VerifyPeers
From Etel
Title
Verify Peers
Problem
With threats in the VoIP industry escalating, news reports have shown that attackers have attempted, and will continue to attempt, to brute-force their way into PBX accounts. Once an account is compromised, the attacker typically routes calls through the victim's PBX at the expense of its owner (toll fraud).
Solution
VerifyPeers is the framework for a simple IDS for Asterisk: it checks that every peer an Asterisk PBX currently lists is actually defined in sip.conf, and any anomalies found are reported to the administrator by e-mail.
#!/bin/sh
# VerifyPeers.sh
# J. Oquendo
# echo @infiltrated|sed 's/^/sil/g;s/$/.net/g'
# Verifies that valid peers are registered on your Asterisk PBX.
# The concept is to create an IDS of sorts based on the peers
# Asterisk currently lists: the script takes each peer name from
# "sip show peers", looks it up in sip.conf, and reports every
# name that is not configured there. If there is an anomaly, the
# script sends an e-mail with the offending information to the
# account specified (first argument, or prompted for).
# Make safe/secure temporary files, removed again on exit
LPEERS=`mktemp /tmp/lpeers.XXXXXX` || exit 1
INVLDS=`mktemp /tmp/invlds.XXXXXX` || exit 1
MADMIN=`mktemp /tmp/madmin.XXXXXX` || exit 1
trap 'rm -f "$LPEERS" "$INVLDS" "$MADMIN"' EXIT
# Date the report was generated
TODAY=`date '+%Y-%m-%d'`
# Get a list of peers on the server. The first column is printed as
# name/username, so the name is the part before "/". Dropping lines
# that contain letters removes the header and summary lines, which
# means only peers with purely numeric names (extensions) and a
# username= setting are checked.
asterisk -rx "sip show peers" |\
awk -F "/" '{print $1}' | grep -vi '[a-z]' |\
sort -u > "$LPEERS"
# Check these peers against what is listed in sip.conf: a peer is
# valid when sip.conf has a [section] or a username= line for it;
# all others go to the invalid peers file (INVLDS), which will be
# reported to the admin later. The -x (whole-line) match stops
# peer 100 from being accepted just because username=1000 exists.
: > "$INVLDS"
for i in `cat "$LPEERS"`
do
    grep -q -x -e "\[$i]" \
        -e "[[:space:]]*username[[:space:]]*=[[:space:]]*$i" \
        /etc/asterisk/sip.conf || echo "$i" >> "$INVLDS"
done
# Nothing to send if every peer checked out
if [ ! -s "$INVLDS" ]
then
    printf "%s: all peers match sip.conf\n" "$TODAY"
    exit 0
fi
# Format the report that goes to the administrator
awk -v d="$TODAY" '{print $1" is an invalid user trying to register ("d")"}' "$INVLDS" > "$MADMIN"
# Send to administrator
sadmin=$1
if [ -z "$sadmin" ]
then
    echo "Enter administrator's e-mail address"
    read sadmin
fi
mail -s "Invalid peers" "$sadmin" < "$MADMIN"
printf "Invalid peers list sent to Administrator\n"
printf "Deleting temporary files\n"
printf "Done\n"
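The comparison the script performs, written as a set difference and run over constructed sample data so it can be exercised without an Asterisk server. This is an added example, not code from the original page or from J. Oquendo: the sample "sip show peers" listing, the sample sip.conf, every address in them and the function names (peer_names, configured_names, invalid_peers, report) are all made up here. It goes a little beyond the script above in that it also keeps peers whose names contain letters and peers shown without a username, and it accepts a [section] header in sip.conf as defining a peer.

```shell
#!/bin/sh
# Added example, not part of the original VerifyPeers script: the
# peer-versus-sip.conf comparison as a set difference, run over
# constructed sample data. Every name and address below is made up.

# Constructed sample of `asterisk -rx "sip show peers"` output. chan_sip
# prints "name/username" in the first column, or just "name" when the
# peer has no username= setting.
SAMPLE_PEERS='Name/username              Host            Dyn Nat ACL Port     Status
1000/1000                  192.168.1.20     D          5060     OK (12 ms)
1001/1001                  192.168.1.21     D          5060     OK (9 ms)
1002                       203.0.113.7      D          5060     OK (40 ms)
trunk-provider/trunkuser   198.51.100.5                5060     OK (33 ms)
4 sip peers [Monitored: 4 online, 0 offline Unmonitored: 0 online, 0 offline]'

# Constructed sample sip.conf. Peer 1002 is deliberately missing.
SAMPLE_SIPCONF='[general]
context=default
[1000]
type=friend
username=1000
secret=sample-secret-1
[1001]
type=friend
username = 1001
secret=sample-secret-2
[trunk-provider]
type=peer
username=trunkuser
host=198.51.100.5'

# peer_names FILE: peer names from a saved "sip show peers" listing,
# one per line, sorted. Data rows are recognised by an IP address (or
# the literal "(Unspecified)") in the Host column, which skips the
# header and the trailing summary line.
peer_names() {
    awk '$2 ~ /^[0-9.]+$/ || $2 == "(Unspecified)" { sub(/\/.*/, "", $1); print $1 }' "$1" |
        sort -u
}

# configured_names FILE: every [section] name in sip.conf except
# [general], plus every username= value, with surrounding blanks and
# trailing comments stripped.
configured_names() {
    awk '
        /^\[/ { n = $0; sub(/^\[/, "", n); sub(/\].*$/, "", n); if (n != "general") print n }
        /^[ \t]*username[ \t]*=/ {
            sub(/^[ \t]*username[ \t]*=[ \t]*/, ""); sub(/[ \t;].*$/, ""); print
        }
    ' "$1" | sort -u
}

# invalid_peers PEERS_FILE SIPCONF: peers Asterisk lists that sip.conf
# does not define. comm -23 prints lines present only in its first
# input; both inputs come from the same sort, so the collation matches.
invalid_peers() {
    p=$(mktemp) || return 1
    c=$(mktemp) || { rm -f "$p"; return 1; }
    peer_names "$1" > "$p"
    configured_names "$2" > "$c"
    comm -23 "$p" "$c"
    rm -f "$p" "$c"
}

# report PEERS_FILE SIPCONF: the one-line-per-peer message the original
# script mails to the administrator.
report() {
    invalid_peers "$1" "$2" |
        awk '{ print $1 " is an invalid user trying to register" }'
}

# Demo on the constructed samples. In production, save the live listing
# first: asterisk -rx "sip show peers" > peers.txt
demo_dir=$(mktemp -d)
printf '%s\n' "$SAMPLE_PEERS" > "$demo_dir/peers.txt"
printf '%s\n' "$SAMPLE_SIPCONF" > "$demo_dir/sip.conf"
report "$demo_dir/peers.txt" "$demo_dir/sip.conf"
rm -rf "$demo_dir"
```

The Host-column filter is what lets the example keep named peers (such as the trunk) while still dropping the header and summary rows; a peer that is defined but not registered shows "(Unspecified)" as its host and is still counted as a known peer, which is the intended behaviour since the check is about configuration, not reachability.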
Discussion
The idea is to let an administrator know that something looks strange on his or her machine; it is up to the administrator to follow through. One issue with automatically blocking an invalid user at the firewall is NAT and DHCP: for PBX administrators who have remote connections, tracking down every ISP's address ranges would be an enormous difficulty, not to mention a remote employee connecting from, say, an airport. A related limitation of this check is that "sip show peers" only lists peers Asterisk has already loaded from its configuration, so a REGISTER using a name that is not a defined peer never appears there; catching those attempts means reading the Asterisk log instead.
Other issues, such as logging, come into play. I have written a full-blown IDS based on the information sent from Asterisk. In order to use it, though, full logging has to be turned on, which can be problematic for those with limited disk space. VerifyPeers is a working framework, free to modify to your needs.
