VoIP Study and Implementation: Security
Version 1.0 – Author: Marc PYBOURDIN / Julien BERTON
Last updated: 19/02/2012


Course objectives

By completing this course, you will learn to:

• Identify threats to your Asterisk installation
• Mitigate the risk of attacks

Security overview


ASTERISK SECURITY THREATS

Asterisk Installation and Configuration – Part 1


What are Asterisk security threats?

• Phreaking
• Vishing
• Call tampering/DoS
• Spamming over Internet Telephony (SPIT)
• Eavesdropping
• Man-in-the-middle


Phreaking

• An attacker steals service from a service provider, or uses a service while passing the cost on to another person
• Mitigation options
  – Strong user password policy
  – Automatic bans when there are too many authentication failures
    • Fail2Ban


Vishing

• Another word for VoIP phishing
  – Involves a party calling you, posing as a trustworthy organization and requesting confidential and often critical information.
• Mitigation options
  – Training of employees
  – Discarding of anonymous calls (too restrictive)


Call tampering/DoS

• Attacks whose main objective is to prevent legitimate users from placing or maintaining calls.
• Mitigation options
  – Firewalling
  – Fail2Ban


Fail2Ban

• A protection framework written in Python
  – Blocks brute-force and DoS attacks on several services
    • SSH, Postfix, Dovecot, Asterisk, …
  – Automatically reads log files and can take action when suspicious activity occurs
    • IP blocking (using iptables), sending mail (Whois report, complaint messages)
  – Configuration files are located in the /etc/fail2ban directory
    • /etc/fail2ban/filter.d
      – Definitions of log filters
    • /etc/fail2ban/action.d
      – Actions to be performed
    • /etc/fail2ban/jail.conf
      – Link between filters and actions


Fail2Ban installation

• There are two ways to install Fail2Ban
  – From sources
    • Create the source directory and go into it
      – mkdir /usr/src/fail2ban && cd /usr/src/fail2ban
    • Download the package and extract it
      – wget -O fail2ban.tar https://github.com/fail2ban/fail2ban/tarball/sdist/0.8.5 && tar -xvf fail2ban.tar
    • Go into the source directory and install
      – cd fail2ban-fail2ban-4f733aa && python setup.py install


Fail2Ban installation

• There are two ways to install Fail2Ban
  – From packages
    • Debian
      – apt-get install fail2ban
    • Fedora
      – yum install fail2ban
• Before installing Fail2Ban, always make sure that iptables is installed on your system
• You can start Fail2Ban with the command
  – /etc/init.d/fail2ban start


Fail2Ban configuration

• Once Fail2Ban is installed, we have to create two elements
  – The filter element in /etc/fail2ban/asterisk.conf
    • The content of the file is available in the slide comments
  – The action defined in /etc/fail2ban/jail.conf

    [asterisk-iptables]
    enabled = true
    filter = asterisk
    action = iptables-allports[name=ASTERISK, protocol=all]
             sendmail-whois[name=ASTERISK, dest=root, [email protected]]
    logpath = /var/log/asterisk/messages
    maxretry = 20
    # Ban for 10 days
    bantime = 864200
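
Added example, not from the slides and not the filter from the slide comments: what the [asterisk-iptables] jail does with /var/log/asterisk/messages, written in Python. Fail2Ban resolves `filter = asterisk` to filter.d/asterisk.conf; here the log lines are constructed, the pattern `FAIL_RE` is a simplified stand-in for that filter, and the 600-second `FINDTIME` window is an assumption because the jail does not set it.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

MAXRETRY = 20   # maxretry from the [asterisk-iptables] jail
FINDTIME = 600  # assumption: counting window in seconds, not set in the jail

# Simplified pattern for chan_sip registration failures (assumption, not the
# filter from the slide comments). The optional ":port" suffix covers
# Asterisk versions that log the source port after the address.
FAIL_RE = re.compile(
    r"^\[(?P<ts>[\d-]+ [\d:]+)\] NOTICE\[\d+\] chan_sip\.c: Registration from "
    r"'.*' failed for '(?P<host>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?' - "
    r"(?:Wrong password|No matching peer found)$"
)

def hosts_to_ban(lines, maxretry=MAXRETRY, findtime=FINDTIME):
    """Return hosts reaching `maxretry` failures within `findtime` seconds."""
    recent = defaultdict(deque)  # host -> timestamps of failures in the window
    banned = []
    for line in lines:
        m = FAIL_RE.match(line.strip())
        if not m:
            continue  # successful registrations and other messages are ignored
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        window = recent[m["host"]]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry and m["host"] not in banned:
            banned.append(m["host"])
    return banned

def sample_log():
    """Constructed log: one host guessing every 5 s, one user mistyping twice."""
    fmt = ("[2012-02-19 10:{:02d}:{:02d}] NOTICE[2211] chan_sip.c: Registration "
           "from '\"{}\" <sip:{}@192.0.2.10>' failed for '{}' - Wrong password")
    lines = [fmt.format(i * 5 // 60, i * 5 % 60, 100 + i, 100 + i,
                        "203.0.113.7:5060") for i in range(25)]
    lines += [fmt.format(5, s, 101, 101, "198.51.100.23:5060") for s in (0, 10)]
    lines.append("[2012-02-19 10:05:20] NOTICE[2211] chan_sip.c: "
                 "Peer '101' is now Reachable. (12ms / 2000ms)")
    return lines

if __name__ == "__main__":
    print(hosts_to_ban(sample_log()))
```

With maxretry = 20 the user who mistypes twice is never banned, while the host that keeps guessing is banned on its 20th failure; lowering maxretry shortens the guessing budget at the cost of banning legitimate users sooner.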


Spamming over Internet Telephony (SPIT)

– Spam over VoIP
– Can take the form of commercial or strange calls
– Mitigation options
  • Employee training
  • Discarding anonymous calls (too restrictive)


Eavesdropping/Man-in-the-middle

– Listening to calls by sniffing VoIP packets / modifying call content
– Mitigation options
  • Encryption of call signaling and voice payload with Asterisk


Calls encryption

• Encryption and hashing are supported by Asterisk
  – Call signaling (SIP)
  – Call payload (SRTP)
• This requires several steps, including:
  – Compilation of Asterisk with libsrtp
  – Server/client certificate generation
  – Configuration for SIP & SRTP


Asterisk compilation with libsrtp

• You need to recompile Asterisk with the libsrtp library.
  – Download the file and uncompress it
    • cd /usr/src/ && wget http://srtp.sourceforge.net/srtp-1.4.2.tgz && tar -xvzf srtp-1.4.2.tgz
  – Compile and install it
    • cd srtp && ./configure CFLAGS=-fPIC --prefix=/usr && make && make install


Asterisk compilation with libsrtp

• You need to recompile Asterisk with the libsrtp library.
  – Recompile Asterisk and install it
    • cd /usr/src/asterisk/asterisk-10.2.1 && make clean && ./configure && make && make install


Server/Client certificate generation

• Create the Asterisk keys directory
  – mkdir /etc/asterisk/keys
• Generate the server certificates using the script in the /usr/src/asterisk/asterisk-10.2.1/contrib/scripts directory
  – ./ast_tls_cert -C pbx.supinfo.com -O "SUPINFO VoIP Services" -d /etc/asterisk/keys


Server/Client certificate generation

• Generate the client certificate using the script in the /usr/src/asterisk/contrib/scripts directory
  – ./ast_tls_cert -m client -c /etc/asterisk/keys/ca.crt -k /etc/asterisk/keys/ca.key -C phone1.pbx.supinfo.com -O "SUPINFO VoIP Services" -d /etc/asterisk/keys -o phone1


Configuration for SIP encryption

• In the /etc/asterisk/sip.conf file, add the following under the [general] context:

    tlsenable=yes
    tlsbindaddr=0.0.0.0
    tlscertfile=/etc/asterisk/keys/asterisk.pem
    tlscafile=/etc/asterisk/keys/ca.crt
    tlscipher=ALL
    tlsclientmethod=tlsv1


Configuration for SRTP encryption

• In the /etc/asterisk/users.conf file, add the following:
  – Inside an already configured user:

    [user]
    encryption=yes
    transport=tls
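
Added example, not from the slides: a Python check over the sip.conf and users.conf settings from the two configuration slides above. It flags `tlscipher=ALL` and `tlsclientmethod=tlsv1` (TLS 1.0 is deprecated by RFC 8996) and any user whose SRTP is enabled without TLS-only signalling, since chan_sip exchanges the SRTP keys inside the SIP messages. The `phone2` and `phone3` users are constructed, and the certificate paths are left out of the sample.

```python
def parse_sections(text):
    """Parse Asterisk-style config text into {section: {key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment
        if line.startswith("[") and "]" in line:
            current = sections.setdefault(line[1:line.index("]")], {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.strip().lower()
    return sections

def audit(sip_conf, users_conf):
    """Return (location, problem) pairs for settings that weaken call encryption."""
    findings, where = [], "sip.conf [general]"
    general = parse_sections(sip_conf).get("general", {})
    if general.get("tlsenable") != "yes":
        findings.append((where, "TLS disabled: SIP signalling is sent in clear"))
    if general.get("tlscipher") == "all":
        findings.append((where, "tlscipher=ALL also offers weak cipher suites"))
    if general.get("tlsclientmethod") in ("sslv2", "sslv3", "tlsv1"):
        findings.append((where, "tlsclientmethod selects a deprecated protocol"))
    for name, opts in parse_sections(users_conf).items():
        if name == "general":
            continue
        where = f"users.conf [{name}]"
        # chan_sip falls back to UDP when no transport is given.
        transports = {t.strip() for t in opts.get("transport", "udp").split(",")}
        if opts.get("encryption") != "yes":
            findings.append((where, "no SRTP: voice payload is sent in clear"))
        elif transports != {"tls"}:
            # SRTP keys travel in the SDP body of the SIP messages themselves.
            findings.append((where, "SRTP keys exposed: signalling not TLS-only"))
    return findings

# TLS settings as given on the page (certificate paths omitted).
PAGE_SIP_CONF = "[general]\ntlsenable=yes\ntlscipher=ALL\ntlsclientmethod=tlsv1\n"
SAMPLE_USERS_CONF = (
    "[phone1]\nencryption=yes\ntransport=tls\n"  # as on the page
    "[phone2]\nencryption=yes\n"                 # constructed: SRTP, no TLS
    "[phone3]\ntransport=tls\n"                  # constructed: TLS, plain RTP
)

if __name__ == "__main__":
    for where, problem in audit(PAGE_SIP_CONF, SAMPLE_USERS_CONF):
        print(where, "->", problem)
```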


Advanced networking

• When Asterisk is behind NAT (Network Address Translation), you need to configure port forwarding to your local Asterisk server:
  – For SIP
    • UDP 5060 by default
    • Can be changed in the configuration (/etc/asterisk/sip.conf)
      – port parameter under the [general] context
  – For RTP
    • 10000-20000 by default
    • Can be changed in the configuration (/etc/asterisk/rtp.conf)
      – rtpstart & rtpend parameters under the [general] context


Any questions?
