[asterisk-users] How to stop intruder from registering sip?
Ryan Wagoner
rswagoner at gmail.com
Sun Jun 13 16:23:21 CDT 2010
On Sun, Jun 13, 2010 at 4:06 PM, sean darcy <seandarcy2 at gmail.com> wrote:
> On 06/13/2010 01:59 PM, Dave Platt wrote:
>>> If you leave your asterisk box open to the world with passwords like 0000
>>> you deserve to be hacked..
>>
>> Well, without making a moral judgment, I will agree that you are *going*
>> to be hacked if you do this!
>>
>> The O.P. seems to have made two (fairly common) mistakes:
>>
>> - Used a "secret" so obvious that it could be guessed... and
>> even if not, so short that it could have been determined by
>> a very simple brute-force attack.
>>
>> - Used the user's extension number as the SIP user ID... and
>> thus making it easy to figure out which user IDs on which a
>> password attack could be carried out.
>>
>> Doing a brute-force SIP-registration attack against all
>> possible 3- and 4-digit extensions, using a handful of
>> obvious "secret" strings (0000 through 9999, 1234, 4321,
>> same number as the extension) wouldn't take an attacker
>> very long at all. Nor would trying to call all of these
>> numbers once to figure out which extensions exist, then doing
>> a brute-force password attack against those which exist. I
>> have no doubt that there are numerous crackers out on the
>> net doing just these sorts of attacks on a regular basis.
>>
>> The cure for these problems is, obviously, "don't do that":
>>
>> (1) SIP user IDs should not be based on the extension number,
>> and preferably should not be based on the owner's name
>> or user login. Make 'em hard to guess or brute-force!
>>
>> (2) Make the secrets equally hard to guess or brute-force.
>> No short strings of numbers, no dictionary words or
>> simple leet-speak transforms of them, etc.
>>
>> One of your best tools is a program or script to generate
>> random sequences of letters and digits and other legal-
>> in-SIP-names characters. Try something like
>>
>> dd if=/dev/urandom bs=512 count=1 | base64
>>
>> and then copy some 10- or 12-character substrings out of this
>> mass of gibberish and use 'em for SIP secrets. With this many
>> bits of randomness in the secrets, they'll be effectively
>> invulnerable to guessing or brute force attacks.
>>
>>> Are your travelling people using softphones? If they are, a VPN would be a good
>>> idea..
>>
>> A very good idea, and not just for security reasons. Running SIP over
>> a VPN tunnel can be a very effective remedy for all sorts
>> of firewall- and NAT-related problems.
>>
>> I've found that running OpenVPN between my various SIP clients,
>> and my Asterisk server, produces far better results than depending
>> on STUN or on SIP-aware routers and firewalls.
>>
>
> Thanks for not suggesting I ponder my sins!
>
> As I mentioned, I'm not inclined to mess with the secrets, too much
> hassle for users. That's why I'm considering deny/permit.
>
> Does that solve my problem?
>
> But I'm struck with your notion of having sip user ids different from
> extensions. That would not require any user effort, or messing with each
> phone. But...
>
> We use a combo of aastra 9133i and 57i's. Don't the user id and the
> extension HAVE to be the same? I had thought the aastra's used the
> extension as the SIP id to register.
>
> sean
>
The deny/permit will work only for phones within your internal
network. It will not allow any remote phones to connect, so how do you
plan on getting your remote users up and running?
How are secrets too much hassle? You set the password once and forget
it. With the Aastra phones you could set up phone provisioning files to
automate the process.
Ryan
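As an added example (not code from the thread or from Asterisk itself), the script below turns the advice above into something checkable: it generates random SIP secrets the way the dd|base64 suggestion does, flags the two mistakes described (secret too short or numeric, secret equal to the extension), and prints a chan_sip peer stanza in which the auth user is decoupled from the extension and deny/permit restricts registration to the LAN, which is exactly why remote phones then need a VPN. The peer and user names and the 192.168.1.0 LAN range are constructed values.

```shell
#!/bin/sh
# Added example, not from the thread. Option names (type, secret, host,
# context, defaultuser, deny, permit) are standard chan_sip sip.conf options;
# the user ID and LAN range used below are constructed placeholders.

# gen_secret LEN: LEN random characters from /dev/urandom, restricted to
# letters and digits so the result is safe in sip.conf and in SIP URIs.
gen_secret() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "${1:-12}"
}

# is_weak_secret SECRET EXT: returns 0 (true) when SECRET is shorter than
# 10 characters, purely numeric, or identical to the extension EXT.
is_weak_secret() {
    secret="$1"; ext="$2"
    [ "${#secret}" -lt 10 ] && return 0
    case "$secret" in *[!0-9]*) ;; *) return 0 ;; esac
    [ "$secret" = "$ext" ] && return 0
    return 1
}

# hardened_peer EXT USERID SECRET LAN: peer stanza whose section name and
# auth user differ from the extension, with a random secret, and with
# registration accepted only from LAN (net/mask form). Remote users must
# then come in over a VPN, which is the point raised above.
hardened_peer() {
    ext="$1"; user="$2"; secret="$3"; lan="$4"
    printf '[%s]\n' "$user"
    printf 'type=friend\nhost=dynamic\ncontext=internal\n'
    printf 'defaultuser=%s\nsecret=%s\n' "$user" "$secret"
    printf 'callerid=<%s>\n' "$ext"
    printf 'deny=0.0.0.0/0.0.0.0\npermit=%s\n' "$lan"
}

# dialplan_line EXT USERID: extensions.conf line that maps the dialable
# extension back to the decoupled peer, so users keep dialing EXT.
dialplan_line() {
    printf 'exten => %s,1,Dial(SIP/%s)\n' "$1" "$2"
}

# Stand-alone usage: build one hardened peer for extension 1234.
if [ "${1:-}" = "--demo" ]; then
    secret=$(gen_secret 12)
    is_weak_secret "$secret" 1234 && echo "unexpected weak secret" >&2
    hardened_peer 1234 phone7k2q "$secret" 192.168.1.0/255.255.255.0
    dialplan_line 1234 phone7k2q
fi
```

Run with `--demo` to print one peer stanza and its dialplan line; the generated secret can be pasted into an Aastra provisioning file as discussed above.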