[asterisk-biz] asterisk-biz Digest, Vol 71, Issue 44
Calleasy BsAS
sisint2005 at hotmail.com
Mon Jun 28 09:28:55 CDT 2010
dears Andrew & James:
i agree at all...
weak password, just can become stronger when were replaced with other storng !
this is absolutly truth! and can't be discussed in any way, and ever we must use strongest pass that can.
then, also is truth that any security on transport layer don't become pass stronger, but gives less chances for sniffing an public sytes/hsotpost/ wifi, also does not enforce against the attack basesdit on test users/passswords, just only can treat this with an IDS systems blocking the src that try to register , because of it , must be searched on any logs file , like fail2ban do or like could someone do by him self, this defines a scenario with an open network and some "IDS strategy"
i think that the security is the result that you get when add resoruces + procedures,
ie there is no system that protect from "pishing " if you will answer with your user and pass, at any questions that you have received. or if your usr/pass o certiciates was stollen .
in each proyject must there be a little from all Authentication, Validation,encryption, auditoring, over all if you think ,like i do:
" it's so cheaper a betrayal than a hacking".... , but this talk its about tech...
The idea that send ealier , try to follow this concept: close the network and open just to a konwn bunch with no fixed ip avoiding conections from unknown ips :
keep track on the ipchanges with this change "linked" to a user on easy to use way , with a few steps, it nos os robust like toher but is MUCH better than nothing. so we can reduce the src from the attack going down from "all network" to "not so many places" , from the firewall in the asterisk box and on the asterisk himself..
..... so it means there will be less chances for the attack, becuase must come from the ip resgitred for user or inside the time slot until renew the ip that has changed .
ie a wifi zone , internet caffe, hotel, hacking wifi routers,... then the user and the atack both behind the same router or share the same public ip.
Off course that theres are other way to do so, more exhaustive , close the access at policy and use any radius/ ppp ... etc authenticate service , also linked to a sql, keep track the ip/users changes ( to enables access and for audit too), and then dynamically refresh peers in PBX or tables for firewall , or both , to allow access or calls ,
What a pleasure , write with people so kind and that have such acknowledgments.
Thanks
marcos
> From: asterisk-biz-request at lists.digium.com
> Subject: asterisk-biz Digest, Vol 71, Issue 44
> To: asterisk-biz at lists.digium.com
> Date: Mon, 28 Jun 2010 00:23:17 -0500
>
> Send asterisk-biz mailing list submissions to
> asterisk-biz at lists.digium.com
>
> To subscribe or unsubscribe via the World Wide Web, visit
> http://lists.digium.com/mailman/listinfo/asterisk-biz
> or, via email, send a message with subject or body 'help' to
> asterisk-biz-request at lists.digium.com
>
> You can reach the person managing the list at
> asterisk-biz-owner at lists.digium.com
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of asterisk-biz digest..."
>
>
> Today's Topics:
>
> 1. Re: 87.230.80.186 (James Sharp)
> 2. Re: 87.230.80.186 (Bret McDanel)
> 3. Re: 87.230.80.186 (Calleasy BsAS)
> 4. Re: 87.230.80.186 (Calleasy BsAS)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Sun, 27 Jun 2010 15:53:25 -0400
> From: James Sharp <jsharp at psychoses.org>
> Subject: Re: [asterisk-biz] 87.230.80.186
> To: Commercial and Business-Oriented Asterisk Discussion
> <asterisk-biz at lists.digium.com>
> Message-ID: <4C27AC35.7070303 at psychoses.org>
> Content-Type: text/plain; charset=UTF-8
>
> Andrew Latham wrote:
> > SIP TLS or a nice SNOM phone with VPN will do the trick...
>
> No it won't. Transport layer encryption won't solve the problem of
> brute forcing weak passwords, which is what I believe this whole
> discussion started with.
>
> The SNOM phone is a little stronger, but only through
> security-through-obscurity of having to crack the VPN, then knowing how
> to configure your SIP client to talk through the VPN. Still, not
> entirely secure.
>
> Of course, the only completely secure system is the one that doesn't
> exist. The only winning move is not to play.
