[asterisk-users] Allowing calls - maybe I'm just stupid...
A J Stiles
asterisk_list at earthshod.co.uk
Thu Jun 11 05:41:59 CDT 2015
On Thursday 11 Jun 2015, Luca Bertoncello wrote:
> Well, I decided to do that, since my Asterisk is reachable from the
> Internet just for my cellphone and I want to avoid someone guessing
> my password (random and long, but of course possible to guess
> with a brute-force attack) and making calls using my Asterisk...
Really? How weak are your passwords, for you to be worried about brute-force
attacks?
If you configure fail2ban so as to block IP addresses after a set number of
false attempts and then unblock after (say) 15 minutes, you can drastically
limit the rate at which such attempts can be made without running the risk of
locking *yourself* out.
> Since I'll rarely use my Asterisk from the Internet (maybe just if I'm on
> holiday), I find this limitation meaningful.
Well, Asterisk doesn't!
Did your mother ever tell you when you were younger and just beginning to
expand your horizons, "Always tell a grown-up where you are going, before you
go out" ? Well, that is essentially the purpose of SIP peer registration --
so your mother Asterisk knows where to find you, if an emergency arises a phone
call comes in.
You always need a username and password to make a call anyway. Introducing a
restriction, for you to have to be registered (using the *same* username and
password) before you can even make a call, will *not* make that any more
secure. Because an attacker who is guessing passwords still needs some way to
check them; and it's a fair bet that they will use the guessed passwords in
registration attempts. Which means that by the time they come to try to make
a call using those credentials, they will already be registered anyway!
If you are going to need occasionally to make possibly expensive phone calls
from random IP addresses, then you might consider using some form of out-of-
band authentication. For instance, have a web page on your Asterisk server,
protected by a *different* password, that must be visited to allow that IP
address a window of 15 minutes to connect to port 5060. (This in itself can
be problematic, if you are not extremely careful -- you absolutely do *not*
want to create a situation which can lead to arbitrary remote command execution
as root. Anytime I have had to do root stuff from within a CGI script, I have
written to a file, not the actual commands but enough information to construct
them; meanwhile a root cron job run every minute reads the file, does a regexp
match on the content, maybe performs the relevant commands and then wipes out
the file. The downside of this is a delay before anything happens; but you can
use a bit of AJAX in the script output to check every ten seconds whether
anything has happened yet. No doubt others will have their own suggestions.)
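The root-side half of the scheme described above, written out as an added example (it is not code from this post or from the Asterisk project). Everything here is an assumption made for illustration: the web script appends one line of the form "allow <ipv4>" to a spool file, a dedicated iptables chain named SIPALLOW exists and is consulted from INPUT ahead of a rule that drops UDP/5060 from everyone else, and this script is run from root's crontab every minute. Shell pattern matching stands in for the regexp match the post mentions; the key property is the same: the spool file is only ever treated as data from which a fixed command is built, never as something to execute.

```shell
#!/bin/sh
# Added example, not code from the list post: the root cron job of the
# "web script writes a request, root reads it and acts" scheme.
# All paths, the chain name and the window length are hypothetical.

SPOOL="${SPOOL:-/var/spool/sipallow/requests}"   # written by the web script
STATE="${STATE:-/var/lib/sipallow/active}"       # "ip expiry-epoch" per line, root only
CHAIN="${CHAIN:-SIPALLOW}"                       # hypothetical iptables chain
WINDOW_SECS="${WINDOW_SECS:-900}"                # 15-minute window, as in the post
IPTABLES="${IPTABLES:-iptables}"                 # set to "echo iptables" to dry-run

# Strict IPv4 check: four decimal octets 0-255, no leading zeros, nothing else.
valid_ipv4() {
  ip=$1
  [ -n "$ip" ] || return 1
  case "$ip" in
    *[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ ${#octet} -le 3 ] || return 1
    [ "$octet" -le 255 ] || return 1
    case "$octet" in 0?*) return 1 ;; esac
  done
  return 0
}

# The only commands ever run are built from an already validated address.
open_window() {
  $IPTABLES -I "$CHAIN" -p udp --dport 5060 -s "$1" -j ACCEPT
}
close_window() {
  $IPTABLES -D "$CHAIN" -p udp --dport 5060 -s "$1" -j ACCEPT
}

# True when the address already has an open window recorded in $STATE.
already_open() {
  [ -f "$STATE" ] && awk -v ip="$1" '$1 == ip { found = 1 } END { exit !found }' "$STATE"
}

# Read and wipe the spool. Moving the file aside first means a request that
# arrives while we work is not lost, and the web-writable file is never the
# one being read. Sets ALLOWED_COUNT to the number of windows opened.
process_spool() {
  ALLOWED_COUNT=0
  [ -s "$SPOOL" ] || return 0
  work="$SPOOL.$$"
  mv "$SPOOL" "$work" || return 1
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      "allow "*) ip=${line#allow } ;;
      *) continue ;;              # unknown request type: ignore it
    esac
    valid_ipv4 "$ip" || continue  # malformed or tampered line: ignore it
    already_open "$ip" && continue
    open_window "$ip"
    printf '%s %s\n' "$ip" "$(( $(date +%s) + WINDOW_SECS ))" >> "$STATE"
    ALLOWED_COUNT=$((ALLOWED_COUNT + 1))
  done < "$work"
  rm -f "$work"
}

# Remove rules whose window has elapsed and drop them from $STATE.
expire_windows() {
  [ -f "$STATE" ] || return 0
  now=$(date +%s)
  tmp="$STATE.tmp"
  : > "$tmp"
  while read -r ip expiry; do
    if [ "$now" -ge "$expiry" ]; then
      close_window "$ip"
    else
      printf '%s %s\n' "$ip" "$expiry" >> "$tmp"
    fi
  done < "$STATE"
  mv "$tmp" "$STATE"
}

# One cron tick: close stale windows first, then open newly requested ones.
expire_windows
process_spool
```

Running it with IPTABLES="echo iptables" and the spool pointed at a scratch file shows the behaviour without touching the firewall: a well-formed "allow" line yields exactly one constructed iptables command and one entry in the state file, while lines carrying extra arguments, out-of-range octets or unknown verbs are dropped without any command being built. The state file is what lets the same job close the window again after WINDOW_SECS, so the web script never needs to remove anything.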
It's good that you are thinking deeply about security, but beware not to get
drawn down blind alleys. For instance, if you have a door with a large,
single-glazed pane of 6 mm. glass, then there is little point fitting it with
an expensive, hard-to-pick lock.
--
AJS
Note: Originating address only accepts e-mail from list! If replying off-
list, change address to asterisk1list at earthshod dot co dot uk .