<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<style>
<!--
/* Font Definitions */
@font-face
        {font-family:"MS Gothic";
        panose-1:2 11 6 9 7 2 5 8 2 4;}
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
        {font-family:"MS Gothic";
        panose-1:2 11 6 9 7 2 5 8 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0mm;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
p
        {mso-style-priority:99;
        mso-margin-top-alt:auto;
        margin-right:0mm;
        mso-margin-bottom-alt:auto;
        margin-left:0mm;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
span.18
        {mso-style-type:personal-reply;
        font-family:"Arial","sans-serif";
        color:#1F497D;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-size:10.0pt;}
@page WordSection1
        {size:612.0pt 792.0pt;
        margin:99.25pt 30.0mm 30.0mm 30.0mm;}
div.WordSection1
        {page:WordSection1;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026">
<v:textbox inset="5.85pt,.7pt,5.85pt,.7pt" />
</o:shapedefaults></xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang=JA link=blue vlink=purple>
<div class=WordSection1>
<p class=MsoNormal><span lang=EN-US style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:#1F497D'>Well, I'm not sure actually. I was attacked in June by
someone who racked up between $800 and $900 in international calls to places in
the middle of Africa, Korea, etc. So, I am motivated to secure this. I have
made it much much more secure, definitely, but am looking for as many ways to
further lock this down as possible.<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:#1F497D'>I figure that I should filter every field that someone could
possibly interact with Asterisk in case they send characters that might breach
security and allow them some kind of access. Symbols like the ampersand
(&amp;), comma (,), forward slash (/), at (@), pipe (|), etc. I would guess
could be bad.<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:#1F497D'>Someone from Amsterdam was trying to register yesterday using an
automated program which tried roughly 1,000 or so username password
combinations before I shut asterisk down and added his/her ip to iptables to
drop it. I wonder if I can configure the system to automatically detect such an
attack in progress (e.g., 1,000+ registration failures from the same ip is an
'attack') and add the ip's to iptables, hosts.deny, etc. on the
fly. That might be another topic I guess?<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:#1F497D'>This experience has emphasized the importance of securing the
system and security in asterisk in general.<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:#1F497D'>Any insight on this would be really appreciated!<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:#1F497D'>Thanks!!<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0mm 0mm 0mm'>
<p class=MsoNormal><b><span lang=EN-US style='font-size:10.0pt;font-family:
"Tahoma","sans-serif"'>From:</span></b><span lang=EN-US style='font-size:10.0pt;
font-family:"Tahoma","sans-serif"'> asterisk-users-bounces@lists.digium.com
[mailto:asterisk-users-bounces@lists.digium.com] <b>On Behalf Of </b>mike
mosier<br>
<b>Sent:</b> Saturday, August 07, 2010 11:52 AM<br>
<b>To:</b> Asterisk Users Mailing List - Non-Commercial Discussion<br>
<b>Subject:</b> Re: [asterisk-users] Security - What inbound variables can
attackers populate or use when calling?<o:p></o:p></span></p>
</div>
<p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p>
<p><span lang=EN-US>What kind of attack can they perform calling in?<o:p></o:p></span></p>
<p><span lang=EN-US>On Aug 6, 2010 1:12 AM, &lt;<a
href="mailto:jwexler@mail.usa.com">jwexler@mail.usa.com</a>&gt; wrote:<br>
> I am setting filters, etc. on variables that attackers can send asterisk<br>
> when they call (for example when they initially call into asterisk).<br>
> <br>
> So far, I am filtering:<br>
> <br>
> exten<br>
> <br>
> CALLERID(name)<br>
> <br>
> CALLERID(num)<br>
> <br>
> <br>
> <br>
> What other fields or variables would an attacker be able to use in the<br>
> packets that they send when placing the call to asterisk?<br>
> <br>
> <br>
> <br>
> Further, I am assuming that in the case that an attacker, first, simply<br>
> dials in normally and then after reaching voice prompts or other, starts<br>
> his/her attack, then all I need to filter in that case is exten. Anything<br>
> else here as well?<br>
> <br>
> <br>
> <br>
> Thanks!!<br>
> <o:p></o:p></span></p>
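<p class=MsoNormal><span lang=EN-US>Added example (not part of the original e-mail thread): one way to detect the registration brute force described in the reply at the top, by counting chan_sip registration failures per source IP in a sliding window and rendering iptables DROP rules for review. The log line format (Asterisk 1.6 style), threshold, window, year and sample lines are assumptions, and the function names are hypothetical.</span></p>
<pre>
```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed Asterisk 1.6-style chan_sip line; check it against your own log.
# The From header in the first quotes is caller-controlled, so the pattern is
# anchored at both ends and greedy: only the LAST "failed for" field is used.
FAIL_RE = re.compile(
    r"^\[(\w{3} +\d+ \d\d:\d\d:\d\d)\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '.*' failed for '([0-9.]+)(?::\d+)?' - [^']*$"
)

def find_attackers(lines, threshold=20, window=timedelta(minutes=5), year=2010):
    """Return source IPs with at least `threshold` failures inside `window`."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    flagged = []
    for line in lines:
        m = FAIL_RE.match(line.rstrip("\n"))
        if not m:
            continue
        try:
            ip = str(ipaddress.IPv4Address(m.group(2)))
        except ValueError:
            continue              # never pass unvalidated log text to a firewall
        # The log line carries no year, so one is supplied (assumption).
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        hits = recent[ip]
        hits.append(ts)
        while ts - hits[0] > window:
            hits.popleft()
        if len(hits) >= threshold and ip not in flagged:
            flagged.append(ip)
    return flagged

def drop_rules(ips):
    """Render (not run) one iptables DROP rule per flagged address."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in ips]

def sample_log():
    """Constructed log: a burst from one IP, a spoof attempt, a single typo."""
    burst = [f"[Aug  7 10:15:{s:02d}] NOTICE[2578] chan_sip.c: Registration from "
             f"'sip:{100 + s}@pbx.example.test' failed for '198.51.100.23' - Wrong password"
             for s in range(25)]
    spoof = [f"[Aug  7 10:16:{s:02d}] NOTICE[2578] chan_sip.c: Registration from "
             "'sip:x' failed for '192.0.2.1' - Wrong password' failed for "
             "'203.0.113.9' - No matching peer found" for s in range(25)]
    typo = ["[Aug  7 10:20:00] NOTICE[2578] chan_sip.c: Registration from "
            "'sip:200@pbx.example.test' failed for '192.0.2.77' - Wrong password"]
    return burst + spoof + typo
```
</pre>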
</div>
</body>
</html>