TIPS Stupid UK Mobile Networks: Mobile Phone Security

[mattseymour]

So I've got travelin' man 3 working nicely to keep things a bit more secure with the handful of mobile extensions I want. However there's a problem.

We mostly have iPhones, which of course don't support dyndns, but more significantly it seems dyndns doesn't work with three (H3G) or ee (t-mobile/orange) so the choice of handset is largely irrelevant.

So... What to do?

My best plan right now is to allow sip in from the entire public ip ranges of the mobile networks, use dyndns for authorising wifi etc and keep asterisk blocking external connections from all but the few extensions I expect to be mobile...

If I want the functionality I don't think there's much choice. I tried travelin' man 2 but had a nightmare with phones switching ip and promptly getting banned by fail2ban.

What do you seasoned folk think of this as a way forward?

 

[steven]

There's an older, manual version of Travellin' Man that may still work well enough for this application:

http://nerdvittles.com/?p=689

Or just buy Android phones.

 

[mattseymour]

@igaetz thanks! We've implemented a form of this and it seems to be working well. What I like about this is unauthorised connections are dropped silently and IMHO those likely to ever try attacking my pbx are unlikely to be in a position to packet sniff one of our mobile extensions.

steven the problem is less the phone and more the networks, which block dyndns making travelin' man 3 ineffective. Travelin' man 2 does work but it isn't as good as the knocking solution because asterisk is handling ip authentication and betraying its presence to an attacker, if a mobile user's ip changes they can get locked out by fail2ban and it's still just as vulnerable to packet sniffing!

 

[mattseymour]

So here's a bit more info, and a copy of our newly tidied iptables. I should say that although I just about understand what's going on here, I didn't put this together. My good friend Tim (computer scientist, coder and someone who knows far more about linux commands than is healthy for any individual) implemented this. So I certainly don't feel in a knowledgable position to post to resources Anyone more familiar with iptables than me do point out any glaring holes in this.

The file has been given a tidy up, this isn't necessary but does make it easier to read (at least to me). So all the trusted providers are now in a chain called voips and this defines the ports allowed. I don't use them, so they're commented out. For a super tidy file all the commented entries could just be deleted.

The bit we're using to give access to our mobile user with some semblance of security is the door. Here's my understanding of what happens. On the first connection of a client the incoming udp packet to 5060 is passed to the door chain. This checks if the appropriate string is present. If it is, the IP is added to the voipclients list otherwise it's dropped. The IP then gets to pass through for 4000 seconds until the check is run again.

What we haven't checked is whether everything sent by the client contains the string (we're using the display name) and I confess we don't really know how sip registration works and how often the client talks to the server. So that 4000 seconds is probably far longer than it needs to be.

What I like about this solution is that it works... you can have a string per client just by adding another line, and you can search on any string that's specific to a client which may help get around some client config limitations. It's still security by obscurity to be honest and anyone in a position to sniff traffic twixt client and server could probably find a way in, however as I've said before I don't think that's much of a risk. Our server is still protected by a separate firewall and then have Asterisk only allowing connections from the lan for all but our mobile extensions. Then there are strong passwords on top of that.

I could narrow things down further by only allowing this to work from the mobile networks, and requiring travelin' man 3 for everything else, but that ruins the user experience and I don't really feel it's necessary.

Now if only PIAF and phones supported certificate authentication...

# Generated by iptables-save v1.3.5 on Tue Feb  8 11:35:49 2011
*filter
:INPUT DROP [636:118995]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [45625:6667023]
-N voips
#-A voips -s outbound1.vitelity.net -j ACCEPT
#-A voips -s inbound1.vitelity.net -j ACCEPT
#-A voips -s atlanta.voip.ms -j ACCEPT
#-A voips -s chicago.voip.ms -j ACCEPT
#-A voips -s dallas.voip.ms -j ACCEPT
#-A voips -s houston.voip.ms -j ACCEPT
#-A voips -s losangeles.voip.ms -j ACCEPT
#-A voips -s newyork.voip.ms -j ACCEPT
#-A voips -s seattle.voip.ms -j ACCEPT
#-A voips -s tampa.voip.ms -j ACCEPT
#-A voips -s montreal.voip.ms -j ACCEPT
#-A voips -s montreal2.voip.ms -j ACCEPT
#-A voips -s toronto.voip.ms -j ACCEPT
#-A voips -s toronto2.voip.ms -j ACCEPT
#-A voips -s london.voip.ms -j ACCEPT
# DIDforsale only has an IP address and no FQDN = 209.216.2.211
#-A voips -s 209.216.2.211 -j ACCEPT
#-A voips -s callcentric.com -j ACCEPT
#-A voips -s sipgate.com -j ACCEPT
#-A voips -s chi-out.voipstreet.com -j ACCEPT
#-A voips -s chi-in.voipstreet.com -j ACCEPT
#-A voips -s did.voip.les.net -j ACCEPT
#-A voips -s magnum.axvoice.com -j ACCEPT
#-A voips -s proxy.sipthor.net -j ACCEPT
#-A voips -s sip.voipwelcome.com -j ACCEPT
#-A voips -s incoming.future-nine.com -j ACCEPT
#-A voips -s outgoing.future-nine.com -j ACCEPT
#-A voips -s DEN.teliax.net -j ACCEPT
#-A voips -s LAX.teliax.net -j ACCEPT
#-A voips -s NYC.teliax.net -j ACCEPT
#-A voips -s ATL.teliax.net -j ACCEPT
#-A voips -s gvgw1.simonics.com -j ACCEPT
# IPkall uses two IP addresses: 66.54.140.46 and 66.54.140.47
#-A voips -s 66.54.140.46 -j ACCEPT
#-A voips -s 66.54.140.47 -j ACCEPT
 
