[asterisk-users] Securing Asterisk and your network
Tzafrir Cohen
tzafrir.cohen at xorcom.com
Fri Jun 13 12:43:44 CDT 2008
On Fri, Jun 13, 2008 at 11:51:35AM -0400, Jay R. Ashworth wrote:
> On Thu, Jun 12, 2008 at 11:09:43PM +0300, Tzafrir Cohen wrote:
> > > Additionally, you should install a brute-force-attack blocker:
> > >
> > > http://www.la-samhna.de/library/brutessh.html
> >
> > This is effectively another service listening. It is also a method for
> > an attacker to lock you out of the system.
> >
> > See, for instance, http://www.ossec.net/en/attacking-loganalysis.html .
>
> Sure; all in-band methods suffer from the possibility of becoming DoS
> vectors. And yes, the fact that sshd doesn't quote that argument as it
> drops it into the syslog, making it easier to see bogusness, is a bad
> thing. But those log lines wouldn't fool *me*.
>
> And if they fool your log analysis system, then its regexes aren't
> written tightly enough.
Apparently, getting the regex right is a bit trickier than people think.
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-4321
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-6302
So getting this regex right is probably a bit tricky.
>
> And, back on point, that particular sshblocker doesn't give a damn what
> sshd writes in the syslog.
>
> And, no, it's actually not another service listening.
It responds to external output. I can trigger it to run whenever I want.
Pretty close to a "service".
Consider e.g. a spam filter used by a mail server. It might just as well
have such remotely-exploitable security holes, if badly written. And the
attacker does not even need direct access to the system running the spam
filter.
Or Asterisk handling proxied SIP/IAX traffic.
--
Tzafrir Cohen
icq#16849755 jabber:tzafrir.cohen at xorcom.com
+972-50-7952406 mailto:tzafrir.cohen at xorcom.com
http://www.xorcom.com iax:guest at local.xorcom.com/tzafrir