[asterisk-biz] PBX got Hacked
Andrew M. Lauppe
alauppe at anteil.com
Tue Mar 10 15:14:53 CDT 2009
We discussed this on freenode #freepbx today, and someone did the
following math.
A 20 digit numerical password/secret (numerical meaning only 0-9 -
obviously), attacked via brute force at 5,000,000 passwords per second,
would take more than 600,000+ years to crack. I didn't verify but it
looks about right.
Lesson of the day? Sure, more secure passwords aren't THE solution, but
they sure help. I'm pretty sure any attempt to brute force a SIP
password on an asterisk box at anything approaching 5 million passwords
per second would have side effects that would bring the attack to your
attention (like bringing your sip stack to its knees perhaps?)
Remember, as nice as fail2ban is, it is vulnerable to denial of service
attacks. It is possible (even easy) to use it against the actual
intended users of a system - blocking them from accessing their own
system via iptables.
With most phones being auto-provisioned, the length of the password
shouldn't be a limiting factor. Make your passwords/secrets more complex
and we can be done with this conversation. Please.
Andy
Anteil, Inc. <http://www.anteil.com>
------------------------------------------------------------------------
Andrew M. Lauppe
Consultant
4051B Executive Park Dr.
Harrisburg, PA 17111
------------------------------------------------------------------------
+1 (877) OS-LINUX x23
+1 (484) 421-9919 direct
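The arithmetic quoted in the post, carried through for a few secret lengths and alphabets, plus a generator for the kind of long random SIP secret the post recommends for auto-provisioned phones. This is an added example, not part of the original post or of Asterisk/FreePBX; the 5,000,000 guesses per second rate is the post's figure, while the 24-character default length and the alphanumeric alphabet are assumptions.

```python
import math
import secrets
import string

SECONDS_PER_YEAR = 365.25 * 24 * 3600  # Julian year; fine for an estimate


def brute_force_years(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Years needed to exhaust every secret of `length` symbols drawn from `alphabet_size`."""
    keyspace = alphabet_size ** length
    return keyspace / guesses_per_second / SECONDS_PER_YEAR


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random secret, in bits."""
    return length * math.log2(alphabet_size)


# Assumed alphabet: letters and digits survive unmodified in provisioning
# files and sip.conf/pjsip.conf, unlike some punctuation.
SIP_SECRET_ALPHABET = string.ascii_letters + string.digits


def generate_sip_secret(length: int = 24) -> str:
    """Return a CSPRNG-generated secret; refuses short lengths that weaken the estimate above."""
    if length < 16:
        raise ValueError("SIP secret too short; use at least 16 characters")
    return "".join(secrets.choice(SIP_SECRET_ALPHABET) for _ in range(length))


if __name__ == "__main__":
    rate = 5_000_000  # guesses per second, as in the post
    for label, size, length in [
        ("4-digit PIN", 10, 4),
        ("8-digit PIN", 10, 8),
        ("20-digit PIN (post's example)", 10, 20),
        ("24-char alphanumeric", len(SIP_SECRET_ALPHABET), 24),
    ]:
        years = brute_force_years(size, length, rate)
        print(f"{label:32s} {entropy_bits(size, length):6.1f} bits  ~{years:,.0f} years")
    print("example secret:", generate_sip_secret())
```

The 20-digit case comes out at roughly 634,000 years at that rate, matching the post's "more than 600,000" estimate; the 4-digit and 8-digit rows show why numeric-only secrets of the lengths phones used by default fall in seconds to minutes.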