[asterisk-users] Securing Asterisk

arcopix at erihon.com arcopix at erihon.com
Tue Jul 26 14:10:09 CDT 2011


Hello all,

Just out of curiosity, why are you not using something like fail2ban?
It tends to work flawlessly against brute force attacks. It works
well on invalid registrations / invites / etc.

You can go pretty much fanatic with that tool (ban IP addr for a week
if they fail to register more than 6 times).

What you are proposing is not hard to be achieved but it won't
introduce any improvement in the security of any protocol supported by Asterisk.

Regards,
Stefan Lekov

On Tue, 26 Jul 2011 14:42:01 -0400, Alex Balashov
<abalashov at evaristesys.com> wrote:
> On 07/26/2011 02:33 PM, Bruce B wrote:
> 
>> I would have to err on the side of CDR to say that the only difference
>> in analogy you provided (SSH vs Asterisk) is that people lose much
>> more $$$$$$$$ in VoIP than they ever did in SSH hacking. So, if this
>> is an exceptional case bending a rule or two of RFC in favor of
>> security won't harm, especially if it's provided as an
>> option.
> 
> Again:
> 
> _Applications are often conceptually distinct from the most
> appropriate means of securing them._
> 
> Moreover, as Kevin Fleming pointed out, refraining from responding to
> invalid credentials while continuing to respond to valid ones
> simply shifts the presentation of the information, from the point of
> view of the scanner.  It doesn't accomplish your goal at all.
> 
>> After all, RFC does stand for Referral For Comment as in always
>> open to be improved.
> 
> Adopted ones are standards to be followed.
> 
> You're right, though;  the IETF SIP working group welcomes
> incremental improvements;  submit yours and see what they think.  If
> you get your draft adopted, I am sure Digium would be more than happy
> to implement it in chan_sip.
> 
>> I think it's a good idea if such a security "option" is provided by
>> default in Asterisk knowing it can save a lot of headache. If
>> budget is an issue maybe make it a bounty and watch support pouring
>> in...........
> 
> The issue is not lack of resources, but rather that it's conceptually
> incorrect behaviour, and that the UAS is the wrong place to solve this
> problem.
> 
> The best advice that has been given in relation to this topic so far
> came from Lee Howard earlier today:
> 
> http://lists.digium.com/pipermail/asterisk-users/2011-July/265012.html
> 
> -- 
> Alex Balashov - Principal
> Evariste Systems LLC
> 260 Peachtree Street NW
> Suite 2200
> Atlanta, GA 30303
> Tel: +1-678-954-0670
> Fax: +1-404-961-1892
> Web: http://www.evaristesys.com/
> 

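To make the fail2ban approach Stefan describes concrete (count failed registrations per source address and ban the address once it fails too often inside a time window), here is an added example that is not part of the thread and not fail2ban's own code. It replays constructed log lines modelled on the chan_sip `Registration from ... failed for ...` NOTICE message and applies fail2ban's maxretry/findtime/bantime semantics in plain Python, so a reader can see why a burst of failures from one host is banned while the same number of failures spread over a longer period is not. The log format, peer names, timestamps and addresses (RFC 5737 documentation ranges) are all constructed; the default values (6 failures within 10 minutes, ban for a week) follow the "fanatic" settings mentioned above.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the style of Asterisk 1.8 chan_sip NOTICE lines (not a
# real capture). Chronological order, as in /var/log/asterisk/messages.
# 198.51.100.9 fails 6 times spread over 15 minutes; 203.0.113.5 fails 7 times
# within seconds; 198.51.100.7 fails once; one VERBOSE line must be ignored.
SAMPLE_LOG = """\
[Jul 26 14:00:00] NOTICE[2345] chan_sip.c: Registration from '"300" <sip:300@192.0.2.10>' failed for '198.51.100.9:5060' - Wrong password
[Jul 26 14:03:00] NOTICE[2345] chan_sip.c: Registration from '"300" <sip:300@192.0.2.10>' failed for '198.51.100.9:5060' - Wrong password
[Jul 26 14:06:00] NOTICE[2345] chan_sip.c: Registration from '"300" <sip:300@192.0.2.10>' failed for '198.51.100.9:5060' - Wrong password
[Jul 26 14:09:00] NOTICE[2345] chan_sip.c: Registration from '"300" <sip:300@192.0.2.10>' failed for '198.51.100.9:5060' - Wrong password
[Jul 26 14:10:01] NOTICE[2345] chan_sip.c: Registration from '"100" <sip:100@192.0.2.10>' failed for '203.0.113.5:5060' - Wrong password
[Jul 26 14:10:02] NOTICE[2345] chan_sip.c: Registration from '"101" <sip:101@192.0.2.10>' failed for '203.0.113.5:5060' - No matching peer found
[Jul 26 14:10:03] NOTICE[2345] chan_sip.c: Registration from '"102" <sip:102@192.0.2.10>' failed for '203.0.113.5:5060' - No matching peer found
[Jul 26 14:10:04] NOTICE[2345] chan_sip.c: Registration from '"103" <sip:103@192.0.2.10>' failed for '203.0.113.5:5060' - No matching peer found
[Jul 26 14:10:05] NOTICE[2345] chan_sip.c: Registration from '"admin" <sip:admin@192.0.2.10>' failed for '203.0.113.5:5060' - No matching peer found
[Jul 26 14:10:06] NOTICE[2345] chan_sip.c: Registration from '"104" <sip:104@192.0.2.10>' failed for '203.0.113.5:5060' - No matching peer found
[Jul 26 14:10:07] NOTICE[2345] chan_sip.c: Registration from '"105" <sip:105@192.0.2.10>' failed for '203.0.113.5:5060' - No matching peer found
[Jul 26 14:11:00] VERBOSE[2345] chan_sip.c:     -- Registered SIP '100' at 192.0.2.20:5060
[Jul 26 14:12:00] NOTICE[2345] chan_sip.c: Registration from '"200" <sip:200@192.0.2.10>' failed for '198.51.100.7:5060' - Wrong password
[Jul 26 14:12:30] NOTICE[2345] chan_sip.c: Registration from '"300" <sip:300@192.0.2.10>' failed for '198.51.100.9:5060' - Wrong password
[Jul 26 14:15:00] NOTICE[2345] chan_sip.c: Registration from '"300" <sip:300@192.0.2.10>' failed for '198.51.100.9:5060' - Wrong password
"""

# Matches only the failed-registration NOTICE; the source port after the IP is optional.
LOG_RE = re.compile(
    r"^\[(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '(?P<frm>[^']*)' failed for '(?P<ip>\d+(?:\.\d+){3})(?::\d+)?' - (?P<reason>.+)$"
)


def parse_failures(lines):
    """Yield (timestamp, source_ip, reason) for each failed-registration line.

    Asterisk's default timestamp carries no year, so strptime yields year 1900;
    only the differences between timestamps matter here.
    """
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["ip"], m["reason"]


def detect_offenders(lines, maxretry=6, findtime_seconds=600, bantime_seconds=7 * 24 * 3600):
    """Replay the log and return {ip: ban record} for every source that reached
    maxretry failures inside a sliding findtime window (fail2ban's semantics)."""
    findtime = timedelta(seconds=findtime_seconds)
    bantime = timedelta(seconds=bantime_seconds)
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    banned = {}
    for ts, ip, reason in parse_failures(lines):
        if ip in banned and ts < banned[ip]["expires_at"]:
            continue  # already banned: the firewall would have dropped this packet
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > findtime:  # evict failures older than findtime
            window.popleft()
        if len(window) >= maxretry:
            banned[ip] = {
                "failures": len(window),
                "last_reason": reason,
                "banned_at": ts,
                "expires_at": ts + bantime,
            }
            window.clear()
    return banned


if __name__ == "__main__":
    for ip, rec in detect_offenders(SAMPLE_LOG.splitlines()).items():
        print(f"ban {ip}: {rec['failures']} failures, last reason '{rec['last_reason']}', "
              f"until {rec['expires_at']:%b %d %H:%M:%S}")
```

Run as-is, only 203.0.113.5 is banned: it hit six failures in six seconds. 198.51.100.9 also fails six times, but spread over fifteen minutes, so the ten-minute window never holds more than four entries; widening `findtime_seconds` to 1200 bans it too, which is the knob to turn for slow, patient scanners. The real fail2ban keeps the log regex in its `filter.d` definition and the thresholds in the jail, and bans via the firewall rather than the SIP stack, which is the point Alex makes above about the UAS being the wrong place to solve this.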