[asterisk-users] Securing Asterisk

[Steven Howes]

On 27 Jul 2011, at 17:11, CDR wrote:
> This is turning into a political issue such as the one in Washington
> and the impending default on US debt.

No, YOU are turning this into a political discussion.

> The point is that a minor change
> in the code would have a dramatic effect on security, and carry a
> lower impact on CPU that using Iptables. The simplicity of the change
> cannot understated. The hackers do not continue sending packets with
> new REGISTER attempts unless they see a response. The would move on.

Much as they do after you firewall them out. Have you ever tried? No? Too busy blaming others is suspect.

> Digium is being monarchical about this.

Why do you keep blaming Digium? Asterisk is made by a community.

> It looks like a loss of contact with reality.

Couldn't agree more.

> The vast ecosystem of Digium is made of hundreds
> of people like me. I am being forced now to place Opensips in front of
> Asterisk, in port 5060, set Asterisk to listen at Port 5061, and block
> access to 5061 from outside. Instead of a minor change, I have to
> bring a second application to the picture.

There, problem solved.

> The reason why I find useless using iptables and a rule that bans an
> IP address if it communicates more than a threshold of times, is
> simple. I have customers that hit me 10+ times per seconds from the
> same IP. It would look like a hacker, and it is not.

Which is why you don't use packet count, you look in the logs for auth failures.

> I use a cluster of Asterisk in the same box, a big server, and each asterisks listens
> in its own network interface, and responds from it. It does work. But
> iptables or fail2ban would not work in a wholesale scenario.
> Any way, thanks for your attention.

Sure it would. If they're hacking one, you can block them from the lot.. I see no problem. Just make it look at all of the logs.

S