[asterisk-users] Security - What inbound variables can attackers populate or use when calling?

jwexler at mail.usa.com jwexler at mail.usa.com
Fri Aug 6 22:53:21 CDT 2010


Well, I'm not sure actually. I was attacked in June by someone who racked up
between $800 and $900 in international calls to places in the middle of
Africa, Korea, etc. So, I am motivated to secure this. I have made it much
much more secure, definitely, but am looking for as many ways to further
lock this down as possible.


I figure that I should filter every field that someone could possibly
interact with Asterisk in case they send characters that might breach
security and allow them some kind of access. Symbols like the ampersand
(&), comma (,), forward slash (/), at (@), pipe (|), etc., I would guess,
could be bad.


Someone from Amsterdam was trying to register yesterday using an automated
program which tried roughly 1,000 or so username/password combinations
before I shut asterisk down and added his/her ip to iptables to drop it. I
wonder if I can configure the system to automatically detect such an attack
in progress (e.g., 1,000+ registration failures from the same ip is an
'attack') and add the ip's to iptables, hosts.deny, etc. on the fly. That
might be another topic I guess?


This experience has emphasized the importance of securing the system and
security in asterisk in general.


Any insight on this would be really appreciated!


Thanks!!


From: asterisk-users-bounces at lists.digium.com
[mailto:asterisk-users-bounces at lists.digium.com] On Behalf Of mike mosier
Sent: Saturday, August 07, 2010 11:52 AM
To: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: Re: [asterisk-users] Security - What inbound variables can
attackers populate or use when calling?


What kind of attack can they perform calling in?

On Aug 6, 2010 1:12 AM, <jwexler at mail.usa.com> wrote:
> I am setting filters, etc. on variables that attackers can send asterisk
> when they call (for example when they initially call into asterisk).
> 
> So far, I am filtering:
> 
> exten
> 
> CALLERID(name)
> 
> CALLERID(num)
> 
> 
> 
> What other fields or variables would an attacker be able to use in the
> packets that they send when placing the call to asterisk?
> 
> 
> 
> Further, I am assuming that in the case that an attacker, first, simply
> dials in normally and then after reaching voice prompts or other, starts
> his/her attack, then all I need to filter in that case is exten. Anything
> else here as well?
> 
> 
> 
> Thanks!!
> 
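
The automatic detection jwexler asks about above (many failed registrations from one ip, then a block), as an added example that is not from anyone in this thread: a Python sliding-window counter over Asterisk chan_sip "Registration ... failed for" log notices that reports the offending sources and renders iptables DROP rules for an operator to review. The log line shape, the sample lines, and the 1,000-in-10-minutes threshold are constructed assumptions for the example, not values taken from the thread.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed shape of the chan_sip notice written to the Asterisk log on a
# failed REGISTER (constructed for this example; check your own log lines).
FAILED_REG = re.compile(
    r"^\[(?P<ts>[^\]]+)\] NOTICE\[\d+\] chan_sip\.c: Registration from "
    r"'(?P<from>[^']*)' failed for '(?P<ip>[\d.]+)(?::\d+)?' - (?P<reason>.*)$"
)
TS_FORMAT = "%b %d %H:%M:%S"  # Asterisk's default timestamp, e.g. "Aug  6 22:53:21"

def find_brute_forcers(lines, threshold=1000, window=timedelta(minutes=10)):
    """Return {ip: failures} for sources with >= threshold failed
    registrations inside any sliding interval of length `window`."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still in window
    flagged = {}
    for line in lines:
        m = FAILED_REG.match(line)
        if not m:
            continue
        ip, ts = m.group("ip"), datetime.strptime(m.group("ts"), TS_FORMAT)
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:  # age out failures older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged

def iptables_drop_rules(ips):
    """Render one DROP rule per flagged source for an operator to review."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(ips)]

def constructed_sample_log():
    """Constructed log lines (not real traffic): one scanner, one honest typo."""
    base = datetime(2010, 8, 6, 22, 50, 0)
    fmt = ("[{ts}] NOTICE[2231] chan_sip.c: Registration from "
           "'\"{user}\" <sip:{user}@192.0.2.10>' failed for '{ip}' - Wrong password")
    lines = []
    for i in range(1200):  # 1,200 guesses in six minutes from one address
        ts = (base + timedelta(seconds=0.3 * i)).strftime(TS_FORMAT)
        lines.append(fmt.format(ts=ts, user=100 + i % 50, ip="203.0.113.5:5060"))
    for i in range(3):  # a real user mistyping a password three times
        ts = (base + timedelta(minutes=i)).strftime(TS_FORMAT)
        lines.append(fmt.format(ts=ts, user="alice", ip="198.51.100.7"))
    lines.append("[Aug  6 22:51:00] NOTICE[2231] chan_sip.c: Peer 'alice' is now Reachable.")
    return lines
```

Feeding the real messages log (tail -F) into find_brute_forcers and reviewing the rendered rules before applying them is the manual equivalent of what fail2ban does with a chan_sip filter.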
