[asterisk-users] SECURITY QUESTION & SANITY CHECK

Karl Fife asterisk-users at kfife.mailworks.org
Sun Aug 24 14:17:47 CDT 2008


SECURITY QUESTION & SANITY CHECK:
If only my SIP ports and a small range of RTP ports are facing the
public internet, what is the method by which an evildoer would be able
to do fraudulent long distance on my nickel?  

Would it REALLY be as simple as guessing the credentials for ANY of my
local sip endpoints?  Like most people, my local endpoint credentials
would be easy to guess: 
Username is often just an extension number (101,2,3 etc), 
passwords are often found in the "top 2000 common passwords list" and
more often in the few hundred thousand canonical words.  

I THINK the answer is YES, absolutely--Karl, go harden your
installation!

WHAT ARE BEST PRACTICES? PLEASE CRITIQUE!
I think that one should at least:
   1. Use STRONG, random SIP passwords.  Are these sent clear text across
   the internet?
   2. Where possible one should not use auth names that match the
   extension number?
   ??? - please advise.

I think one may want to:
   3. Run IDS/IPS on their router.
   ??? - please advise.

Without getting into the complexities of multi-homed, interface-specific
bindings etc, are there additional precautions I should be taking?  

For example I tried to block registrations from other subnets as
follows:
[general]
...
deny=0.0.0.0/0.0.0.0                  ;deny all by default?
permit=10.1.0.0/255.255.0.0           ;allow registrations from local subnet?

But this seems to have no effect.  Of course I may NOT have wanted its
'effect' if its effect would be to deny ALL SIP traffic from ALL places
including my ITSP's and guest SIP URI invites.  Obviously I ONLY want to
disallow foreign REGISTRATIONS (from other subnets) while preserving
inbound calls from ANYONE.  Is there a way to do that without an SBC?

For crude IPS/IDS is there an Asterisk method to blacklist registrations
from a specific IP address after a certain number of failed registration
attempts, or would I need an SBC or IDS/IPS for that?

Thanks in advance to anyone who takes a moment to do a brain-dump on this
topic!


-Karl
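The "crude IPS/IDS" the post asks about, as an added example that is not part of the original message and not an Asterisk feature: a small Python detector that reads chan_sip "Registration from ... failed for ..." NOTICE lines and flags any source IP that exceeds a threshold of failed REGISTERs inside a sliding time window. The log line format and the year used for timestamps are assumptions, and the sample log is constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed chan_sip NOTICE format for failed registrations; the optional ":port"
# suffix covers releases that log the source port too.
FAILED_REG = re.compile(
    r"^\[(?P<ts>[^\]]+)\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '(?P<user>[^']*)' failed for '(?P<ip>[\d.]+)(?::\d+)?' - (?P<why>.*)$"
)

# Constructed sample log: one remote host guessing several extensions, one
# local phone mistyping its secret twice, minutes apart.
SAMPLE_LOG = """\
[Aug 24 14:00:01] NOTICE[2211] chan_sip.c: Registration from '"101" <sip:101@10.1.0.5>' failed for '203.0.113.9' - Wrong password
[Aug 24 14:00:02] NOTICE[2211] chan_sip.c: Registration from '"102" <sip:102@10.1.0.5>' failed for '203.0.113.9' - Wrong password
[Aug 24 14:00:02] NOTICE[2211] chan_sip.c: Registration from '"103" <sip:103@10.1.0.5>' failed for '203.0.113.9' - No matching peer found
[Aug 24 14:00:03] NOTICE[2211] chan_sip.c: Registration from '"101" <sip:101@10.1.0.5>' failed for '10.1.0.44' - Wrong password
[Aug 24 14:00:04] NOTICE[2211] chan_sip.c: Registration from '"104" <sip:104@10.1.0.5>' failed for '203.0.113.9' - Wrong password
[Aug 24 14:09:00] NOTICE[2211] chan_sip.c: Registration from '"101" <sip:101@10.1.0.5>' failed for '10.1.0.44' - Wrong password
"""

def parse_ts(ts, year=2008):
    # Asterisk's default timestamp carries no year; one is assumed so lines can be ordered.
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def offenders(log_text, threshold=3, window=timedelta(minutes=5)):
    """Return {ip: peak_count} for sources with >= threshold failed REGISTERs inside `window`."""
    recent = defaultdict(deque)   # per-IP timestamps still inside the window
    flagged = {}
    for line in log_text.splitlines():
        m = FAILED_REG.match(line)
        if not m:
            continue
        ip, when = m["ip"], parse_ts(m["ts"])
        q = recent[ip]
        q.append(when)
        while q and when - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged

if __name__ == "__main__":
    for ip, n in offenders(SAMPLE_LOG).items():
        print(f"{ip}: {n} failed registrations within 5 min -> candidate for a firewall deny rule")
```

Feeding the flagged addresses to the router's firewall (rather than only to sip.conf deny lines) is what turns this from detection into a crude IPS; whitelisting the ITSP and local subnet first avoids locking out legitimate peers.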
