[asterisk-users] Securing Asterisk

Alex Balashov abalashov at evaristesys.com
Tue Jul 26 13:14:13 CDT 2011


On 07/26/2011 02:09 PM, CDR wrote:

> Only way to cope with hackers would be that Digium comes to its
> senses and accepts to disable any response to a REGISTER whose
> username is unknown.  I cannot think of a good reason why Digium
> finds this proposal unacceptable, given the onslaught of hacking
> that we are seeing in the industry. It may take a single line of
> code and it would save millions of $$$. Not only because the
> hackers will never get in, but because we would save a huge CPU
> impact responding to hundreds of REGISTER attempts per minute. It
> is a NO brainer. Can the Powers that Be please reconsider and add
> this option to sip.conf? Please?

No, because that's absolutely ridiculous.  The proper, RFC-compliant 
behaviour is to return an authentication failure in response to 
invalid credentials.  This mechanism is relied upon for legitimate 
functionality, such as letting the UAs of intended users know that 
they are sending incorrect credentials.

As was pointed out before, Asterisk is a mostly application-level 
construct.  Applications usually have some rudimentary means of 
self-defense such as ACLs, but applications are often conceptually 
distinct from the most appropriate means of securing them.  That's 
what firewalls, SBCs, intrusion detection systems, etc. are for.

Your position is equivalent to saying that stock SSH should not return 
authentication errors for invalid passwords.  The proper solution to 
dictionary attacks is to firewall the SSH service, use RSA keys, VPNs, 
etc., not to tell the maintainers of the OpenSSH project to come to 
their senses.

-- 
Alex Balashov - Principal
Evariste Systems LLC
260 Peachtree Street NW
Suite 2200
Atlanta, GA 30303
Tel: +1-678-954-0670
Fax: +1-404-961-1892
Web: http://www.evaristesys.com/
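The firewall/IDS layer the reply points to, as an added example that is not from this thread or from the Asterisk project: a small Python detector that reads chan_sip failed-registration notices, counts failures per source address over a sliding window, and reports addresses worth blocking at the firewall, which is what a fail2ban-style filter does. The log wording and the sample lines are constructed, modeled on Asterisk 1.8-era "Registration from ... failed for ..." notices; adjust the regex to your version's output.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches chan_sip's failed-registration NOTICE lines. The wording is assumed
# from typical Asterisk 1.8-era logs; adjust the pattern to your version.
FAIL_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] NOTICE\[\d+\] chan_sip\.c: Registration from "
    r"'(?P<from>[^']*)' failed for '(?P<ip>[\d.]+)(?::\d+)?' - (?P<reason>.+)$"
)

def fail_line(ts, user, ip, reason):
    """Build a constructed chan_sip failure notice for the sample log."""
    return (f"[{ts}] NOTICE[2201] chan_sip.c: Registration from "
            f"'\"{user}\" <sip:{user}@{ip}>' failed for '{ip}:5060' - {reason}")

# Constructed sample log (RFC 5737 test addresses): a legitimate phone at
# 192.0.2.10 mistypes its password twice; 203.0.113.5 guesses usernames.
SAMPLE_LOG = [
    fail_line("Jul 26 12:00:00", 999, "203.0.113.5", "No matching peer found"),
    fail_line("Jul 26 13:10:01", 100, "192.0.2.10", "Wrong password"),
    fail_line("Jul 26 13:10:40", 100, "192.0.2.10", "Wrong password"),
    "[Jul 26 13:10:41] NOTICE[2201] chan_sip.c: Peer '100' is now Reachable.",
] + [
    fail_line("Jul 26 13:12:%02d" % (10 + 2 * i), 1000 + i, "203.0.113.5",
              "No matching peer found")
    for i in range(5)
]

def parse_failures(lines):
    """Yield (timestamp, source_ip, reason) for each failed REGISTER line."""
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            continue  # registrations, reachability notices, etc. are ignored
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        yield ts, m.group("ip"), m.group("reason")

def offenders(lines, max_failures=5, window=timedelta(minutes=1)):
    """Return source IPs with max_failures or more failures inside one window."""
    recent = defaultdict(list)  # ip -> timestamps still inside the window
    flagged = set()
    for ts, ip, _reason in parse_failures(lines):
        recent[ip] = [t for t in recent[ip] if ts - t <= window] + [ts]
        if len(recent[ip]) >= max_failures:
            flagged.add(ip)
    return flagged

if __name__ == "__main__":
    print("block at firewall:", sorted(offenders(SAMPLE_LOG)))
```

The threshold separates a user mistyping a password from a scanner walking usernames; the flagged addresses are what you feed to the packet filter, while Asterisk itself keeps answering with the normal authentication failure.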


