[asterisk-users] Better SIP security please! Was: (no subject)

Philipp von Klitzing klitzing at pool.informatik.rwth-aachen.de
Thu Mar 18 21:41:11 CDT 2010


Hey hey!

> > My first step will be to strengthen the passwords in use, and for the
> > hardphones to restrict by IP address, but that still leaves the
> > softphone quite widely open.
> 
> Asterisk doesn't differentiate between a hard phone and a soft phone.

Although: One could think about enhancing Asterisk security by allowing 
only a (number of) specific SIP user agent header (vendor, model) for a 
SIP account - next to a strong password, of course. Or implement 
something more dynamic like: Read and lock the current (or first) user 
agent string, and then ping the admin if that changes and request an 
unlock/re-auth.

> > Does Asterisk 1.6 have anything in it that can automatically block out
> > an attacking IP, say if it receives several 20 or so failed attempts
> > from that IP in x minutes?

It would still be important to have a sip.conf parameter in 1.4 that is 
similar to "delayreject" in iax.conf! One of my systems has been scanned 
3 times in the past days, and it takes just a little over a minute for a 
10.000 account registration scan.

Philipp
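As an added example (not part of the thread or of Asterisk itself), the two ideas discussed above in Python: a sliding-window count of failed registrations per source IP, answering the "20 or so failed attempts in x minutes" question, and a first-seen User-Agent lock that reports any later change for the admin to review. The log line format, IP address, and User-Agent strings are constructed for the example and only loosely mirror Asterisk's "Registration from ... failed" NOTICE messages.

```python
"""Failed-SIP-registration burst detector and User-Agent lock (added example).
The log format below is constructed and only approximates chan_sip NOTICEs."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed format: "[Mon DD HH:MM:SS] NOTICE[pid] chan_sip.c: Registration
# from '<sip:acct@host>' failed for 'ip:port' - reason"
LOG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] NOTICE.*Registration from '(?P<acct>[^']*)' "
    r"failed for '(?P<ip>[\d.]+)(?::\d+)?' - (?P<reason>.*)$")

def parse(line):
    """Return (timestamp, ip, account, reason) or None for non-matching lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return (datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["ip"], m["acct"], m["reason"])

def offending_ips(lines, threshold=20, window=timedelta(minutes=1)):
    """Map each IP that reaches `threshold` failures inside `window` to the
    timestamp at which it first crossed the line (candidate for blocking)."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still in window
    flagged = {}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, ip, _, _ = rec
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged

def ua_changes(events, locked):
    """events: (account, user_agent) pairs from successful REGISTERs.
    locked: {account: user_agent}, filled on first sight. Returns
    (account, locked_ua, new_ua) tuples that should be sent to the admin."""
    alerts = []
    for acct, ua in events:
        if acct not in locked:
            locked[acct] = ua  # first seen: lock it, as proposed in the thread
        elif locked[acct] != ua:
            alerts.append((acct, locked[acct], ua))
    return alerts

def make_sample_lines(n, step=3, ip="203.0.113.7", start="Mar 18 21:00:00"):
    """Constructed scan: n failed registrations from one IP, `step` seconds apart."""
    t0 = datetime.strptime(start, "%b %d %H:%M:%S")
    return [f"[{(t0 + timedelta(seconds=i * step)).strftime('%b %d %H:%M:%S')}] "
            f"NOTICE[1234] chan_sip.c: Registration from '<sip:{100 + i}@pbx>' "
            f"failed for '{ip}:5060' - No matching peer found" for i in range(n)]
```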