-N door
# Knocks.
-A door -m string --algo bm --string "[COLOR=#ff0000]YOUR_STRING_HERE[/COLOR]" -m recent --set --name voipclients -j ACCEPT
 
 
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -m state --state RELATED -j ACCEPT
-A INPUT -p udp -m udp --sport 53 --dport 1024:65535 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type destination-unreachable -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type source-quench -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type time-exceeded -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type parameter-problem -j ACCEPT
-A INPUT -p tcp -m tcp --dport 113 -j ACCEPT
-A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 32976 -j ACCEPT
-A INPUT -p udp -m udp --dport 123 -j ACCEPT
# Travelin Man 2 Web Interface Requires TCP Port 83 open
#-A INPUT -p tcp -m tcp --dport 83 -j ACCEPT
# End of Travelin Man 2 addition
 
# Google Voice requires the next two port openings
-A INPUT -p udp -m udp --dport 5222 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5222 -j ACCEPT
# Port "knocking" for SIP clients
-A INPUT -p udp --dport 5060 -m recent --rcheck --seconds 4000 --name voipclients -j ACCEPT
-A INPUT -p udp --dport 5060 -j door
# Other Trusted Providers
-A INPUT -p udp -m multiport --dports 4569,5060:5069 -j voips
# End of Trusted Provider Section
 
-A INPUT -s 10.0.0.0/8 -j ACCEPT
-A INPUT -s 127.0.0.0/8 -j ACCEPT
#-A INPUT -s 172.16.0.0/12 -j ACCEPT
-A INPUT -s 192.168.0.0/16 -j ACCEPT
COMMIT
# Completed on Tue Feb  8 11:35:49 2011
# Generated by iptables-save v1.3.5 on Tue Feb  8 11:35:49 2011
*mangle
:PREROUTING ACCEPT [59114:43092827]
:INPUT ACCEPT [58517:43020696]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [45625:6667023]
:POSTROUTING ACCEPT [45627:666730]
COMMIT
# Completed on Tue Feb  8 11:35:49 2011
# Generated by iptables-save v1.3.5 on Tue Feb  8 11:35:49 2011
*nat
:PREROUTING ACCEPT [1620:224741]
:POSTROUTING ACCEPT [3827:274034]
:OUTPUT ACCEPT [3827:274034]
COMMIT
# Completed on Tue Feb  8 11:35:49 2011

 

[papachumba]

Rather than bother with all this, what I did on my iphone is to install openvpn client, which then connects to my pbx running openvpn server. Then bria on top as a sofphone app.
No need to bother with IPTables or anything else, PBX thinks the phone is on the same subnet.

 

[mattseymour]

There's a perfectly satisfactory VPN client built into iOS that supports tha major offerings, apart from openvpn. But the issue there is you have to start the VPN before connecting the sip client, and that isn't a great end user experience. Mobile VPN clients tend to drop out as well, so you can't leave the sip client up and expect to receive calls reliably.

 

[mattseymour]

Really, what would be good is a sip client with openvpn built in.

 

[papachumba]

Lol, i dont think you will ever find one with VPN built in.
I used OpenVPN Connect App (and imported my certificate via email - you will need to add all info to one .ovpn file and then import this one file - as opposed to a tarball or importing multiple files)
During my testing, I could drive my car through london, and be on a SIP call, and the vpn client will happily stay connected whilst (i presume) i jump from phone mast to phone mast and my call wouldnt disconnect (all through gprs network).
Did a bit of research on various VPNs, it is my understanding OpenVPN is THE BEST when it comes to traversing NAT to establish and maintain a connection on a shitty line.
I also tried PPTP and whilst this works fine, I abandoned it due to online reports of being able to hack such a VPN...

 

[mattseymour]

Interesting... I'll have a play with the openvpn client and see what happens, but my experience is iOS won't hold a VPN connection for extended periods. When the phone idles, the connection is dropped. That's why I decided the best solution was a less secure compromise that let people make use of their phone without having constant registration issues.

 

[papachumba]

Please also note vpn will eat through the iphones battery rather quick too.

 

[bobkoure]

There is a technique known as the "Sunshine Networks Knock" method which might work for you. There is a thread here about it tho I can't find it, it may have been lost in the crash. The old sunshine networks site is gone and Michigan Telephone's blog is gone...

Wayback machine to the rescue
Sunshine Networks "knock" how-to
http://web.archive.org/web/20120621...p-server-with-the-sunshinenetworks-knock.html
list of sunshine networks how-to articles (also on wayback)
http://web.archive.org/web/20120529190349/http://www.sunshinenetworks.com.au/how-to

Maybe one of these days I'll be allowed to post links as links here, but until then you know what to do...