[asterisk-users] Allowing calls - maybe I'm just stupid...

A J Stiles asterisk_list at earthshod.co.uk
Thu Jun 11 05:41:59 CDT 2015


On Thursday 11 Jun 2015, Luca Bertoncello wrote:
> Well, I decided to do that, since I have my Asterisk reachable from
> Internet just for my cellphone and I want to avoid that someone guess
> my password (random and long, but it's of course possible to guess
> with a brute force attack) and call using my Asterisk...

Really?  How weak are your passwords, for you to be worried about brute-force 
attacks?

If you configure fail2ban so as to block IP addresses after a set number of 
false attempts and then unblock after  (say)  15 minutes, you can drastically 
limit the rate at which such attempts can be made without running the risk of 
locking *yourself* out.


> Since I'll use rarely my Asterisk from Internet (maybe just if I'm in
> holiday), I find this limitation meaningful.

Well, Asterisk doesn't!

Did your mother ever tell you when you were younger and just beginning to 
expand your horizons, "Always tell a grown-up where you are going, before you 
go out" ?  Well, that is essentially the purpose of SIP peer registration -- 
so your mother Asterisk knows where to find you, if an emergency arises a phone 
call comes in.

You always need a username and password to make a call anyway.  Introducing a 
restriction, for you to have to be registered  (using the *same* username and 
password)  before you can even make a call, will *not* make that any more 
secure.  Because an attacker who is guessing passwords still needs some way to 
check them; and it's a fair bet that they will use the guessed passwords in 
registration attempts.  Which means that by the time they come to try to make 
a call using those credentials, they will already be registered anyway!


If you are going to need occasionally to make possibly expensive phone calls 
from random IP addresses, then you might consider using some form of out-of-
band authentication.  For instance, have a web page on your Asterisk server, 
protected by a *different* password, that must be visited to allow that IP 
address a window of 15 minutes to connect to port 5060.  (This in itself can 
be problematic, if you are not extremely careful -- you absolutely do *not* 
want to create a situation which can lead to arbitrary remote command execution 
as root.  Anytime I have had to do root stuff from within a CGI script, I have 
written to a file, not the actual commands but enough information to construct 
them; meanwhile a root cron job run every minute reads the file, does a regexp 
match on the content, maybe performs the relevant commands and then wipes out 
the file.  The downside of this is a delay before anything happens; but you can 
use a bit of AJAX in the script output to check every ten seconds whether 
anything has happened yet.  No doubt others will have their own suggestions.)


It's good that you are thinking deeply about security, but beware not to get 
drawn down blind alleys.  For instance, if you have a door with a large, 
single-glazed pane of 6 mm. glass, then there is little point fitting it with 
an expensive, hard-to-pick lock.


-- 
AJS

Note:  Originating address only accepts e-mail from list!  If replying off-
list, change address to asterisk1list at earthshod dot co dot uk .
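An added example, not code from the post or from Asterisk, of the root cron-job half of the out-of-band scheme described in the message above: the CGI script is assumed to write one line `allow <ipv4>` to a request file (hypothetical path), and the firewall is assumed to be iptables.

```python
# Root-side half of the "request file + cron job" scheme: constructed example,
# not code from the original post. Assumes a CGI script (not shown) writes one
# line "allow <ipv4>" to REQUEST_FILE, and that the firewall is iptables. The job
# validates the line with a strict regexp, builds the firewall command, runs it,
# and always wipes the file. File content never reaches a shell: the address is
# matched first, then passed as a bare argv element.
import os
import re
import subprocess
from typing import Callable, List, Optional

REQUEST_FILE = "/var/lib/sip-allow/request"  # assumed path
SIP_PORT = "5060"

# Whole-line match: exactly "allow" plus one dotted quad, nothing else.
_LINE_RE = re.compile(r"allow (\d{1,3}(?:\.\d{1,3}){3})")

def parse_request(text: str) -> Optional[str]:
    """Return the IPv4 address if text is a well-formed request, else None."""
    m = _LINE_RE.fullmatch(text.strip())
    if m is None:
        return None
    ip = m.group(1)
    if any(int(octet) > 255 for octet in ip.split(".")):  # \d{1,3} admits 999
        return None
    return ip

def build_allow_command(ip: str) -> List[str]:
    """iptables argv that opens SIP signalling (UDP 5060) from one address."""
    return ["iptables", "-I", "INPUT", "-s", ip,
            "-p", "udp", "--dport", SIP_PORT, "-j", "ACCEPT"]

def _run(argv: List[str]) -> None:
    subprocess.run(argv, check=True)

def process_request_file(path: str = REQUEST_FILE,
                         run: Callable[[List[str]], None] = _run) -> Optional[str]:
    """Cron entry point: act on a pending request, remove the file, return the IP."""
    if not os.path.exists(path):
        return None
    try:
        with open(path, encoding="ascii", errors="replace") as fh:
            ip = parse_request(fh.read(4096))
        if ip is not None:
            run(build_allow_command(ip))
        return ip
    finally:
        os.remove(path)  # wipe even if malformed, so a bad line is never retried
```

The matching rule that closes the window again after 15 minutes is not shown; a second cron entry that removes the rule once it is older than the window would complete the scheme.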