk:blabla" | md5sum
e1b588233e4bc8645cc0da24d8cb848d
[user]
md5secret=e1b588233e4bc8645cc0da24d8cb848d
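Added example, not from the slides: it computes the sip.conf md5secret exactly as the md5sum command above does (this value is the digest "HA1") and then checks a SIP digest response against only that stored hash, which is why Asterisk never needs the plaintext. The nonce, URI and realm names are constructed for the demonstration.

```python
import hashlib
import hmac

def md5hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

def md5secret(user: str, realm: str, secret: str) -> str:
    """Same value as: echo -n "user:realm:secret" | md5sum  (digest HA1)."""
    return md5hex(f"{user}:{realm}:{secret}")

def digest_response(ha1: str, method: str, uri: str, nonce: str) -> str:
    """RFC 2617 digest without qop: MD5(HA1:nonce:HA2), where HA2 = MD5(method:uri)."""
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{ha2}")

def server_verifies(stored_ha1, method, uri, nonce, client_response):
    """Asterisk side: recompute from the md5secret on disk; constant-time compare."""
    expected = digest_response(stored_ha1, method, uri, nonce)
    return hmac.compare_digest(expected, client_response)

# Constructed values; Asterisk issues a fresh nonce with every 401/407 challenge.
USER, REALM, SECRET = "user", "asterisk", "blabla"
NONCE, METHOD, URI = "constructed-nonce-1234", "REGISTER", "sip:pbx.example"

def demo():
    """Returns (accepted with matching realm, accepted after realm= was changed)."""
    stored = md5secret(USER, REALM, SECRET)                 # sip.conf: md5secret=<stored>
    # The phone holds the plaintext and derives the same HA1 before answering.
    client = digest_response(md5secret(USER, REALM, SECRET), METHOD, URI, NONCE)
    ok = server_verifies(stored, METHOD, URI, NONCE, client)
    # Changing realm= in sip.conf changes HA1, so every md5secret must be regenerated.
    moved = server_verifies(md5secret(USER, "pbx.example", SECRET), METHOD, URI, NONCE, client)
    return ok, moved
```

Because the phone derives the same HA1, an md5secret= line is just as sensitive as the plaintext for logging in to this server; it only keeps the password from being reused elsewhere, so the file permissions from the hardening section still apply.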
username= vs [username]
- [username] is for authenticating a client connecting to Asterisk.
- username=... is to have your Asterisk server authenticate to another SIP server.
iax.conf
- auth=plaintext,md5,rsa
- User authentication logic
- Default context
- [username] vs username=
- permit, deny, mask
- bindport, bindhost, bindip
- user vs peer vs friend
iax.conf - auth
- plaintext: passwords are sent in plaintext
- md5: the password is sent as an MD5 challenge/response
- rsa: use public key / private key; uses AES.
User vs Peer vs Friend
- USER: can only accept calls
- PEER: can only make calls
- FRIEND: can do both
[user1]
type=user
[user1]
type=peer
Is allowed!!!
How is authentication done?
In iax2 (cvs-head!!), pseudocode:
Is a username supplied?
-> yes -> matched against iax.conf users starting bottom to top.
   User found?
   -> yes: is the IP in the allowed / disallowed list?
      yes -> does the password match?
         yes -> does the requested context match a context=... line?
-> no -> is a password given?
   -> yes: Asterisk will look bottom to top for a user with this password;
      if the context matches, or there is no context specified, and the host is in the allowed lists (allow / deny) then the call is accepted.
   -> no: Asterisk will look bottom to top for a user without a password;
      if the context matches, or there is no context specified, and the host is in the allowed lists (allow / deny) then the call is accepted.
[Flowchart of the same logic: USERNAME? -> USER FOUND? -> IP ALLOWED? -> PW MATCH? -> CONTEXT OK? -> CALL ACCEPTED, any NO -> CALL REFUSED; without a username: PASS GIVEN? -> USER FOUND WITH THIS PASSWORD? / USER FOUND WITH EMPTY PASSWORD? -> IP ALLOWED? -> CONTEXT OK? -> CALL ACCEPTED, any NO -> CALL REFUSED]
- Add a last entry in iax.conf with no password to force nosecret access into a specific context.
- If you use realtime, don't have any user without a password and without permit/deny.
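Added example, not from the slides: a model of the iax2 (cvs-head) matching logic described above, walking the entries bottom to top, to show why a trailing entry without a password captures anonymous calls into its context and why a password-less entry without permit/deny accepts a call from any host. The iax.conf entries are constructed for the demonstration.

```python
import ipaddress

def ip_allowed(user, ip):
    """permit/deny as in the slides: once any ACL is set, only permitted ranges pass."""
    if not user.get("permit") and not user.get("deny"):
        return True                                   # no ACL at all: every host is allowed
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in user.get("permit", []))

def context_ok(user, requested):
    """Accept when no context was requested or the entry's context= matches it."""
    return requested is None or user.get("context") == requested

def match_iax_call(users, username, password, ip, requested=None):
    """Walk iax.conf entries bottom to top; return the entry that accepts the call,
    or None when the call is refused."""
    for u in reversed(users):
        if username is not None:
            if u["name"] != username:
                continue                              # keep looking for the name
            accepted = ip_allowed(u, ip) and u.get("secret") == password and context_ok(u, requested)
            return u if accepted else None            # name matched: the decision is final
        if not ip_allowed(u, ip) or not context_ok(u, requested):
            continue
        if password is not None and u.get("secret") == password:
            return u                                  # no username: matched by password
        if password is None and not u.get("secret"):
            return u                                  # no username, no password: first no-secret entry
    return None

# Constructed iax.conf entries, listed top to bottom as they appear in the file.
USERS = [
    {"name": "office", "secret": "s3cret", "context": "internal",
     "deny": ["0.0.0.0/0.0.0.0"], "permit": ["10.0.0.0/255.255.255.0"]},
    {"name": "anon", "context": "guest"},             # last entry: no secret, no ACL
]
```

With the trailing "anon" entry, a call without username or password from any address is accepted into the guest context; drop the entry (or give it permit/deny) and the same call is refused.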
manager.conf
[general]
enabled = yes
port = 5038
bindaddr = 0.0.0.0
[zoa]
secret = blabla
deny=0.0.0.0/0.0.0.0
permit=221.17.246.77/255.255.255.0
permit=127.0.0.1/255.255.255.0
read = system,call,log,verbose,command,agent,user
write = system,call,log,verbose,command,agent,user
manager.conf
- No encryption is used; even the password is sent in plaintext.
- Don't enable it on a public IP.
- Use http://www.stunnel.org/
- Watch out with management programs with a direct interface to the manager.
- Limit the privileges per user (especially system!!!).
Asterisk Security
- Asterisk configuration stupidity
- Asterisk hardening
- Privacy protection
Asterisk Hardening
- Asterisk as non-root user
- Asterisk in CHROOT
- Asterisk in a JAIL
- Asterisk with limited read / write permissions
- ZAPTEL kernel modules
- Asterisk firewalling / shaping / NAT
- tty9
- Linux hardening
- Remote logging
- Tripwire
- Limit running system processes
Asterisk as non root user
adduser --system --group --home /var/lib/asterisk --no-create-home asterisk
chown -R asterisk:asterisk /var/lib/asterisk
chown -R asterisk:asterisk /var/log/asterisk
chown -R asterisk:asterisk /var/run/asterisk
chown -R asterisk:asterisk /var/spool/asterisk
chown -R asterisk:asterisk /dev/zap
chown -R root:asterisk /etc/asterisk
chmod -R u=rwX,g=rX,o= /var/lib/asterisk
chmod -R u=rwX,g=rX,o= /var/log/asterisk
chmod -R u=rwX,g=rX,o= /var/run/asterisk
chmod -R u=rwX,g=rX,o= /var/spool/asterisk
chmod -R u=rwX,g=rX,o= /dev/zap
chmod -R u=rwX,g=rX,o= /etc/asterisk
chown asterisk /dev/tty9
su asterisk -c /usr/sbin/safe_asterisk
or
asterisk -U asterisk -G asterisk
Asterisk with limited read / write permissions
- Asterisk has no write permissions for its config files and is running as non-root?
- In the unlikely event of someone breaking in through Asterisk, your dial plan is still vulnerable through the CLI or the manager.
Asterisk in chroot
- Changes the root directory visible to Asterisk to e.g. /foo/bar
- Pretty useless if Asterisk is running as root and perl or gcc is available.
Asterisk in a jail
- Changes the root directory visible to Asterisk.
- Limits the commands / programs any user in this jail can execute to a list you specify.
- Expansion of chroot.
Zaptel kernel modules
- Zaptel is module only, cannot be put into the kernel.
- Hackers like to hide in a module: they can backdoor a module, compile it, load it in memory and remove all traces on the disk.
- You could have the kernel check an md5 for the Zaptel modules.
- I think Matt Frederickson compiled them into the kernel before.
Firewalling / shaping / NAT
- Block everything except the ports you really want. (5060, 4569, ...)
- RTP ports are a big pita (see rtp.conf)
Sidenote: you might want to check that your ISP is not blocking anything in the range defined in rtp.conf
Limit access to tty9
- safe_asterisk opens a console on tty9. This does not require a password and will provide a root shell to anyone passing by (by using !command on the CLI).
- Remove the offending line, or don't use safe_asterisk
Linux Hardening
- GRsec (2.6.x)
- Openwall (2.4.x)
- Remove all unneeded things.
Remote logging
- Remote syslog
- Put Asterisk log files (and other log files) on a remote server.
Tripwire
- Make hashes of all the important files on the server and check them for changes you didn't make.
Limit server processes
- An Asterisk server should be only: OS + ASTERISK.
  - No database
  - No APACHE
  - No PHP
(If you really need those, and don't have enough servers, don't put them on a public IP and firewall them!!!!)
Asterisk Security
- Asterisk configuration stupidity
- Asterisk hardening
- Privacy protection
Asterisk privacy
- Encryption
- Monitoring
- CallerID spoofing
- CallingPRES
Call Encryption - SIP
- SRTP -> method to encrypt voice packets.
- TLS -> method to encrypt signaling packets.
Both are not yet supported by Asterisk. Bounty on voip-info.org.
Call Encryption - IAX2
- 30/12/2004 2:07
  Modified Files: chan_iax2.c iax2-parser.c iax2-parser.h iax2.h
  Log Message: Minor IAX2 fixes, add incomplete-but-very-basically-functional IAX2 encryption. It would support any type of encryption you like.
-> Doesn't work yet.
Call Encryption - General solution
- Send your packets through a VPN or tunnel.
- Use only UDP tunnels to avoid delays.
Known to work: IPSEC, VTUN, OPENVPN.
Call Encryption - Tunnel solution
- Advantage: CPU expensive encryption can happen on a dedicated machine.
- Disadvantage: doesn't work on hardphones or ATAs without adding an extra server in front of them.
Monitoring
- ZapBarge
- ChanSpy
- Monitor