[asterisk-users] Need a volunteer for a Patch
Lyle Giese
lyle at lcrcomputer.net
Wed Aug 3 19:16:20 CDT 2011
On 08/03/11 09:49, Venefax wrote:
>>
>> I tried the route of using iptables and at top production time, it eats
>> 5% of my server, bringing it to 95+ CPU usage. Clearly, not an option.
>> I need a patch for chan_sip that when
> alwaysauthreject=yes
> does not respond to any REGISTER packet if the username does not exist.
> I hope that Digium would include this or similar option in the source
> code. Alternatively, a new option can be created in sip.conf. I am
> offering no money for this patch. I think all the community needs this
> to survive the attack of the evil men from shadowlands.
>
> Another nice patch that I already wrote partially, is for
> cdr_addons_mysql, but it should be included in all cdr-collecting
> technologies. I just do not save to the database any call that is not
> connected. This is NOT the same as setting the option at the cdr.conf
> level. Each cdr technology needs this option as well. I need to save all
> calls to my cdr_odbc, for ASR calculations, but it is useless to store
> un-connected calls to mysql, because I use it only as a backup cdr, in
> case my external SQL Server blows up or has a problem, which happens often.
> What I did was to hard code this option in the source code, but not
> including any checking for a cdr_sql.conf, since I am not a C programmer.
>
With your option turned on, evil ones will again be able to enumerate
valid usernames.
To keep them guessing, you give them the same answer if the user name
does not exist or if they gave you a bad password. But with your option
turned on, they will know if they have a valid user name or not.
Lyle Giese
LCR Computer Services, Inc.
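
Added example (not part of the original post or of Asterisk's code): a Python sketch of the point made in the reply above, comparing what a sender observes after a failed REGISTER under three reject policies. The policy labels, peer name, secret, nonce and status codes are constructed for illustration.

```python
import hashlib

# Constructed sample data: one provisioned peer (name and secret are made up).
PEERS = {"1001": "s3cret-constructed"}
REALM = "asterisk"

def _md5(s):
    return hashlib.md5(s.encode()).hexdigest()

def digest_response(user, password, nonce, uri="sip:pbx.example"):
    """RFC 2617 digest (no qop), the scheme used for SIP REGISTER authentication."""
    ha1 = _md5(f"{user}:{REALM}:{password}")
    ha2 = _md5(f"REGISTER:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")

def register(policy, user, response, nonce="abc123"):
    """Return what the sender observes: a status line, or None for silence.

    policy labels are hypothetical names for this sketch, not sip.conf values:
      "distinct" - unknown peers get 404, bad passwords get 401
      "uniform"  - the behaviour alwaysauthreject=yes aims for: 401 either way
      "silent"   - the patch requested in the thread: no reply for unknown peers
    """
    secret = PEERS.get(user)
    if secret is None:
        return {"distinct": "404 Not Found",
                "uniform": "401 Unauthorized",
                "silent": None}[policy]
    if response == digest_response(user, secret, nonce):
        return "200 OK"
    return "401 Unauthorized"

def leaks_existence(policy):
    """True if a failed REGISTER looks different for an existing vs. a missing peer."""
    bogus = digest_response("x", "wrong", "abc123")
    known = register(policy, "1001", bogus)
    unknown = register(policy, "no-such-peer", bogus)
    return known != unknown

if __name__ == "__main__":
    for p in ("distinct", "uniform", "silent"):
        print(p, "-> reveals whether the peer exists:", leaks_existence(p))
```

Only the "uniform" policy gives the same observable result in both cases; staying silent for unknown peers while answering known ones is as distinguishable as sending a different status code.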