[asterisk-users] Securing Asterisk

C F shmaltz at gmail.com
Sat Jul 23 22:39:43 CDT 2011


On Sat, Jul 23, 2011 at 1:38 PM, CDR <venefax at gmail.com> wrote:
> I beg to differ. Digium is hiding from the real world and somebody is

Because you have no clue how to secure a box, it's someone else's fault?

> going to take the software and run with it. My customers lost in excess
> of $50.000 and cut my pay in half, because of hackers. The hackers

You deserved being fired altogether. It was YOUR fault they hacked it.

> figured out how to scan every asterisk for weak passwords or open
> ports, and bang them real good. We need two things: a) disable in
> sip.conf the reply for INVITES that have wrong user information, and
> also, b) disable any response to any REGISTER packet altogether. Can
> somebody please write a patch? Or should we go broke trying to stop the
> flood of criminals coming from abroad?
> Federico
>
> On Sat, Jul 23, 2011 at 1:00 PM,
> <asterisk-users-request at lists.digium.com> wrote:
>>
>> Today's Topics:
>>
>>   1. Re: use dahdi for local terminal modem access? (Lyle Giese)
>>   2. dialplan pattern help (Armand Fumal)
>>   3. Re: Securing Asterisk - How to avoid sending, "SIP/2.0 603
>>      Declined" (Patrick Lists)
>>   4. Re: Securing Asterisk - How to avoid sending, "SIP/2.0 603
>>      Declined" (Paul Belanger)
>>
>>
>> ----------------------------------------------------------------------
>>
>> Message: 1
>> Date: Sat, 23 Jul 2011 09:29:26 -0500
>> From: Lyle Giese <lyle at lcrcomputer.net>
>> Subject: Re: [asterisk-users] use dahdi for local terminal modem
>>        access?
>> To: asterisk-users at lists.digium.com
>> Message-ID: <4E2ADAC6.4010101 at lcrcomputer.net>
>> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>>
>>
>> On 07/22/11 22:47, William Stillwell wrote:
>>> Um, no VOIP involved here.
>>
>> Wrong.  What do you think Asterisk is?  Chopped meat?  It's a VoIP
>> switch.  All traffic inside Asterisk is VoIP.
>>
>>>
>>> I have an asterisk server with 2 23B+D PRI's
>>>
>>> I want to telnet/ssh into the asterisk server, and make an outbound call
>>> serial based modem/terminal connection (Like the 80/90's BBS Days).
>>>
>>> No TCP/IP or PPP or crazyness
>>>
>>> (ie, dialing into a Modem set to AA hooked to a Cisco Console Port)
>>>
>>>
>>>
>>>> -----Original Message-----
>>>> From: asterisk-users-bounces at lists.digium.com [mailto:asterisk-users-
>>>> bounces at lists.digium.com] On Behalf Of Lyle Giese
>>>> Sent: Friday, July 22, 2011 8:07 PM
>>>> To: asterisk-users at lists.digium.com
>>>> Subject: Re: [asterisk-users] use dahdi for local terminal modem
>>>> access?
>>>>
>>>> On 07/22/11 18:13, William Stillwell wrote:
>>>>> I have some terminals that have phone lines.
>>>>>
>>>>> One of my techs had an idea of using IAXmodem or something similar to
>>>>> use existing PRI/DAHDI trunks for dial out via the asterisk/Linux
>>>>> console.
>>>>>
>>>>> Anybody ever heard of doing this?
>>>>>
>>>>> I would think maybe you would use iaxmodem and a shell terminal app?
>>>>>
>>>>> (basically I'm dialing into a remote access device that uses a POTS
>>>>> line for remote administration, and don't want to string a channel bank
>>>>> off my asterisk box and hook a modem to it)
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>
>>>> Depends on your expectation.  Because of compression in the codecs, it
>>>> will be hard to get fast dialup.  If you mean ssh or telnet, it might
>>>> work.  If you mean vnc or RDP over this, you may not get enough usable
>>>> bandwidth to do that.
>>>>
>>>> Given this, I have in an emergency dialed into a RAS server via a VoIP
>>>> line. My laptop connected at 14,400bps.  All I needed to do was telnet
>>>> into an APC masterswitch to toggle power on one outlet.  It worked.
>>>>
>>>> I was surprised at getting a 14,400bps connect.  I was not expecting
>>>> that high and really did not need that high.  300 baud probably would
>>>> have been fast enough to telnet into an APC masterswitch.
>>>>
>>>> Lyle Giese
>>>> LCR Computer Services, Inc.
>>>>
>>>> --
>>>> _____________________________________________________________________
>>>> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
>>>> New to Asterisk? Join us for a live introductory webinar every Thurs:
>>>>                 http://www.asterisk.org/hello
>>>>
>>>> asterisk-users mailing list
>>>> To UNSUBSCRIBE or update options visit:
>>>>     http://lists.digium.com/mailman/listinfo/asterisk-users
>>>
>>>
>>
>>
>>
>>
>> ------------------------------
>>
>> Message: 2
>> Date: Sat, 23 Jul 2011 14:30:42 +0000
>> From: Armand Fumal <af at cybernet.lu>
>> Subject: [asterisk-users] dialplan pattern help
