[asterisk-users] How to stop intruder from registering sip?

Dave Platt dplatt at radagast.org
Mon Jun 14 11:22:57 CDT 2010


> As I mentioned, I'm not inclined to mess with the secrets, too much
> hassle for users.

I'm afraid that I have to consider that attitude to be a bit like
saying "It's too much hassle for us to insist that our employees
lock their desk drawers and the front door... or wash their
hands after going to the bathroom... or cover their mouths when
they sneeze.  Oh, yeah, we keep the combination to the corporate
safe on a yellow sticky-note on the bulletin board, so that anyone
who forgets it can figure it out quickly."

There are ways to make stronger secrets easier to work with.
One method creates secret phrases by concatenating a bunch
of randomly-chosen dictionary words.  If you have enough
such words in the dictionary you can create phrases which have
enough randomness to survive brute-force attacks but which
aren't too difficult to type in correctly.  For example, such
a gibberish-generator might output

	fizzy.basal.nerfy.dogma.colma.flinx

It's your choice... but these basic security principles about
setting secrets/passwords have the fruits of many people's
expen$ive experience at the high cost of *not* doing things
properly.

If the cost of doing things securely is that you have to spend
a few minutes of IT-guru time setting up each user's phone
or softphone, or need to write a document-generator which
prints out step-by-step instructions for each user with the
necessary user-name and secret included... it could be a
*very* good investment.


> That's why I'm considering deny/permit.

> Does that solve my problem?

*Only* if you have complete physical control over *every*
network on which those phones will be used, *and* all of
your employees are completely trustworthy.

It's really no solution at all if you need to have "road warriors"
using soft-phones on networks across the world, since you won't
be able to deny IP addresses meaningfully in that case.  All it
would take would be one such employee using a softphone via an
insecure network (e.g. open WiFi access point), somebody sniffs
the protocol and sees the registration and records the extension
number and then does a brute-force secret-guessing attack.  Boom.
You're out hundreds or thousands of dollars of calling costs before
you can react.  Scammers can use your SIP system to make calls to
"premium" phone numbers that cost several dollars per minute... and
the scammer may well get a portion of this revenue.

Big companies have ended up losing tens of thousands of dollars
to this sort of attack against their PBX systems.

Or, worse... your SIP secrets end up in the hands of a cybergang
which starts using your system for criminal activities (e.g.
drug-trafficking, making scam calls to homeowners, etc.), and
you find your company facing investigation by law enforcement,
or your SIP provider cuts you off due to abuse complaints.  The
secondary cost of either of these to your business could be
severe.

As Dirty Harry said, "How lucky do you feel?".  You've already
been hit once.

> But I'm struck with your notion of having sip user ids different from
> extensions. That would not require any user effort, or messing with each
> phone. But...
>
> We use a combo of aastra 9133i and 57i's. Don't the user id and the
> extension HAVE to be the same? I had thought the Aastras used the
> extension as the SIP id to register.

By no means - at least, not in the 9133i, and I'd be surprised if
the 57i had that requirement.

Look in the Administration manual for the 9133i, Appendix A,
"SIP Basic, Global Settings", "SIP Global Authentication".
This is where you can set the "authentication name" and
"sip password", which are what the phone uses to register with
the server (e.g. the SIP user name and secret).  Make this name
*different* from the extension name, and provide a good secret.

You can also set the "SIP display name", which is what
shows up on the screen, and is sent as the "From" field
in the SIP protocol.  You can set this to the user's primary
extension number.

A bit further down, there are per-line registration fields
which do the same thing for individual line-presence
buttons... screen name (also used for From:), user name
(for SIP registration), password (SIP registration secret).
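The dictionary-word secret generator described earlier in this message, as an added example written for this page (not code from the thread, from Aastra, or from Asterisk). It also goes a step beyond the text by computing how many bits of randomness a phrase carries for a given dictionary size; the word list is a constructed toy sample, and the 7776-word dictionary size is an assumption used only to illustrate the figures.

```python
import math
import secrets

# Constructed toy word list for demonstration only; a real deployment
# would load several thousand short, unambiguous words from a file.
SAMPLE_WORDS = ["fizzy", "basal", "nerfy", "dogma", "colma", "flinx",
                "amber", "bison", "cedar", "delta", "ember", "flint",
                "gamma", "hazel", "ivory", "jumbo", "kayak", "lemon"]


def passphrase_bits(dict_size: int, num_words: int) -> float:
    """Bits of randomness in a phrase of num_words words, each chosen
    uniformly and independently from dict_size words: words * log2(size)."""
    if dict_size < 2 or num_words < 1:
        raise ValueError("need a dictionary of at least two words and one word in the phrase")
    return num_words * math.log2(dict_size)


def words_needed(dict_size: int, target_bits: float) -> int:
    """Smallest number of words from this dictionary that reaches target_bits."""
    return math.ceil(target_bits / math.log2(dict_size))


def make_secret(words, num_words: int = 6, sep: str = ".") -> str:
    """Build a SIP secret by joining num_words words picked with the OS CSPRNG.
    secrets.choice is used instead of random.choice, whose output is predictable."""
    unique = sorted(set(words))  # duplicate entries would bias the draw
    return sep.join(secrets.choice(unique) for _ in range(num_words))


def is_well_formed(secret: str, words, num_words: int = 6, sep: str = ".") -> bool:
    """Check that a generated secret is exactly num_words dictionary words joined by sep."""
    parts = secret.split(sep)
    return len(parts) == num_words and all(p in words for p in parts)


if __name__ == "__main__":
    phrase = make_secret(SAMPLE_WORDS)
    print(phrase)
    print(f"{passphrase_bits(len(SAMPLE_WORDS), 6):.1f} bits with the toy list")
    print(f"{passphrase_bits(7776, 6):.1f} bits with an assumed 7776-word list")
    print(words_needed(7776, 80), "words of a 7776-word list reach 80 bits")
```

The toy list above is far too small to be used for real secrets; the bit count printed for it shows why the dictionary size matters as much as the number of words.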