>
>
>
>
> ------------------------------
>
> Message: 2
> Date: Sun, 27 Jun 2010 13:15:55 -0700
> From: Bret McDanel <trixter at 0xdecafbad.com>
> Subject: Re: [asterisk-biz] 87.230.80.186
> To: Commercial and Business-Oriented Asterisk Discussion
> <asterisk-biz at lists.digium.com>
> Message-ID: <1277669755.3012.828.camel at trixeee.0xdecafbad.com>
> Content-Type: text/plain; charset="UTF-8"
>
> On Sun, 2010-06-27 at 15:53 -0400, James Sharp wrote:
> > Andrew Latham wrote:
> > > SIP TLS or a nice SNOM phone with VPN will do the trick...
> >
> > No it won't. Transport layer encryption won't solve the problem of
> > brute forcing weak passwords, which is what I believe this whole
> > discussion started with.
> >
> > The SNOM phone is a little stronger, but only through
> > security-through-obscurity of having to crack the VPN, then knowing how
> > to configure your SIP client to talk through the VPN. Still, not
> > entirely secure.
> >
>
> I thought that TLS was documented, after all products like
> freeswitch.org support it, and the snom phones. If that is the case its
> not security by obscurity.
>
> TLS as I understand it can be configured to use certificates for
> authentication, which means that you would have to either break the
> ciphers used for the certificate or steal the certificate itself.
>
>
>
>
>
> ------------------------------
>
> Message: 3
> Date: Sun, 27 Jun 2010 22:54:58 -0300
> From: Calleasy BsAS <sisint2005 at hotmail.com>
> Subject: Re: [asterisk-biz] 87.230.80.186
> To: <asterisk-biz at lists.digium.com>, Calleasy <sisint2005 at hotmail.com>
> Message-ID: <BAY147-w32FDDC9728FE07BF6B1ADD2CA0 at phx.gbl>
> Content-Type: text/plain; charset="iso-8859-1"
>
>
> Dear friends, like someone said before me in the list : neither of both extrems could be pretty good!!
>
> one for dangerous the other for heavy dutty requeirements in maintenance for users changes...
>
>
>
> thus leave the system open with out Firewall+ IDS system this will be dangerous
>
> , or closing the firewall at all , if you needs to lead with users that will be travelling or changing from ip address , and need to use the same account from any IP, from anywhere.. then the users will be angry any timne that they can't make a call.
>
>
>
>
>
> So i think we must workaround the needs and search the mix that better serves to our purproses. many times the solution may seems something "out of good arts rules" or , but if it works with efficciency, and it is non expensive... then " ARE WELLCOME"
>
>
>
> VPNs routed end to end with VPN- Routers requeires some hardware that limits the mobile use and requeires more expensive hard, i.e. if i have my sip acocunt configured on my handheld using it with wifi behind a VPN router i can't to use it to make calls in a hotel or airpot or any wifi zones o hotspot, with the exception that this unit can run a vpn client too.
>
>
>
> on other hand, if i have a notebook, laptop or netbook using a softphone with TLS may be usefull, but a bunch of IP telephones, sofphones and gateway not support TLS , or many protocols , then it will depend on the user ....
>
>
>
> On my mind asking to my self, " some advice to follow?? " and the answer could be
>
>
>
> try using services that enable me to locate users from domains and at the same time define yours accoutns using it ... it may requieres aditional efforts to use them, but setting up the peers using host with DNS resolution , avoiding the resgiter use from users,may help
>
>
>
> host= my.domain
>
>
>
> What will be happen if the ip changes or the user hasn't your own domain??? askme again , and asnwer me:
>
>
>
>
>
> try this DDNS service like this :
>
>
>
> host=my.domain.in.prefer.ddns.service.
>
>
>
> may be helpull , any servers from popular ones, ( dyndns, no-ip, ...)
>
> it will requiere that the user can run at same time a DDNS client ( many router/ATAs/Gateways have embeded on them) and a softphone/SIP Client from same ip address,
>
> and the other end , on the PBX , also need reload the sip module each time that the ip changes , to reload the news ip from those domains, this must be so often like the client's ip changes...
