Elastix® Security: Securing, Prevention, Monitoring

Uploaded by DIGIVOIP TUNISIA
Copyright © Attribution Non-Commercial (BY-NC)

Elastix Security

Securing, Prevention, Monitoring

Security Reality - the hard facts

No IP PBX system is going to be 100% secure

You cannot guarantee the system is 100% secure to a client or to your company.

The costs of achieving close to 100% Security are exponential.

The Security of the system is as strong as your weakest link.

Toll Fraud - A growing issue

- Toll fraud is increasing and is a multi-billion dollar industry.
- Toll fraud is committed by highly organised criminal elements.
- IP PBX systems are contributing heavily to this toll fraud.
- Toll fraud is not new; just the techniques, methods and tools are evolving at a greater rate than before.

Toll Fraud - what is the potential damage?

- Between $20,000 and $150,000+, depending on when the issue is realised and how many voice channels you have.
- Further costs to the business: the PBX has to be shut down while the issue is investigated, and consumer confidence is lost.
- Loss of business confidence in a tool that is critical to the business.
- You might be thinking: who actually is responsible for the cost? In most cases the answer is simple: the IP PBX owner is fully responsible for the calls that his system makes.

What do they gain from Toll Fraud?

- Revenue from calling cards. There are so many of these phone cards that you could unwittingly purchase one and never know.
- Revenue from selling your gateway details on the street, quite often called a "montebello" or a "good number".
- The challenge. Some of these hacks are done for the fun of it, to prove themselves.

Toll Fraud - Highly organised & Smart

- They generally know when you are not using the system. Many attacks commence on Friday nights, running through the weekend.
- They are also holiday aware, knowing that limited staff are working.
- Coincidentally, holiday season is when many people want to call back home, so there is an increased demand for low cost calls.

A Quick Analysis of an Attack: SIP Port Probe

- They probe the open ports on your router.
- A simple, readily available tool scans for port 5060 (the SIP port).
- They build a database of IP addresses where port 5060 is open.

A Quick Analysis of an Attack: Extension Harvest

- Using the database of open, responsive SIP ports, the tool looks for a response from a live extension. Note the ports not in the list, such as 987, 988, 989, 990.
- A database of live extensions is compiled against open SIP ports.

A Quick Analysis of an Attack: Dictionary Attack

- Attempting to register at Ext 987 using a dictionary attack.
- Finally guessing a correct password and registering.

A Quick Analysis of an Attack: Quick Facts

- They know the tricks of adding a couple of numbers to the end of passwords.
- It can be a combination of a number generator and/or a database of common words used as passwords. It keeps trying until it successfully registers.
- On a standard ADSL line:
  - Extension harvest: 80 extensions a second.
  - Dictionary attack: 60 passwords per second.
  - The entire Oxford dictionary could be completed in just over 3 hours.

Summary

- SIP hacking tools are readily available and free. SIPVicious is one such tool.
- Toll fraud costs money, and can happen to anyone.
- Securing, Prevention, Monitoring is of the utmost importance.

Securing - Extension Security

- Do not use simple words, even with a couple of numbers on the end.
- Do not use the extension number as the password.
- Passwords like Hy7g6#8!9pWe are good.
- Use the Permit/Deny settings for each extension.
- Remote extensions: require them to use a static IP address, or at least connect via VPN.
- Change the SIP port for the phone / extension.
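As an added illustration of the extension checks above (this is not code from the presentation or from Elastix), the following Python script audits SIP peer definitions written in the [ext] / key=value layout that Elastix and FreePBX generate in sip_additional.conf (an assumption about the file layout). It flags the exact weaknesses the slide lists: a secret equal to the extension number, a dictionary word with a couple of digits appended, a short secret with few character classes, and a dynamic peer with no permit/deny restriction. The sample config, the word list and the 10-character minimum are constructed for the example.

```python
"""Audit Asterisk/Elastix SIP peer definitions for weak extension security.

Added example; not Elastix or FreePBX code. The sample config below is
constructed and mimics the [ext] sections Elastix/FreePBX write to
sip_additional.conf (assumption: key=value lines under [name] headers)."""
import re
from collections import defaultdict

# Constructed sample: four peers, three of them with problems.
SAMPLE_CONF = """\
[200]
type=friend
secret=200
host=dynamic
context=from-internal

[201]
type=friend
secret=welcome12
host=dynamic
context=from-internal

[202]
type=friend
secret=Hy7g6#8!9pWe
host=dynamic
context=from-internal
deny=0.0.0.0/0.0.0.0
permit=192.168.10.0/255.255.255.0

[203]
type=friend
secret=Tr9#kL2$vQx8
host=dynamic
context=from-internal
"""

# Small stand-in for the "database of common words" a dictionary attack uses.
COMMON_WORDS = {"password", "welcome", "elastix", "asterisk", "secret",
                "admin", "phone", "letmein", "office"}

MIN_LENGTH = 10  # assumption: site policy for SIP secrets


def parse_peers(text):
    """Return {section_name: {key: [values]}} for an ini-style sip.conf."""
    peers = defaultdict(lambda: defaultdict(list))
    current = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1)
            continue
        if current is None or "=" not in line:
            continue
        key, val = line.split("=", 1)
        peers[current][key.strip()].append(val.strip())
    return peers


def secret_findings(name, secret):
    """List the weaknesses of one secret, in the terms the slide uses."""
    findings = []
    if secret == name:
        findings.append("secret equals extension number")
    if len(secret) < MIN_LENGTH:
        findings.append("shorter than %d characters" % MIN_LENGTH)
    # A dictionary word, optionally followed by "a couple of numbers".
    m = re.fullmatch(r"([A-Za-z]+)\d{0,4}", secret)
    if m and m.group(1).lower() in COMMON_WORDS:
        findings.append("dictionary word plus trailing digits")
    classes = sum(bool(re.search(p, secret))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < 3:
        findings.append("fewer than 3 character classes")
    return findings


def audit(conf_text):
    """Return {peer: [findings]} for every peer with at least one problem."""
    report = {}
    for name, keys in parse_peers(conf_text).items():
        findings = []
        for secret in keys.get("secret", []):
            findings.extend(secret_findings(name, secret))
        # A dynamic peer with no permit line can register from anywhere.
        if keys.get("host") == ["dynamic"] and "permit" not in keys:
            findings.append("dynamic peer without permit/deny restriction")
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for peer, problems in sorted(audit(SAMPLE_CONF).items()):
        print(peer, "->", "; ".join(problems))
```

Pointing the script at the PBX's own sip_additional.conf gives one line per peer that needs attention. The permit/deny check is the practical form of the slide's remote-extension advice: a peer that must stay host=dynamic should at least carry a permit for its static address or VPN subnet, as peer 202 does in the sample.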

Securing - Remote Extensions

- Recommend that remote extensions use a static IP address.
- Look at phones that have a built-in VPN client, like the Yealink T28, for remote phones.
- If you are using softphones on a laptop, then recommend a VPN client to connect to the office.

Securing - Elastix PBX Security

- Use complex passwords. Since Elastix 2.0, you set the passwords at install time.
- Don't use the same password for root, MySQL, FreePBX and add-on products.
- Strongly recommend against implementing DISA unless absolutely required.
- Anonymous SIP: turn it off if you don't need it.
- Modify the port for SSH. It's a quick, simple change with little impact on your system access.

Securing - Network Firewall Security

- Don't just open SIP/RTP ports; check to see if you need them open first.
- Not all firewalls/routers are the same. Take the time to understand and test your choice of router/firewall.
- If the router/firewall has VPN capability, use it. If it doesn't, consider implementing OpenVPN.

Securing - Elastix Firewall

- Elastix 2.2 will have a built-in Firewall GUI, basically a GUI wrapper around iptables.
- Preconfigured with most of the ports used by Elastix covered.
- Visually easier to understand than manually configuring iptables.
- One of the best, simple firewall GUIs I have seen in many years.

Securing - Trunk Security

- Look for voice providers that can provide a trunk via a VPN (e.g. OpenVPN).
- Consider using IAX trunks between offices, and further securing them with RSA keys.
- Take the time to understand trunks and what each configuration line means to your security.

Prevention - Don't install applications!!

- Products that are not part of the base IP PBX requirements should not be installed.
- Webmin is a perfect example: not that it is insecure, but in the hands of the unknowing it can easily make the Elastix system insecure.
- Installing a public FTP server is another example. This can be used as an entry point and for the installation of a rootkit.

Prevention - Change Control

- Change control is the management of changes to the Elastix system and its environment.
- Be involved or informed if changes are made to Elastix or its environment.
- It can be as complex or as simple as you want.

Prevention - Use a VPN

- Make it mandatory that all remote work on an Elastix system is done via VPN.
- If your router/firewall does not support a VPN, then implement OpenVPN.
- There is really no excuse to open the ports on the router/firewall.

Prevention - Outbound options

- New feature in Elastix 2.2/FreePBX 2.8: limit international calls after hours. Whilst this would not stop them making calls during the day, it limits your exposure.
- Limit the international destinations. This is a simple method that will limit your exposure.
- Don't use a blanket outbound international route; choose your countries.

Prevention - SIP Provider Daily Cost Limits

- Select a voice provider that can set a limit per day or per month on call costs.
- Still allows calls in when over your limit.
- Greatly limits your possible monetary liability.
- Gives you a very clear indication that something is wrong when you can't make calls out.

Monitoring - Regular Maintenance

- Implement regular maintenance. The time frame will depend on the other security measures in place.
- Test SIP port access from external locations.
- Check logs.
- Check CDR logs for any unusual events.
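The CDR check above and the after-hours international limit from the "Outbound options" slide can be turned into a quick review script. The following Python is an added example, not from the presentation or from Elastix: it reads CDR rows in the column order of the Asterisk Master.csv file (an assumption; the field names need adapting for the asteriskcdrdb MySQL table Elastix uses), then reports international calls placed outside business hours and any extension that placed more international calls than a threshold. The sample rows, the "00"/"011" international prefixes, the 08:00-18:00 weekday business hours and the per-extension threshold are all constructed for the example.

```python
"""Review CDR rows for the unusual events the slides ask you to look for:
international calls outside business hours, and one extension placing an
unusually large number of international calls.

Added example; not from the presentation or from Elastix. Rows are
constructed in the Asterisk Master.csv column order (assumption)."""
import csv
import io
from collections import Counter
from datetime import datetime

CDR_FIELDS = ["accountcode", "src", "dst", "dcontext", "clid", "channel",
              "dstchannel", "lastapp", "lastdata", "start", "answer", "end",
              "duration", "billsec", "disposition", "amaflags", "uniqueid"]

# Constructed sample: 2012-03-02 is a Friday, 2012-03-03 a Saturday.
SAMPLE_CDR = '''\
"","201","0211234567","from-internal","Alice <201>","SIP/201-00000001","SIP/trunk-00000002","Dial","SIP/trunk/0211234567,300,Tt","2012-03-02 10:15:00","2012-03-02 10:15:05","2012-03-02 10:20:00","300","295","ANSWERED","3","1330683300.1"
"","201","0061398765432","from-internal","Alice <201>","SIP/201-00000003","SIP/trunk-00000004","Dial","SIP/trunk/0061398765432,300,Tt","2012-03-02 11:00:00","2012-03-02 11:00:04","2012-03-02 11:10:00","600","596","ANSWERED","3","1330686000.1"
"","202","0044207946000","from-internal","Bob <202>","SIP/202-00000005","SIP/trunk-00000006","Dial","SIP/trunk/0044207946000,300,Tt","2012-03-02 19:30:00","2012-03-02 19:30:03","2012-03-02 19:35:00","300","297","ANSWERED","3","1330716600.1"
"","987","0053212345678","from-internal","987 <987>","SIP/987-00000007","SIP/trunk-00000008","Dial","SIP/trunk/0053212345678,300,Tt","2012-03-03 02:01:00","2012-03-03 02:01:02","2012-03-03 02:31:00","1800","1798","ANSWERED","3","1330740060.1"
"","987","0053212345679","from-internal","987 <987>","SIP/987-00000009","SIP/trunk-00000010","Dial","SIP/trunk/0053212345679,300,Tt","2012-03-03 02:32:00","2012-03-03 02:32:02","2012-03-03 03:02:00","1800","1798","ANSWERED","3","1330741920.1"
"","987","0053212345680","from-internal","987 <987>","SIP/987-00000011","SIP/trunk-00000012","Dial","SIP/trunk/0053212345680,300,Tt","2012-03-03 03:03:00","2012-03-03 03:03:02","2012-03-03 03:33:00","1800","1798","ANSWERED","3","1330743780.1"
"","987","0053212345681","from-internal","987 <987>","SIP/987-00000013","SIP/trunk-00000014","Dial","SIP/trunk/0053212345681,300,Tt","2012-03-03 03:34:00","","2012-03-03 03:34:30","30","0","NO ANSWER","3","1330745640.1"
'''

INTL_PREFIXES = ("00", "011")   # assumption: dial-out prefixes for international
BUSINESS_HOURS = (8, 18)        # assumption: 08:00-18:00, Monday to Friday


def parse_cdr(text):
    """Parse Master.csv-style rows into dicts keyed by CDR_FIELDS."""
    reader = csv.reader(io.StringIO(text))
    return [dict(zip(CDR_FIELDS, row)) for row in reader if row]


def is_international(dst):
    """True when the dialled number carries an international prefix."""
    return dst.startswith(INTL_PREFIXES)


def outside_business_hours(start):
    """True on weekends or before/after the configured hours."""
    ts = datetime.strptime(start, "%Y-%m-%d %H:%M:%S")
    open_hour, close_hour = BUSINESS_HOURS
    return ts.weekday() >= 5 or not (open_hour <= ts.hour < close_hour)


def review(text, max_intl_per_src=3):
    """Return the after-hours international calls and the extensions whose
    international call count exceeds max_intl_per_src."""
    after_hours = []
    intl_per_src = Counter()
    for rec in parse_cdr(text):
        if not is_international(rec["dst"]):
            continue
        intl_per_src[rec["src"]] += 1
        if outside_business_hours(rec["start"]):
            after_hours.append((rec["src"], rec["dst"], rec["start"],
                                rec["disposition"]))
    heavy = {src: n for src, n in intl_per_src.items() if n > max_intl_per_src}
    return {"after_hours": after_hours, "heavy_callers": heavy}


if __name__ == "__main__":
    result = review(SAMPLE_CDR)
    for src, dst, start, disp in result["after_hours"]:
        print("after-hours international call", src, "->", dst, "at", start, disp)
    for src, n in result["heavy_callers"].items():
        print("extension", src, "placed", n, "international calls")
```

In the sample, extension 987 (the one harvested and brute-forced in the attack walk-through) shows up twice: every one of its calls is on a Saturday night, and it exceeds the per-extension count, which is exactly the weekend pattern the "Highly organised & Smart" slide describes. Extension 202's single 19:30 call is also listed, because an after-hours international call is worth a look even when it turns out to be legitimate.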

Monitoring - Log review

- Regularly review the logs.
- Review the logs when any unusual event occurs (e.g. calls with nobody there, individual extensions ringing, extensions going offline).
- Look at the following logs: /var/log/messages, /var/log/secure, /var/log/full
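The trace a dictionary attack leaves in the Asterisk full log is a run of failed registrations from one source address, which is also what Fail2ban keys on. As an added example (not code from the presentation, Elastix or Fail2ban), the following Python groups those failures per source address and reports any address that produced a burst. The sample lines are constructed to follow the Asterisk 1.8 chan_sip NOTICE format; the burst threshold, the time window and the year supplied for the timestamps are assumptions to tune for your site.

```python
"""Report source addresses with a burst of failed SIP registrations in
Asterisk 'full' log lines, so a dictionary attack stands out in a review.

Added example; not from the presentation or from Elastix. Sample lines
are constructed in the Asterisk 1.8 chan_sip NOTICE format."""
import re
from collections import defaultdict
from datetime import datetime

FAILED_REG = re.compile(
    r"^\[(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d)\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '(?P<from>[^']*)' failed for "
    r"'(?P<ip>[\d.]+)(?::\d+)?' - (?P<reason>.+)$"
)

# Constructed sample: one address hammering extension 987 at 1am, and one
# single failure from the LAN that is probably a mistyped secret.
SAMPLE_LOG = """\
[Mar  5 01:12:07] NOTICE[2641] chan_sip.c: Registration from '"987" <sip:987@192.0.2.10>' failed for '203.0.113.45:5060' - Wrong password
[Mar  5 01:12:07] NOTICE[2641] chan_sip.c: Registration from '"987" <sip:987@192.0.2.10>' failed for '203.0.113.45:5060' - Wrong password
[Mar  5 01:12:08] NOTICE[2641] chan_sip.c: Registration from '"987" <sip:987@192.0.2.10>' failed for '203.0.113.45:5060' - Wrong password
[Mar  5 01:12:08] VERBOSE[2641] chan_sip.c: Really destroying SIP dialog '1a2b3c@203.0.113.45'
[Mar  5 01:12:09] NOTICE[2641] chan_sip.c: Registration from '"988" <sip:988@192.0.2.10>' failed for '203.0.113.45:5060' - No matching peer found
[Mar  5 01:12:09] NOTICE[2641] chan_sip.c: Registration from '"987" <sip:987@192.0.2.10>' failed for '203.0.113.45:5060' - Wrong password
[Mar  5 09:30:41] NOTICE[2641] chan_sip.c: Registration from '"201" <sip:201@192.0.2.10>' failed for '192.168.10.23:5060' - Wrong password
"""


def parse_failures(lines, year=2012):
    """Yield (timestamp, source_ip, from_uri, reason) per failed registration."""
    for line in lines:
        m = FAILED_REG.match(line.rstrip())
        if not m:
            continue
        # The full log carries no year; supply one so timestamps compare.
        stamp = " ".join(m.group("ts").split())
        ts = datetime.strptime("%d %s" % (year, stamp), "%Y %b %d %H:%M:%S")
        yield ts, m.group("ip"), m.group("from"), m.group("reason")


def find_bursts(lines, threshold=4, window_seconds=60):
    """Return {ip: total_failures} for every address that produced at least
    `threshold` failures inside any window of `window_seconds`."""
    per_ip = defaultdict(list)
    for ts, ip, _from, _reason in parse_failures(lines):
        per_ip[ip].append(ts)
    bursts = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            # Slide the window forward until it spans at most window_seconds.
            while (stamps[end] - stamps[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                bursts[ip] = len(stamps)
                break
    return bursts


if __name__ == "__main__":
    for ip, n in find_bursts(SAMPLE_LOG.splitlines()).items():
        print("%s: %d failed registrations in a burst" % (ip, n))
```

Feeding it the live log (`find_bursts(open("/var/log/asterisk/full"))`, assuming the default Asterisk log location) reports 203.0.113.45 from the sample and ignores the single LAN failure, which is the distinction a reviewer wants: the threshold separates a user's typo from an automated run. A Fail2ban jail on the same NOTICE line is the automated version of this check, which is why the final slides list it as one of the three minimum layers.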

Monitoring - Humbug

- Humbug is now part of the add-ons for Elastix 2.2+.
- Low cost (starting from $4.99 per month) to monitor key call indicators.
- Blacklist alerts, long distance alerts, via email, SMS, etc.

Monitoring - Router/Firewall Log Review

- In any organisation, log reviews should be a standard part of operation.
- Review for scans on the firewall on port 5060.
- Review for scans on SSH port 22.
- If unsuccessful attacks are happening, use that as a guide to increase checks on the Elastix logs.

Monitoring - Via Network Management

- Simple visual tools: Cacti, Munin, Wireshark, custom scripts
- Open source: Nagios, Opsview, OpenNMS, Zenoss
- Other products: HP OpenView, OpManager, LogicMonitor, almost any NMS supporting SNMP

Monitoring - Who pays for it?

- Sell maintenance contracts to your clients
  - Typically charge 1 or 2 hours per month
  - Review the logs and other housekeeping
- Sell monitoring contracts to your clients
  - Monitor for unusual activity
  - Monitor for high bandwidth usage
  - Monitor for trunk over-subscription
  - Monitor connectivity / phones online
  - Provide monthly graphs
- Sell security reviews (even for non-clients)
  - Perform log check
  - Review firewall/router setup
  - Attempt external penetration test
  - Recommend improvements to security

Security - Common Mistakes

- No time is quoted for a security review after implementation, or the IT person is so excited after getting things working that security is not considered important.
- Thinking "it won't happen to me" syndrome.
- Installing other software on the Elastix system.
- Having multiple implementation vendors: one for Elastix, one for the firewall/router, another implementing the SIP trunk. No one takes responsibility.

How can I implement some of these suggestions?

- Review this presentation again in your own time.
- Think holistically about your security; don't concentrate on just one area or tool.
- Always think of three layers of security as a minimum, e.g.:
  - Router/Firewall (maybe not under your control)
  - Elastix Firewall (under your control)
  - Fail2ban (under your control)
  - Complex passwords on extensions (under your control)

Elastix Security - More info

- Security Forum at www.Elastix.org
- Blogs & Papers at www.Elastix.org
- Application Notes from www.Elastixconnection.com for:
  - Fail2ban
  - Humbug
  - Elastix Firewall
  - Enabling SNMP
  - Nagios/Opsview implementation
- Application Note releases and updates are posted on Twitter @ElastixBob

Any Questions?
