Help with my security - SIP profile

[CPav]

Guys, I've been hacked, not sure yet how but I was hoping someone with better knowledge can take a look at my SIP profile and let me know if there is anything exposed here. I have several small companies connecting from external and with changing IP's so ACL's won't do..
I set this up with no knowledge or experience, but it's a small enough setup clients wise, 6 tenants on this PBX.
Any advice much appreciated!

accept-blind-auth	true	True
accept-blind-reg	true	False
aggressive-nat-detection	true	True
apply-inbound-acl	domains	True
apply-nat-acl	nat.auto	True
apply-register-acl	domains	False
auth-all-packets	false	True
auth-calls	$${internal_auth_calls	True
auto-jitterbuffer-msec	60	False
auto-rtp-bugs		False
bind-params	transport=udp	False
bitpacking	aal2	False
caller-id-type	none	False
caller-id-type	pid	False
caller-id-type	rpid	True
challenge-realm	auto_to	True
cid-in-1xx	false	False
context	public	True
dbname	share_presence	False
debug	0	True
delete-subs-on-register	false	False
dialplan	XML	True
disable-naptr	false	False
disable-register	true	False
disable-rtp-auto-adjust	true	False
disable-srv	false	False
disable-srv503	true	False
disable-transcoding	true	False
disable-transfer	true	False
dtmf-duration	2000	True
dtmf-type	rfc2833	True
enable-100rel	true	False
enable-3pcc	true	False
enable-compact-headers	true	False
enable-timer	true	False
extended-info-parsing	true	False
ext-rtp-ip	$${external_rtp_ip}	True
ext-sip-ip	$${external_sip_ip}	True
force-register-db-domain	$${domain}	False
force-register-domain	$${domain}	False
force-subscription-domain	$${domain}	False
force-subscription-expires	60	False
forward-unsolicited-mwi-notify	false	True
hold-music	$${hold_music}	True
inbound-bypass-media	true	False
inbound-codec-negotiation	generous	True
inbound-codec-prefs	$${global_codec_prefs}	True
inbound-late-negotiation	true	True
inbound-proxy-media	true	False
inbound-reg-force-matching-username	true	True
liberal-dtmf	true	True
local-network-acl	localnet.auto	True
log-auth-failures	true	True
manage-presence	true	True
manage-shared-appearance	true	True
manual-redirect	true	False
max-proceeding	1000	False
media-option	resume-media-on-hold	False
media-option	bypass-media-after-att	False
minimum-session-expires	120	False
multiple-registrations	contact	True
nat-options-ping	true	True
NDLB-allow-bad-iananame	true	True
NDLB-broken-auth-hash	true	False
NDLB-force-rport	safe	True
NDLB-received-in-nat-reg-contact	true	True
nonce-ttl	60	True
odbc-dsn	$${dsn}	False
outbound-codec-prefs	$${global_codec_prefs}	True
pass-callee-id	false	False
pass-rfc2833	true	False
presence-hosts	$${domain},$${local_ip	False
presence-privacy	$${presence_privacy}	True
presence-probe-on-register	true	True
presence-proto-lookup	true	False
record-path	$${recordings_dir}	True
record-template	${domain_name}/archive	True
registration-thread-frequency	30	False
renegotiate-codec-on-hold	true	False
rfc2833-pt	101	True
rtcp-audio-interval-msec	5000	False
rtcp-video-interval-msec	5000	False
rtp-autofix-timing	false	False
rtp-autoflush-during-bridge	false	False
rtp-hold-timeout-sec	1800	True
rtp-ip	172.16.0.104	True	$${local_ip_v4}
rtp-rewrite-timestamps	true	False
rtp-timeout-sec	600	True
rtp-timer-name	soft	True
send-message-query-on-register	true	False
send-presence-on-register	true	False
session-timeout	1800	True
shutdown-on-fail	true	False
sip-capture	no	True
sip-ip	172.16.0.104	True	$${local_ip_v4}
sip-port	5080	True	$${internal_sip_port}
sip-trace	no	True
suppress-cng	true	False
timer-T1	500	False
timer-T1X64	32000	False
timer-T2	4000	False
timer-T4	4000	False
tls	$${internal_ssl_enable	True
tls-bind-params	transport=tls	True
tls-cert-dir	$${internal_ssl_dir}	True
tls-only	false	True
tls-passphrase		True
tls-sip-port	$${internal_tls_port}	True
tls-verify-date	true	True
tls-verify-depth	2	True
tls-verify-in-subjects		True
tls-verify-policy	all|subjects_all	False
tls-version	$${sip_tls_version}	True
unregister-on-options-fail	true	False
user-agent-string	FreeSWITCH	True
vad	out	False
watchdog-enabled	no	True
watchdog-event-timeout	30000	True
watchdog-step-timeout	30000	True

 

[Adrian Fretwell]

The first thing I noticed is that $${internal_auth_calls is missing a closing bracket.

There is not much we can tell from a SIP profile alone, for example we don't know the actual value in the $$ variables.

Can you be more specific about what happened? Did they use a password? I assume it was a SIP hack rather than web or ssh.

 

[CPav]

Thanks, it actually does include the closing bracket, it's cut it off from view in the columns view, when I click on it it then appears.
I checked as much of the logs as possible the IP displayed as to where the call originated from shows the actual customers IP. Like their handset was hacked with brute force and calls originated from the handset itself...if that's even possible. I had an http port open on their office router for access to the handset, but the handsets password was relatively complex...I've since closed the port and changed the handsets admin password and the extensions...I'm hoping that's how the hack happened but I'm just worried that it's something to do with my sip profile.

 

[CPav]

...regarding this statement, "we don't know the actual value in the $$ variables" So should I be not suing the $$variable attribute and rather be setting something exact here?

 

[Adrian Fretwell]

No $$ variables are fine. I just meant that I can't tell what they are set to. You probably set some of them in Switch Variables and FreeSWITCH uses defaults for the rest.
I don't think there is a problem with your SIP profile. Someone hacking a customer phone is far more likely. We had that happen a few years ago, there a hacker gained access to a customers LAN. This is one reason why we only provision phones using https, we don't want someone with tcpdump on the LAN reading SIP usernames and passwords.

One more thing to consider. Is there any kind of DISA (Direct Inward System Access)? Some people use this so reps. can dial in on a DDI enter a PIN and then dial out as if they were in the office. It's also worth checking IVRs and Ring groups for any dial through options. For example, some people use a ring group forward or follow me when they go out of the office. If a hacker got access to their web login (if the customer has one), they can easily add a forward to achieve dial through fraud.

 

[jackurke]

Was this a Yealink phone?

By default there is a "user" account with password "user". If the phone was open on the Internet via HTTP or HTTPS it could be the case that this was accessed and a high cost fraud destination set as the call forward code. This allows them to make outbound calls by switching on/off call forwarding via that user account. All scripted and configured for maximum impact.

Always restrict the source when opening inbound connections to devices like these. It won't be possible with standard ISP routers in most cases so it is worth investing in a device that does allow more granular configuration options, such as restricting what source is allowed to access the port forward.