[asterisk-bugs] [JIRA] (ASTERISK-20722) Preventing Password attacks
Ron Wheeler (JIRA)
noreply at issues.asterisk.org
Sat Nov 24 16:27:45 CST 2012
[ https://issues.asterisk.org/jira/browse/ASTERISK-20722?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=200028#comment-200028 ]
Ron Wheeler commented on ASTERISK-20722:
----------------------------------------
I had to install fail2ban which was a bit of a PITA but does seem to work.
It would have been a lot easier to just set the delay to a reasonable delay of 5-60 minutes ;-) since no one should ever have a bad password, in my case.
Thanks for your quick response. I will make the request through the mailing list.
I did a bit of Googling before I submitted this and the ability to flood Asterisk with password probes seems to be widely reported as a security deficiency in Asterisk.
Thanks again
Ron
> Preventing Password attacks
> ---------------------------
>
> Key: ASTERISK-20722
> URL: https://issues.asterisk.org/jira/browse/ASTERISK-20722
> Project: Asterisk
> Issue Type: Improvement
> Security Level: None
> Components: Channels/chan_sip/Security Framework
> Affects Versions: 10.8.0
> Environment: All
> Reporter: Ron Wheeler
>
> When someone tries to attack a SIP account Asterisk helps them out by responding quickly.
> When an Asterisk system is attacked by applying random passwords, it would be good to be able to slow the attacker down by specifying a high number of milliseconds to respond to a wrong password or username.
> This would at least slow it down and eventually they would go away.
> No one with a valid password would be affected and it should be easy to do.
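Added example (not part of the original message, and not code from Asterisk or fail2ban): the kind of per-source counting that a log-watching tool such as the fail2ban mentioned above performs, sketched in Python over constructed log lines. The log line format, the names `max_retry` and `find_time`, and the thresholds are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines, modelled on chan_sip's failed-registration NOTICE.
# The exact format is an assumption and varies between Asterisk versions.
SAMPLE_LOG = """\
[2012-11-24 16:00:01] NOTICE[2211] chan_sip.c: Registration from '"101" <sip:101@192.0.2.10>' failed for '203.0.113.7' - Wrong password
[2012-11-24 16:00:02] NOTICE[2211] chan_sip.c: Registration from '"101" <sip:101@192.0.2.10>' failed for '203.0.113.7' - Wrong password
[2012-11-24 16:00:03] NOTICE[2211] chan_sip.c: Registration from '"102" <sip:102@192.0.2.10>' failed for '203.0.113.7' - Wrong password
[2012-11-24 16:00:04] NOTICE[2211] chan_sip.c: Registration from '"admin" <sip:admin@192.0.2.10>' failed for '203.0.113.7' - No matching peer found
[2012-11-24 16:01:00] NOTICE[2211] chan_sip.c: Registration from '"103" <sip:103@192.0.2.10>' failed for '198.51.100.20' - Wrong password
[2012-11-24 16:05:00] NOTICE[2211] chan_sip.c: unrelated constructed line that must be ignored
[2012-11-24 16:20:00] NOTICE[2211] chan_sip.c: Registration from '"103" <sip:103@192.0.2.10>' failed for '198.51.100.20' - Wrong password
"""

# Matches a failed registration for a wrong password or an unknown user name,
# the two cases the request above wants slowed down.
FAIL_RE = re.compile(
    r"^\[(?P<ts>[\d-]+ [\d:]+)\] NOTICE\[\d+\] chan_sip\.c: Registration from "
    r"'.*' failed for '(?P<ip>[0-9.]+)(?::\d+)?' - "
    r"(?:Wrong password|No matching peer found)"
)

def find_offenders(log_text, max_retry=3, find_time=timedelta(minutes=10)):
    """Map each source IP to the time its max_retry-th failure inside
    find_time was seen. Assumes the log is in chronological order."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    offenders = {}
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        window = recent[m["ip"]]
        window.append(ts)
        # Forget failures that have aged out of the sliding window.
        while ts - window[0] > find_time:
            window.popleft()
        if len(window) >= max_retry and m["ip"] not in offenders:
            offenders[m["ip"]] = ts
    return offenders

if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG).items():
        print(f"{ip} reached the failure threshold at {when}")
```

A source with occasional mistyped passwords (198.51.100.20 in the sample) stays below the threshold because its failures fall outside one window, while the rapid prober is flagged on its third failure.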