[asterisk-users] Securing Asterisk - How to avoid sending, "SIP/2.0 603 Declined"

Alex Balashov abalashov at evaristesys.com
Fri Jul 22 21:18:23 CDT 2011


On 07/22/2011 10:11 PM, Bruce B wrote:

> Vast number of scattered users all over the globe. I hate to think
> there is no way to not announce ourselves as a SIP server to
> un-trusted users.

Not easily.  This is a problem all service providers have to deal with, 
and so do you.  You have to have your SIP services open to the world, 
but they don't necessarily need to be easy to DoS or dictionary scan.

Intra-industrially, the solution is usually some form of SBC or other 
administrative border/edge security element.  In the open-source world, 
a lot of the steeling, rate-limiting, etc. can be done with 
OpenSER/Kamailio/OpenSIPS.

(Shameless plug: That's what we do all day commercially.)

A common strategy is to use a non-standard SIP port ('bindport' in 
sip.conf).  No, it doesn't stop all scans, but in our experience, it 
will stop a good 95%+ of them.  When almost everyone does use the 
standard SIP port, and thus there are so many low-hanging targets, it's 
not worth bothering with a full ~65k UDP port scan.  Certainly, the 
average SIPvicious scanner won't bother with anything but 5060.

> Or is there something else that can be done with the firewall to all
>  "dynamic" trust IPs and drop packets from unregistered sources?

That raises an interesting question:

How do the users register to begin with, if their REGISTER requests 
won't be processed unless their IP is already known to be a registrant? :-)

-- 
Alex Balashov - Principal
Evariste Systems LLC
260 Peachtree Street NW
Suite 2200
Atlanta, GA 30303
Tel: +1-678-954-0670
Fax: +1-404-961-1892
Web: http://www.evaristesys.com/
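The two measures above (move chan_sip off UDP/5060 with 'bindport', and keep the port that does listen from being cheap to dictionary-scan or flood) together with the registration chicken-and-egg, worked through as an added example. This is not code from the original post or from the Asterisk or Evariste projects; it assumes chan_sip configured through sip.conf, a Linux box with iptables plus the hashlimit and string match extensions, and an arbitrary illustrative port 5090. Because registrants cannot be whitelisted before they have registered, unknown sources are not blocked outright; they are rate-limited per source IP, which lets a phone anywhere in the world register while a scanner sending hundreds of REGISTERs a second is cut off. With APPLY unset the script only prints the rules.

```shell
#!/bin/sh
# Added example, not from the original mailing-list post.
# Assumptions: Asterisk chan_sip (sip.conf), Linux iptables with the
# hashlimit and string match extensions, illustrative non-standard port 5090.
# Without APPLY=1 the rules are only printed; APPLY=1 loads them (needs root).

SIP_PORT="${SIP_PORT:-5090}"

# sip.conf [general] fragment that moves chan_sip off UDP/5060.
sip_conf_fragment() {
    printf '[general]\nbindaddr=0.0.0.0\nbindport=%s\n' "$1"
}

# Print the iptables rules, one per line, for a SIP service listening on $1.
# Order matters: the ceilings come before the final ACCEPT.
sip_firewall_rules() {
    port="$1"
    # 1. Nothing listens on 5060 any more. Dropping it (rather than letting
    #    the kernel answer with ICMP port-unreachable) gives the
    #    5060-only scanners silence, which is what most of them give up on.
    echo "iptables -A INPUT -p udp --dport 5060 -j DROP"
    # 2. Per-source-IP ceiling on REGISTER: a phone re-registers every few
    #    minutes, a dictionary scanner sends hundreds per second.
    #    Unknown sources are limited, not blocked, so first registration works.
    echo "iptables -A INPUT -p udp --dport $port -m string --string REGISTER --algo bm -m hashlimit --hashlimit-name sipreg --hashlimit-mode srcip --hashlimit-above 10/minute --hashlimit-burst 20 -j DROP"
    # 3. General per-source flood ceiling for everything else on the port
    #    (INVITE floods, OPTIONS probes), so one host cannot DoS the service.
    echo "iptables -A INPUT -p udp --dport $port -m hashlimit --hashlimit-name sipall --hashlimit-mode srcip --hashlimit-above 50/second --hashlimit-burst 100 -j DROP"
    # 4. Whatever stays under the ceilings reaches Asterisk.
    echo "iptables -A INPUT -p udp --dport $port -j ACCEPT"
}

# Number of rules emitted for a port, for a quick sanity check.
sip_firewall_rule_count() {
    sip_firewall_rules "$1" | wc -l | tr -d ' '
}

# Execute the printed rules (only when APPLY=1).
apply_rules() {
    sip_firewall_rules "$1" | while IFS= read -r rule; do
        eval "$rule"
    done
}

echo "# sip.conf"
sip_conf_fragment "$SIP_PORT"
echo "# firewall rules"
sip_firewall_rules "$SIP_PORT"
if [ "${APPLY:-0}" = "1" ]; then
    apply_rules "$SIP_PORT"
fi
```

The REGISTER string match is a payload match, so it also fires on a REGISTER carried inside a larger packet; for this purpose that is acceptable. Tune the hashlimit figures to your real re-registration interval and peak per-site call volume before applying, and remember the non-standard port only thins out scanners, it is not a substitute for strong SIP secrets.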