[asterisk-biz] PBX got Hacked

Gregory Boehnlein damin at nacs.net
Tue Mar 10 11:37:39 CDT 2009


> I guess there should be some configurable options in Asterisk to cover
> for that. Like 10 consecutive failed login attempts should invoke
> asterisk to reply a login denied to that IP address and another option
> that would allow for let's say 5 attempts in 5 minutes and then block
> the extension for login.
>
> Make the login attempts number and blocking time configurable,
> settable system wide with an option to override per extension would
> close the hole.

This is one of the things that we discussed at Astridevcon in 2008, and
several questions came up:

1. Should this even be Asterisk's responsibility, when it can already be
implemented w/ external tools that are much better suited to the task, are
already well supported and work really well:

http://www.voip-info.org/wiki/view/Fail2Ban+(with+iptables)+And+Asterisk

2. What are the implementations of having a blocking scheme like this when
you have 100 phones behind NAT? (The simple answer to this is to allow
whitelisting of known address blocks)

3. It would be very difficult to develop a security model that works for ALL
channel drivers. It is easier to think about using a method that works for
chan_sip, but a more detailed framework is necessary for all other channel
drivers.

I believe that John Todd and Olle have some pretty detailed presentations
regarding the discussion that was done:

http://astridevcon.pbwiki.com/Network+Security+Framework.2008-09-28-23-35-38

http://edvina.net/asterisk/asa-intro.pdf
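
The scheme discussed in this thread (a failure threshold per source address and per extension inside a time window, with known address blocks whitelisted so phones behind NAT are not locked out), sketched as Fail2Ban-style log analysis. This is an added example, not part of the original post and not code from Asterisk or Fail2Ban; the log line format, the function names and the sample addresses are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Failed-registration notice in the style chan_sip logs it (the exact format is
# an assumption; adjust the pattern for your Asterisk version).
LINE_RE = re.compile(
    r"^\[(?P<ts>[\d-]+ [\d:]+)\] NOTICE\[\d+\] chan_sip\.c: Registration from "
    r"'.*?<sip:(?P<ext>[^@>]+)@[^>]*>' failed for '(?P<ip>[\d.]+)'")

def sample_log():
    """Constructed log lines using documentation addresses, not captured traffic."""
    fmt = ("[2009-03-10 11:{m:02d}:{s:02d}] NOTICE[2101] chan_sip.c: Registration from "
           "'<sip:{ext}@pbx.example.com>' failed for '{ip}' - Wrong password")
    rows = [(0, 10 * i, 100 + i, "203.0.113.5") for i in range(5)]   # one host, many extensions
    rows += [(1, 5 * i, 200, "198.51.100.7") for i in range(6)]      # phone behind the office NAT
    rows += [(10 * i, 0, 300, "192.0.2.9") for i in range(5)]        # 5 failures spread over 40 min
    rows += [(i, 0, 400, f"192.0.2.{21 + i}") for i in range(5)]     # one extension, many hosts
    return "\n".join(fmt.format(m=m, s=s, ext=e, ip=ip) for m, s, e, ip in rows)

def find_offenders(log_text, max_failures=5, window=timedelta(minutes=5), whitelist=()):
    """Return (ips_to_block, extensions_to_lock) using a sliding time window."""
    trusted = [ipaddress.ip_network(n) for n in whitelist]
    by_ip, by_ext = defaultdict(deque), defaultdict(deque)
    block_ips, lock_exts = set(), set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip = ipaddress.ip_address(m["ip"])
        if any(ip in net for net in trusted):
            continue  # known address block (e.g. 100 phones behind one NAT)
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        for key, table, hits in ((m["ip"], by_ip, block_ips),
                                 (m["ext"], by_ext, lock_exts)):
            recent = table[key]
            recent.append(ts)
            while ts - recent[0] > window:   # drop failures older than the window
                recent.popleft()
            if len(recent) >= max_failures:
                hits.add(key)
    return block_ips, lock_exts

if __name__ == "__main__":
    print(find_offenders(sample_log(), whitelist=["198.51.100.0/24"]))
```

The returned sets would then be handed to whatever enforces the block, such as the iptables rules that Fail2Ban manages.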




