[asterisk-users] SIP authentication - Thoughts please

Steve Davies davies147 at gmail.com
Thu Oct 7 10:45:04 CDT 2010


On 7 October 2010 10:10, Stefan Schmidt <sst at sil.at> wrote:
> Am 07.10.10 10:52, schrieb Steve Davies:
>> Hi,
>>
> <snipped>
>
> Hello,
>
> I just want to say something about point 4 which comes to my mind about
> security.
>
>>
>> 4) I am not sure whether it is worth dropping through and testing auth
>> against other peers if there is no username match. Can auth ever
>> succeed under those circumstances (password matches, but not
>> username?)
>
> If you use UDP it's very easy to fake the source IP of a call, so do you
> really want to open a door to an attacker by authenticating only by IP and
> password, which can match any peer with the same IP address? To
> bruteforce this would be much easier than to bruteforce against sending
> IP, right username and right password.

I was not clear. By option 4) I intended that you test the password
against other peers with a matching IP address. I am not sure whether
the username is included in the SIP password hash, so do not know
whether there is even any point in doing so. As far as I can tell, in
the EXISTING sip stack, digest username is not used to determine which
peer to authenticate with, it just uses the first peer with a matching
IP.

> Have you tried to use different ports to register? I think this could help.

AFAIK, Asterisk will only operate on one port, and the remote end is a
major ITSP who will not be wanting to listen to me making odd requests
:)

Thanks for the feedback!

Regards,
Steve
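The question in the message above is whether the digest username is bound into the SIP password hash. In the Digest scheme SIP uses (RFC 2617 as adopted by RFC 3261) it is: HA1 = MD5(username:realm:password), so a verifier that recomputes the response must use the username string the client presented together with some stored secret, and the check passes only if that secret equals the one the client used. The following is an added example, not code from the thread or from Asterisk's chan_sip; it implements the RFC computation for the no-qop case and a verifier that takes the username from the header and the secret from a peer record. The realm, nonce, peer names and secrets are constructed values, and it makes no claim about how Asterisk itself selects the peer to check against.

```python
import hashlib
import hmac
import re


def md5_hex(s: str) -> str:
    """MD5 hex digest of a UTF-8 string (Digest uses MD5 by default)."""
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def digest_response(username: str, realm: str, password: str,
                    method: str, uri: str, nonce: str) -> str:
    """RFC 2617 Digest response without qop:
    HA1 = MD5(username:realm:password)  -- the username is part of HA1
    HA2 = MD5(method:uri)
    response = MD5(HA1:nonce:HA2)
    """
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def build_authorization(username: str, realm: str, password: str,
                        method: str, uri: str, nonce: str) -> str:
    """What a client puts in its Authorization header after a 401/407 challenge."""
    resp = digest_response(username, realm, password, method, uri, nonce)
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", response="{resp}", algorithm=MD5')


# key=value pairs; values are either quoted strings or bare tokens
_PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def parse_authorization(header: str) -> dict:
    """Split 'Digest k="v", k2=v2, ...' into a dict of parameters."""
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest authorization header")
    return {key: (quoted or bare) for key, quoted, bare in _PARAM_RE.findall(params)}


def verify(header: str, method: str, stored_secret: str) -> bool:
    """Server side: recompute the response using the username the client
    presented and the secret of whichever peer record we are checking against.
    Constant-time compare so the check itself does not leak timing."""
    auth = parse_authorization(header)
    expected = digest_response(auth["username"], auth["realm"], stored_secret,
                               method, auth["uri"], auth["nonce"])
    return hmac.compare_digest(expected, auth["response"])


def demo() -> dict:
    """Constructed scenario: three peers, client registers as 'alice'.
    Shows which stored secrets make the recomputed response match."""
    realm = "asterisk"                 # constructed
    nonce = "2a1f4c9e7b3d"             # constructed; a real server picks a fresh one per challenge
    peers = {"alice": "alice-secret", "bob": "bob-secret", "carol": "alice-secret"}
    header = build_authorization("alice", realm, peers["alice"],
                                 "REGISTER", "sip:pbx.example.net", nonce)
    return {
        # the peer the client actually is
        "alice_secret": verify(header, "REGISTER", peers["alice"]),
        # different secret: HA1 differs, response cannot match
        "bob_secret": verify(header, "REGISTER", peers["bob"]),
        # different peer name but identical secret: username comes from the
        # header, so the recomputation matches even though the record is carol's
        "carol_secret": verify(header, "REGISTER", peers["carol"]),
        # HA2 binds the method, so replaying the REGISTER response on an INVITE fails
        "wrong_method": verify(header, "INVITE", peers["alice"]),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:14s} -> {ok}")
```

The `carol_secret` case is the one Steve's point 4 turns on: because the verifier takes the username from the header rather than from the peer record, falling through to other IP-matched peers can only succeed against a peer whose secret is identical to the one the client used, so the fall-through adds nothing for legitimate clients and only widens what a guessed secret can match.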
