[asterisk-users] How to stop intruder from registering sip?

Dave Platt dplatt at radagast.org
Sun Jun 13 12:59:43 CDT 2010


> If you leave your asterisk box open to the world with passwords like 0000
> you deserve to be hacked..

Well, without making a moral judgment, I will agree that you are *going*
to be hacked if you do this!

The O.P. seems to have made two (fairly common) mistakes:

-  Used a "secret" so obvious that it could be guessed... and
   even if not, so short that it could have been determined by
   a very simple brute-force attack.

-  Used the user's extension number as the SIP user ID... thus
   making it easy to figure out which user IDs a password attack
   could be carried out against.

Doing a brute-force SIP-registration attack against all
possible 3- and 4-digit extensions, using a handful of
obvious "secret" strings (0000 through 9999, 1234, 4321,
same number as the extension) wouldn't take an attacker
very long at all.  Nor would trying to call all of these
numbers once to figure out which extensions exist, then doing
a brute-force password attack against those which exist.  I
have no doubt that there are numerous crackers out on the
net doing just these sorts of attacks on a regular basis.

The cure for these problems is, obviously, "don't do that":

(1) SIP user IDs should not be based on the extension number,
    and preferably should not be based on the owner's name
    or user login.  Make 'em hard to guess or brute-force!

(2) Make the secrets equally hard to guess or brute-force.
    No short strings of numbers, no dictionary words or
    simple leet-speak transforms of them, etc.

One of your best tools is a program or script to generate
random sequences of letters and digits and other legal-
in-SIP-names characters.  Try something like

   dd if=/dev/urandom bs=512 count=1 | base64

and then copy some 10- or 12-character substrings out of this
mass of gibberish and use 'em for SIP secrets.  With this many
bits of randomness in the secrets, they'll be effectively
invulnerable to guessing or brute force attacks.

> Are your travelling people using softphones? If they are, VPN would be a good
> idea..

A very good idea, and not just for security reasons.  Running SIP over
a VPN tunnel can be a very effective remedy for all sorts
of firewall- and NAT-related problems.

I've found that running OpenVPN between my various SIP clients,
and my Asterisk server, produces far better results than depending
on STUN or on SIP-aware routers and firewalls.