A possible way to thwart SIP hack attempts on your Asterisk (or other) PBX server

If you’ve had the problem of hackers trying to break into your Asterisk server, you probably know that you can use tools like Fail2ban to at least slow them down.  But why let them know you even have an Asterisk server in the first place?  Maybe you need to leave port 5060 open so that remote users (not on your local network) can connect to the server, but that doesn’t mean that you have to advertise to the bad guys that you might have something of interest.  With that in mind, we direct your attention to this post in the DSLReports VoIP forum:

The Linux netfilter/iptables firewall is capable of stopping these attacks before they even start.

At a bare minimum, this stops 99% of the attacks when added to your iptables ruleset:

-A INPUT -p udp --dport 5060 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p udp --dport 5060 -m string --string "REGISTER sip:your.pbx.dns.name" --algo bm -j ACCEPT
-A INPUT -p udp --dport 5060 -m string --string "REGISTER sip:" --algo bm -j DROP
-A INPUT -p udp --dport 5060 -m string --string "OPTIONS sip:" --algo bm -j DROP
-A INPUT -p udp --dport 5060 -j ACCEPT

Warning
IMPORTANT: Be sure to have a separate iptables rule (higher on the list than those above) that allows connections to port 5060 from devices on your local network. Otherwise, you may find that new extensions that you are adding for the first time will not register with your Asterisk server, or that after a system reboot, none of your local extensions will register!

To understand how this works, read the original post by DSLReports user espaeth.
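As an added illustration (not part of the DSLReports post or this blog), here is a small Python model of the five rules above, plus the separate local-network allow rule the warning calls for. It runs a few constructed SIP request lines through the chain in iptables first-match order, so you can see which rule catches each packet and why a LAN phone that registers by IP address is dropped without that extra rule; the PBX name, LAN range and source addresses are placeholders.

```python
import ipaddress

PBX_NAME = "your.pbx.dns.name"                      # placeholder from the quoted ruleset
LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")  # constructed LAN for the "separate rule"

# The five quoted rules in chain order as (match predicate, verdict).
# iptables walks the chain top to bottom; the first matching rule decides.
RULESET = [
    (lambda p: p["established"],                                    "ACCEPT"),  # -m state ESTABLISHED,RELATED
    (lambda p: f"REGISTER sip:{PBX_NAME}".encode() in p["payload"], "ACCEPT"),  # REGISTER to our DNS name
    (lambda p: b"REGISTER sip:" in p["payload"],                    "DROP"),    # any other REGISTER
    (lambda p: b"OPTIONS sip:" in p["payload"],                     "DROP"),    # OPTIONS scans
    (lambda p: True,                                                "ACCEPT"),  # everything else on 5060
]

def verdict(payload: bytes, src: str, established: bool = False, lan_rule: bool = True) -> str:
    """Chain verdict for one UDP datagram to port 5060. lan_rule models the
    separate allow rule the warning says must sit above the five quoted ones."""
    if lan_rule and ipaddress.ip_address(src) in LOCAL_NET:
        return "ACCEPT"
    pkt = {"payload": payload, "established": established}
    for match, action in RULESET:
        if match(pkt):
            return action
    return "DROP"  # never reached: the last rule matches everything

def demo() -> dict:
    """Run constructed SIP request lines (RFC 3261 syntax) through the chain."""
    remote, lan = "198.51.100.7", "192.168.1.50"      # constructed source addresses
    reg_lan = b"REGISTER sip:192.168.1.2 SIP/2.0\r\n"  # LAN phone registering by IP, not DNS name
    return {
        # Remote user registering with the PBX's DNS name: matches rule 2.
        "remote_register_dns": verdict(b"REGISTER sip:your.pbx.dns.name SIP/2.0\r\n", remote),
        # Scanner registering against the bare IP never matches rule 2 and hits rule 3.
        "scanner_register_ip": verdict(b"REGISTER sip:203.0.113.5 SIP/2.0\r\n", remote),
        # OPTIONS probe used to discover SIP servers: rule 4.
        "scanner_options": verdict(b"OPTIONS sip:100@203.0.113.5 SIP/2.0\r\n", remote),
        # LAN phone survives only because of the separate LAN rule...
        "lan_register_ip": verdict(reg_lan, lan),
        # ...and is dropped without it, the failure the warning describes.
        "lan_register_no_lan_rule": verdict(reg_lan, lan, lan_rule=False),
        # Packet on a flow conntrack already tracks: rule 1.
        "established_flow": verdict(b"SIP/2.0 200 OK\r\n", remote, established=True),
        # Other methods fall through to rule 5, so this filters scans and
        # registration guessing, not everything; Fail2ban still has a job.
        "unsolicited_invite": verdict(b"INVITE sip:100@203.0.113.5 SIP/2.0\r\n", remote),
    }
```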

For another line of defense against such attacks, see the article Stop SOME SipVicious attacks from reaching your Asterisk, FreeSwitch, YATE, etc. PBX server.

Link: Securing Your Asterisk VoIP Server with IPTables

Now that you have set up your personal Asterisk® server, it’s time to secure it. I can’t overstate the importance of this step. Without it, you could be leaving your server’s VoIP and SSH ports open for anyone on the Internet, which is a very bad idea and may cost you a lot of money.

Full article here:
Securing Your Asterisk VoIP Server with IPTables (Lin’s Tech Blog)

Why you can’t get SRTP encryption to work between Asterisk and your VoIP adapter or phone

Some recent versions of Asterisk (Asterisk 11 in particular) have built-in SRTP support of sorts. As Wikipedia notes,

The Secure Real-time Transport Protocol (or SRTP) defines a profile of RTP (Real-time Transport Protocol), intended to provide encryption, message authentication and integrity, and replay protection to the RTP data in both unicast and multicast applications. It was developed by a small team of IP protocol and cryptographic experts from Cisco and Ericsson including David Oran, David McGrew, Mark Baugher, Mats Naslund, Elisabetta Carrara, James Black, Karl Norman, and Rolf Blom. It was first published by the IETF in March 2004 as RFC 3711.

In simple terms, SRTP encrypts the audio of your VoIP calls, making it much more difficult for anyone with a packet sniffer to listen in.

Let’s say you have an Android-based tablet and you are running CSipSimple. If you have configured it as an extension off your Asterisk 11 server, and you turn SRTP on in the security settings, you will likely find that outgoing calls work fine but incoming calls do not.  The reason is that you need to add one line to the extension’s configuration settings in Asterisk:

encryption=yes

If you are using FreePBX then it’s only a bit more complicated.  You’d need to add two lines to the /etc/asterisk/sip_custom_post.conf file:

[####](+)
encryption=yes

Replacing #### with the extension number. Once you have done this and reloaded Asterisk, it will only communicate with the endpoint using SRTP.

BUT there is one problem here.  With some other VoIP devices and softphones, once you have enabled SRTP, any attempt to place an outgoing call will fail.  And, if you watch the Asterisk CLI, you may see lines similar to these:

[2013-12-19 08:18:57] NOTICE[2949][C-000005e9]: sip/sdp_crypto.c:255 sdp_crypto_process: Crypto life time unsupported: crypto:1 AES_CM_128_HMAC_SHA1_80 inline:6aV+PFYMnVJVUZuxug9EM5yefPnfOrNhHcKLSABE|2^20
[2013-12-19 08:18:57] NOTICE[2949][C-000005e9]: sip/sdp_crypto.c:265 sdp_crypto_process: SRTP crypto offer not acceptable
[2013-12-19 08:18:57] WARNING[2949][C-000005e9]: chan_sip.c:10454 process_sdp: Rejecting secure audio stream without encryption details: audio 17100 RTP/SAVP 0 8 18 104 101

The problem is that in Asterisk, “any SRTP offers that specify the optional lifetime key component will fail”, as is detailed in this submitted patch to Asterisk:

(ASTERISK-17899) [patch] Adds a ‘ignorecryptolifetime’ (Ignore Crypto Lifetime) option to sip.conf for SRTP keys specifying optional ‘lifetime’

If the device or softphone had a setting to disable sending the lifetime parameter, it would probably work. If users went to the trouble of applying this patch to Asterisk, it would probably work, but many users either don’t know how to do that, or they are running a pre-built distribution and don’t want to or cannot tamper with it (also, any subsequent Asterisk upgrade would require re-applying the patch). If Digium applied this patch to Asterisk and pushed it out in upgrade releases, it would probably work. But for whatever reason, though this patch was first posted back in May of 2011, Digium has not seen fit to roll it into Asterisk.
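To check whether a particular device’s SDP offer carries the lifetime field that trips this code path, here is an added Python parser for RFC 4568 crypto attributes (example code, not from Asterisk or this post). It decodes the offer quoted in the CLI output above and flags offers that include a lifetime, which is the behaviour described here for an unpatched Asterisk; the "accepted" variant and the SDP body used in testing are constructed.

```python
import base64
import re
from dataclasses import dataclass
from typing import List, Optional

# Master key || salt length in bytes (16 + 14) for the suites RFC 4568 defines.
KEY_SALT_LEN = {"AES_CM_128_HMAC_SHA1_80": 30, "AES_CM_128_HMAC_SHA1_32": 30, "F8_128_HMAC_SHA1_80": 30}

@dataclass
class CryptoOffer:
    tag: int
    suite: str
    key_salt: bytes
    lifetime: Optional[str]    # e.g. "2^20"; most devices omit it
    mki: Optional[str]         # "<mki>:<length>", also optional

def parse_crypto(attr: str) -> CryptoOffer:
    """Parse one SDP crypto attribute (RFC 4568 section 9.1), with or without the leading 'a='."""
    m = re.fullmatch(r"(?:a=)?crypto:(\d+)\s+(\S+)\s+inline:(\S+)(?:\s+.*)?", attr.strip())
    if not m:
        raise ValueError(f"not an inline-keyed crypto attribute: {attr!r}")
    tag, suite, key_params = m.groups()
    # inline:<key||salt>[|lifetime][|MKI:length]; both trailing fields are optional.
    fields = key_params.split("|")
    key_salt = base64.b64decode(fields[0], validate=True)
    want = KEY_SALT_LEN.get(suite)
    if want is not None and len(key_salt) != want:
        raise ValueError(f"{suite} needs {want} key||salt bytes, got {len(key_salt)}")
    lifetime = mki = None
    for f in fields[1:]:
        if ":" in f:
            mki = f            # the MKI field carries a colon, a lifetime never does
        else:
            lifetime = f
    return CryptoOffer(int(tag), suite, key_salt, lifetime, mki)

def asterisk_would_reject(offer: CryptoOffer) -> bool:
    """Behaviour the post describes: unpatched Asterisk refuses any offer carrying a lifetime."""
    return offer.lifetime is not None

def offers_with_lifetime(sdp: str) -> List[int]:
    """Tags of the a=crypto lines in a captured SDP body that would be refused."""
    offers = (parse_crypto(line) for line in sdp.splitlines() if line.startswith("a=crypto:"))
    return [o.tag for o in offers if asterisk_would_reject(o)]

# The offer from the CLI output quoted above, and a constructed variant without a lifetime.
REJECTED_OFFER = "crypto:1 AES_CM_128_HMAC_SHA1_80 inline:6aV+PFYMnVJVUZuxug9EM5yefPnfOrNhHcKLSABE|2^20"
ACCEPTED_OFFER = "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:6aV+PFYMnVJVUZuxug9EM5yefPnfOrNhHcKLSABE"
```

Feed it the a=crypto lines from a `sip set debug on` capture of the failing INVITE: an offer whose inline key ends in `|2^20` (or any other lifetime) is the one Asterisk is refusing.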

So, this may very well be the reason, or at least one of the reasons, why you can’t get SRTP encryption to work between Asterisk and your VoIP adapter or phone! Basically, your VoIP device or softphone and Asterisk just don’t want to play nice with each other.

We’ve heard that some other varieties of PBX software, such as FreeSWITCH, might not have this issue, but since we don’t have a working FreeSWITCH installation at the moment we cannot comment on that.

Link: How to Install and Configure UFW – An Un-complicated FireWall in Debian/Ubuntu

The ufw (Uncomplicated Firewall) is a frontend for the most widely used iptables firewall, and it is well suited to host-based firewalls. ufw gives a framework for managing netfilter, as well as providing a command-line interface for controlling the firewall. It provides a user-friendly and easy-to-use interface for Linux newbies who are not very familiar with firewall concepts.

On the other hand, the same commands help administrators set complicated rules using the command-line interface. ufw is an upstream for other distributions such as Debian, Ubuntu and Linux Mint.

Full article here:
How to Install and Configure UFW – An Un-complicated FireWall in Debian/Ubuntu (TecMint)

Links: Raspberry Pi / Linux security series

While this series is intended specifically for Raspberry Pi users, anyone new to Linux that would like to know how to secure their system would likely benefit from reading these articles from “The Unwritten Words”:
Raspberry Pi: Initial Setup (Security – Part I)
Raspberry Pi: iptables (Security – Part II)
Raspberry Pi: fail2ban (Security – Part III)

Link: How to Bake an Onion Pi (Tor proxy on Raspberry Pi)

Feel like someone is snooping on you? Browse the web anonymously anywhere you go with the Onion Pi Tor proxy. This is a cool weekend project that uses a Raspberry Pi mini computer, USB wi-fi adapter, and Ethernet cable to create a small, low-power, and portable privacy Pi.

Full article here:
How to Bake an Onion Pi (Make)

Link: Transfer Files Securely Using SCP in Linux

The most common way to get terminal access to a remote Linux machine is to use Secure Shell (SSH). To work, the Linux server needs to be running an SSH server (OpenSSH) and at the other end you need an SSH client, something like PuTTY in Windows or the ssh command line tool on Linux or other Unix-like operating systems such as FreeBSD.

The attraction of SSH is that the connection between the two machines is encrypted. This means that you can access the server from anywhere in the world safe in the knowledge that the connection is secure. However the real power of SSH is that the secure connection it provides can be used for more than just terminal access. Among its uses is the ability to copy files to and from a remote server.

Full article here:
Transfer Files Securely Using SCP in Linux (Make Tech Easier)
Related:
12 scp command examples to transfer files on Linux (BinaryTides)

How to easily switch between your normal DNS service and Tunlr under OS X

Notice: The use of services such as Tunlr, that provide access to geographically-blocked websites and services you might not normally be able to access, may be illegal in some jurisdictions.  We are not lawyers, so cannot comment further on this.  You are responsible for knowing your local laws.

Tunlr is a service that describes itself as follows:

Do you want to stream video or audio from U.S.-based on-demand Internet streaming media providers but can’t get in on the fun because you’re living outside the U.S.? Fear not, you have come to the right place. Tunlr lets you stream content from sites like Netflix, Hulu, MTV, CBS, ABC, Pandora and more to your Mac or PC. Want to watch Netflix or HuluPlus on your iPad, AppleTV or XBox 360 even though you’re not in the U.S.? Tunlr lets you do this.

If you are in the U.S., Tunlr may allow you to access certain sites in Great Britain and elsewhere in Europe.  It does not yet allow access to sites in Canada (pity).  Again, we are specifically not saying that it is legal to do this, since we are not lawyers and cannot give legal advice.

You utilize Tunlr by setting your computer’s or router’s DNS addresses to Tunlr, but Tunlr does not want you to do this except when you are actually accessing content.  As their FAQ explains:

Why you shouldn’t set your DNS permanently to Tunlr

For speed, stability, privacy and security reasons we do not recommend to permanently set your computer’s or router’s DNS addresses to Tunlr. Setting the DNS permanently to Tunlr also puts a heavy strain on Tunlr’s network infrastructure. In order to render the permanent use of our DNS resolvers less attractive, we’re artificially delaying responses to DNS queries. What this means is that your Internet surfing experience will be a lot slower than if you’d just use your Internet service provider’s DNS resolver. However, your ability to download/stream audio or video content is not affected by this delay. To sum it up: do not use our DNS resolver for day to day web surfing.

The FAQ shows “links for more ideas about how to temporarily use our DNS resolver” and they do show some suggestions for OS X, but at this writing none of those links show the easiest way.  When you use the method described below, you will be able to simply click on the Apple logo in the top menu bar and select Tunlr as your DNS, or switch from Tunlr back to your usual DNS, like this:

Selecting Tunlr DNS from the Apple dropdown menu

Note that when you switch DNS servers in OS X your network connection will be momentarily interrupted, so you probably don’t want to do this while you have downloads or uploads in progress.

So, how do you set this up?  It’s relatively simple.  Go To System Preferences (which is another selection in the Apple menu shown above), and when it comes up, in the Internet & Wireless section click on Network.  You should then see a screen similar to this:

System Preferences | Network settings

This image is from a system with only a wired ethernet connection – you may see additional connections. But in the left-hand menu you want to select the connection you’ll be using while using Tunlr, which is probably your wired (en0) connection unless you use wireless exclusively.

Before you go any further, click the Advanced button in the lower right corner, then on the next screen click the Proxies tab at the top:

Advanced Network settings, Proxy tab

What you want to see is what’s currently in the “Bypass proxy settings for these Hosts & Domains” text box.  If there is anything in that box, copy it and save it somewhere – you can open a TextEdit window and paste it in there temporarily if necessary.  Next, at the top, click on the Location dropdown and it should give you the option to Edit Locations, so select that:

Adding a new location

Next you should see a popup window showing your existing locations:

Popup to add new locations

Click the + in the popup and it should let you enter a new location, so enter Tunlr:

Adding new Tunlr location

Click Done and the new location will be added. At this point it is not configured so you will likely be thrown offline, and you’ll see something like this:

New Tunlr location created but not yet configured

Next click the Advanced button and go to the DNS tab, then click on the + and add the two Tunlr DNS addresses (69.197.169.9 and 192.95.16.109) as shown here:

Network settings, DNS tab with Tunlr proxies entered

After adding the two Tunlr proxies, click OK and then click Advanced again and go to the Proxies tab. What you want to do here is paste in any proxy information you copied from your original network connection back into the “Bypass proxy settings for these Hosts & Domains” text box.  So, copy that from TextEdit or wherever you saved it and paste it in here — it should look exactly as it did for the original connection:

Advanced Network settings, Proxy tab

Click OK and you should be taken back to the main Network settings window. Now it should show the two Tunlr DNS addresses:

Network settings, Tunlr location with Tunlr DNS addresses configured

The last thing to do is click Apply, which should enable the Tunlr location and start using the Tunlr DNS:

Network settings, Tunlr location configured and connected

Note that the dot next to your network connection should have changed from yellow to green. Now open your web browser and go to the Tunlr status page (you can just click on that link). You are looking for the section near the bottom of the page headed Tunlr activation check, which should tell you whether or not Tunlr is activated.

Note that even if it says that you need to restart your device or computer after you change the DNS address, that is NOT true when you use this method.  Instead, when you want to access geographically-locked content that Tunlr knows about, you simply go to the Apple menu and select the Tunlr location, and when you are done accessing that content you go back to the same menu and select the Automatic location (or whatever your default location is called). Just keep in mind that any time you change locations, any in-progress communications (downloads or uploads) will be interrupted, and depending on the software and/or protocols used, you may need to restart those connections.

Link: How To Set Up Tunlr DNS Under Linux To Access Netflix, Hulu, CBS, ABC, Pandora and More Outside The US

Tunlr is a free DNS service that lets you use U.S.-based on-demand Internet streaming providers, such as Netflix, Hulu, CBS, MTV, ABC, Pandora and more, if you’re living outside the U.S. At the time I’m writing this article, Tunlr reports that the following streaming services are working:

  • US video streaming services: Netflix, Hulu, CBS, ABC, MTV, theWB, CW TV, Crackle, NBC, Fox, A&E TV, TV.com, Vevo, History, Logo TV, Crunchyroll, DramaFever, Discovery, Spike and VH1;
  • US audio streaming services: Pandora, Last.fm, IheartRadio, Rdio, MOG, Songza;
  • Non-US streaming services: BBC iPlayer (excluding live streams), iTV Player, NHL Gamecenter Live and TF1 Replay / WAT.tv (excluding “direct” stream).
In my test, Tunlr has worked as advertised, but there’s one issue: using Tunlr DNS permanently is not a good idea: for privacy/security reasons, speed and so on. Even the Tunlr FAQ page says you shouldn’t use the Tunlr DNS for every day web surfing. On Windows, there are some tools you can use to quickly switch the Tunlr DNS on/off, but there’s no such tool for Linux, so here’s how to properly use Tunlr under Linux.

Full article here:
How To Set Up Tunlr DNS Under Linux To Access Netflix, Hulu, CBS, ABC, Pandora and More Outside The US (Web Upd8)