[asterisk-users] Securing Asterisk

john millican jmillican at sentinelcommunications.com
Thu Jul 28 15:45:25 CDT 2011


On 7/28/2011 11:31 AM, Bruce B wrote:
> Hmmm, if alwaysauthreject is already breaking RFC rules then why not
> break another rule for the greater good? It would only add another layer
> of security.
>
> Maybe: *alwaysregreject=yes*
>
> To drop SIP packets for both unauthorized registers and anonymous
> calls. Keep it off by default and then allow users to turn it on if they
> want to.
>
> To be fair to OP, using Asterisk with open ports to the world is a legit
> use of Asterisk even if most of us don't employ it that way or use it
> solely with closed networks (VPN, etc...). There are many people who
> would benefit from a security feature that would simply ignore
> unauthorized registers and anonymous calls.
>
> OP is suggesting an improvement to Asterisk; maybe people should weigh
> options and see if it's time to act more on the security side or not.
> There is no question that if a hacker knows there is a SIP server then
> they will keep the IP on the list for later use or share it
> with colleagues even if it seems secure right now. A DDoS is always a
> possibility and that you can't save yourself from at all.
>
> Right now the situation is more like this:
>
> *Knock Knock:*
> *Owner:* Who's there?
> *Thief:* This is Mr. X from China, and I am here to steal your TV.
> *Owner:* Hi, I am James Smith, 45, 190lbs and I have a nice laptop as
> well but I am home now and I can't let you in.
> *Thief (laughing):* No problem, I will come back at midnight when you
> are sleeping :-)
>
> - Bruce
>
>

What I didn't tell you, Mr. Thief, is I sleep very lightly, have a shotgun,
a shovel and 20 acres of back yard, and I know how to use all three!

Why is there such an aversion to using the right tool for the job?
Asterisk is not the security tool; it is the voice tool!

JohnM



