[asterisk-users] Securing Asterisk

A J Stiles asterisk_list at earthshod.co.uk
Wed Jul 27 11:58:19 CDT 2011


On Wednesday 27 Jul 2011, CDR wrote:
> This is turning into a political issue such as the one in Washington
> and the impending default on US debt.

No, you are getting your knickers in a twist and blaming other people for your 
own shortcomings.

> The point is that a minor change 
> in the code would have a dramatic effect on security, and carry a
> lower impact on CPU than using iptables.

And it would break standards.  Now, sometimes you have a good reason not to 
play by the rules  (like when you might be advertising an open service to any 
passing Tom, Dyke or Harriet).  Other times, you want everything to play by 
the rules  (like when you are trying to diagnose problems with different 
vendors' implementations of a supposedly-standardised protocol on a private 
subnet which you know accepts no inbound connections from the public 
Internet).  Guess what?  Digium can't decide, in advance and from a distance, 
which of two diametrically-opposed behaviours you are going to want.  Only 
you can decide that.

> The simplicity of the change 
> cannot be understated. The hackers do not continue sending packets with
> new REGISTER attempts unless they see a response. They would move on.

And they're only seeing a response because they haven't bounced off your 
firewall.

> Digium is being monarchical about this.

As they have a right to be; it's their project.

> It looks like a loss of 
> contact with reality.

Yes.  On your part.

> The vast ecosystem of Digium is made of hundreds 
> of people like me. I am being forced now to place Opensips in front of
> Asterisk, in port 5060, set Asterisk to listen at Port 5061, and block
> access to 5061 from outside. Instead of a minor change, I have to
> bring a second application to the picture.

One tool does one job.  That's the UNIX way, it always has been and long may 
it continue to be.  You've only got to peer over the wall into the Windows 
camp to see the unintended consequences of feature creep and multiple 
re-inventions of the wheel.  Asterisk's job is to keep track of packets going 
from telephone devices to other telephone devices.  Keeping unwanted packets 
off the wires does not fall within its remit.  There are other tools for 
that.  And it actually looks as though you have found one.

Asterisk is a telephony construction kit.  Note those last two words.  Digium 
can't be held responsible for what anybody builds with it.  Whose fault do 
you think it would be, if you built a car out of Meccano, didn't fit seat 
belts, crashed it and injured yourself?

> The reason why I find it useless using iptables and a rule that bans an
> IP address if it communicates more than a threshold of times, is
> simple. I have customers that hit me 10+ times per second from the
> same IP. It would look like a hacker, and it is not.

Then you need to whitelist their IP addresses, so fail2ban will not block 
them.  Or, use a rule that only counts failed attempts.

> I use a cluster 
> of Asterisk in the same box, a big server, and each Asterisk listens
> on its own network interface, and responds from it. It does work. But
> iptables or fail2ban would not work in a wholesale scenario.

Nothing says "I'm an asshole" like waving your dick in people's faces.  
Especially not when they've seen bigger ones.

-- 
AJS

Answers come *after* questions.
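The reply above makes two points about banning on threshold: whitelist the addresses of legitimate high-volume customers, and count only failed attempts rather than all traffic. The script below is an added example (not code from the original post, from Asterisk, or from fail2ban) that applies both rules to a handful of constructed log lines modelled on chan_sip's registration messages. The addresses, the whitelist network and the threshold of 5 are assumptions chosen for the illustration; the log lines are constructed, not captured from a real system.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample lines modelled on the chan_sip NOTICE emitted for a failed
# registration and the VERBOSE line for a successful one. Not real captures.
FAILED_TMPL = ("[Jul 27 11:50:{sec:02d}] NOTICE[1234] chan_sip.c: Registration from "
               "'\"{user}\" <sip:{user}@192.0.2.1>' failed for '{ip}:5060' - {reason}")
OK_TMPL = ("[Jul 27 11:50:{sec:02d}] VERBOSE[1234] chan_sip.c:     -- "
           "Registered SIP '{user}' at {ip}:5060")

SAMPLE_LOG = "\n".join(
    # six failures from an outside address: over the threshold, should be banned
    [FAILED_TMPL.format(sec=i, user="100", ip="198.51.100.7", reason="Wrong password") for i in range(6)]
    # two failures from another outside address: under the threshold
    + [FAILED_TMPL.format(sec=10 + i, user="101", ip="203.0.113.9", reason="No matching peer found") for i in range(2)]
    # eight failures from a whitelisted customer subnet (e.g. a misconfigured phone): never banned
    + [FAILED_TMPL.format(sec=20 + i, user="200", ip="192.0.2.10", reason="Wrong password") for i in range(8)]
    # ten successful registrations from a busy, non-whitelisted customer: not failures, not counted
    + [OK_TMPL.format(sec=30 + i, user="300", ip="203.0.113.20") for i in range(10)]
)

# Only lines that record a failed registration match; everything else is ignored.
FAILED_RE = re.compile(
    r"Registration from '.*?' failed for '(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+' - (?P<reason>.*)$"
)

# Assumed whitelist of customer networks (the equivalent of fail2ban's ignoreip).
WHITELIST = [ip_network("192.0.2.0/24")]
THRESHOLD = 5  # assumed ban threshold (fail2ban's maxretry)


def is_whitelisted(ip: str) -> bool:
    """True if the address falls inside any whitelisted network."""
    addr = ip_address(ip)
    return any(addr in net for net in WHITELIST)


def count_failures(log_text: str) -> dict:
    """Count failed registrations per source address, skipping whitelisted sources."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue  # successful registrations and unrelated notices do not count
        ip = m.group("ip")
        if is_whitelisted(ip):
            continue  # customers on the whitelist are never counted
        counts[ip] += 1
    return dict(counts)


def addresses_to_ban(log_text: str, threshold: int = THRESHOLD) -> list:
    """Sources whose failed-registration count reached the threshold."""
    return sorted(ip for ip, n in count_failures(log_text).items() if n >= threshold)


if __name__ == "__main__":
    for ip, n in sorted(count_failures(SAMPLE_LOG).items()):
        print(f"{ip}: {n} failed registrations")
    print("ban:", addresses_to_ban(SAMPLE_LOG))
```

Run as written it reports 6 failures for 198.51.100.7 and 2 for 203.0.113.9, and bans only the first; the whitelisted customer with 8 failures and the busy customer with 10 successful registrations are never candidates. A real fail2ban jail adds a time window (findtime) so old failures expire, and reads the log continuously rather than in one pass.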
