[asterisk-users] Securing Asterisk

Bruce B bruceb444 at gmail.com
Tue Jul 26 13:33:12 CDT 2011


I would have to err on the side of CDR to say that the only difference in
analogy you provided (SSH vs Asterisk) is that people lose much more
$$$$$$$$ in VoIP than they ever did in SSH hacking. So, if this is an
exceptional case bending a rule or two of RFC in favor of security won't
harm specially if it's provided as an option. After-all, RFC does stand for
Referral For Comment as in always open to be improved. Secondly, there is no
trade off with the responses as local and private IP networks are well know
from the public range so the option for such a security measure can be tuned
to be smart to that end.

The only thing I like about MS OSs is that it's secure out of box and that
is really what a Linux OS should be as well but it's not and so it's not
solely Digium's issue and I see your point giving the analogy.

I think it's a good idea if such a security "option" is provided by default
in Asterisk knowing it can save a lot of headache. If budget is an issue
maybe make it a bounty and watch support pouring in...........

- Bruce

On Tue, Jul 26, 2011 at 2:14 PM, Alex Balashov <abalashov at evaristesys.com>wrote:

> On 07/26/2011 02:09 PM, CDR wrote:
>
>  Only way to cope with hackers would be that Digium comes to its
>> senses and accepts to disable any response to a REGISTER whose
>> username is unknown.  I cannot think of a good reason why Digium
>> finds this proposal unacceptable, given the onslaught of hacking
>> that we are seeing in the industry. It may take a single line of
>> code and it would save millions of $$$. Not only because the
>> hackers will never get in, but because we would save a huge CPU
>> impact responding to hundreds of REGISTER attempts per minute. It
>> is a NO brainer. Can please the Powers that Be reconsider and add
>> this option to sip.conf? Please?
>>
>
> No, because that's absolutely ridiculous.  The proper, RFC-compliant
> behaviour is to return an authentication failure in response to invalid
> credentials.  This mechanism is relied upon for legitimate functionality,
> such as letting the UAs of intended users know that they are sending
> incorrect credentials.
>
> As was pointed out before, Asterisk is a mostly application-level
> construct.  Applications usually have some rudimentary means of self-defense
> such as ACLs, but applications are often conceptually distinct from the most
> appropriate means of securing them.  That's what firewalls, SBCs, intrusion
> detection systems, etc. are for.
>
> Your position is equivalent to saying that stock SSH should not return
> authentication errors for invalid passwords.  The proper solution to
> dictionary attacks is to firewall the SSH service, use RSA keys, VPNs, etc.,
> not to tell the maintainers of the OpenSSH project to come to its senses.
>
> --
> Alex Balashov - Principal
> Evariste Systems LLC
> 260 Peachtree Street NW
> Suite 2200
> Atlanta, GA 30303
> Tel: +1-678-954-0670
> Fax: +1-404-961-1892
> Web: http://www.evaristesys.com/
>
>
> --
> ______________________________**______________________________**_________
> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
> New to Asterisk? Join us for a live introductory webinar every Thurs:
>              http://www.asterisk.org/hello
>
> asterisk-users mailing list
> To UNSUBSCRIBE or update options visit:
>  http://lists.digium.com/**mailman/listinfo/asterisk-**users<http://lists.digium.com/mailman/listinfo/asterisk-users>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.digium.com/pipermail/asterisk-users/attachments/20110726/395b9fb4/attachment.htm>


More information about the asterisk-users mailing list