[asterisk-dev] Summary: SIP, NAT, security concerns, oh my!

Walter Doekes walter+asterisk-dev at osso.nl
Wed Nov 9 03:08:40 CST 2011


On 09/11/11 08:00, Terry Wilson wrote:
>> How about an *option* that will allow for NO RESPONSE at all if all
>> authentications fail? This would make Asterisk the most secure because
>> then the server won't announce what it's running so the hackers will
>> move on when they don't hear a response back. DDoS will be a thing of
>> past if they can't establish that there is an Asterisk server. As an
>> option in sip.conf this can be set to OFF by default but can be turned
>> on if the user wants to set it to ON. So, at times of debugging the
>> system, one can set this to NO and other times keep it to YES so
>> outsiders are not told that we are running an Asterisk server. This
>> adds a very unique layer to security to the system.
>
> SIP devices do not generally send any authentication information on the first request in a dialog. They send a request with no auth info, get a challenge, and then send a new transaction with their credentials. Considering it is the initial challenge for requesting that the client sends auth info in first place that we are talking about, your suggestion wouldn't be possible for most setups.

Well actually, if you use peer matching (ip+port) only, this could be 
implemented. Authentication info for the REGISTER is in the majority of 
cases contained in the username. While the authentication username could 
technically be different from the registering username, this is never 
the case with asterisk (or is it?). This means that the initial REGISTER 
packet does include the authenticating username.

Method REGISTER? No known username in the From/To? => No answer.
Method anything else? Not from a known IP+port? => No answer.

Now, I'm not diving into any coding efforts immediately, but I think it 
could certainly be possible and even usable for many setups.


Walter



More information about the asterisk-dev mailing list