This article gives you insight into some VoIP problems for an IP PBX, such as theft of services, denial of service and eavesdropping, and presents specific security problems that may occur in FreeSentral.
Problems such as those mentioned above are likely to occur in every IP PBX. They are severe security issues, and their consequences affect the functionality of the IP PBX.
A network attack that keeps users or devices from accessing the network is a denial of service (DoS). Such attacks are inevitable and are almost impossible to avoid because of their changing nature.
Eavesdropping is a form of hacking for obtaining names, passwords and telephone numbers. This leads to gaining control over the voice mail, call plans and other features. The theft of services is a direct consequence of eavesdropping.
Service theft is another serious security issue, in which unauthorized users hack the system and use the IP PBX's services and/or steal them.
The issues above are just a few of the IP PBX security problems. You can avoid some of them by increasing the network security level. The first step is to verify the extension and/or the IP. If those are recognized by the IP PBX as belonging to the network, then the call is authorized. But if you need, for some reason, to allow anonymous calls, FreeSentral will check whether the caller ID or IP is recognized by the server (known extension, group or DID). This is a useful technique for preventing DoS or service theft.
To see the protections added in FreeSentral for these issues and how you can protect your network, continue reading the points below.
Web access for users is secured by using HTTPS. The number of failed logins is unlimited, so users can try to log in until they succeed. You can see the failed attempts in the Logs section.
Here are some facts about passwords in FreeSentral:
If a user account is breached, most theft-of-service attacks result in a high number of international/expensive calls being made from that account. FreeSentral includes protection against these attacks: if the specified limits for international calls are exceeded, international calls are disabled and all international calls are rejected until the administrator enables them again. Read more about this here.
Another possible attack uses the IP PBX's gateways. Malicious hackers can take control of the gateways and use them to make free phone calls. This situation can occur if “Trusted” is enabled for the VoIP provider.
For better security, support for TLS connections between FreeSentral and SIP gateways was added. To use it, set Transport to TLS when defining a gateway.
To cope with DoS attacks, a global script, banbrutes.php, was added that drops traffic from IP addresses that send too many requests. To use it, you need to run Yate as root and have iptables installed on the server.
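The kind of per-source rate check described above, as an added Python example; it is not the code of banbrutes.php. The window, the request limit, the class and function names and the sample traffic are assumptions made for illustration, and the iptables rule is only built, not executed.

```python
import ipaddress
from collections import defaultdict, deque

class BruteBanner:
    """Counts requests per source IP in a sliding window; bans sources over the limit."""

    def __init__(self, window=10.0, limit=20):   # assumed thresholds, not FreeSentral's
        self.window = window
        self.limit = limit
        self.seen = defaultdict(deque)           # ip -> timestamps still inside the window
        self.banned = set()

    def observe(self, ip, ts):
        """Record one request; return an iptables argv list when ip is first banned."""
        # Validate before the value can reach a firewall command line.
        ip = str(ipaddress.IPv4Address(ip))      # raises ValueError on anything else
        if ip in self.banned:
            return None                          # already dropped at the firewall
        q = self.seen[ip]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()                          # forget requests older than the window
        if len(q) > self.limit:
            self.banned.add(ip)
            del self.seen[ip]
            return ["iptables", "-I", "INPUT", "-s", ip, "-j", "DROP"]
        return None

def replay(events, **kw):
    """Feed (timestamp, ip) pairs through a BruteBanner and collect the rules it emits."""
    banner = BruteBanner(**kw)
    rules = [r for ts, ip in events if (r := banner.observe(ip, ts))]
    return banner, rules

# Constructed sample traffic: one source sending 10 requests/s, one normal phone.
SAMPLE = [(i * 0.1, "192.0.2.50") for i in range(30)] + \
         [(i * 5.0, "10.0.0.17") for i in range(6)]

if __name__ == "__main__":
    banner, rules = replay(sorted(SAMPLE))
    for rule in rules:
        print(" ".join(rule))                    # printed for review, not executed
```

Passing the rule as an argument list and validating the address first keeps a malformed source field from turning into extra shell input when the rule is eventually run as root.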
Supporting modules such as “RManager” and the “Logs” section give the admin adequate visibility into how FreeSentral works. By using telnet and appropriate debugging commands you can see what calls are handled, the caller ID and/or phone number and other useful information. You can see a part of a SIP message when using debugging, as shown in the next frame:
------ <sip:INFO> Received 525 bytes SIP message from 10.0.0.1:5060 ------
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP 10.0.0.17:5060;rport=5060;branch=z9hG4bK1128016479;received=10.0.0.17
From: <sip:email@example.com>;tag=816519612
To: <sip:firstname.lastname@example.org>
Call-ID: email@example.com
CSeq: 1567 REGISTER
WWW-Authenticate: Digest realm="Yate", nonce="578c75c4dac3859a4ce169a9e585aa0e.1266844943", stale=FALSE, algorithm=MD5
Server: YATE/2.1.0
Allow: ACK, INVITE, BYE, CANCEL, REGISTER, REFER, OPTIONS, PRACK, INFO, SUBSCRIBE, MESSAGE, NOTIFY, PUBLISH
Content-Length: 0
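An added example, not part of the original article or of FreeSentral: a small Python audit that reads a SIP message like the one in the frame above and reports three details an administrator reviewing debug output would note: the signalling transport, the digest algorithm and the server version banner. The function names are hypothetical and the sample message is constructed from the headers shown in the frame.

```python
import re

# Constructed sample, modelled on the debug frame above (addressing headers omitted).
SAMPLE = """\
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP 10.0.0.17:5060;rport=5060;branch=z9hG4bK1128016479;received=10.0.0.17
CSeq: 1567 REGISTER
WWW-Authenticate: Digest realm="Yate", nonce="578c75c4dac3859a4ce169a9e585aa0e.1266844943", stale=FALSE, algorithm=MD5
Server: YATE/2.1.0
Content-Length: 0
"""

def parse_headers(message):
    """Split a SIP message into (start_line, {lowercased header name: [values]})."""
    lines = message.replace("\r\n", "\n").split("\n")
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break                                # blank line ends the header section
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0].strip(), headers

def digest_params(value):
    """Parse 'Digest k="v", k2=v2' into a dict; return {} for any other scheme."""
    scheme, _, rest = value.partition(" ")
    if scheme.lower() != "digest":
        return {}
    pairs = re.findall(r'(\w+)\s*=\s*(?:"([^"]*)"|([^,\s]+))', rest)
    return {k.lower(): quoted or bare for k, quoted, bare in pairs}

def audit(message):
    """Return security-relevant observations about one SIP message, in header order."""
    _, headers = parse_headers(message)
    findings = []
    for via in headers.get("via", []):
        parts = via.split()
        transport = parts[0].rsplit("/", 1)[-1].upper() if parts else ""
        if transport and transport != "TLS":
            findings.append(f"signalling over {transport}, not TLS")
    for challenge in headers.get("www-authenticate", []):
        params = digest_params(challenge)
        # A Digest challenge without an algorithm parameter defaults to MD5.
        if params and params.get("algorithm", "MD5").upper() == "MD5":
            findings.append("digest challenge uses MD5")
    for server in headers.get("server", []):
        if re.search(r"/\d", server):
            findings.append(f"server banner discloses version: {server}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```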
The “Logs” section lists the users' names, their actions and also the changes made by admins and users. See the screen shot in “User access”.
A common mistake when analyzing existing security problems is to overlook problems created by the OS distribution. If the operating system is vulnerable, then the IP PBX is vulnerable. A weak OS security setup will surely be easy to get past for a determined hacker who plans to do just that.
The security package of the OS distribution can be improperly configured. For instance, msec is Mandriva 2010's security package for controlling and managing the system security. If, by mistake, you set the level to “none”, msec will not protect your server and the system will be vulnerable to attacks. The same thing can happen if you improperly define your own custom security level. Msec has a graphical user interface (msecgui), or you can use the command line “msec -f” to configure security levels:
Using the msecgui command:
As you can see, msec detects the security level. Setting the level is directly connected to enabling/disabling msec.
In the capture below, notice that the MSEC tool is disabled.
Using the msec -f command:
The network architecture, the security protocols used, the users' interaction and the OS distribution have a huge impact on the way FreeSentral works. You may as well give free access to everybody if just one of these is ignored, inaccurately analyzed or improperly configured.