[asterisk-users] asterisk security....again

Rizwan Hisham rizwanhasham at gmail.com
Tue Mar 1 05:26:03 CST 2011


Thanks all. I appreciate your support a lot. Your suggestions helped make a
game plan finally. Otherwise i was just shooting in the dark before. Anyways
here is what I am going to do now.

install a better firewall, possibly the one mentioned by mr j stapleton and
tighten its security settings. use IP tables in conjunction with the
firewall. use something like
this<http://etel.wiki.oreilly.com/wiki/index.php/Asterisk_Brute_Force_Prevention>to
prevent bruteforce attacks. making changes in asterisk sip peer
setting
to make it as tight as I can security wise without affecting the service we
provide. Provisioning the remote end user ata to make it accept sip messages
coming from only the proxy (i'll se what else i can do with them). and keep
looking for an even better solution to this problem.

Thanks a lot again.

Cheers

On Mon, Feb 28, 2011 at 11:16 PM, satish patel <satish_lx at hotmail.com>wrote:

>  It could be possible they are not scanning your asterisk server. They are
> just scanning 5060 and in this case your ATA caught by scan directly that
> why you don't have any logs on server side. Don't you have any setting in
> ATA to specify allowed IP address ?
>
> -Satish
>
> ------------------------------
> From: jstapleton at computer-business.com
> To: asterisk-users at lists.digium.com
> Date: Mon, 28 Feb 2011 10:27:33 -0500
>
> Subject: Re: [asterisk-users] asterisk security....again
>
> http://sipera.com/ is one such product.
>
>
>
> *From:* asterisk-users-bounces at lists.digium.com [mailto:
> asterisk-users-bounces at lists.digium.com] *On Behalf Of *Rizwan Hisham
> *Sent:* Monday, February 28, 2011 9:33 AM
> *To:* Asterisk Users Mailing List - Non-Commercial Discussion
> *Subject:* Re: [asterisk-users] asterisk security....again
>
>
>
> Thanks Mr. Kevin.
>
> Can anyone please also tell me which firewall is best suited for
> asterisk/sip attack prevention. Is there any firewall built specially to
> address sip security problems?
>
> On Mon, Feb 28, 2011 at 6:38 PM, Kevin P. Fleming <kpfleming at digium.com>
> wrote:
>
> On 02/28/2011 07:27 AM, Rizwan Hisham wrote:
>
> Any suggestions on encrypting the sip and rtp. I have done some googling
> on it. looks like it is not supported by most end point devices or
> service providers. But still your thoughts will be appreciated on this
> subject.
>
>
>
> You cannot protect a remote SIP endpoint from attacks via your server; that
> SIP endpoint is an endpoint itself, and if it can receive IP packets from
> attackers, it will process them. These packets don't go through your server,
> and encrypting the legitimate traffic between your server and the remote
> endpoint isn't going to make any difference at all.
>
> The *only* way to address attacks like this is to modify the configuration
> of the remote endpoint to ignore all incoming packets that aren't from your
> server(s). Even that is not a perfect solution, though, because the attacker
> (if they are actually aware of your server and customers) can spoof the IP
> addresses of your server(s) in order to get the remote endpoints to at least
> accept an INVITE (they can't place a successful call through them using
> spoofing though).
>
> --
> Kevin P. Fleming
> Digium, Inc. | Director of Software Technologies
> 445 Jan Davis Drive NW - Huntsville, AL 35806 - USA
> skype: kpfleming | jabber: kfleming at digium.com
> Check us out at www.digium.com & www.asterisk.org
>
>
>
> --
> _____________________________________________________________________
> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
> New to Asterisk? Join us for a live introductory webinar every Thurs:
>              http://www.asterisk.org/hello
>
> asterisk-users mailing list
> To UNSUBSCRIBE or update options visit:
>  http://lists.digium.com/mailman/listinfo/asterisk-users
>
>
>
>
> --
>
> Best Ragards
>
> Rizwan Qureshi
>
> VoIP/Asterisk Engineer
>
> Axvoice Inc.
>
> V: +92 (0) 3333 6767 26
>
> E: rizwanhasham at gmail.com
>
> W: www.axvoice.com
>
>
>
> -- _____________________________________________________________________ --
> Bandwidth and Colocation Provided by http://www.api-digital.com -- New to
> Asterisk? Join us for a live introductory webinar every Thurs:
> http://www.asterisk.org/hello asterisk-users mailing list To UNSUBSCRIBE
> or update options visit:
> http://lists.digium.com/mailman/listinfo/asterisk-users
>
> --
> _____________________________________________________________________
> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
> New to Asterisk? Join us for a live introductory webinar every Thurs:
>               http://www.asterisk.org/hello
>
> asterisk-users mailing list
> To UNSUBSCRIBE or update options visit:
>   http://lists.digium.com/mailman/listinfo/asterisk-users
>



-- 
Best Ragards
Rizwan Qureshi
VoIP/Asterisk Engineer
Axvoice Inc.
V: +92 (0) 3333 6767 26
E: rizwanhasham at gmail.com
W: www.axvoice.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.digium.com/pipermail/asterisk-users/attachments/20110301/a124229d/attachment.htm>


More information about the asterisk-users mailing list