[asterisk-users] Asterisk Security: Allow only one phone per sip registration

Muro, Sam research at businesstz.com
Fri Oct 14 02:49:22 CDT 2011


Terry Wilson wrote:
> ----- Original Message -----
>> From: "Sam Muro" <research at businesstz.com>
>> To: asterisk-users at lists.digium.com
>> Sent: Friday, October 14, 2011 2:02:01 AM
>> Subject: [asterisk-users] Asterisk Security: Allow only one phone per sip registration
>> Hi there
>>
>> Consider this. You have three SIP extensions, 200, 201 and 202, and you
>> have configured your phones, say Polycom 331s, to those accounts, 200
>> being one very sensitive individual.
>>
>> Let's say an insider gets a new phone, or perhaps an X-Lite, and
>> configures it with the same extension, 200. Asterisk will register it
>> as 200 to the new IP address. Now extension 202 calls 200. The hacker
>> answers it and pretends to be the same person, does what he wants to
>> do and that's it.
>>
>> Question:
>> How can I stop this type of threat?
>
> I would recommend actually setting a different secret field in sip.conf
> for each device so that your would-be attacker isn't able to register as
> someone else.

Is there a way one can bind a SIP account to a specific MAC address (assuming
they are on the same subnet)? That way, even if you know the username/secret,
you will still have to use the same physical phone, unless you play with the
MAC address.

> Or you could buy a gun. I bet the insider would be very
> afraid of the gun and would therefore avoid any shenanigans while you were
> around. This would especially be true if you randomly shot items like
> coffee cups and plants whenever you thought they were looking at you
> funny. That'll show 'em.

Lol! Here they will name you a "terrorist"

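The per-device secret that Terry recommends above, as an added example that is not part of this thread: a constructed sip.conf excerpt with the weak setting next to its hardened form, and a small audit that flags peers sharing a secret or lacking one. The peer names, the placeholder secrets and the minimal parser are assumptions; the parser covers only the [section]/key=value subset that the check needs.

```python
from collections import defaultdict

# Constructed sip.conf excerpts (not from the thread): in the weak one, peers 200
# and 201 share a secret and 202 has none, so one set of credentials registers as any of them.
WEAK_SIP_CONF = """\
[200]
type=friend
secret=changeme
[201]
type=friend
secret=changeme
[202]
type=friend
"""

# Hardened form: a distinct secret per device (placeholder values, not real ones).
FIXED_SIP_CONF = """\
[200]
type=friend
secret=PLACEHOLDER_SECRET_200
[201]
type=friend
secret=PLACEHOLDER_SECRET_201
[202]
type=friend
secret=PLACEHOLDER_SECRET_202
"""

def parse_sip_conf(text):
    """Minimal parser: [section] headers, key=value lines, ';' comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return sections

def audit_peers(text):
    """Return (peers with no secret, {secret: peers that share it})."""
    missing, by_secret = [], defaultdict(list)
    for name, opts in sorted(parse_sip_conf(text).items()):
        if name == "general" or "type" not in opts:
            continue  # skip [general] and sections that define no peer
        bucket = by_secret[opts["secret"]] if opts.get("secret") else missing
        bucket.append(name)
    shared = {s: peers for s, peers in by_secret.items() if len(peers) > 1}
    return missing, shared
```

Asterisk has no way to tie a SIP peer to a MAC address, but chan_sip's per-peer `permit`/`deny` options can restrict the source address from which a peer is allowed to register.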
