[asterisk-users] Securing Asterisk

Bruce B bruceb444 at gmail.com
Thu Jul 28 10:31:48 CDT 2011


Hmmm, if alwaysauthreject is already breaking RFC rules then why not break
another rule for the greater good? It would only add another layer of
security.

Maybe: *alwaysregreject=yes*

To drop SIP packets for both unauthorized registers and anonymous calls.
Keep it off by default and then allow users to turn it on if they want to.

To be fair to OP, using Asterisk with open ports to the world is a legit use
of Asterisk even if most of us don't employ it that way or use it solely
with closed networks (VPN, etc.). There are many people who would benefit
from a security feature that would simply ignore unauthorized registers and
anonymous calls.

OP is suggesting an improvement to Asterisk; maybe people should weigh
options and see if it's time to act more on the security side or not. There
is no question that if a hacker knows there is a SIP server then they will
keep the IP on the list for later use or share it with colleagues even if it
seems secure right now. A DDoS is always a possibility, and that is something
you can't save yourself from at all.

Right now the situation is more like this:

*Knock Knock:*
*Owner: *Who's there?
*Thief:* This is Mr. X from China, and I am here to steal your TV.
*Owner: *Hi, I am James Smith, 45, 190lbs and I have a nice laptop as well
but I am home now and I can't let you in.
*Thief (laughing):* No problem, I will come back at midnight when you are
sleeping :-)

- Bruce



On Wed, Jul 27, 2011 at 2:20 PM, Matthew J. Roth <mroth at imminc.com> wrote:

> Kevin P. Fleming wrote:
> >
> > 'alwaysauthreject' is not non-compliant with any RFCs; the RFCs define
> > response codes that *can* be used to indicate (for example) that the
> > Request URI does not represent a target known to the receiver (404 Not
> > Found), but does not mandate that the server respond with that code in
> > that situation.
>
>
> Kevin,
>
> Thanks for the correction and I apologize if I'm propagating a
> misconception.  Am I misunderstanding this Asterisk Security Advisory?
>
> http://lists.digium.com/pipermail/asterisk-announce/2009-April/000177.html
>
>   In 2006, the Asterisk maintainers made it more difficult
>   to scan for valid SIP usernames by implementing an
>   option called "alwaysauthreject"...
>
>   ...What we have done is to carefully emulate exactly the
>   same responses throughout possible dialogs, which should
>   prevent attackers from gleaning this information. All
>   invalid users, if this option is turned on, will receive
>   the same response throughout the dialog, as if a
>   username was valid, but the password was incorrect.
>
>   It is important to note several things. First, this
>   vulnerability is derived directly from the SIP
>   specification, and it is a technical violation of RFC
>   3261 (and subsequent RFCs, as of this date), for us to
>   return these responses...
>
> I am asking out of genuine curiosity, because I trust your assessment
> more than my interpretation of the advisory.
>
> Thank you,
>
> Matthew Roth
> InterMedia Marketing Solutions
> Software Engineer and Systems Developer
>
> --
> _____________________________________________________________________
> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
> New to Asterisk? Join us for a live introductory webinar every Thurs:
>               http://www.asterisk.org/hello
>
> asterisk-users mailing list
> To UNSUBSCRIBE or update options visit:
>   http://lists.digium.com/mailman/listinfo/asterisk-users
>
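An added illustration of the username-enumeration oracle that the quoted advisory describes, and of what a "drop the packets" option would and would not change. This is example code written for this page, not Asterisk's chan_sip: the status-code sequences are a simplified model assumed from the advisory's wording (404 for an unknown user without the option; a 401 challenge followed by 403 for a bad password, identical for known and unknown users with it), the peer table is constructed, and `drop_unauthorized` is a hypothetical stand-in for the proposed alwaysregreject, which does not exist in Asterisk.

```python
"""Model of the SIP username-enumeration oracle that 'alwaysauthreject' closes.

Constructed example added for this thread; not Asterisk code. The status
codes are a simplified model (assumption) of chan_sip's REGISTER handling as
the 2009 advisory describes it. `drop_unauthorized` models the option Bruce
proposes and is hypothetical.
"""

# Constructed peer table: sip.conf [peer] section name -> secret.
PEERS = {"1001": "s3cret-1001", "1002": "correct-horse-battery"}


def register_response(user, password, alwaysauthreject=True, drop_unauthorized=False):
    """SIP status codes the server sends during one REGISTER dialog.

    `password` is what the client puts in its answer to the 401 challenge;
    None means the client never answers the challenge. A silently dropped
    packet simply produces no further code.
    """
    known = user in PEERS
    authorized = known and password is not None and PEERS[user] == password

    if not known and not alwaysauthreject and not drop_unauthorized:
        return [404]            # "no such user" leaked before any challenge

    codes = [401]               # digest challenge, identical for known and unknown
    if password is None:
        return codes

    if authorized:
        codes.append(200)       # registration accepted
    elif not drop_unauthorized:
        codes.append(403)       # bad auth: same for unknown and known-bad
    # drop_unauthorized (hypothetical): every failed credentialed REGISTER is
    # discarded, unknown name and known-user/bad-password alike, so silence
    # says nothing about which names exist.
    return codes


def enumerate_users(guesses, **server_opts):
    """Attacker's view: probe each guess with a wrong password and keep the
    names whose response differs from that of a name that cannot exist."""
    baseline = register_response("zz-no-such-peer", "x", **server_opts)
    return [g for g in guesses
            if register_response(g, "x", **server_opts) != baseline]


if __name__ == "__main__":
    guesses = ["1000", "1001", "1002", "admin"]
    print("alwaysauthreject=no :", enumerate_users(guesses, alwaysauthreject=False))
    print("alwaysauthreject=yes:", enumerate_users(guesses, alwaysauthreject=True))
    print("drop unauthorized   :", enumerate_users(guesses, drop_unauthorized=True))
```

Run as a script, the first line names 1001 and 1002 as valid peers and the other two name nothing. The caveat the model makes visible for the proposal: the silence has to cover every failed registration, a known user's bad password as much as an unknown name, otherwise the missing 403 becomes the new oracle. In a current sip.conf the two existing knobs are alwaysauthreject=yes in [general] for the register half and allowguest=no for the anonymous-call half.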