[asterisk-users] Better SIP security please! Was: (no subject)
Olle E. Johansson
oej at edvina.net
Sun Mar 21 03:16:28 CDT 2010
On 19 Mar 2010, at 03:41, Philipp von Klitzing wrote:
> Hey hey!
>
>>> My first step will be to strengthen the passwords in use, and for the
>>> hardphones to restrict by IP address, but that still leaves the
>>> softphone quite widely open.
>>
>> Asterisk doesn't differentiate between a hard phone and a soft phone.
>
> Although: One could think about enhancing Asterisk security by allowing
> only a (number of) specific SIP User-Agent header(s) (vendor, model) for a
> SIP account - next to a strong password, of course. Or implement
> something more dynamic like: Read and lock the current (or first) user
> agent string, and then ping the admin if that changes and request an
> unlock/re-auth.
Those are interesting ideas. We could implement a timeout for registrations,
so that we only accept re-registrations while we have an active registration,
and if that expires only accept new registrations after a timeout.
This will delay access at reboots of the Asterisk server though.
>
>>> Does Asterisk 1.6 have anything in it that can automatically block out
>>> an attacking IP, say if it receives several 20 or so failed attempts
>>> from that IP in x minutes?
>
> It would still be important to have a sip.conf parameter in 1.4 that is
> similar to "delayreject" in iax.conf! One of my systems has been scanned
> 3 times in the past days, and it takes just a little over a minute for a
> 10,000-account registration scan.
The work I started during Christmas - Named ACLs - is a starting point
that other developers can use to develop all kinds of schemes.
http://www.voip-forum.com/asterisk/2010-01/manageable-access-control-lists-asterisk-nacls/
/O
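The question raised earlier in the thread (automatically blocking an IP after some 20 failed attempts in x minutes) can be handled outside Asterisk by watching its log. The following is an added example written for this archive page, not code from the thread, from Asterisk, or from any of the posters. It assumes the chan_sip NOTICE line format "Registration from '...' failed for '<ip>' - <reason>" in /var/log/asterisk/messages (check the pattern against your own log before relying on it) and that the log timestamp carries no year, so the year is passed in. The sample log lines are constructed: one host scanning account names at one request per second, as described in the thread, plus a legitimate user mistyping a password a few times. Only block commands are produced as strings; nothing is executed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed pattern modelled on chan_sip failed-registration NOTICE lines.
# Verify it against your own Asterisk log before deploying.
FAIL_RE = re.compile(
    r"^\[(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '(?P<from>[^']*)' failed for '(?P<ip>[0-9.]+)(?::\d+)?' - (?P<reason>.+)$"
)


def parse_ts(text, year):
    # The default Asterisk log timestamp has no year, so the caller supplies it.
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def find_attackers(lines, threshold=20, window=timedelta(minutes=5), year=2010):
    """Return {ip: time_first_flagged} for every source that produced at least
    `threshold` failed registrations within any `window`-long sliding interval.
    Lines for a given IP are expected in chronological order (log order)."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    flagged = {}
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            continue              # not a failed registration; ignore
        ip = m.group("ip")
        ts = parse_ts(m.group("ts"), year)
        q = recent[ip]
        q.append(ts)
        # drop failures that fell out of the sliding window
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged


def block_commands(flagged, chain="INPUT", port=5060):
    """Render (but do not run) one iptables rule per flagged source."""
    return [f"iptables -I {chain} -s {ip} -p udp --dport {port} -j DROP"
            for ip in sorted(flagged)]


def make_sample_log():
    """Constructed sample: a 25-account scan at 1 req/s from 203.0.113.5 and
    three wrong-password attempts spread over minutes from 198.51.100.7."""
    base = datetime(2010, 3, 19, 3, 41, 0)
    lines = []
    for i in range(25):
        t = base + timedelta(seconds=i)
        acct = 100 + i
        lines.append(f"""[{t:%b %d %H:%M:%S}] NOTICE[2041] chan_sip.c: Registration from '"{acct}" <sip:{acct}@192.0.2.10>' failed for '203.0.113.5' - No matching peer found""")
    for i in range(3):
        t = base + timedelta(minutes=2 * i)
        lines.append(f"""[{t:%b %d %H:%M:%S}] NOTICE[2041] chan_sip.c: Registration from '"201" <sip:201@192.0.2.10>' failed for '198.51.100.7' - Wrong password""")
    # an unrelated NOTICE line that must not be counted
    lines.append("[Mar 19 03:41:30] NOTICE[2041] chan_sip.c: Peer '101' is now Reachable.")
    return lines


if __name__ == "__main__":
    hits = find_attackers(make_sample_log())
    for ip, when in hits.items():
        print(f"{ip} crossed the threshold at {when:%H:%M:%S}")
    for cmd in block_commands(hits):
        print(cmd)
```

The threshold and window are the two knobs from the question; the scanner trips a 20-in-5-minutes rule within its first 20 seconds, while the legitimate user with three failures does not. Note that a scan which also spoofs or rotates source addresses will not be caught this way, and that blocking at the firewall does nothing to slow the scan until the threshold is reached, which is why the thread also asks for a "delayreject"-style response inside chan_sip.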