[asterisk-users] How to stop intruder from registering sip?

Tilghman Lesher tlesher at digium.com
Sun Jun 13 14:17:59 CDT 2010


On Sunday 13 June 2010 13:46:36 Tzafrir Cohen wrote:
> On Sun, Jun 13, 2010 at 10:59:43AM -0700, Dave Platt wrote:
> > The O.P. seems to have made two (fairly common) mistakes:
>
> [snip]
>
> > -  Used the user's extension number as the SIP user ID... and
> >    thus making it easy to figure out which user IDs on which a
> >    password attack could be carried out.
>
> Sadly this is something that FreePBX (and probably other systems) force
> you to do.
>
> One other minor nit:
> > One of your best tools is a program or script to generate
> > random sequences of letters and digits and other legal-
> > in-SIP-names characters.  Try something like
> >
> >    dd if=/dev/urandom bs=512 count=1 | base64
> >
> > and then copy some 10- or 12-character substrings out of this
> > mass of gibberish and use 'em for SIP secrets.  With this many
> > bits of randomness in the secrets, they'll be effectively
> > invulnerable to guessing or brute force attacks.
>
> Ahem. If you only want that many characters, just get less random bits.
>
> This will get you 128 (16 * 8) [pseudo?]random bits:
>
>    head /dev/urandom -c 16 | base64

I would generally suggest something a little more deterministic (where
101 is your extension):

$ echo '101This is a salt' | sha1sum
22c3c098bfc2289396af84ecfb1ab77419a6537e

Pick your salt to be unique per site, guard the salt jealously, and you'll be
fine.

-- 
Tilghman Lesher
Digium, Inc. | Senior Software Developer
twitter: Corydon76 | IRC: Corydon76-dig (Freenode)
Check us out at: www.digium.com & www.asterisk.org
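Both recipes from the thread as one runnable sh script. This is an added example, not code from any of the posters: derived_secret reproduces the `echo '<ext><salt>' | sha1sum` pipeline byte for byte (printf with a trailing newline, so it yields the same digest as the echo version), while the base64 character stripping, the strength check and the batch loop are assumptions of mine, as is the presence of GNU coreutils.

```shell
#!/bin/sh
# Added example, not from the asterisk-users thread. Assumes GNU coreutils
# (head, base64, sha1sum, tr, cut) on the Asterisk host.

# random_secret LEN: LEN characters drawn from /dev/urandom and base64-encoded.
# '/', '+' and '=' are stripped (a conservative choice; they are awkward in
# sip.conf and dialplan strings), so extra bytes are read to keep LEN chars.
random_secret() {
    len=${1:-16}
    # 3 raw bytes give 4 base64 characters, so len*3 bytes leave plenty of margin.
    head -c "$((len * 3))" /dev/urandom | base64 | tr -d '/+=\n' | cut -c1-"$len"
}

# derived_secret EXT SALT: the deterministic recipe from the thread,
# SHA-1 of "<ext><salt>\n" (identical to echo '<ext><salt>' | sha1sum).
derived_secret() {
    printf '%s%s\n' "$1" "$2" | sha1sum | cut -d' ' -f1
}

# secret_is_strong SECRET [MINLEN]: reject short or purely numeric secrets,
# the ones registration scanners guess first. Returns 0 when acceptable.
secret_is_strong() {
    s=$1
    min=${2:-12}
    [ "${#s}" -ge "$min" ] || return 1
    case $s in
        *[!0-9]*) return 0 ;;   # contains at least one non-digit
        *)        return 1 ;;   # digits only
    esac
}

# peer_secrets SALT EXT...: print "ext secret" for a batch of extensions,
# all derived from one per-site salt that is never written into sip.conf.
peer_secrets() {
    salt=$1
    shift
    for ext in "$@"; do
        printf '%s %s\n' "$ext" "$(derived_secret "$ext" "$salt")"
    done
}
```

Run it as `. ./secrets.sh; peer_secrets 'your per-site salt' 101 102 103` to produce the secrets for a block of extensions, or `random_secret 16` for an unrelated random one.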
