[asterisk-dev] Summary: SIP, NAT, security concerns, oh my!
twilson at digium.com
Wed Nov 9 01:00:30 CST 2011
> How about an *option* that will allow for NO RESPONSE at all if all
> authentications fail? This would make Asterisk the most secure because
> then the server won't announce what it's running so the hackers will
> move on when they don't hear a response back. DDoS will be a thing of
> the past if they can't establish that there is an Asterisk server. As an
> option in sip.conf this can be set to OFF by default but can be turned
> on if the user wants to set it to ON. So, at times of debugging the
> system, one can set this to NO and other times keep it to YES so
> outsiders are not told that we are running an Asterisk server. This
> adds a very unique layer of security to the system.
SIP devices do not generally send any authentication information on the first request in a dialog. They send a request with no auth info, get a challenge, and then send a new transaction with their credentials. Considering it is the initial challenge for requesting that the client sends auth info in the first place that we are talking about, your suggestion wouldn't be possible for most setups.
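The two-transaction digest exchange described in the reply above, as an added example that is not part of the original message and is not Asterisk code. `ToyRegistrar`, its `silent` flag, the sample user and the URI are constructed for illustration, and the 403 on a bad digest is a simplification.

```python
import hashlib, hmac, secrets

REALM = "asterisk"              # constructed sample realm
USERS = {"alice": "s3cret"}     # constructed credential store
URI = "sip:pbx.example.com"     # constructed request URI

def md5hex(s):
    return hashlib.md5(s.encode()).hexdigest()

def digest_response(user, realm, password, method, uri, nonce):
    # RFC 2617 digest without qop: MD5(HA1:nonce:HA2)
    ha1 = md5hex(f"{user}:{realm}:{password}")
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{ha2}")

class ToyRegistrar:
    def __init__(self, silent=False):
        self.silent = silent    # hypothetical "no response" option
        self.nonces = set()     # nonces issued and not yet used

    def handle(self, req):
        auth = req.get("authorization")
        if auth is None:
            if self.silent:
                return None     # drop: the client never receives a nonce
            nonce = secrets.token_hex(8)
            self.nonces.add(nonce)
            return {"status": 401, "realm": REALM, "nonce": nonce}
        if auth["nonce"] not in self.nonces:
            return None if self.silent else {"status": 403}
        self.nonces.discard(auth["nonce"])  # one use per nonce
        password = USERS.get(auth["username"], secrets.token_hex(8))
        want = digest_response(auth["username"], REALM, password,
                               req["method"], req["uri"], auth["nonce"])
        if hmac.compare_digest(want, auth["response"]):
            return {"status": 200}
        return None if self.silent else {"status": 403}

def register(server, user, password):
    # Transaction 1: no credentials, because no nonce is known yet.
    first = server.handle({"method": "REGISTER", "uri": URI})
    if first is None:
        return "timeout"
    # Transaction 2: same request, now with the digest response.
    auth = {"username": user, "nonce": first["nonce"],
            "response": digest_response(user, first["realm"], password,
                                        "REGISTER", URI, first["nonce"])}
    reply = server.handle({"method": "REGISTER", "uri": URI,
                           "authorization": auth})
    return reply["status"] if reply else "timeout"
```

With `silent=True` the client holding the correct password times out on the first transaction, because the response being suppressed is the one that carries the nonce.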