[asterisk-users] Fwd: Re: Securing Asterisk

Paul Hayes paul at provu.co.uk
Wed Jul 27 11:33:49 CDT 2011


-------- Original Message --------
Subject: Re: [asterisk-users] Securing Asterisk
Date: Wed, 27 Jul 2011 09:28:54 -0700
From: Myles Wakeham <myles at techsol.org>
To: paul at provu.co.uk

On 07/27/2011 09:23 AM, asterisk-users-request at lists.digium.com wrote:
> On 23/07/11 18:38, CDR wrote:
>> I beg to differ. Digium is hiding from the real world and somebody is
>> going to take the software and run with it. My customers lost in excess
>> of $50.000 and cut my pay in half, because of hackers. The hackers
>> figured out how to scan every asterisk for weak passwords or open
>> ports, and bang them real good. We need two things: a) disable in
>> sip.conf the reply for INVITES that have wrong user information, and
>> also, b) disable any response to any REGISTER packet altogether. Can
>> somebody please write a patch? Or should we go broke trying to stop the
>> flood of criminals coming from abroad?
>> Federico
>>
> Not looking for an argument here but you are asking for a solution to a
> problem that doesn't exist.  If you'd done your job properly in the
> first place you'd have put some basic intrusion detection on such as
> fail2ban, OSSEC or just a basic bash script of your own writing.  The
> solution is already there and it's not trying to bodge Asterisk into a
> firewall application.  If you'd done that (and instructions on how to
> are literally all over the Internet and this mailing list) then your
> customer wouldn't be $50,000 down, you'd still have your full pay and
> you'd not be asking for people to break Asterisk's SIP implementation
> (even more :P ) in order to stop you having to do things the right way.
>
> Sorry if the truth hurts...

+1 to Paul on this.

Security is Job #1 for any IT professional.  If you don't implement IDS,
Firewalls, Fail2Ban, etc. you only have yourself to blame.  Whether the
target is Asterisk, or some old version of Apache, MySQL, or some
vulnerability in Linux Kernel, etc. the hackers want a way in.  It's YOUR
JOB to secure your server.

Even if Asterisk built some heavy security into their software, it would
probably get in the way of us folk that have legitimate need for other
functionality.  Security is one of those things that most programmers
think of as either an after-thought, or some constraint/expense that
they don't want to deal with.  The problem is that it should be the
FIRST thing IT folk think of before putting the technology online.

Anyway enough ranting...  Well said Paul.

Myles
-- 
-----------------------------
Myles Wakeham
Director of Engineering
Tech Solutions USA LLC
www.techsolusa.com
Phone +1-480-451-7440
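
The kind of basic log-watching script the thread refers to, as an added example that is not part of the original messages: it counts failed SIP registrations per source address in Asterisk chan_sip log lines and lists the addresses at or above a threshold. The function names, the threshold and the sample log lines are assumptions constructed for illustration, and only IPv4 addresses are handled.

```sh
#!/bin/sh
# Added example (not from the thread): list source addresses with repeated
# failed SIP registrations in Asterisk chan_sip log lines. IPv4 only.

# Constructed sample log lines using documentation address ranges.
sample_log() {
cat <<'EOF'
[2011-07-27 09:12:01] NOTICE[2231] chan_sip.c: Registration from '"100" <sip:100@203.0.113.10>' failed for '198.51.100.23' - Wrong password
[2011-07-27 09:12:02] NOTICE[2231] chan_sip.c: Registration from '"101" <sip:101@203.0.113.10>' failed for '198.51.100.23' - Wrong password
[2011-07-27 09:12:03] NOTICE[2231] chan_sip.c: Registration from '"102" <sip:102@203.0.113.10>' failed for '198.51.100.23:5071' - No matching peer found
[2011-07-27 09:12:09] NOTICE[2231] chan_sip.c: Peer '101' is now Reachable. (23ms / 2000ms)
[2011-07-27 09:13:40] NOTICE[2231] chan_sip.c: Registration from '"200" <sip:200@203.0.113.10>' failed for '203.0.113.77' - Wrong password
EOF
}

# Usage: failed_sources THRESHOLD < logfile
# Prints "count address" for every address at or above THRESHOLD.
failed_sources() {
    # Split on single quotes. The From header is supplied by the sender, so
    # the address is read from the end of the line, which Asterisk writes.
    awk -F"'" -v min="$1" '
        /chan_sip\.c: Registration from / && NF >= 5 && $(NF-2) == " failed for " {
            ip = $(NF-1)
            sub(/:[0-9]+$/, "", ip)          # drop the port when it is logged
            if (ip ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) n[ip]++
        }
        END { for (ip in n) if (n[ip] >= min + 0) print n[ip], ip }
    ' | sort -k2
}

# Demonstration on the constructed sample: addresses with 3 or more failures.
sample_log | failed_sources 3
```

On a live system the function would read the Asterisk log file instead of the sample, and the listed addresses would be handed to whatever blocking mechanism is in use.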



