Installing

Login

Update

Configuring

How To

User Features

Security Issues

Documentation bullet Security Issues regarding FreeSentral

This article gives you insight to some VoIP problems for an IP PBX such as theft of services, denial of services and eavesdropping and presents specific security problems that may happen in FreeSentral.

1.  IP PBX

Problems such as those mentioned above have a great probability to occur in every IP PBX. These problems are severe security issues and their consequences affect the functionality of the IP PBX.

A network attack that keep users or devices from accessing the network is a denial of service(DoS). Such attacks are inevitable and are almost impossible to avoid because of their changing nature.

Eavesdropping is a form of hacking for obtaining names, passwords and telephone numbers. This leads to gaining control over the voice mail, call plans and other features. The theft of services is a direct consequence of eavesdropping.

Service theft is another serious security issue that implies hacking the system and using IP PBX services by unauthorized users and/or stealing its' services.

The issues above are just few of the IP PBX security problems. You can avoid some of them by increasing the network security level. The first step is to verify the extension and/or the IP. If those are recognized by the IP PBX as belonging to the network, then the call is authorized. But if you need, for some reason, to allow anonymous calls, FreeSentral will check if the caller ID or IP is recognized by the server (known extension, group or DID). This is a useful technique when wanting to prevent DoS or service theft.

To see the protections added in Freesentral for this issues and how you can protect your network continue reading the below points.

2.  User Access

Web access for users is secured by using https. The number of failed logins is unlimited so they can try to login until they succeed. You can see the failed attempts in the Logs section.

3.  Passwords

Here are some facts about passwords in FreeSentral:

  1. Admin's password is very important when wanting to properly secure the system. If the admin's account is broken into, then the hacker can easily create new accounts and/or use Impersonate for existing accounts. The first thing you should do it's to change the admin password.
  2. When exporting extensions the passwords are exported unencrypted. It is very important that the files containing these informations not to fall in the hackers' hands. This could break in a major security problem.

4.  International calls protection

In case an user account was breached, the majority of the theft of service attacks result in a high number of international/expensive calls being made from that account. Freesentral includes protection for this attacks. In case specified limits for international calls are passed international calls are disabled and all international calls are rejected until administrator enables them again. Read more about this here.

5.  Gateways

Another possible attack uses the IP PBX's gateways. Malicious hackers can take control of the gateways and use them to make free phone calls. This situation can occur if “Trusted” is enabled for the VoIP provider.

For better security, support for TLS connections between Freesentral and SIP gateways was added. To use it, set Transport to TLS when defining a gateway.

6.  Denial of service attacks

To cope with DOS attacks a global script: banbrutes.php was added that drops traffic from ip address that send to many requests. In order to use it you need to run yate as root and have iptables installed on the server.

7.  Visibility into “what's going on”

Supporting modules such as “RManager” and the “Logs” section gives the admin adequate visibility into how FreeSentral works. By using telnet and appropriate debugging commands you can notice what calls are handled, the caller ID and/or phone number and other useful information. You can see a part of a SIP message when using debugging as shown in the next frame:

 
 ------ 
 <sip:INFO> Received 525 bytes SIP message from 10.0.0.1:5060 
 ------ 
 SIP/2.0 401 Unauthorized 
 Via: SIP/2.0/UDP 10.0.0.17:5060;rport=5060;branch=z9hG4bK1128016479;received=10.0.0.17 
 From: <sip:091@elder.null.ro>;tag=816519612 
 To: <sip:091@elder.null.ro> 
 Call-ID: 529868862@elder.null.ro 
 CSeq: 1567 REGISTER 
 WWW-Authenticate: Digest realm="Yate", nonce="578c75c4dac3859a4ce169a9e585aa0e.1266844943", 
                   stale=FALSE, algorithm=MD5 
 Server: YATE/2.1.0 
 Allow: ACK, INVITE, BYE, CANCEL, REGISTER, REFER, OPTIONS, PRACK, INFO, SUBSCRIBE, MESSAGE, 
        NOTIFY, PUBLISH 
 Content-Length: 0 

The “Logs” section lists the users' names, their actions and also the changes made by admins and users. See the screen shot in “User access”.

8.  OS Distribution

A common mistake when analyzing existing security problems is to overlook problems created by the OS distribution. If the operating system is vulnerable then the IP PBX is vulnerable. A weak OS security system will surely be easy to pass when a laborious hacker has just that in plan.

Security Package

The security package of the OS distribution can be improperly configured. For instance, msec is Mandriva 2010's security package for controlling and managing the system security. If, by mistake, you set the level as “none”, msec will not protect your server and the system will be vulnerable to attacks. Same thing can happen if you improperly define your own custom security level. Msec has a graphical user interface(msecgui) or one can use the command line “msec -f” to configure security levels:

using msecgui command:

As you can see, msec detects the security level. Setting the level is directly connecting to enabling/disabling msec.

In the capture below notice the MSEC tool is disabled.

using msec -f command:

9.  Keep in mind

The network architecture, the security protocols used, the users interaction and the OS distribution have a huge impact on the way FreeSentral works. You may as well give free access to everybody if just one of these is ignored, inaccurate analyzed or improperly configured.

Documentation