Eventually I'll have to get around to setting up netflow so I can detect the scanners before it becomes a problem =) Just not a great deal of 'cohesiveness' with the current open source netflow implementations, and then all of the different Cisco gear has different caveats related to NF, so it's hard to use that as a good way to detect this sort of thing, although I'm guessing it can't be too hard to figure out which hosts are making a bunch of outbound connections to random IPs on 5060 =) -Drew -----Original Message----- From: David Birnbaum [mailto:davidb@pins.net] Sent: Friday, February 05, 2010 1:22 PM To: Brandon Ewing Cc: nanog@nanog.org Subject: Re: How common are wide open SIP gateways? I should have prefaced that with "older installations" as well. As far as we can see, most of the newer packages have fixed the known truck-sized holes in their default configurations, but given the lack of any formal framework for testing this stuff, even the "big" switches have been found to have security issues from time to time. I have to admit I was surprised at the number of people I've run into over the years who unpacked Asterisk, played with a few phones, and stuck themselves on the Internet without any clear understanding of how exposed they are. Cheers, David. ----- On Fri, 5 Feb 2010, Brandon Ewing wrote:
On Fri, Feb 05, 2010 at 12:45:13PM -0500, David Birnbaum wrote:
We have noticed a lot of issues with Asterisk 1.2 and some 1.4 rollouts. FreePBX had some truck-sized holes in it.
FreePBX 2.6.0 defaults to refusing anonymous SIP calls. If you enable inbound anonymous calls, it includes only the "from-trunk" context, making it behave like a standard incoming over over a configured trunk. If you've configured FreePBX to allow outgoing calls from the trunk context, you have larger problems in general.
-- Brandon Ewing (nicotine@warningg.com)