How to protect FreePBX from hacking

Three easy steps to save your money

For hackers, Asterisk is a tempting target: once they have gained access to your trunk, they can call all over the world at your expense.

In the course of our work, we have seen dozens of hacked systems, and each hack ends with a bill from the provider for anywhere from tens to thousands of dollars. All of these cases had the same root cause: negligence and the violation of a few simple security rules. That is why today we would like to share some advice on how to protect your PBX and thereby save your time, nerves, and money.

What is the harm?

First of all, hackers are after free calls. The worst thing is that a hack is quite difficult to recognize. It can be detected either by constantly monitoring the call flow in real time, which, of course, no one does, or after the fact, when the account turns out to be empty. Typically, hackers attack after hours, on weekends, and during the holiday season, so it can take from several hours to several days for the PBX owner to notice the break-in. That is enough time for the hackers to run up a significant bill that, in the end, will still be paid by the PBX owner.

However, many providers run a system that analyzes customer traffic and flags suspicious calls, which lets them alert the customer and block the hackers right away.

What causes an attack?

Most often, hackers attack a PBX that is reachable from the public network. The typical user errors are: a weak password, an open SIP port, a poorly configured firewall, and no proactive protection.

How to protect yourself?

There are three levels of protection:

1. Restricting which devices may connect. First of all, you need to set an Access Control List (ACL) for the SIP trunk and the extensions. In essence, it limits the IP addresses that are allowed to send and receive data. To do that, go to the SIP settings and set permit/deny rules.
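As an added illustration (not part of the original article), this is what such an ACL looks like in Asterisk's chan_sip configuration. FreePBX writes these `permit`/`deny` directives into `sip.conf` from the corresponding fields of an extension's Advanced settings and from a trunk's PEER Details box, so the same lines can be entered there. All addresses and the provider hostname are constructed placeholders; replace them with your office subnet and your provider's signalling addresses.

```ini
; sip.conf (chan_sip) - added example, not the article's own configuration.
; Addresses below are constructed placeholders.

[general]
; Do not let an unmatched (anonymous) source reach any dial-out context.
allowguest=no
; Answer bad user and bad password the same way, so account names
; cannot be enumerated by watching the reply.
alwaysauthreject=yes

[office-phones](!)
; Template for handsets inside the office. Rules are evaluated in order and
; the last matching rule wins, so deny everything first, then permit the
; office subnet only.
type=friend
context=from-internal
deny=0.0.0.0/0.0.0.0
permit=192.0.2.0/255.255.255.0

[100](office-phones)
; One extension built from the template above; use a long random secret.
secret=CHANGE_ME_long_random_secret

[provider-trunk]
; Trunk to the carrier: accept signalling only from the provider's addresses
; (two constructed addresses here), everything else is refused.
type=peer
host=sip.provider.example
context=from-trunk
deny=0.0.0.0/0.0.0.0
permit=198.51.100.10/255.255.255.255
permit=198.51.100.11/255.255.255.255
```

The deny-all line must come first: a `permit` on its own does not exclude anything, it only adds to what is allowed, so a peer with only `permit=` lines is still reachable from any address that matches none of them only if a preceding `deny` exists.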

2. Tightening the access rules. This step means configuring the firewall that restricts remote access to Asterisk. It is very important to write the rules so that access to the PBX is limited in all directions. Follow the rule: prohibit everything, allow only the necessary minimum. Ideally, traffic is accepted only from the office IP address and from the operators' IP addresses.

3. Setting up proactive defense. The FreePBX distribution by Sangoma ships with Fail2Ban preinstalled; in other distributions it can be installed from the repositories. However, its default settings are quite lenient, and it is worth tightening them for greater security.

The program scans the logs on the PBX server in real time, and when it detects repeated failed password attempts, it blocks the addresses those attempts came from. It is important to note that logging on the Asterisk server must be configured to produce a security log.

For instance, you can limit the number of password attempts to three. This means that after the third wrong password, the program blocks the originating IP address, even if the person typing it is the PBX owner. However, the program lets you whitelist your own subnets as exceptions.

Two-stage blocking can significantly reduce the risk of hacking:

  1. the system blocks the IP address for several hours after every third wrong password;

  2. the program keeps monitoring the log, and if the same IP address gets blocked several times within a set period, it is blocked for a week/month/year, as chosen by the user.

Let us emphasize it once again: the fewer times someone can enter a password, the less the risk.
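As an added example (not the article's or Sangoma's own configuration), here is how the security log and the two-stage blocking described above map onto Asterisk's `logger.conf` and a Fail2Ban `jail.local`. The first stage is the standard `asterisk` jail with three attempts; the second is Fail2Ban's `recidive` jail, which reads Fail2Ban's own log and hands out a much longer ban to addresses that keep getting banned. Time values and the whitelisted subnet are constructed placeholders. On the Sangoma distribution these same parameters are normally set through the Intrusion Detection page of the System Admin module rather than by editing the file directly, since the module manages the jail configuration.

```ini
; /etc/asterisk/logger.conf - added example.
; The "security" level writes Asterisk security events (wrong passwords,
; failed registrations) to /var/log/asterisk/security, the file the
; fail2ban "asterisk" filter matches against.
[logfiles]
console => notice,warning,error
messages => notice,warning,error
security => security

# /etc/fail2ban/jail.local - added example.
[DEFAULT]
# Never ban the PBX itself or the office subnet (constructed placeholder),
# so a mistyped handset password does not lock the whole office out.
ignoreip = 127.0.0.1/8 192.0.2.0/24

# Stage 1: three wrong passwords from one address within 10 minutes
# -> that address is blocked on the SIP ports for 6 hours.
[asterisk]
enabled  = true
filter   = asterisk
port     = 5060,5061
protocol = all
logpath  = /var/log/asterisk/security
maxretry = 3
findtime = 10m
bantime  = 6h

# Stage 2: an address banned by any jail three times within a week
# -> blocked on all ports for 30 days.
[recidive]
enabled   = true
logpath   = /var/log/fail2ban.log
banaction = %(banaction_allports)s
maxretry  = 3
findtime  = 1w
bantime   = 30d
```

After editing, restart Fail2Ban and confirm the jails are active with `fail2ban-client status asterisk` and `fail2ban-client status recidive`; the `ignoreip` list should contain only networks you control, because anything on it is never banned no matter how many passwords it gets wrong.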

Bonus

If your company does not use long-distance or international calls, ask your provider to disable these options on their side, so that even if you do get hacked, you avoid major losses.

What to do if you got hacked anyway?

First of all, call your operator and find out the IP address from which the suspicious calls were made. If it turns out not to belong to you, ask your provider to change your password. You also need to examine the logs and find out why you were hacked. For example, the intruders may have stolen your credentials; in that case, find out how it happened and act accordingly.

If you do not have the time or technical means to keep track of security settings yourself, entrust it to experts. Order the FreePBX security audit and configuration package, and we will take care of all technical issues.
