Scanning for Valid Accounts

If you expose your Asterisk system to the public Internet, one of the things you will almost certainly see is a scan for valid accounts. Example 26.1, “Log excerpts from account scanning” contains log entries from one of the authors’ production Asterisk systems.[177] The scan began by trying a list of common usernames, then moved on to walking through numbered accounts. Because it is common to name SIP accounts after the extension numbers on the PBX, that second phase has a good chance of hitting real accounts. This leads to our first tip for Asterisk security:

Tip #1: Use non-numeric usernames for your VoIP accounts to make them harder to guess. For example, in parts of this book we use the MAC address of a SIP phone as its account name in Asterisk. A name like that is not secret, but it is not something a scanner can enumerate by counting, so the numbered phase of a scan like the one above finds nothing. It is still no substitute for a strong secret on the account.

Example 26.1. Log excerpts from account scanning

[Aug 22 15:17:15] NOTICE[25690] chan_sip.c: Registration from '"123"<sip:123@127.0.0.1>' failed for '203.86.167.220:5061' - No matching peer found
[Aug 22 15:17:15] NOTICE[25690] chan_sip.c: Registration from '"1234"<sip:1234@127.0.0.1>' failed for '203.86.167.220:5061' - No matching peer found
[Aug 22 15:17:15] NOTICE[25690] chan_sip.c: Registration from '"12345"<sip:12345@127.0.0.1>' failed for '203.86.167.220:5061' - No matching peer found
[Aug 22 15:17:15] NOTICE[25690] chan_sip.c: Registration from '"123456"<sip:123456@127.0.0.1>' failed for '203.86.167.220:5061' - No matching peer found
[Aug 22 15:17:15] NOTICE[25690] chan_sip.c: Registration from '"test"<sip:test@127.0.0.1>' failed for '203.86.167.220:5061' - No matching peer found
[Aug 22 15:17:15] NOTICE[25690] chan_sip.c: Registration from '"sip"<sip:sip@127.0.0.1>' failed for '203.86.167.220:5061' - No matching peer found
[Aug 22 15:17:15] NOTICE[25690] chan_sip.c: Registration from '"user"<sip:user@127.0.0.1>' failed for '203.86.167.220:5061' - No matching peer found
[Aug 22 15:17:16] NOTICE[25690] chan_sip.c: Registration from '"admin"<sip:admin@127.0.0.1>' failed for '203.86.167.220:5061' - No matching peer found
[Aug 22 15:17:16] NOTICE[25690] chan_sip.c: Registration from '"pass"<sip:pass@127.0.0.1>' failed for '203.86.167.220:5061' - No matching peer found
[Aug 22 15:17:16] NOTICE[25690] chan_sip.c: Registration from '"password"<sip:password@127.0.0.1>' failed for '203.86.167.220:5061' - No matching peer found
[Aug 22 15:17:16] NOTICE[25690] chan_sip.c: Registration from '"testing"<sip:testing@127.0.0.1>' failed for '203.86.167.220:5061' - No matching peer found
[Aug 22 15:17:16] NOTICE[25690] chan_sip.c: Registration from '"guest"<sip:guest@127.0.0.1>' failed for '203.86.167.220:5061' - No matching peer found
[Aug 22 15:17:16] NOTICE[25690] chan_sip.c: Registration from '"voip"<sip:voip@127.0.0.1>' failed for '203.86.167.220:5061' - No matching peer found
[Aug 22 15:17:16] NOTICE[25690] chan_sip.c: Registration from '"account"<sip:account@127.0.0.1>' failed for '203.86.167.220:5061' - No matching peer found

...

[Aug 22 15:17:17] NOTICE[25690] chan_sip.c: Registration from '"100"<sip:100@127.0.0.1>' failed for '203.86.167.220:5061' - No matching peer found
[Aug 22 15:17:17] NOTICE[25690] chan_sip.c: Registration from '"101"<sip:101@127.0.0.1>' failed for '203.86.167.220:5061' - No matching peer found
[Aug 22 15:17:17] NOTICE[25690] chan_sip.c: Registration from '"102"<sip:102@127.0.0.1>' failed for '203.86.167.220:5061' - No matching peer found
[Aug 22 15:17:17] NOTICE[25690] chan_sip.c: Registration from '"103"<sip:103@127.0.0.1>' failed for '203.86.167.220:5061' - No matching peer found
[Aug 22 15:17:17] NOTICE[25690] chan_sip.c: Registration from '"104"<sip:104@127.0.0.1>' failed for '203.86.167.220:5061' - No matching peer found
[Aug 22 15:17:17] NOTICE[25690] chan_sip.c: Registration from '"105"<sip:105@127.0.0.1>' failed for '203.86.167.220:5061' - No matching peer found


These account scans take advantage of the fact that, by default, the response that comes back from the server for a registration attempt differs depending on whether or not the account exists. If the account exists, the server challenges the request for authentication (a 401 Unauthorized response carrying a WWW-Authenticate header). If the account does not exist, the server rejects the registration outright with a different response. That lets a scanner sort usernames into valid and invalid without ever knowing a password, which is exactly what the entries above are doing. This behavior is simply how the protocol works when the server answers honestly, and it leads us to our second tip for Asterisk security:

Tip #2: Set alwaysauthreject to yes in the [general] section of /etc/asterisk/sip.conf. With this option, Asterisk answers a rejected REGISTER (or INVITE) as though the username were valid and the password wrong, so a scanner can no longer tell real accounts from invented ones, which makes scanning for valid usernames useless. After a sip reload at the Asterisk CLI, sip show settings confirms the running value. Note what this does and does not do: it hides which accounts exist, but it does nothing to slow down password guessing against a name the attacker already knows, so it belongs alongside strong secrets, not in place of them.
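
Both tips are things you can check for mechanically rather than by eyeballing sip.conf. The following is an added example, not code from the book or from the Asterisk project: a Python audit that reads a sip.conf, resolves template inheritance the way Asterisk's config parser does (template lines first, then the section's own lines, so the section's values win), and reports a [general] section without alwaysauthreject=yes and any account section (type peer, user or friend) whose name is purely numeric. The two configs are constructed for the example: the first violates both tips, the second is the hardened equivalent with MAC-address account names; the secret values are placeholders.

```python
import re

# [name], [name](template1,template2) or [name](!); group 2 is the parenthesised part
SECTION_RE = re.compile(r"^\[([^\]]+)\](?:\(([^)]*)\))?$")
ACCOUNT_TYPES = {"peer", "user", "friend"}

# Constructed example configs (not from the book). WEAK: alwaysauthreject unset,
# accounts named after extensions. HARDENED: Tip #1 and Tip #2 applied.
WEAK_SIP_CONF = """\
[general]
context=from-external

[phone-template](!)
type=friend
host=dynamic
context=internal

[101](phone-template)            ; account name == extension number
secret=placeholder-secret-101

[102](phone-template)
secret=placeholder-secret-102
"""

HARDENED_SIP_CONF = """\
[general]
context=from-external
alwaysauthreject=yes

[phone-template](!)
type=friend
host=dynamic
context=internal

[0004F2ABCDEF](phone-template)   ; handset MAC address as the account name
secret=placeholder-secret-1

[0004F2123456](phone-template)
secret=placeholder-secret-2
"""


def parse_sip_conf(text):
    """Minimal sip.conf reader. Returns (sections, templates, parents):
    sections maps name -> [(key, value), ...] keeping duplicates and order,
    templates is the set of names declared with (!), parents maps a section
    to the templates it inherits from. Handles ';' comments, 'key=value'
    and 'key => value'."""
    sections, templates, parents, current = {}, set(), {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()        # ';' starts a comment anywhere
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).strip()
            sections.setdefault(current, [])
            mods = [x.strip() for x in (m.group(2) or "").split(",") if x.strip()]
            if "!" in mods:
                templates.add(current)
            parents[current] = [x for x in mods if x != "!"]
            continue
        if current is None:
            continue
        sep = "=>" if "=>" in line else "="
        if sep not in line:
            continue
        key, value = line.split(sep, 1)
        sections[current].append((key.strip(), value.strip()))
    return sections, templates, parents


def effective(sections, parents, name, key):
    """Last value of key in section name, else from its templates (later
    templates override earlier ones, the section's own lines override both)."""
    own = [v for k, v in sections.get(name, []) if k == key]
    if own:
        return own[-1]
    for parent in reversed(parents.get(name, [])):
        v = effective(sections, parents, parent, key)
        if v is not None:
            return v
    return None


def audit_sip_conf(text):
    """Return a list of findings; an empty list means both tips are satisfied."""
    sections, templates, parents = parse_sip_conf(text)
    findings = []
    if (effective(sections, parents, "general", "alwaysauthreject") or "").lower() != "yes":
        findings.append("[general]: alwaysauthreject is not 'yes', so unknown and known "
                        "accounts get different replies (Tip #2)")
    for name in sections:
        if name == "general" or name in templates:
            continue
        if (effective(sections, parents, name, "type") or "").lower() not in ACCOUNT_TYPES:
            continue                                # not a SIP account section
        if name.isdigit():
            findings.append(f"[{name}]: purely numeric account name is easy to enumerate (Tip #1)")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_SIP_CONF), ("hardened", HARDENED_SIP_CONF)):
        print(label, audit_sip_conf(conf) or ["no findings"])
```

The audit is deliberately literal: it flags names that consist only of digits, because that is what a counted scan hits. Run it against your real sip.conf with `audit_sip_conf(open("/etc/asterisk/sip.conf").read())`; an empty result for the hardened config and three findings for the weak one is the expected output.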



[177] The real IP address has been replaced with 127.0.0.1 in the log entries.