[asterisk-users] Is there a public blacklist of hackers' IPaddresses?

Dave Platt dplatt at radagast.org
Thu Mar 26 15:41:08 CDT 2009


> SIP was written in such a way that the hashes it sends for passwords
> could, with only a trivial rewrite of the server code, be SHA1 instead
> of MD5 -- which would increase security to the level that, currently, it
> would be far more trouble than it's worth to even bother to attempt to
> crack.

I strongly doubt that the known weaknesses in the MD5 hash are
the "weak point" in SIP account security.

Weak passwords are almost certainly much more of a problem.  Performing
a dictionary attack is going to be a lot faster than attempting
a brute-force mathematical attack against MD5... and switching from
MD5 to SHA-1 provides no significant defense against dictionary
attacks.

The only good way to keep passwords secure against dictionary attacks
is to make sure that the passwords aren't guessable by that means...
no common words, no names, no simple permutations or birthdates or
anything like that.  Use a decent random-number generator and
number-to-character conversion algorithm to generate SIP passwords
that are sufficiently long and very DTR8FBWF_==F?Z@\.-+!N$ and you'll
be well defended.
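As an added example that is not part of Dave Platt's message, the quoted post, or the Asterisk code base, the script below shows the point concretely: the SIP Digest response (RFC 2617 style, no qop, which is what chan_sip exchanges on a REGISTER) is computed with a pluggable hash, the same dictionary attack is run against an MD5 and a SHA-1 variant of that response, and a CSPRNG-based generator produces the kind of password the message recommends. The challenge parameters, the hostname `pbx.example.invalid`, the wordlist and the secret are all constructed for this example and are not captured traffic.

```python
"""Added example, not part of the original post or of Asterisk:
SIP Digest authentication with a pluggable hash, a dictionary attack
against one sniffed REGISTER exchange, and a CSPRNG password generator.
All challenge values and the wordlist are constructed for this example."""
import hashlib
import math
import secrets
import string


def digest_response(algo, user, realm, password, method, uri, nonce):
    """Digest 'response' parameter without qop (RFC 2617 / RFC 3261):
       HA1 = H(user:realm:password)
       HA2 = H(method:uri)
       response = H(HA1:nonce:HA2)
    `algo` is any hashlib name, e.g. "md5" (what SIP actually uses) or
    "sha1" (the substitution the quoted poster proposed)."""
    h = lambda s: hashlib.new(algo, s.encode()).hexdigest()
    ha1 = h(f"{user}:{realm}:{password}")
    ha2 = h(f"{method}:{uri}")
    return h(f"{ha1}:{nonce}:{ha2}")


def dictionary_attack(algo, challenge, observed_response, wordlist):
    """Offline password guess from one sniffed REGISTER/401/REGISTER.
    `challenge` holds the parameters visible on the wire (user, realm,
    method, uri, nonce).  Returns (password_or_None, candidates_hashed).
    Nothing here depends on the hash being MD5: each guess costs one
    Digest computation whatever algorithm is plugged in."""
    tried = 0
    for candidate in wordlist:
        tried += 1
        if digest_response(algo, password=candidate, **challenge) == observed_response:
            return candidate, tried
    return None, tried


ALPHABET = string.ascii_letters + string.digits   # 62 symbols, safe to paste into sip.conf


def random_sip_password(length=24, alphabet=ALPHABET):
    """Password drawn from the OS CSPRNG (secrets), never random.random()."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Guessing entropy of a uniformly random password of this shape."""
    return length * math.log2(alphabet_size)


# Constructed sample (not real traffic): what an attacker on the LAN
# would see in one REGISTER exchange with an Asterisk box.
CHALLENGE = dict(user="1001", realm="asterisk", method="REGISTER",
                 uri="sip:pbx.example.invalid", nonce="5f3a1c9e")
WORDLIST = ["password", "123456", "1001", "asterisk", "letmein", "qwerty", "secret"]


def compare_md5_sha1(password, wordlist=WORDLIST):
    """Run the identical dictionary attack against an MD5 and a SHA-1
    Digest response for the same secret; returns {algo: (found, tries)}."""
    results = {}
    for algo in ("md5", "sha1"):
        observed = digest_response(algo, password=password, **CHALLENGE)
        results[algo] = dictionary_attack(algo, CHALLENGE, observed, wordlist)
    return results


if __name__ == "__main__":
    print("weak password  :", compare_md5_sha1("asterisk"))   # same guess count under both hashes
    strong = random_sip_password()
    print("strong password:", strong, f"({entropy_bits(len(strong)):.0f} bits)")
    print("strong cracked :", compare_md5_sha1(strong))       # (None, 7) under both hashes
```

Running it shows the weak secret falling on the same guess whether the server hashes with MD5 or SHA-1, while the 24-character generated password (about 143 bits of entropy) survives the wordlist under both; the hash choice changes the cost of a single guess only marginally, the password's guessability is what changes the number of guesses.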
