I was browsing through the Gossamer Threads mailing list on Cisco when I came across a post titled "Fraud calls to Cuba - Please read" by a member. The thread went on to explain how the attackers were using port scans to find open H.323 (TCP/1720) and SIP (UDP/5060) ports and then making calls out over the POTS lines. The thread showed that this is not a random happening but prevalent in the Cisco MCE router world, as these ports are open by default. None of the cases had ACLs in place, and once they were implemented the costly attacks stopped. So if you have routers attached to the PSTN via a PRI, or even a single FXO line, check your routers.
So if you have an Internet-facing router, check it for open ports. On Cisco routers you can use show ip sockets on older IOS releases and show control-plane host open-ports on newer ones.
On other routers use the appropriate commands to check for open ports and close them. If you need to keep them open, restrict who can reach them with ACLs.
How about your Asterisk server? It is also essentially a router, usually with a PSTN, SIP or trunk service gateway behind it. Attackers can easily get in and out through the server if the necessary precautions are not taken.
Think of an Asterisk server whose "outbound" context, the one that dials the SIP provider, is reachable from the inbound context.
Incoming calls that do not match any internal number can then be routed out to the SIP provider through the outbound context. That is an open gateway for attackers, and there goes the money you were trying to save with VoIP.
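To make that misconfiguration concrete, here is an added example (not code from the original post) that parses an Asterisk extensions.conf, follows include => chains, and reports inbound contexts from which the outbound context is reachable. The context names, the provider peer and the two sample dialplans (a weak one and a fixed one) are constructed assumptions.

```python
import re

# Constructed sample dialplans; context names and the provider peer are assumptions.
WEAK_CONF = """
[outbound]             ; dials out through the SIP provider
exten => _9X.,1,Dial(SIP/${EXTEN:1}@provider)
[internal]             ; office phones
include => outbound
[from-trunk]           ; calls arriving from the provider
include => internal    ; reaches outbound through internal: open gateway
exten => 1000,1,Dial(SIP/1000)
"""
FIXED_CONF = """
[outbound]
exten => _9X.,1,Dial(SIP/${EXTEN:1}@provider)
[internal]
include => outbound
[from-trunk]           ; only explicit DIDs, no include of internal contexts
exten => 1000,1,Dial(SIP/1000)
"""

def parse_includes(conf):
    """Return {context: [included contexts]} from extensions.conf text."""
    includes, current = {}, None
    for raw in conf.splitlines():
        line = raw.split(";", 1)[0].strip()        # drop dialplan comments
        header = re.match(r"\[([^\]]+)\]", line)
        include = re.match(r"include\s*=>?\s*(\S+)", line)
        if header:
            current = header.group(1)
            includes.setdefault(current, [])
        elif include and current:
            includes[current].append(include.group(1))
    return includes

def reachable(includes, start):
    """Contexts reachable from start by following include lines (DFS)."""
    seen, stack = set(), [start]
    while stack:
        for nxt in includes.get(stack.pop(), []):
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen

def leaky_contexts(conf, inbound, outbound="outbound"):
    """Inbound contexts from which the outbound context can be reached."""
    inc = parse_includes(conf)
    return sorted(c for c in inbound if outbound in reachable(inc, c))
```

Run leaky_contexts(WEAK_CONF, {"from-trunk"}) and it flags from-trunk; the same call on FIXED_CONF returns nothing, because the trunk context no longer includes the internal context that can dial out.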
Basic steps to protect your VoIP routers or servers:
- Keep a firewall or session border controller between you and the Internet, always.
- Use ACLs to limit access to your VoIP servers.
- In Asterisk, block inbound contexts from reaching the outbound context.
- Update IOS and server software regularly.
- Keep an eye open for security advisories from your vendor.
- Use VPN tunnels wherever possible to protect VoIP traffic going over the Internet.
- SIP over TLS and SRTP will save your day.
- Shut down all services not in use on your servers and routers.