<p>Philipp, remembering the SIP user agent is a wonderful idea, and if you google it, somebody has made a patch for it, so that one could identify SIP devices by their SIP user agent names. Surprisingly, the decision makers didn't want to put it in the production branch of Asterisk at that time; however, it is still available online somewhere as a patch for older releases of Asterisk. I came across it when hackers were attacking my server on a constant basis. I, however, ended up writing security code within the dialplan to catch the SIP user agent fields and IP addresses and compare them with the info in the actual user database, which worked well for me. Here the only problem could be with changes to the SIP user agent info, e.g. X-Lite puts the version number in the SIP user agent field, which changes as you upgrade it to newer versions. Relatively more complicated code will probably recognize it, however. And a hacker can always send a fake SIP user agent field if he is really desperate to hack your server, which can also be caught using fail2ban.</p>
<p><blockquote type="cite">On 2010-03-18 10:45 PM, "Philipp von Klitzing" <<a href="mailto:klitzing@pool.informatik.rwth-aachen.de">klitzing@pool.informatik.rwth-aachen.de</a>> wrote:<br><br>Hey hey!<br>
<br>
> > My first step will be to strengthen the passwords in use, and for the<br>
> > hardphones to restrict by IP address, but that still leaves the<br>
> > softphone quite widely open.<br>
><br>
> Asterisk doesn't differentiate between a hard phone and a soft phone.<br>
<br>
Although: One could think about enhancing Asterisk security by allowing<br>
only a (number of) specific SIP user agent header (vendor, model) for a<br>
SIP account - next to a strong password, of course. Or implement<br>
something more dynamic like: Read and lock the current (or first) user<br>
agent string, and then ping the admin if that changes and request an<br>
unlock/re-auth.<br>
<br>
> > Does Asterisk 1.6 have anything in it that can automatically block out<br>
> > an attacking IP, say if it receives several 20 or so failed attempts<br>
> > from that IP in x minutes?<br>
<br>
It would still be important to have a sip.conf parameter in 1.4 that is<br>
similar to "delayreject" in iax.conf! One of my systems has been scanned<br>
3 times in the past days, and it takes just a little over a minute for a<br>
10.000 account registration scan.<br>
<br>
Philipp<br>
</blockquote></p>
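<p>An added example, not part of the original messages and not Asterisk code: the per-account user agent and source address check discussed in this thread, written in Python, with the version part of the User-Agent ignored so that a softphone upgrade does not trip it. The account table, the function names and the sample User-Agent strings and addresses are constructed for illustration.</p>

```python
import ipaddress

# Constructed account table (assumption): for each SIP account, the locked
# product name from the User-Agent header and the networks it may use.
ACCOUNTS = {
    "1001": {"agent": "x-lite", "networks": ["0.0.0.0/0"]},      # roaming softphone
    "1002": {"agent": "snom320", "networks": ["192.0.2.0/24"]},  # hardphone, fixed site
}

# Words that introduce a version in a User-Agent string.
_VERSION_WORDS = {"release", "version", "build", "stamp", "rev"}


def product_name(user_agent):
    """Return the product part of a User-Agent, lowercased, without versions."""
    head = user_agent.strip().split("/", 1)[0]  # "snom320/8.7.3.10" -> "snom320"
    kept = []
    for token in head.split():
        # Stop at the first version keyword or token that starts with a digit.
        if token.lower() in _VERSION_WORDS or token[0].isdigit():
            break
        kept.append(token.lower())
    return " ".join(kept)


def check_registration(account, user_agent, source_ip):
    """Compare a registration attempt with the stored account data."""
    entry = ACCOUNTS.get(account)
    if entry is None:
        return "reject: unknown account"
    addr = ipaddress.ip_address(source_ip)
    if not any(addr in ipaddress.ip_network(net) for net in entry["networks"]):
        return "reject: source address not allowed"
    if product_name(user_agent) != entry["agent"]:
        # The header is client-supplied, so this is a tripwire for the
        # admin, not authentication; the password still does that job.
        return "alert: user agent changed"
    return "ok"


if __name__ == "__main__":
    # Constructed attempts: an upgraded softphone, then a different client.
    print(check_registration("1001", "X-Lite 4.9.8 84253", "198.51.100.9"))
    print(check_registration("1001", "SomeOtherClient 2.1", "198.51.100.9"))
```

<p>Writing each non-"ok" result to a log line with the source address gives fail2ban something to match on.</p>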