[asterisk-users] Asterisk Security: Allow only one phone per sip registration

Hans Witvliet asterisk at a-domani.nl
Fri Oct 14 02:56:07 CDT 2011


On Fri, 2011-10-14 at 10:02 +0300, Muro, Sam wrote:
> Hi there
> 
> Consider this. You have three SIP extensions 200, 201 and 202 and you have
> configured your phones, say Polycom 331, to those accounts. 200 being one
> very sensitive individual.
> 
> Let's say an insider gets a new phone or perhaps an xlite and configures it
> with the same extension, 200. Asterisk will register it as 200 to the new
> IP address.  Now extension 202 calls 200. The hacker answers it and pretends
> to be the same person. Does what he wants to do and that's it.
> 
> Question;
> How can I stop this type of threat?
> 
> Regards
> Peter
> 
Perhaps use secrets?
afaicr the secrets you have to provide for hardphone and softphone are
read-only.
If you avoid something like "secret" or "welcome" or the involved
hostname, but instead use a 15 char long generated pwd, he'll have a
long time trying all the possibilities.... And different pwds for each
phone.

hw
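
An added example, not part of the original post or of Asterisk itself: a small audit that checks the `secret=` lines of a chan_sip `sip.conf` against the advice in the reply above (no "secret"/"welcome", no hostname, at least 15 characters, a different password per phone) and generates replacements. The sample configuration, the function names and the hostname parameter are constructed for illustration.

```python
import secrets
import string
# Constructed sip.conf excerpt (not from the original post); only the
# section headers and secret= lines that matter here are shown.
SAMPLE_SIP_CONF = """\
[200]
secret=welcome
[201]
secret=Xk9qT2mLw8RzP4a   ; 15 chars, but reused below
[202]
secret=Xk9qT2mLw8RzP4a
"""

WEAK_WORDS = {"secret", "welcome"}  # the examples named in the reply
MIN_LEN = 15                        # length suggested in the reply
ALPHABET = string.ascii_letters + string.digits

def parse_secrets(text):
    """Return {section: secret} for every section that sets secret=."""
    peers, section = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment
        if line.startswith("[") and "]" in line:
            section = line[1:line.index("]")]
        elif section and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if key == "secret":
                peers[section] = value.lstrip(">").strip()  # accept '=>'
    return peers

def audit(text, hostname=""):
    """Return {peer: [findings]} for secrets that break the advice above."""
    peers, findings = parse_secrets(text), {}
    for peer, secret in peers.items():
        issues = []
        if secret.lower() in WEAK_WORDS:
            issues.append("guessable word")
        if hostname and hostname.lower() in secret.lower():
            issues.append("contains hostname")
        if len(secret) < MIN_LEN:
            issues.append("too short")
        if list(peers.values()).count(secret) > 1:
            issues.append("shared with another peer")
        if issues:
            findings[peer] = issues
    return findings

def new_secret(length=MIN_LEN):
    """Generate a random secret from the OS CSPRNG, one call per phone."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))
```

The generated alphabet is limited to letters and digits so the secret never contains `;`, which this parser (like the config format) treats as the start of a comment.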


