[asterisk-users] Securing Asterisk - How to avoid sending, "SIP/2.0 603 Declined"
Bruce B
bruceb444 at gmail.com
Fri Jul 22 22:48:51 CDT 2011
Thanks again for the depth of knowledge you are offering.
So, I am taking a pass on the firewall since it won't do what I need, but I
understand that it can do country block etc., though not foolproof
still.
I am really not worried about DoS or, more importantly, DDoS as I have no hope
those can be prevented anyhow... been hit by one on a pfSense router and it
was just "absorb as much as you can".
I like the different port idea, though with the current scattered ATAs and
SIP phones it's impractical for me to ask them all to change to a random
port.
Quote, "How do the users register to begin with, if their REGISTER requests
won't be processed unless their IP is already known to be a registrant?
:-)"
Well, unfortunately I don't have the luxury of knowing their IP and the
closest I know is their IP range.
But I guess this is what it is, as I have seen big providers also return
DECLINED from their gateways if one is not on their authorized list.
So, my final questions:
1- So, you are saying that either of OpenSER/Kamailio/OpenSIPS actually give
me the full capability to the SIP stack to do the sort of thing I was asking
for? And this can run on the same server as Asterisk is running?
Thanks a bunch
On Fri, Jul 22, 2011 at 10:18 PM, Alex Balashov
<abalashov at evaristesys.com>wrote:
> On 07/22/2011 10:11 PM, Bruce B wrote:
>
>> Vast number of scattered users all over the globe. I hate to think
>> there is no way to not announce ourselves as a SIP server to
>> un-trusted users.
>>
>
> Not easily. This is a problem all service providers have to deal with, and
> so do you. You have to have your SIP services open to the world, but they
> don't necessarily need to be easy to DoS or dictionary scan.
>
> Intra-industrially, the solution is usually some form of SBC or other
> administrative border/edge security element. In the open-source world, a
> lot of the steeling, rate-limiting, etc. can be done with
> OpenSER/Kamailio/OpenSIPS.
>
> (Shameless plug: That's what we do all day commercially.)
>
> A common strategy is to use a non-standard SIP port ('bindport' in
> sip.conf). No, it doesn't stop all scans, but in our experience, it will
> stop a good 95%+ of them. When almost everyone does use the standard SIP
> port, and thus there are so many low-hanging targets, it's not worth
> bothering with a full ~65k UDP port scan. Certainly, the average SIPvicious
> scanner won't bother with anything but 5060.
>
>
>> Or is there something else that can be done with the firewall to all
>> "dynamic" trust IPs and drop packets from unregistered sources?
>>
>
> That raises an interesting question:
>
> How do the users register to begin with, if their REGISTER requests won't
> be processed unless their IP is already known to be a registrant? :-)
>
> --
> Alex Balashov - Principal
> Evariste Systems LLC
> 260 Peachtree Street NW
> Suite 2200
> Atlanta, GA 30303
> Tel: +1-678-954-0670
> Fax: +1-404-961-1892
> Web: http://www.evaristesys.com/
>
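As an added example (not code from either poster), here is how the rate-limiting and source-filtering Alex describes could look in a Kamailio front end placed ahead of Asterisk. It assumes Kamailio owns the public SIP port, that Asterisk is reachable at the placeholder address 192.0.2.10:5060, and that the users' known range is the placeholder netblock 203.0.113.0/24. Requests that fail either check are discarded without any reply, so an untrusted scanner never receives a 603 Declined or anything else that would announce a SIP server.

```kamailio
#!KAMAILIO
# Added example: minimal kamailio.cfg fronting Asterisk.
# Placeholders (constructed, not from the thread):
#   203.0.113.0/24 - the users' known IP range
#   192.0.2.10     - the Asterisk host behind Kamailio

listen=udp:0.0.0.0:5060

loadmodule "tm.so"
loadmodule "sl.so"
loadmodule "xlog.so"
loadmodule "pike.so"

# pike: flag any source sending more than 16 requests per 2-second
# sampling unit; the flag is cleared after 4 quiet units.
modparam("pike", "sampling_time_unit", 2)
modparam("pike", "reqs_density_per_unit", 16)
modparam("pike", "remove_latency", 4)

request_route {
    # Rate limit first. A dictionary scanner gets silence, not a reply,
    # and the xlog line is the detection record for the operator.
    if (!pike_check_req()) {
        xlog("L_ALERT", "pike: dropping $rm from $si:$sp\n");
        exit;
    }

    # Only the known user range may reach Asterisk at all. Anything
    # else is ignored without a response (no 603, no 401, nothing).
    if (!(src_ip == 203.0.113.0/24)) {
        xlog("L_INFO", "ignoring $rm from untrusted source $si\n");
        exit;
    }

    # Trusted sources are relayed to Asterisk, which still performs
    # the real REGISTER/INVITE authentication.
    $du = "sip:192.0.2.10:5060";
    if (!t_relay()) {
        sl_reply_error();
    }
    exit;
}
```

Check the file with `kamailio -c -f kamailio.cfg` before loading it. The pike thresholds are a starting point and should be tuned against real registration traffic; trunk traffic from upstream carriers would need its own allowed range or a separate route, since this fragment only admits the user netblock.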