[asterisk-users] Securing Asterisk

CDR venefax at gmail.com
Sat Jul 23 12:38:36 CDT 2011


I beg to differ. Digium is hiding from the real world and somebody is
going to take the software and run with it. My customers lost in excess
of $50.000 and cut my pay in half, because of hackers. The hackers
figured out how to scan every asterisk for weak passwords or open
ports, and bang them real good. We need two things: a) disable in
sip.conf the reply for INVITES that have wrong user information, and
also, b) disable any response to any REGISTER packet altogether. Can
somebody please write a patch? Or should we go broke trying to stop the
flood of criminals coming from abroad?
Federico

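Federico's two asks (stop treating an INVITE for a wrong user differently, and stop answering scanners' REGISTERs) are what chan_sip's alwaysauthreject and allowguest options and per-peer permit/deny lines already cover. As an added example, not code from this thread, from Asterisk or from Digium, the Python script below parses a sip.conf and reports the settings SIP scanners depend on, run against a constructed weak config and its hardened counterpart. The option names are real chan_sip options; both configs, the 12-character secret threshold and the 192.168.10.0/24 LAN are assumptions made for the example.

```python
# Added example for this thread (not Asterisk or Digium code): audit a
# chan_sip sip.conf for the settings SIP scanners depend on. The option
# names (alwaysauthreject, allowguest, secret, insecure, host, type,
# deny/permit) are real chan_sip options; both configs below and the
# 12-character secret threshold are constructed for illustration.
import re

WEAK_SIP_CONF = """\
[general]
context=default      ; unauthenticated callers land in a context that can dial out
allowguest=yes

[std-phone](!)
type=friend
host=dynamic

[100](std-phone)
secret=100
[trunk-provider]
type=peer
host=sip.example.invalid
insecure=port,invite
"""

# The same deployment with every finding fixed (also constructed).
HARDENED_SIP_CONF = """\
[general]
context=no-service   ; a context whose only extension hangs up
allowguest=no
alwaysauthreject=yes ; unknown user and wrong secret get the same reply

[std-phone](!)
type=friend
host=dynamic
deny=0.0.0.0/0.0.0.0
permit=192.168.10.0/255.255.255.0

[100](std-phone)
secret=Jt4$nW8q!bX2mC6y
[trunk-provider]
type=peer
host=sip.example.invalid
insecure=port
"""

SECTION_RE = re.compile(r"^\[([^\]]+)\](?:\((.*)\))?\s*$")
MIN_SECRET_LEN = 12  # this script's assumption, not an Asterisk setting


def parse_sip_conf(text):
    """Parse Asterisk's ini-like syntax into {section: {key: value}}: ';' comments,
    'key=value' or 'key => value', and [name](template) / [name](!) templates,
    whose values are copied into each child; template-only sections are dropped."""
    sections, templates, current = {}, set(), None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            name, current = m.group(1), {}
            for parent in (p.strip() for p in (m.group(2) or "").split(",")):
                if parent == "!":
                    templates.add(name)
                elif parent:
                    current.update(sections.get(parent, {}))
            sections[name] = current
        elif current is not None:
            key, _, value = line.partition("=")
            current[key.strip().lower()] = value.lstrip(">").strip()
    return {n: o for n, o in sections.items() if n not in templates}


def audit(conf):
    """Return [(section, finding)] for settings that allow enumeration, guest calls,
    cheap brute force, or registration from anywhere."""
    findings = []
    general = conf.get("general", {})
    if general.get("alwaysauthreject", "no").lower() != "yes":
        findings.append(("general", "alwaysauthreject != yes: unknown user and wrong "
                         "secret get different replies, so extensions can be enumerated"))
    if general.get("allowguest", "yes").lower() != "no":
        findings.append(("general", "allowguest != no: unauthenticated INVITEs run in "
                         "context '%s'" % general.get("context", "default")))
    for name, opts in conf.items():
        if name == "general" or "type" not in opts:
            continue
        dynamic = opts.get("host") == "dynamic"
        if dynamic or opts.get("type") in ("friend", "user"):
            secret = opts.get("secret", "")
            if not secret or secret == name or len(secret) < MIN_SECRET_LEN:
                findings.append((name, "missing or weak secret (empty, equal to the "
                                 "username, or shorter than %d chars)" % MIN_SECRET_LEN))
        if "invite" in opts.get("insecure", "").replace(" ", "").split(","):
            findings.append((name, "insecure=invite: calls from this peer are not authenticated"))
        if dynamic and "deny" not in opts:
            findings.append((name, "dynamic host without deny/permit: registers from any address"))
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_SIP_CONF), ("hardened", HARDENED_SIP_CONF)):
        print("== %s sip.conf ==" % label)
        for section, msg in audit(parse_sip_conf(text)) or [("-", "no findings")]:
            print("[%s] %s" % (section, msg))
```

With alwaysauthreject=yes, chan_sip rejects an INVITE or REGISTER for an unknown user with the same response it gives for a wrong secret, which removes the user-existence leak this thread is about without silencing responses altogether; REGISTER cannot simply be ignored without breaking the site's own phones, which is what the deny/permit lines on the dynamic peers are for, and allowguest=no is what stops a wrong-user INVITE from being treated as a guest call in the first place.
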
On Sat, Jul 23, 2011 at 1:00 PM,
<asterisk-users-request at lists.digium.com> wrote:
>
> Today's Topics:
>
>   1. Re: use dahdi for local terminal modem access? (Lyle Giese)
>   2. dialplan pattern help (Armand Fumal)
>   3. Re: Securing Asterisk - How to avoid sending, "SIP/2.0 603
>      Declined" (Patrick Lists)
>   4. Re: Securing Asterisk - How to avoid sending, "SIP/2.0 603
>      Declined" (Paul Belanger)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Sat, 23 Jul 2011 09:29:26 -0500
> From: Lyle Giese <lyle at lcrcomputer.net>
> Subject: Re: [asterisk-users] use dahdi for local terminal modem
>        access?
> To: asterisk-users at lists.digium.com
> Message-ID: <4E2ADAC6.4010101 at lcrcomputer.net>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
>
> On 07/22/11 22:47, William Stillwell wrote:
>> Um, no VOIP involved here.
>
> Wrong.  What do you think Asterisk is?  Chopped meat?  It's a VoIP
> switch.  All traffic inside Asterisk is VoIP.
>
>>
>> I have an asterisk server with 2 23B+D PRI's
>>
>> I want to telnet/ssh into the asterisk server, and make an outbound call
>> serial based modem/terminal connection (Like the 80/90's BBS Days).
>>
>> No TCP/IP or PPP or crazyness
>>
>> (ie, dialing into a Modem set to AA hooked to a Cisco Console Port)
>>
>>
>>
>>> -----Original Message-----
>>> From: asterisk-users-bounces at lists.digium.com [mailto:asterisk-users-
>>> bounces at lists.digium.com] On Behalf Of Lyle Giese
>>> Sent: Friday, July 22, 2011 8:07 PM
>>> To: asterisk-users at lists.digium.com
>>> Subject: Re: [asterisk-users] use dahdi for local terminal modem
>>> access?
>>>
>>> On 07/22/11 18:13, William Stillwell wrote:
>>>> I have some terminals that have phone lines.
>>>>
>>>> One of my techs had an idea of using IAXmodem or something similar to
>>>> use existing PRI/DAHDI trunks for dial out via the asterisk/Linux
>>>> console.
>>>>
>>>> Anybody ever heard of doing this?
>>>>
>>>> I would think maybe I would use iaxmodem and a shell terminal
>>>> app?
>>>>
>>>> (basically I'm dialing into a remote access device that uses a pots
>>>> line for remote administration, and don't want to string a channel bank
>>>> off my asterisk box, and a hook to a modem)
>>>>
>>>>
>>>>
>>>> --
>>>
>>> Depends on your expectation.  Because of compression in the codecs, it
>>> will be hard to get fast dialup.  If you mean ssh or telnet, it might
>>> work.  If you mean vnc or RDP over this, you may not get enough usable
>>> bandwidth to do that.
>>>
>>> Given this, I have in an emergency dialed into a RAS server via a VoIP
>>> line. My laptop connected at 14,400bps.  All I needed to do was telnet
>>> into an APC masterswitch to toggle power on one outlet.  It worked.
>>>
>>> I was surprised at getting a 14,400bps connect.  I was not expecting
>>> that high and really did not need that high.  300 baud probably would
>>> have been fast enough to telnet into an APC masterswitch.
>>>
>>> Lyle Giese
>>> LCR Computer Services, Inc.
>>>
>>> --
>>> _____________________________________________________________________
>>> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
>>> New to Asterisk? Join us for a live introductory webinar every Thurs:
>>>                 http://www.asterisk.org/hello
>>>
>>> asterisk-users mailing list
>>> To UNSUBSCRIBE or update options visit:
>>>     http://lists.digium.com/mailman/listinfo/asterisk-users
>>
>>
>
>
>
>
> ------------------------------
>
> Message: 2
> Date: Sat, 23 Jul 2011 14:30:42 +0000
> From: Armand Fumal <af at cybernet.lu>
> Subject: [asterisk-users] dialplan pattern help
> To: "asterisk-users at lists.digium.com"
>        <asterisk-users at lists.digium.com>
> Message-ID:
>        <2584E1ABC3629C4D85A61B8DC4D27297096F1432 at EXCHANGELU.lu.cybernet.local>
>
> Content-Type: text/plain; charset="us-ascii"
>
> Hi all,
>
> I need help making a pattern for a special case for which I can't find the solution.
>
> In my case I want to match these in one pattern:
>
> This is the same ext that can come in 4 cases
>
> exten => _42704701,1,Macro(dialfax,${EXTEN:-8})         ; case with 42704701
> exten => _X42704701,1,Macro(dialfax,${EXTEN:-8})                ; case with 042704701
> exten => _XXXX42704701,1,Macro(dialfax,${EXTEN:-8})     ; case with +3242704701
> exten => _XXX42704701,1,Macro(dialfax,${EXTEN:-8})              ; case with 3242704701
>
> I have tried _.42704701 but the parser stops checking after the dot "."    :-(
>
> So do you have any suggestions?
>
> Regards
>
> Armand Fumal
>
>
>
>
> ------------------------------
>
> Message: 3
> Date: Sat, 23 Jul 2011 17:48:44 +0200
> From: Patrick Lists <asterisk-list at puzzled.xs4all.nl>
> Subject: Re: [asterisk-users] Securing Asterisk - How to avoid
>        sending, "SIP/2.0 603 Declined"
> To: Asterisk Users Mailing List - Non-Commercial Discussion
>        <asterisk-users at lists.digium.com>
> Message-ID: <4E2AED5C.9080901 at puzzled.xs4all.nl>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> On 07/23/2011 04:00 PM, Paul Belanger wrote:
>> A UAS rejecting an offer contained in an INVITE SHOULD return a 488
>> (Not Acceptable Here) response. Such a response SHOULD include a
>> Warning header field value explaining why the offer was rejected.
>
> If the choice is to get hacked/DDOS'ed/etc or compliance with an RFC
> created by people who had no appreciation for the rather ugly world out
> there then why not throw the RFC out of the window and *not* reject an
> invite with a 488? It sounds like an interesting option to add to
> "10"/trunk. Better secure than compliant & sorry. Why not do a little
> Microsoft Embrace & Extend? Like e.g. Sonus and Cisco do with their
> interpretation of SIP.
>
> Regards,
> Patrick
>
>
>
> ------------------------------
>
> Message: 4
> Date: Sat, 23 Jul 2011 12:07:49 -0400
> From: Paul Belanger <pabelanger at digium.com>
> Subject: Re: [asterisk-users] Securing Asterisk - How to avoid
>        sending, "SIP/2.0 603 Declined"
> To: asterisk-users at lists.digium.com
> Message-ID: <4E2AF1D5.80305 at digium.com>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> On 11-07-23 11:48 AM, Patrick Lists wrote:
>> On 07/23/2011 04:00 PM, Paul Belanger wrote:
>>> A UAS rejecting an offer contained in an INVITE SHOULD return a 488
>>> (Not Acceptable Here) response. Such a response SHOULD include a
>>> Warning header field value explaining why the offer was rejected.
>>
>> If the choice is to get hacked/DDOS'ed/etc or compliance with an RFC
>> created by people who had no appreciation for the rather ugly world out
>> there then why not throw the RFC out of the window and *not* reject an
>> invite with a 488? It sounds like an interesting option to add to
>> "10"/trunk. Better secure than compliant & sorry. Why not do a little
>> Microsoft Embrace & Extend? Like e.g. Sonus and Cisco do with their
>> interpretation of SIP.
>>
> Personally, I don't see this as a solution.  SIP already provides some
> ability to help with security (EG: TLS, SRTP) however that is basically
> the extent of it.
>
> The way I see it, it is outside the scope of SIP; it's a signaling
> protocol. If 'security' is really something you want to establish, many
> existing tools are available to handle this (EG: VPN, firewalls,
> encryption, etc).
>
> As previously mentioned, there is no easy, simple solution. Securing
> one's services takes work (and time) to do it right.  Most people don't
> want to spend the effort monitoring it.
>
> --
> Paul Belanger
> Digium, Inc. | Software Developer
> twitter: pabelanger | IRC: pabelanger (Freenode)
> Check us out at: http://digium.com & http://asterisk.org
>
>
>
> ------------------------------
>
>
> End of asterisk-users Digest, Vol 84, Issue 44
> **********************************************
>
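The monitoring Paul Belanger says most people skip, as an added example that is not part of the digest above and not Asterisk's or Digium's own tooling: a Python script that reads chan_sip's failure NOTICE lines from Asterisk's messages log, flags source addresses that fail repeatedly inside a short window, and renders iptables rules for the ones outside an assumed office LAN. The log lines are constructed for illustration, modelled on the chan_sip message formats of the 1.4/1.8 era; the threshold, window, LAN range and addresses are assumptions made for the example.

```python
# Added example for this thread (not Asterisk or Digium code): the
# monitoring Paul Belanger refers to. It parses chan_sip NOTICE lines from
# Asterisk's messages log, counts authentication and dial failures per
# source address inside a sliding window, and renders iptables rules for
# the sources that cross a threshold. The log lines are constructed for
# illustration, modelled on the 1.4/1.8-era chan_sip messages; threshold,
# window and the allowlisted LAN are this script's assumptions.
import re
from collections import defaultdict, deque
from datetime import datetime
from ipaddress import ip_address, ip_network

LOG_LINE = re.compile(r"^\[(\w{3} +\d+ \d\d:\d\d:\d\d)\] NOTICE\[\d+\] chan_sip\.c: (.*)$")
FAILURES = [  # each pattern captures the remote address as 'ip' and the cause as 'why'
    re.compile(r"Registration from '.*' failed for '(?P<ip>[\d.]+)(?::\d+)?' - "
               r"(?P<why>Wrong password|No matching peer found|Username/auth name mismatch|"
               r"Device does not match ACL|Peer is not supposed to register)"),
    re.compile(r"Call from '.*' \((?P<ip>[\d.]+)(?::\d+)?\) to extension '.*' rejected "
               r"because (?P<why>extension not found) in context '.*'"),
]
THRESHOLD = 3         # failures from one address ...
WINDOW_SECONDS = 600  # ... within this many seconds
LAN_ALLOWLIST = ("192.168.10.0/24",)  # assumed office LAN: report but never block

SAMPLE_LOG = """\
[Jul 23 12:40:01] NOTICE[2231] chan_sip.c: Registration from '"100" <sip:100@203.0.113.10>' failed for '198.51.100.7:5060' - Wrong password
[Jul 23 12:40:01] NOTICE[2231] chan_sip.c: Registration from '"101" <sip:101@203.0.113.10>' failed for '198.51.100.7:5060' - No matching peer found
[Jul 23 12:40:02] NOTICE[2231] chan_sip.c: Registration from '"102" <sip:102@203.0.113.10>' failed for '198.51.100.7:5060' - No matching peer found
[Jul 23 12:40:02] NOTICE[2231] chan_sip.c: Call from '' (198.51.100.7:5060) to extension '900441234567890' rejected because extension not found in context 'default'.
[Jul 23 12:40:03] NOTICE[2231] chan_sip.c: Registration from '"103" <sip:103@203.0.113.10>' failed for '198.51.100.7:5060' - Wrong password
[Jul 23 12:41:30] NOTICE[2231] chan_sip.c: Registration from '"200" <sip:200@203.0.113.10>' failed for '192.168.10.44:5060' - Wrong password
[Jul 23 12:41:45] NOTICE[2231] chan_sip.c: Registration from '"200" <sip:200@203.0.113.10>' failed for '192.168.10.44:5060' - Wrong password
[Jul 23 12:42:00] NOTICE[2231] chan_sip.c: Registration from '"200" <sip:200@203.0.113.10>' failed for '192.168.10.44:5060' - Wrong password
[Jul 23 12:50:00] NOTICE[2231] chan_sip.c: Registration from '"300" <sip:300@203.0.113.10>' failed for '203.0.113.99:5060' - No matching peer found
[Jul 23 13:05:00] NOTICE[2231] chan_sip.c: Registration from '"301" <sip:301@203.0.113.10>' failed for '203.0.113.99:5060' - No matching peer found
[Jul 23 13:20:00] NOTICE[2231] chan_sip.c: Registration from '"302" <sip:302@203.0.113.10>' failed for '203.0.113.99:5060' - No matching peer found
"""


def parse_failures(log_text):
    """Yield (timestamp, ip, why) for every chan_sip auth/dial failure line."""
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        # The messages log carries no year; strptime defaults to 1900, which
        # is fine for the relative arithmetic below.
        ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")
        for pattern in FAILURES:
            f = pattern.search(m.group(2))
            if f:
                yield ts, f.group("ip"), f.group("why")
                break


def find_offenders(log_text, threshold=THRESHOLD, window=WINDOW_SECONDS):
    """Return {ip: peak failures} for sources with >= threshold failures in one window.

    A scanner trips this in seconds; a low-and-slow probe spaced wider than
    the window never keeps enough entries in its deque to cross the threshold."""
    recent, offenders = defaultdict(deque), {}
    for ts, ip, _ in parse_failures(log_text):
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:
            q.popleft()
        if len(q) >= threshold:
            offenders[ip] = max(offenders.get(ip, 0), len(q))
    return offenders


def iptables_rules(offenders, allowlist=LAN_ALLOWLIST):
    """Render DROP rules for offenders outside the allowlist, so a phone with a
    mistyped secret on the LAN is reported but never locks the office out."""
    nets = [ip_network(n) for n in allowlist]
    return ["iptables -I INPUT -s %s -p udp --dport 5060 -j DROP" % ip
            for ip in sorted(offenders)
            if not any(ip_address(ip) in n for n in nets)]


if __name__ == "__main__":
    hits = find_offenders(SAMPLE_LOG)
    for ip, n in sorted(hits.items()):
        print("%s: %d failures inside %ds" % (ip, n, WINDOW_SECONDS))
    print("\n".join(iptables_rules(hits)))
```

fail2ban's stock asterisk filter does the same job as a daemon; writing it out shows the two choices that matter: the 203.0.113.99 probe, spaced fifteen minutes apart, never crosses the threshold with a ten-minute window but does with a one-hour one, and without the LAN allowlist the phone at 192.168.10.44 with a mistyped secret would get the office blocked from its own PBX.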