>
>
>
> WHAT A CHEAP SOLUTION !!!
>
>
>
>
>
> this task for reload , could be MADE at fixed period of time , ie the same value that you usually speficiy in the expire options for registering , thus the "GAP " between the old ip and the new, has the same behavior if you customer changes th ip addres with out re-registering, ie an user using DHCP in you internet conection , that changes your ip adders and not restart your softphone or gateway., i means : the the incoming calls goes to old ip , until the client re-register orput an outgoing call.
>
>
>
>
>
> in the same way , for the inbound connections to the servers ( a PBX or any other server too) ,some similar can be made with iptables modules , it's quite simple, former set the policy to DENNY all connections and then enables just according ddns domains that you will accept ..
>
>
>
> iptables -P INPUT DROP
>
> iptables -I INPUT -s my.first.client,inddns.service -j ACCEPT
>
> iptables -I INPUT -s my.fsecond.client,in-other-ddns.service -j ACCEPT
>
>
>
> ( some specfication for ports and protocols may be added, i dont include in the example to make it easier )
>
>
>
> after made this, only the ip according to domains can connnect to server ,
>
> but at any time that the ips may change, you need to restart iptables services ,and the input filter will be refilled with the ips according that domains defined on DDNS service ....
>
>
>
> to restart this at regular frecuencies in "automatic mode", just need to enable this task in CRON service, also can be joined with the sip module reload to update the host definition in the peer/users/friend in the PBX , for that must need include any script that has this two lines for system excution
>
>
>
> sevrice iptables restart ( restarting iptables fedora /centos style other use init.rc services)
>
> asterisk -rx sip reload ( relaod the sip modules , renewing the domain definitios for peers , be carefull that your PBX systems must resolve using DNS service )
>
>
>
> and... that's all
>
>
>
> now can renew the ip that can connect with the server and also the host defined to make calls
>
>
>
>
>
> easy efecctive and cheap, may be other solution betters ,, yeap....so more expensive too
>
>
>
> Feel free to contact off the list.
>
> I hope that it can be helpfull.
>
>
>
> Marcos
>
> info at calleasy.com.ar
>
>
>
> _________________________________________________________________
> Ahora Hotmail es un 70% m?s r?pido. Para que chequear correos sea cada vez m?s f?cil. Ver m?s
> http://www.descubrehotmail.com/velocidad.asp
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: http://lists.digium.com/pipermail/asterisk-biz/attachments/20100627/be28aea1/attachment-0001.htm
>
> ------------------------------
>
> Message: 4
> Date: Mon, 28 Jun 2010 02:23:09 -0300
> From: Calleasy BsAS <sisint2005 at hotmail.com>
> Subject: Re: [asterisk-biz] 87.230.80.186
> To: <brett at voicefoxtelephony.com>, <asterisk-biz at lists.digium.com>
> Cc: Calleasy <sisint2005 at hotmail.com>
> Message-ID: <BAY147-w657111DB9FBE4C91BC3D4BD2CA0 at phx.gbl>
> Content-Type: text/plain; charset="iso-8859-1"
>
>
> Dear Brett
>
>
>
> Many thanks for your comment.
>
>
>
> any method that reads logs to detect a failrude auth , may be suitable , fail2ban make this
>
> or just reading files from logs directory ( register and messages files ). to know if were any intents refused and then block the src ip..
>
>
>
> with any script that works on this could be found the ip from where come the intents.
>
>
>
>
>
> cat \etc\asterisk\messages | grep Reg | grep @my.domian
>
>
>
> or
>
>
>
> cat \etc\asterisk\messages | grep Reg | grep my.ip.add.res
>
>
>
> processing it could be add the iip to the iptables ruiles for block...
>
>
>
>
>
>
>
> in this process, like ever , former we must chose the path to follow , from two possibles to implement .
>
>
>
> 1) closed netowroks , denny all , enables some host to connect. simple, not flexible, not suitbale continuous changing networks,
>
>
>
> 2) open networks, accept all , we must detect intrussion+ attacks and denny all ip for any attack detected o not trusted .. need much intelligence, resources and efforts to identify and blocks anything that seem dangerous
>
>
>
>
>
>
>
> this breif comment was aimed to help some guys that were tryiing to get works some iptables conf to avoid undesired conections.
