[asterisk-users] Better SIP security please! Was: (no subject)
Philipp von Klitzing
klitzing at pool.informatik.rwth-aachen.de
Thu Mar 18 21:41:11 CDT 2010
Hey hey!
> > My first step will be to strengthen the passwords in use, and for the
> > hardphones to restrict by IP address, but that still leaves the
> > softphone quite widely open.
>
> Asterisk doesn't differentiate between a hard phone and a soft phone.
Although: One could think about enhancing Asterisk security by allowing
only a (number of) specific SIP user agent header (vendor, model) for a
SIP account - next to a strong password, of course. Or implement
something more dynamic like: Read and lock the current (or first) user
agent string, and then ping the admin if that changes and request an un-
lock/re-auth.
> > Does Asterisk 1.6 have anything in it that can automatically block out
> > an attacking IP, say if it receives several 20 or so failed attempts
> > from that IP in x minutes?
It would still be important to have a sip.conf paramter in 1.4 that is
similar to "delayreject" in iax.conf! One of my system has been scanned
3 times in the past days, and it takes just a little over a minute for a
10.000 account registration scan.
Philipp
More information about the asterisk-users
mailing list