[asterisk-users] Asterisk Security

Christian Stredicke Christian.Stredicke at snom.de
Sun Apr 12 04:09:25 CDT 2009


Check out http://ucsniff.sf.net. You can run it on the PC of your choice in the network (e.g. your PC) and then record the conversations.

Recording calls in the LAN is a lot more interesting than recording random calls that run over the Internet. Examples:

* Your boss intends to fire you and wants to talk it through with HR.

* Your customer is calling your boss and complaining about you.

* Your colleague wants to get your job and develops a strategy to make you look stupid.

* Two colleagues have an office love affair and nobody should know about it.

This list can be extended.

I believe this makes clear that security should not be an afterthought in your next VoIP installation.

CS

-----Original Message-----
From: asterisk-users-bounces at lists.digium.com [mailto:asterisk-users-bounces at lists.digium.com] On Behalf Of SIP
Sent: Monday, April 6, 2009 14:31
To: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: Re: [asterisk-users] Asterisk Security

If that someone is between you and the other endpoint (like between you
and the switch, or using port-mirroring on a router somewhere), then
yes. The conversations can be recorded. In the US, the ability to be
able to do this is required by law. You've little to worry about random
hackers coming in off the Internet for this sort of thing. It's usually
something to do with having physical access to the network in which you
or the other end is connected.

There's ARP poisoning and the like which could make this possible in a
local network environment on either side, but for the most part, you'll
know who's on your local net, and they likely have physical access to
your phones as well. A listening device would be easier to plant in the
mic pickup of your phone if they REALLY wanted to listen in on your calls.

There are all sorts of levels one can go to to find out what you're doing,
and preventing against them can involve a great deal of creativity.

That said, the answer is yes. You could use a VPN tunnel from one end to
the other, and many people do just that to help ensure the privacy of
their connections (both data and voice).

N.

Tom wrote:
> Since we are talking about security, if I am using * to talk to a cisco
> gateway via SIP, is there some sort of encryption you can use?  Like a 
> vpn tunnel?  
>
> Can someone capture packets and re-assemble to make out a conversation?
>
>
>
> -----Original Message-----
> From: asterisk-users-bounces at lists.digium.com
> [mailto:asterisk-users-bounces at lists.digium.com] On Behalf Of Martin
> Sent: Saturday, April 04, 2009 7:20 PM
> To: Asterisk Users Mailing List - Non-Commercial Discussion
> Subject: Re: [asterisk-users] Asterisk Security
>
> Let's not be that paranoid. If you have these ports open to the internet then
> from time to time someone will check if your default unsecured context
> can dial out to PSTN...
>
> with sip.conf you can add
>
> allowguest=no
>
> With IAX2 there's no allowguest but I believe you have to have a guest
> username in iax.conf with no password to access
> the unsecured context.
>
> Martin
>
> On Sat, Apr 4, 2009 at 3:42 PM, Todd Reese <treese65 at gmail.com> wrote:
>   
>> Hi All,
>>
>> Coming in today, the logs on the asterisk server showed several entries
>> such as:
>>
>> [Apr  4 15:25:16] NOTICE[9280]: chan_sip.c:14627 handle_request_invite:
>> Call from '' to extension '9810380487965419' rejected because extension
>> not found.
>>
>> This has gotten me to thinking about security of this box.
>>
>> 1. Currently the box sits behind a firewall with iax and sip ports
>> pointing to it for the ip phones that are offsite.  There isn't any
>> other access through the firewall to this box.
>> 2. All devices have an extension assigned to them in sip.conf and
>> extensions.conf.  i.e. supra ATA, Grandstream GXP-2000
>> 3. The box is fed via Les.net and VoicePulse.  All other feeds are
>> shut off when not active.
>>
>> I'm looking for ideas to tighten up on the security so that this won't
>> happen again.
>>
>> TIA,
>>
>> Todd Reese
>>
>> _______________________________________________
>> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
>>
>> asterisk-users mailing list
>> To UNSUBSCRIBE or update options visit:
>>   http://lists.digium.com/mailman/listinfo/asterisk-users
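
An added example, not part of the original thread and not Asterisk code: a small Python check that scans a log for the chan_sip NOTICE Todd quoted and summarizes how many rejected INVITEs were anonymous, aimed at long numeric extensions, or arrived in a burst. The year, the 5-minute window and the 10-digit threshold are assumptions, and every sample line except the first is constructed.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# The chan_sip NOTICE quoted in the thread, as one record per log line.
REJECT_RE = re.compile(
    r"^\[(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d)\] NOTICE\[\d+\]: chan_sip\.c:\d+ "
    r"handle_request_invite: Call from '(?P<caller>[^']*)' to extension "
    r"'(?P<ext>[^']*)' rejected because extension not found")

def parse_rejections(lines, year=2009):
    """Yield (timestamp, caller, extension) per rejected INVITE.
    The log carries no year, so `year` is supplied by the caller (assumption)."""
    for line in lines:
        m = REJECT_RE.match(line.strip())
        if m:
            stamp = " ".join(m["ts"].split())  # collapse the padded day field
            yield (datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S"),
                   m["caller"], m["ext"])

def summarize(lines, window=timedelta(minutes=5), min_digits=10):
    """Summarize rejected INVITEs; window and min_digits are assumed thresholds."""
    events = sorted(parse_rejections(lines))
    recent, peak = deque(), 0
    for ts, _, _ in events:
        recent.append(ts)
        while ts - recent[0] > window:  # keep only events inside the window
            recent.popleft()
        peak = max(peak, len(recent))
    return {
        "rejected": len(events),
        "anonymous": sum(1 for _, caller, _ in events if caller == ""),
        "dialout_like": sorted({e for _, _, e in events
                                if e.isdigit() and len(e) >= min_digits}),
        "peak_in_window": peak,
    }

FMT = ("[Apr  4 {t}] NOTICE[9280]: chan_sip.c:14627 handle_request_invite: "
       "Call from '{c}' to extension '{e}' rejected because extension not found.")
SAMPLE = [
    FMT.format(t="15:25:16", c="", e="9810380487965419"),  # line from the thread
    FMT.format(t="15:25:19", c="", e="900000000000001"),   # constructed
    FMT.format(t="15:27:02", c="", e="900000000000002"),   # constructed
    FMT.format(t="18:40:00", c="201", e="299"),            # constructed misdial
    "[Apr  4 18:41:00] VERBOSE[9280]: logger.c: unrelated constructed line",
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

A high anonymous count combined with long numeric extensions matches what Martin describes: someone checking whether the default unsecured context can dial out to the PSTN.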