[asterisk-users] How to stop intruder from registering sip?

sean darcy seandarcy2 at gmail.com
Sun Jun 13 15:06:52 CDT 2010


On 06/13/2010 01:59 PM, Dave Platt wrote:
>> If you leave your asterisk box open to the world with passwords like 0000
>> you deserve to be hacked..
>
> Well, without making a moral judgment, I will agree that you are *going*
> to be hacked if you do this!
>
> The O.P. seems to have made two (fairly common) mistakes:
>
> -  Used a "secret" so obvious that it could be guessed... and
>     even if not, so short that it could have been determined by
>     a very simple brute-force attack.
>
> -  Used the user's extension number as the SIP user ID... and
>     thus making it easy to figure out which user IDs on which a
>     password attack could be carried out.
>
> Doing a brute-force SIP-registration attack against all
> possible 3- and 4-digit extensions, using a handful of
> obvious "secret" strings (0000 through 9999, 1234, 4321,
> same number as the extension) wouldn't take an attacker
> very long at all.  Nor would trying to call all of these
> numbers once to figure out which extensions exist, then doing
> a brute-force password attack against those which exist.  I
> have no doubt that there are numerous crackers out on the
> net doing just these sorts of attacks on a regular basis.
>
> The cure for these problems is, obviously, "don't do that":
>
> (1) SIP user IDs should not be based on the extension number,
>      and preferably should not be based on the owner's name
>      or user login.  Make 'em hard to guess or brute-force!
>
> (2) Make the secrets equally hard to guess or brute-force.
>      No short strings of numbers, no dictionary words or
>      simple leet-speak transforms of them, etc.
>
> One of your best tools is a program or script to generate
> random sequences of letters and digits and other legal-
> in-SIP-names characters.  Try something like
>
>     dd if=/dev/urandom bs=512 count=1 | base64
>
> and then copy some 10- or 12-character substrings out of this
> mass of gibberish and use 'em for SIP secrets.  With this many
> bits of randomness in the secrets, they'll be effectively
> invulnerable to guessing or brute force attacks.
>
>> Are your travelling people using softphones? If they are VPN would be a good
>> idea..
>
> A very good idea, and not just for security reasons.  Running SIP over
> a VPN tunnel can be a very effective remedy for all sorts
> of firewall- and NAT-related problems.
>
> I've found that running OpenVPN between my various SIP clients,
> and my Asterisk server, produces far better results than depending
> on STUN or on SIP-aware routers and firewalls.
>

Thanks for not suggesting I ponder my sins!

As I mentioned, I'm not inclined to mess with the secrets; too much
hassle for users. That's why I'm considering deny/permit.

Does that solve my problem?

But I'm struck with your notion of having sip user ids different from 
extensions. That would not require any user effort, or messing with each 
phone. But...

We use a combo of aastra 9133i and 57i's. Don't the user id and the 
extension HAVE to be the same? I had thought the aastra's used the 
extension as the SIP id to register.

sean
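
The advice in the quoted reply (random secrets taken from /dev/urandom, SIP user IDs that are not the extension number, the short and obvious secrets an attacker tries first) as an added example, not code posted by either participant. It is a Python equivalent of the `dd if=/dev/urandom bs=512 count=1 | base64` one-liner, filtered to letters and digits so the result is safe in a sip.conf section name, and it renders a peer whose register name differs from the dialable extension, mapped back in the dialplan with `Dial(SIP/<peer>)`. The helper names, the constructed extension 2001, the permit/deny netmask and the 1000 guesses per second rate are this example's own assumptions, not Asterisk APIs or measured attacker figures.

```python
"""Added example: the thread's password and user-ID advice as a script.

Secrets and register names come from the OS random source (what the quoted
dd | base64 one-liner reads), kept to [A-Za-z0-9] so they are safe in a
sip.conf [section] header.  Helper names and the sample numbers are this
example's assumptions, not Asterisk APIs.
"""
import base64
import math
import secrets
import string

SAFE_ALPHABET = string.ascii_letters + string.digits  # 62 symbols
DEFAULT_LENGTH = 12


def random_safe_string(length):
    """base64 random bytes, then keep only [A-Za-z0-9] until `length` chars.

    Each base64 character of random input is uniform over 64 symbols, so
    dropping '+', '/' and '=' leaves the kept characters uniform over 62."""
    if length < 1:
        raise ValueError("length must be positive")
    out = []
    while len(out) < length:
        chunk = base64.b64encode(secrets.token_bytes(64)).decode("ascii")
        out.extend(c for c in chunk if c in SAFE_ALPHABET)
    return "".join(out[:length])


def make_sip_secret(length=DEFAULT_LENGTH):
    """The 10- to 12-character substring the quoted post suggests."""
    return random_safe_string(length)


def make_sip_user_id(length=10):
    """A register name that is neither the extension nor the owner's name.
    Lower-cased for phone config UIs; the user ID is not the secret."""
    return "sip" + random_safe_string(length).lower()


def is_weak_secret(secret, extension):
    """Flags the patterns the thread says attackers try first: the
    extension itself, 1234/4321, a repeated digit, short all-digit PINs,
    or anything shorter than 10 characters."""
    if secret == extension or secret in ("1234", "4321"):
        return True
    if secret.isdigit() and len(secret) <= 4:
        return True
    if len(set(secret)) == 1:
        return True
    return len(secret) < 10


def entropy_bits(alphabet_size, length):
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(alphabet_size, length, guesses_per_second):
    """Attacker worst case: every candidate secret tried once."""
    return alphabet_size ** length / guesses_per_second


def render_peer(extension, user_id, secret, permit=""):
    """sip.conf peer plus the extensions.conf line mapping the dialable
    extension to it.  The [section] name is what the phone registers as,
    so the extension number never appears in the SIP username."""
    lines = [
        "[%s]" % user_id,
        "type=friend",
        "host=dynamic",
        "secret=%s" % secret,
        'callerid="Ext %s" <%s>' % (extension, extension),
    ]
    if permit:  # the deny/permit restriction the original poster mentions
        lines.append("deny=0.0.0.0/0.0.0.0")
        lines.append("permit=%s" % permit)
    lines.append("")
    lines.append("; extensions.conf")
    lines.append("exten => %s,1,Dial(SIP/%s)" % (extension, user_id))
    return "\n".join(lines)


if __name__ == "__main__":
    rate = 1000.0  # assumed REGISTER attempts per second, not a measurement
    print("4-digit PIN:    %.1f bits, exhausted in %.0f s"
          % (entropy_bits(10, 4), seconds_to_exhaust(10, 4, rate)))
    years = seconds_to_exhaust(62, DEFAULT_LENGTH, rate) / (365 * 86400)
    print("12-char secret: %.1f bits, exhausted in %.2e years"
          % (entropy_bits(62, DEFAULT_LENGTH), years))
    ext = "2001"  # constructed sample extension
    print(render_peer(ext, make_sip_user_id(), make_sip_secret(),
                      permit="192.168.1.0/255.255.255.0"))
```

Run it once per extension and paste the peer block into sip.conf and the `exten =>` line into the dialplan; the phone is provisioned with the generated user ID and secret, while callers still dial 2001.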
