[asterisk-users] one for your filters
Dave Platt
dplatt at radagast.org
Wed Jun 23 16:54:45 CDT 2010
> I'm still trying to figure that out. Our SIP usernames are seven digit
> phone numbers, so not really difficult to guess, but the passwords are 7
> char alpha-numeric strings, auto generated. We don't at present restrict
> people to their addresses, as some are dynamic.
If they're randomly generated (which might not be the same as
"auto generated") then that *ought* to be a big enough
namespace to provide reasonable resistance to cracking...
78 billion combinations at least (assuming upper-case alpha
and numeric characters).
Do your logs show a lot of failed registrations? A brute-
force password-guessing attack ought to show up in this way
(and is thus good fodder for a Fail2Ban auto-jailing).
You should check your Asterisk configuration to make
triple-sure that:
(1) Inbound "guest" calls go only to a restrictive context
which will allow calling of only your own specific
extensions, and
(2) You don't have DISA enabled on any extension... a
short DISA passcode and a guessable DISA extension
number could be an expensive vulnerability.
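One way to surface the pattern Dave describes in Asterisk's own log, as an added example that is not part of this thread: it parses failed REGISTER notices, counts them per source address inside a sliding window, and flags sources that cross a threshold, the same maxretry/findtime test Fail2Ban applies before jailing. The log line shape is an assumption modelled on chan_sip's NOTICE messages, and the sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed shape of a failed-registration line, modelled on chan_sip NOTICE
# messages; the address may carry a ":port" suffix on newer releases.
FAILED_REG = re.compile(
    r"^\[(?P<ts>[^\]]+)\] NOTICE\[\d+\] chan_sip\.c: Registration from "
    r"'(?P<user>[^']*)' failed for '(?P<ip>[\d.]+)(?::\d+)?' - (?P<reason>.+)$"
)

# Constructed sample: one source cycling through seven-digit usernames,
# plus a single unrelated failure from another address.
SAMPLE_LOG = """\
[Jun 23 16:40:01] NOTICE[2231] chan_sip.c: Registration from '"5551234" <sip:5551234@203.0.113.10>' failed for '198.51.100.7' - Wrong password
[Jun 23 16:40:02] NOTICE[2231] chan_sip.c: Registration from '"5551235" <sip:5551235@203.0.113.10>' failed for '198.51.100.7' - No matching peer found
[Jun 23 16:40:02] NOTICE[2231] chan_sip.c: Registration from '"5551236" <sip:5551236@203.0.113.10>' failed for '198.51.100.7' - Wrong password
[Jun 23 16:40:03] NOTICE[2231] chan_sip.c: Registration from '"5551237" <sip:5551237@203.0.113.10>' failed for '198.51.100.7' - Wrong password
[Jun 23 16:40:04] NOTICE[2231] chan_sip.c: Registration from '"5551238" <sip:5551238@203.0.113.10>' failed for '198.51.100.7' - Wrong password
[Jun 23 16:45:10] NOTICE[2231] chan_sip.c: Registration from '"5559876" <sip:5559876@203.0.113.10>' failed for '192.0.2.44' - Wrong password
[Jun 23 16:55:00] NOTICE[2231] chan_sip.c: Registration from '"5551239" <sip:5551239@203.0.113.10>' failed for '198.51.100.7' - Wrong password
"""

def parse_failures(text, year=2010):
    """Yield (timestamp, source_ip, user_field) for each failed registration.
    Asterisk's default timestamp has no year, so one is supplied."""
    for line in text.splitlines():
        m = FAILED_REG.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["ip"], m["user"]

def brute_force_sources(text, maxretry=5, findtime_s=600):
    """Return {ip: peak_failures} for sources with at least maxretry failed
    registrations inside any findtime_s-second window."""
    hits = defaultdict(list)
    for ts, ip, _ in parse_failures(text):
        hits[ip].append(ts)
    window = timedelta(seconds=findtime_s)
    flagged = {}
    for ip, times in hits.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # slide window start
                start += 1
            count = end - start + 1
            if count >= maxretry:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged
```

The lone failure from 192.0.2.44 is ignored, while 198.51.100.7 is reported with the five attempts that fell inside one window; a Fail2Ban jail would act on the same decision.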