>
>
>
> in short:
>
>
>
> YES...publics DDNS, have some delay to progress in refresh cache. there is no doubt about that.
>
>
>
>
>
> >From my own expeirencie I have dns server from own from fixed ip, but some PBXs from some customers are pointed trough ddns servers to my switch , using no-ip, and they are conected by cable modem with dhcp . when ip changes take a few minutes , yes , its a quite slow. but it's so SIMPLE, SO CHEAP and not requiere advanced acknowledgements, i think that is a suitable way to connect a some sip users that haven't a fixed ip , but this has some delay to update changes. it wiil be shure
>
>
>
> Better solution more efective and fast , could be make a kind of simple DDNS service running on your ouwn server, with any TCP client just need to open any TCP conection to your server reporting user and pass and then catching the source ip , ... it willbe automated version so fast , and reliable , but need more expertise like programming, beyond from them were asking about basic option form iptbales to avoid calls from undesired ips .
>
>
>
> Without go so for, ALSO CAN USE A FORM IN A HTTPS SERVER CONNECTION for something like loggin , THAT WILL START THE SCRIPT FOR RENEWING after send the form, the action started by the CGI just must include the same , the action for reload modules after renews ips
>
>
>
> yes, its no automatic , but really works too. fast and enable to get a cheap way to get closer TO a "closed network" , but in open ambient, because any user authenticate using in secure tuinnel tosend the usr and pss and with that update te ip for peer , but it will requiere user action ,
>
>
>
> like i said earlier
>
> All this is a mix, branded with less expensive options for bring up something to get better..
>
>
>
> Marcos
>
> Thanks again
>
>
>
>
>
>
>
>
>
>
>
> > From: brett at voicefoxtelephony.com
> > To: brett at voicefoxtelephony.com
> > Subject: Re: [asterisk-biz] 87.230.80.186
> > Date: Sun, 27 Jun 2010 21:15:02 -0500
> > CC: asterisk-biz at lists.digium.com; asterisk-biz at lists.digium.com; sisint2005 at hotmail.com
> >
> > Yow,
> > Sorry list for the trigger happy reply...
> >
> > What I was saying is that it's an interesting idea but I think DNS
> > caching will make it not really feasible.
> >
> > For me fail2ban + good passwords works as a really good system where a
> > VPN can't be used.
> >
> >
> > -Brett
> >
> > On Jun 27, 2010, at 9:10 PM, Brett Nemeroff
> > <brett at voicefoxtelephony.com> wrote:
> >
> > > Interesting idea, but I think DBS caching will make this not really
> > > usable.
> > >
> > >
> > > For me, fail2
> > >
> > >
> > >
> > > On Jun 27, 2010, at 8:54 PM, Calleasy BsAS <sisint2005 at hotmail.com>
> > > wrote:
> > >
> > >>
>
> _________________________________________________________________
> Ahora Hotmail es un 70% m?s r?pido. Para que chequear correos sea cada vez m?s f?cil. Ver m?s
> http://www.descubrehotmail.com/velocidad.asp
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: http://lists.digium.com/pipermail/asterisk-biz/attachments/20100628/9423d852/attachment.htm
>
> ------------------------------
>
> _______________________________________________
> --Bandwidth and Colocation Provided by http://www.api-digital.com--
>
> asterisk-biz mailing list
> To UNSUBSCRIBE or update options visit:
> http://lists.digium.com/mailman/listinfo/asterisk-biz
>
> End of asterisk-biz Digest, Vol 71, Issue 44
> ********************************************
_________________________________________________________________
Hotmail es seguridad y confianza. Con el Filtro Anti Spam mejorado protegés tu cuenta. Ver más
http://www.descubrehotmail.com/anti-spam.asp
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.digium.com/pipermail/asterisk-biz/attachments/20100628/ff8cd246/attachment-0001.htm
More information about the asterisk-biz
mailing list