October 14, 2021

666 words 4 mins read

Hide From Shodan

Hide From Shodan

If you are planning on exposing your private VoIP server to the public internet but are concerned about hacks and attacks, I might have one trick to help keep you hidden.

When looking for a website to answer your questions, most people turn to Google. On the other hand, when looking for applications, IPs or network ports exposed on the internet, Shodan.io is usually the first stop.

Shodan offers a service, dare I say, like Google, that scans the internet. But, unlike Google that scans primarily web pages, Shodan scans IP addresses and open ports, trying to detect services running behind these open ports either by grabbing service banners or by interpreting responses sent back from these services. Their database can also be queried using APIs, so for example if you are looking for servers on the internet running Asterisk 13, query away on Shodan, and get your list!

This service simplifies the work of hackers looking for a specific application version that has known vulnerabilities. Yes, scary, so please make sure your security patches are up to date!

So, if you are offering a SIP/VoIP service for your employees over the public internet or have your private IP PBX at your home exposed to the internet, then you pretty much are already in Shodan’s database …. But should you be?

Shodan uses SIP OPTIONS pings over both UDP and TCP to detect SIP devices so the obvious solution is not to respond (hide) from these requests. But how?

Let’s first start with the basics and by basics I mean using APIBAN. I mentioned it in my previous post Understanding VoIP Hackers and Fred Posner walks through the process of installing APIBAN in 5 minutes here. It is a free service that provides you with IP addresses of fraudsters gathered from honeypots globally. With Shodan constantly scanning IPs from different IP addresses globally, their IP addresses are already in the APIBAN database. Work has been done to make it so easy to integrate APIBAN with any application running on linux (by making use of the linux firewall) and SIP servers like Kamailio, Drachtio that at this stage there is absolutely no excuse not to be using it.

If for some reason you do not want to use APIBAN, an option is to drop all SIP OPTIONS pings on your SIP border device (I hope you are using Kamailio) but if that is also not an option (pun intended) because you have for example SIP trunks and are using OPTIONS as a way to signal that your device is up, then there one intersting solution.

To figure this solution out let’s take a look at the OPTIONS ping packet Shodan sends over UDP.

OPTIONS sip:nm SIP/2.0
Via: SIP/2.0/UDP nm;branch=foo
From: <sip:nm@nm>;tag=root
To: <sip:nm2@nm2>
Call-ID: 50000
CSeq: 42 OPTIONS
Max-Forwards: 70
Content-Length: 0
Contact: <sip:nm@nm>
Accept: application/sdp

The headers that are consistent across board are Via, From, To, Call-ID, Contact and even CSeq! I am sure you now see where I am going with this … If your SIP border device can filter on header content (as it should. If not then please use Kamailio), filter and drop such a packet.

In Kamailio for example, if you would like to filter out an OPTIONS packet based on the user part of the From header, in this case ’nm’, it would be as simple as:

if($rm='OPTIONS' && $fU='nm') {
    exit;
}

With Kamailio you can filter based on any content of any header so you can decide on any logic that makes most sense for you.

This solution however will be valid till the folks at Shodan decide to change their script so having this as a backup plan to using APIBAN is not a bad idea.

Running any service on the public internet has its risks. I still believe that any option you have to stay undetected should be used but of course that SHOULD NOT BE YOUR ONLY security policy.

Stay safe and keep flying Kamailio 😎

kamailio fraud sip
Understanding VoIP Hackers

Understanding VoIP Hackers

September 1, 2021

Ever since I realized how easy it was to detect potential VoIP fraudsters using the SIP User Agent header , I got more and more interested in finding out how to detect them and more importantly figuring out their thought process. I believe that there is a lot you can learn from looking at the smart techniques fraudsters are using rather than just assuming what they are up to. How best to learn, apart from looking through your logs after you have been hacked, than to create a honeypot, gather data and learn from it.
Kamailio Dispatcher Module Hidden Gem

Kamailio Dispatcher Module Hidden Gem

March 4, 2021

Majority of Kamailio deployments involve using it as the core routing engine. Efficient call routing is one of its major tasks in such designs and this is where the dispatcher module really shines, making it one of the most popular modules. If you need to efficiently route or distribute huge amounts of traffic across multiple gateways, you need to have a look at the dispatcher module. Dispatching algorithms The module offers multiple routing algorithms to choose from.
Kamailio : Server Maintenance Mode

Kamailio : Server Maintenance Mode

March 12, 2021

Sometimes your Kamailio server might need server maintenance and for that you could require a way to drain out traffic. Also, depending on where it sits in your design you might want to return a custom response code so that new traffic routes elsewhere. There is a simple trick to doing this. The idea is simple, set a variable and check its status/value and based on that decide on how to handle new requests.