[asterisk-users] Security Against brute force attack

Rasmus Männa asterisk at razu.pri.ee
Wed Nov 18 17:46:13 CST 2009


Hi All,

I must say that there are many ways to detect a password attack, because this
information actually goes into logs and it's possible to analyze them.
A couple of hours of thinking + a day or 2 of creating gives a really nice result.
The bad thing is that by the time someone starts guessing the password with
a dictionary attack or brute force (it doesn't matter), he already knows
what the account name/ID is.

All this leads me to a question which is (from my point of view) a bit
more important. Is there any way to detect SIP/IAX account guessing
without actually dumping the UDP flow? I tried some _hacking_ tools and
these create only some logs in debug mode. Using debug is not always an
option because in some cases it creates a ~5MB log in a minute - such a flow
is quite impossible to handle.

Does anyone have any experience catching account guessing attempts
automatically? Any kind of ideas would be wonderful :)

thx a lot,
--
razu

On 11/18/2009 10:01 PM, Ioan Indreias wrote:
> Hello Xavier,
>
> Unfortunately we are not aware of any Asterisk configuration which
> will protect against a brute force attack on SIP.
>
> We use BFD - http://www.rfxn.com/projects/brute-force-detection/ .
>
> We have found first details here: http://engineertim.com/?cat=15 and
> we are currently maintaining 4 rules (SIP and IAX) . All of them could
> be downloaded from
> here: http://www.modulo.ro/Modulo/downloads/tools/tenora.bfd.tar.gz
>
> We have tried to document the installation of BFD on an Asterisk
> server
> here: http://www.modulo.ro/Modulo/ro/Articole/Securitate_pentru_servere_Asterisk.html (in
> Romanian)
>
>
> HTH,
> Ioan (Nini) Indreias
> http://www.modulo.ro
>
>
> On Mon, Nov 16, 2009 at 7:24 PM, TDF <aja101561 at gmail.com> wrote:
>
>     fail2ban
>
>     http://www.voip-info.org/wiki/view/Fail2Ban+%28with+iptables%29+And+Asterisk
>
>
>     2009/11/16 Xavier Mesquida <xavimes at yahoo.com>
>
>         Has Asterisk any protection against brute force attack for SIP
>         authentication?
>         Something like a maximum login attempt limit
>         Thanks

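An added example, not part of the original thread: a log classifier that separates the two cases discussed above, password guessing against one known account and account guessing across many names, by counting distinct usernames per source address. It assumes the server writes rejected REGISTERs at NOTICE level in the chan_sip line format shown; that format, the thresholds, and all sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed chan_sip NOTICE format for a rejected REGISTER (not quoted in the thread).
FAILED = re.compile(
    r"Registration from '(?:\"[^\"]*\"\s*)?<sip:(?P<user>[^@>]+)@[^>]*>' "
    r"failed for '(?P<ip>[0-9.]+)(?::\d+)?' - "
)

# Constructed sample log; all addresses are documentation ranges.
SAMPLE_LOG = """\
[Nov 18 17:40:01] NOTICE[2345] chan_sip.c: Registration from '"100" <sip:100@192.0.2.10>' failed for '203.0.113.5' - No matching peer found
[Nov 18 17:40:01] NOTICE[2345] chan_sip.c: Registration from '"101" <sip:101@192.0.2.10>' failed for '203.0.113.5' - No matching peer found
[Nov 18 17:40:02] NOTICE[2345] chan_sip.c: Registration from '"102" <sip:102@192.0.2.10>' failed for '203.0.113.5' - No matching peer found
[Nov 18 17:40:02] NOTICE[2345] chan_sip.c: Registration from '"103" <sip:103@192.0.2.10>' failed for '203.0.113.5' - No matching peer found
[Nov 18 17:41:10] NOTICE[2345] chan_sip.c: Registration from '"200" <sip:200@192.0.2.10>' failed for '198.51.100.7' - Wrong password
[Nov 18 17:41:11] NOTICE[2345] chan_sip.c: Registration from '"200" <sip:200@192.0.2.10>' failed for '198.51.100.7' - Wrong password
[Nov 18 17:41:12] NOTICE[2345] chan_sip.c: Registration from '"200" <sip:200@192.0.2.10>' failed for '198.51.100.7' - Wrong password
[Nov 18 17:41:13] NOTICE[2345] chan_sip.c: Registration from '"200" <sip:200@192.0.2.10>' failed for '198.51.100.7' - Wrong password
[Nov 18 17:42:00] NOTICE[2345] chan_sip.c: Registration from '<sip:300@192.0.2.10>' failed for '192.0.2.44' - Wrong password
[Nov 18 17:42:30] VERBOSE[2345] chan_sip.c: Registered SIP '200' at 198.51.100.9 port 5060
"""

def classify(lines, min_accounts=3, min_failures=3):
    """Return {source_ip: verdict} for sources that cross a threshold."""
    per_ip = defaultdict(lambda: defaultdict(int))  # ip -> user -> failures
    for line in lines:
        m = FAILED.search(line)
        if m:
            per_ip[m.group("ip")][m.group("user")] += 1
    verdicts = {}
    for ip, users in per_ip.items():
        if len(users) >= min_accounts:
            # Many different names from one source: probing for valid accounts.
            verdicts[ip] = "account-guessing"
        elif max(users.values()) >= min_failures:
            # Repeated failures on one name: the account is already known.
            verdicts[ip] = "password-guessing"
    return verdicts

if __name__ == "__main__":
    for ip, verdict in sorted(classify(SAMPLE_LOG.splitlines()).items()):
        print(ip, verdict)
```

The per-source verdicts can feed a blocking tool such as the fail2ban or BFD setups mentioned in the quoted replies.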

