[asterisk-biz] PBX got Hacked

Kristian Kielhofner kristian.kielhofner at gmail.com
Thu Mar 12 15:24:14 CDT 2009


On Thu, Mar 12, 2009 at 4:01 PM, Peter Beckman <beckman at angryox.com> wrote:
>  I'm guessing unless forced, admins will continue to use bad passwords
>  rather than learn how to use certificates (if indeed they are supported on
>  ATAs and SIP devices, which I'm unsure about) to secure their devices.

  You'd be surprised how many devices support them.  Pretty much
everything I've seen that supports SIP TLS (which is itself a
surprising number of devices) supports various options for cert
verification.  Of course this doesn't mean anything if the rest of
your devices (including Asterisk) don't support it.

  Interop, like everything else SIP related, is the challenging part.
Crypto is especially frustrating because it's hard(er) to debug SIP
messages when they are encrypted on the wire. :)

>  If you used certificate based auth, you couldn't even start the TLS
>  negotiation.  Brute-forcing certs is, AFAIK, really, really difficult,
>  like billions of years.

  Unless you are the NSA... ;)

>  Completely agree.  SSH allows me to create a public/private keypair, then
>  I can authenticate using that keypair.  No CAs or anything like that.
>  It's not about trust, it's about preventing an unauthorized party from
>  connecting to your Asterisk server and making fraudulent calls.

  SSH does handle trust.  It just uses server keys to do that.  You
know that prompt you get when connecting to an unknown host?  Yeah,
you're supposed to manually check that against something (server key
fingerprint - over the phone, etc).

  You know that warning you get when you connect to a known host and
the key has changed?  Yeah, you're supposed to verify that too.

-- 
Kristian Kielhofner
http://blog.krisk.org
http://www.submityoursip.com
http://www.astlinux.org
http://www.star2star.com



More information about the asterisk-biz mailing list