There has been some (heated!) discussions on the Asterisk and FreePBX forums about SIP extension types.
So, what’s all the fuss about …
Well, it’s about being able to enumerate the local extensions on your Asterisk server. This means being able to get a list of valid extension numbers. If a hacker can do this it’s a bad thing because then they just need to figure out the extension secret (password) before they can start making calls at your expense.
So what about fail2ban? Isn’t this support to stop this?
Fail2ban is great. If a malicious user tries to REGISTER as an extension on your system, and gets the password wrong, Asterisk logs this attempt (including what IP address they tried to register from) in the Asterisk logs. Once fail2ban sees a specified number of these log entries it blocks the IP address.
However, it’s not always necessary for an extension to REGISTER to make a call via your system, they can just send a SIP INVITE message to try and initiate the call, and on certain (some/all?) versions of Asterisk this error is not logged in the Asterisk logs. Currently even where Asterisk logs the error it does not include the IP address of the attacker. This obviously means that fail2ban cannot block the IP address.
Even worse, if the extension SIP type is set to ‘friend’, Asterisk sends back different error messages depending if the extension number is valid or not. This tells the attacker the valid extension numbers to concentrate their attack on. This can be prevented by setting the extension type in FreePBX to ‘type=peer’
Unfortunately, for historical reasons, the default setting in FreePBX is ‘type=friend’. This means that virtually all FreePBX users will have ‘type=friend’ set for their extensions.
So what should you do?
It’s actually quite difficult to figure out how different versions of Asterisk behave regarding the SIP TYPE settings.
My advice would be to set all extensions in FreePBX to ‘type=peer’. It works for me and should give you an additional level of protection than leaving it as ‘type=friend’. Don’t forget that, ongoing, you will need to change it for new extensions.
Changing this setting should have no adverse effect but if you have lots of extension I’d suggest testing it on a couple first.
Where can you read more?
There are a lot of forum posts and discussions regarding this subject. With lots of differing view points. Please read some of them if you’d like to draw your own conclusion.
Last updated by.