[OpenSIPS-Users] Default install got hacked
Bogdan-Andrei Iancu
bogdan at opensips.org
Fri Jan 21 08:07:26 UTC 2022
Hi Vincent,
Welcome with the first post.
Just a wild guess about your issue - the detection of what SIP domains
are to be locally handled. For example, in your pastebin, like 249 you
have the block for doing user authentication and authorization. And the
logic there is : if the caller belongs to a local SIP domain, do auth -
fine; but if the caller is not local, the call is allowed if the callee
SIP domain is local. So if some foo caller is calling
sip:DID at your_sip_domain, your configuration will allow the call to go
further in the script (as it is targeting a local domain of yours).
And later, like 354 you do diversion to PSTN, but without checking who
the caller is (a local or foreign domain, which was auth'ed or not). Do
you see the issue?
Fixes are:
a) on the 267 `else` branch (if the caller is not local), do all the
time the 403 reply, disregarding what the called number is. So you will
accept only calls from your users.
or
b) when doing the PSTN diversion at 354 line, check if the caller is a
local user, to be sure PSTN calls are available only for your own users.
Add `is_from_local()` to the condition there.
Best regards,
Bogdan-Andrei Iancu
OpenSIPS Founder and Developer
https://www.opensips-solutions.com
OpenSIPS eBootcamp
https://www.opensips.org/Training/Bootcamp
On 1/18/22 3:23 PM, Vincent Swart wrote:
> First post!
>
> So yesterday I installed the latest from Debian 10 repo and the latest
> cp web app using a method similar to powerpbxdotorg howto.
> I had 5060 open in my firewall, two user phones configured with strong
> passwords, and a gateway with IP auth for termination.
> Within 10 minutes calls were being placed via unauthenticated invites
> I think.
>
> I used the residential config script with a minor beginner destination
> number pattern match difference:
> https://pastebin.com/GPrMcWYK <https://pastebin.com/GPrMcWYK>
>
> if ($rU=~"^[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]+$") {
> #if (dp_translate(10,"$rU/$rU") ) {
> #strip(1);
>
> The opensips log has a lot of this in it all the time:
> Jan 17 15:56:04 dsip1 /usr/sbin/opensips[24971]:
> CRITICAL:db_mysql:wrapper_single_mysql_stmt_execute: driver error
> (1048): Column 'to_tag' cannot be null
> Jan 17 15:56:04 dsip1 /usr/sbin/opensips[24971]:
> ERROR:acc:acc_db_request: failed to insert into acc table
>
> The illicit calls start in the log like this:
> https://pastebin.com/mCNXqK7T <https://pastebin.com/mCNXqK7T>
> I can post the full log but it will take some time to sanitize.
>
> Sip call ID links in CDR viewer show this: "Sorry , sip trace for this
> call is unavailable."
> There are also only 0 durations on all legs however they incurred
> duration and billing on termination.
> I'm fairly certain the calls were not placed via the user phone
> accounts because of strong passwords.
> My next steps are to disable the gateway and packet capture on the
> interface to investigate illicit invites.
>
> Where do I even start investigating how unauthenticated invites were
> placed and prevent it in the opensips config?
> Any suggestions would be greatly appreciated.
>
>
> _______________________________________________
> Users mailing list
> Users at lists.opensips.org
> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opensips.org/pipermail/users/attachments/20220121/cc1aa157/attachment.html>
More information about the Users
mailing list