[asterisk-users] Better SIP security please! Was: (no subject)

Zeeshan Zakaria zishanov at gmail.com
Thu Mar 18 22:05:41 CDT 2010


Philipp, remembering the SIP user agent is a wonderful idea, and if you google
it, somebody had made a patch for it, so that one could identify SIP devices
by their SIP user agent names. Surprisingly the decision makers didn't like
to put it in the production branch of Asterisk at that time; however, it is
still available online somewhere as a patch for older releases of Asterisk. I
came across it when hackers were attacking my server on a constant basis. I
however ended up writing security code within the dialplan to catch the
SIP user agent fields and IP addresses and compare them with info in the
actual user database, which worked well for me. Here the only problem could
be with a change of SIP user agent info, e.g. X-Lite puts the version number in
the SIP user agent field, which changes as you upgrade it to newer versions. A
relatively more complicated code probably will however recognize it. And a
hacker can always send a fake SIP user agent field if he is really desperate
to hack your server, which can also be caught using fail2ban.

On 2010-03-18 10:45 PM, "Philipp von Klitzing" <
klitzing at pool.informatik.rwth-aachen.de> wrote:

Hey hey!

> > My first step will be to strengthen the passwords in use, and for the
> > hardphones to restrict by IP address, but that still leaves the
> > softphone quite widely open.
>
> Asterisk doesn't differentiate between a hard phone and a soft phone.

Although: one could think about enhancing Asterisk security by allowing
only a (number of) specific SIP user agent header(s) (vendor, model) for a
SIP account, next to a strong password, of course. Or implement
something more dynamic like: read and lock the current (or first) user
agent string, and then ping the admin if that changes and request an
unlock/re-auth.

> > Does Asterisk 1.6 have anything in it that can automatically block out
> > an attacking IP, say if it receives 20 or so failed attempts
> > from that IP in x minutes?

It would still be important to have a sip.conf parameter in 1.4 that is
similar to "delayreject" in iax.conf! One of my systems has been scanned
3 times in the past days, and it takes just a little over a minute for a
10,000-account registration scan.

Philipp
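
The two controls discussed in this thread, counting failed registrations per
source IP so the address can be blocked (the fail2ban question above), and
pinning a SIP User-Agent and, for hardphones, an IP address to each account
(Zeeshan's dialplan check and Philipp's "read and lock" idea), as an added
example that is not part of the original mail or of Asterisk itself. The log
lines are constructed in the style of the chan_sip registration-failure
NOTICE (the exact format is assumed from 1.4/1.6 and may need the regex
adjusted); the peer table, the per-call (peer, ip, user_agent) events and the
"SomeOtherSoftphone" user agent are also constructed. The user-agent
comparison keeps only the vendor token so X-Lite's changing version number
does not trip it, which is one of several heuristics one could choose.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# --- Part 1: fail2ban-style counting of failed registrations per source IP ---

# Assumed chan_sip NOTICE format (Asterisk 1.4/1.6); adjust to your version.
FAIL_RE = re.compile(
    r"^\[(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '(?P<from>[^']*)' failed for '(?P<ip>[0-9.]+)' - (?P<reason>.*)$"
)
LOG_YEAR = 2010  # the default Asterisk log timestamp carries no year; assumed here


def parse_failures(log_text):
    """Yield (timestamp, source_ip, reason) for every failed-registration line."""
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=LOG_YEAR)
        yield ts, m.group("ip"), m.group("reason")


def ips_to_block(log_text, threshold=20, window=timedelta(minutes=5)):
    """Return {ip: time_threshold_reached} for every IP with at least `threshold`
    failures inside a sliding window of `window` (fail2ban's maxretry/findtime)."""
    recent = defaultdict(deque)  # ip -> failure timestamps still inside the window
    blocked = {}
    for ts, ip, _reason in sorted(parse_failures(log_text)):
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # drop failures that have aged out of the window
        if len(q) >= threshold and ip not in blocked:
            blocked[ip] = ts
    return blocked


def constructed_failures(ip, start, count, step_seconds):
    """Build constructed log lines in the assumed chan_sip style (not a real capture).
    A scanner walks account names 100, 101, ... from one address."""
    lines = []
    for i in range(count):
        ts = (start + timedelta(seconds=i * step_seconds)).strftime("%b %d %H:%M:%S")
        lines.append(f"[{ts}] NOTICE[2345] chan_sip.c: Registration from "
                     f"'\"{100 + i}\" <sip:{100 + i}@192.0.2.10>' failed for '{ip}' "
                     f"- No matching peer found")
    return lines


# 25 failures in 75 seconds from one address (a scan), 3 failures spread over
# 20 minutes from another (a user mistyping a password). Constructed data.
SAMPLE_LOG = "\n".join(
    constructed_failures("198.51.100.7", datetime(2010, 3, 18, 22, 1, 0), 25, 3)
    + constructed_failures("203.0.113.5", datetime(2010, 3, 18, 22, 0, 0), 3, 600)
)

# --- Part 2: pinning a User-Agent vendor (and optionally an IP) to each account ---


def ua_vendor(user_agent):
    """Reduce a User-Agent to its vendor token so version bumps do not trip the
    check: 'X-Lite release 1011s stamp 41150' and 'X-Lite 3.0' both give 'x-lite',
    'Linksys/SPA941-5.1.8' gives 'linksys'. An empty header gives ''."""
    tokens = user_agent.strip().split()
    return tokens[0].split("/")[0].lower() if tokens else ""


def check_registrations(events, pinned):
    """events: (peer, source_ip, user_agent) triples observed per call, e.g. from the
    dialplan via ${SIP_HEADER(User-Agent)}.  pinned: {peer: {"vendor": str|None,
    "ip": str|None}}; a None vendor is locked on first sighting, a None ip means the
    account may roam (softphone).  Returns the list of (peer, verdict, detail) that
    need attention; clean events produce nothing."""
    pinned = {peer: dict(rec) for peer, rec in pinned.items()}  # do not mutate caller's table
    alerts = []
    for peer, ip, ua in events:
        rec = pinned.get(peer)
        if rec is None:
            alerts.append((peer, "unknown-peer", ip))
            continue
        vendor = ua_vendor(ua)
        if rec["vendor"] is None:            # first sighting: read and lock it
            rec["vendor"] = vendor
            alerts.append((peer, "pinned", vendor))
        elif vendor != rec["vendor"]:        # ping the admin, ask for unlock/re-auth
            alerts.append((peer, "ua-changed", f"{rec['vendor']} -> {vendor}"))
        if rec["ip"] is not None and ip != rec["ip"]:
            alerts.append((peer, "ip-changed", f"{rec['ip']} -> {ip}"))
    return alerts


PINNED = {  # constructed peer table
    "100": {"vendor": "x-lite", "ip": None},           # softphone, may roam
    "101": {"vendor": "linksys", "ip": "192.0.2.21"},  # hardphone on a fixed LAN address
    "102": {"vendor": None, "ip": None},               # not seen yet, lock on first call
}
EVENTS = [  # constructed observations
    ("100", "198.51.100.40", "X-Lite release 1011s stamp 41150"),  # ok: same vendor, new build
    ("100", "203.0.113.9", "SomeOtherSoftphone/1.0"),              # ua-changed
    ("101", "192.0.2.21", "Linksys/SPA941-5.1.8"),                 # ok
    ("101", "198.51.100.7", "Linksys/SPA941-5.1.8"),               # ip-changed
    ("102", "192.0.2.30", "Grandstream GXP2000 1.2.5.3"),          # pinned: grandstream
    ("102", "192.0.2.30", "Grandstream GXP2000 1.2.5.5"),          # ok: version bump only
]

if __name__ == "__main__":
    for ip, when in ips_to_block(SAMPLE_LOG).items():
        print(f"block {ip} (threshold reached {when:%H:%M:%S})")
    for alert in check_registrations(EVENTS, PINNED):
        print("alert", *alert)
```

Feeding the output of ips_to_block into iptables (or a fail2ban action) is the
blocking step; the threshold and window are the knobs a 10,000-account scan
finishing in about a minute argues for keeping low.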

