[asterisk-bugs] [JIRA] (ASTERISK-20722) Preventing Password attacks

Ron Wheeler (JIRA) noreply at issues.asterisk.org
Sat Nov 24 16:27:45 CST 2012


    [ https://issues.asterisk.org/jira/browse/ASTERISK-20722?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=200028#comment-200028 ] 

Ron Wheeler commented on ASTERISK-20722:
----------------------------------------

I had to install fail2ban, which was a bit of a PITA but does seem to work.
It would have been a lot easier to just set the delay to a reasonable delay of 5-60 minutes ;-) since no one should ever have a bad password, in my case.
Thanks for your quick response. I will make the request through the mailing list.
I did a bit of Googling before I submitted this, and the ability to flood Asterisk with password probes seems to be widely reported as a security deficiency in Asterisk.
Thanks again
Ron

                
> Preventing Password attacks
> ---------------------------
>
>                 Key: ASTERISK-20722
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-20722
>             Project: Asterisk
>          Issue Type: Improvement
>      Security Level: None
>          Components: Channels/chan_sip/Security Framework
>    Affects Versions: 10.8.0
>         Environment: All
>            Reporter: Ron Wheeler
>
> When someone tries to attack a SIP account, Asterisk helps them out by responding quickly.
> When an Asterisk system is attacked by applying random passwords, it would be good to be able to slow the attacker down by specifying a high number of milliseconds to respond to a wrong password or username.
> This would at least slow it down and eventually they would go away.
> No one with a valid password would be affected and it should be easy to do.