>> To: "asterisk-users at lists.digium.com"
>>        <asterisk-users at lists.digium.com>
>> Message-ID:
>>        <2584E1ABC3629C4D85A61B8DC4D27297096F1432 at EXCHANGELU.lu.cybernet.local>
>>
>> Content-Type: text/plain; charset="us-ascii"
>>
>> Hi all,
>>
>> I need help making a pattern for a special case for which I can't find the solution.
>>
>> In my case I want to match these in one pattern:
>>
>> This is the same ext that can come in 4 cases
>>
>> exten => _42704701,1,Macro(dialfax,${EXTEN:-8})        ; case with 42704701
>> exten => _X42704701,1,Macro(dialfax,${EXTEN:-8})       ; case with 042704701
>> exten => _+XXX42704701,1,Macro(dialfax,${EXTEN:-8})    ; case with +3242704701 (X matches only 0-9, so the "+" must be literal)
>> exten => _XXX42704701,1,Macro(dialfax,${EXTEN:-8})     ; case with 3242704701
>>
>> I have tried _.42704701 but the parser stops checking after the dot "."    :-(
>>
>> So do you have any suggestions?
>>
>> Regards
>>
>> Armand Fumal
>>
>>
>>
>>
>> ------------------------------
>>
>> Message: 3
>> Date: Sat, 23 Jul 2011 17:48:44 +0200
>> From: Patrick Lists <asterisk-list at puzzled.xs4all.nl>
>> Subject: Re: [asterisk-users] Securing Asterisk - How to avoid
>>        sending, "SIP/2.0 603 Declined"
>> To: Asterisk Users Mailing List - Non-Commercial Discussion
>>        <asterisk-users at lists.digium.com>
>> Message-ID: <4E2AED5C.9080901 at puzzled.xs4all.nl>
>> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>>
>> On 07/23/2011 04:00 PM, Paul Belanger wrote:
>>> A UAS rejecting an offer contained in an INVITE SHOULD return a 488
>>> (Not Acceptable Here) response. Such a response SHOULD include a
>>> Warning header field value explaining why the offer was rejected.
>>
>> If the choice is to get hacked/DDOS'ed/etc or compliance with an RFC
>> created by people who had no appreciation for the rather ugly world out
>> there then why not throw the RFC out of the window and *not* reject an
>> invite with a 488? It sounds like an interesting option to add to
>> "10"/trunk. Better secure than compliant & sorry. Why not do a little
>> Microsoft Embrace & Extend? Like e.g. Sonus and Cisco do with their
>> interpretation of SIP.
>>
>> Regards,
>> Patrick
>>
>>
>>
>> ------------------------------
>>
>> Message: 4
>> Date: Sat, 23 Jul 2011 12:07:49 -0400
>> From: Paul Belanger <pabelanger at digium.com>
>> Subject: Re: [asterisk-users] Securing Asterisk - How to avoid
>>        sending, "SIP/2.0 603 Declined"
>> To: asterisk-users at lists.digium.com
>> Message-ID: <4E2AF1D5.80305 at digium.com>
>> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>>
>> On 11-07-23 11:48 AM, Patrick Lists wrote:
>>> On 07/23/2011 04:00 PM, Paul Belanger wrote:
>>>> A UAS rejecting an offer contained in an INVITE SHOULD return a 488
>>>> (Not Acceptable Here) response. Such a response SHOULD include a
>>>> Warning header field value explaining why the offer was rejected.
>>>
>>> If the choice is to get hacked/DDOS'ed/etc or compliance with an RFC
>>> created by people who had no appreciation for the rather ugly world out
>>> there then why not throw the RFC out of the window and *not* reject an
>>> invite with a 488? It sounds like an interesting option to add to
>>> "10"/trunk. Better secure than compliant & sorry. Why not do a little
>>> Microsoft Embrace & Extend? Like e.g. Sonus and Cisco do with their
>>> interpretation of SIP.
>>>
>> Personally, I don't see this as a solution.  SIP already provides some
>> ability to help with security (EG: TLS, SRTP) however that is basically
>> the extent of it.
>>
>> The way I see it, it is outside the scope of SIP; it's a signaling
>> protocol. If 'security' is really something you want to establish, many
>> existing tools are available to handle this (EG: VPN, firewalls,
>> encryption, etc).
>>
>> As previously mentioned, there is no easy, simple solution. Securing
>> ones services takes work (and time) to do it right.  Most people don't
>> want to spend the effort monitoring it.
>>
>> --
>> Paul Belanger
>> Digium, Inc. | Software Developer
>> twitter: pabelanger | IRC: pabelanger (Freenode)
>> Check us out at: http://digium.com & http://asterisk.org
>>
>>
>>
>> ------------------------------
>>
>> _______________________________________________
>> --Bandwidth and Colocation Provided by http://www.api-digital.com--
>>
>> AstriCon 2010 - October 26-28 Washington, DC
>> Register Now: http://www.astricon.net/
>>
>> asterisk-users mailing list
>> To UNSUBSCRIBE or update options visit:
>>   http://lists.digium.com/mailman/listinfo/asterisk-users
>>
>> End of asterisk-users Digest, Vol 84, Issue 44
>> **********************************************
>>
>
>


