<div>Hmmm, if alwaysauthreject is already breaking RFC rules then why not break another rule for the greater good? It would only add another layer of security. </div><div><br></div><div>Maybe: <b>alwaysregreject=yes</b></div>
<div><b><br></b></div><div>*To drop SIP packets for both unauthorized registers and anonymous calls. Keep it off by default and then allow users to turn it on if they want to.</div>
<div><br></div><div>To be fair to OP, using Asterisk with open ports to the world is a legit use of Asterisk even if most of us don't employ it that way or use it solely with closed networks (VPN, etc...). There are many people who would benefit from a security feature that would simply ignore unauthorized registers and anonymous calls.</div>
<div><br></div><div>OP is suggesting an improvement to Asterisk; maybe people should weigh options and see if it's time to act more on the security side or not. There is no question that if a hacker knows there is a SIP server then they will keep the IP on the list for later use or share it with colleagues even if it seems secure right now. A DDoS is always a possibility, and that is something you can't save yourself from at all.</div>
<div><br></div><div>Right now the situation is more like this:</div><div><br></div><div><b>Knock Knock:</b></div><div><b>Owner: </b>Who's there?</div><div><b>Thief:</b> This is Mr. X from China, and I am here to steal your TV.</div>
<div><b>Owner: </b>Hi, I am James Smith, 45, 190lbs and I have a nice laptop as well but I am home now and I can't let you in.</div><div><b>Thief (laughing):</b> No problem, I will come back at midnight when you are sleeping :-)</div>
<div><br></div><div>- Bruce</div><div><br></div><div><br></div><div><br><div class="gmail_quote">On Wed, Jul 27, 2011 at 2:20 PM, Matthew J. Roth <span dir="ltr"><<a href="mailto:mroth@imminc.com" target="_blank">mroth@imminc.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div>Kevin P. Fleming wrote:<br>
><br>
> 'alwaysauthreject' is not incompliant with any RFCs; the RFCs define<br>
> response codes that *can* be used to indicate (for example) that the<br>
> Request URI does not represent a target known to the receiver (404 Not<br>
> Found), but does not mandate that the server respond with that code in<br>
> that situation.<br>
<br>
<br>
</div>Kevin,<br>
<br>
Thanks for the correction and I apologize if I'm propagating a<br>
misconception. Am I misunderstanding this Asterisk Security Advisory?<br>
<br>
<a href="http://lists.digium.com/pipermail/asterisk-announce/2009-April/000177.html" target="_blank">http://lists.digium.com/pipermail/asterisk-announce/2009-April/000177.html</a><br>
<br>
In 2006, the Asterisk maintainers made it more difficult<br>
to scan for valid SIP usernames by implementing an<br>
option called "alwaysauthreject"...<br>
<br>
...What we have done is to carefully emulate exactly the<br>
same responses throughout possible dialogs, which should<br>
prevent attackers from gleaning this information. All<br>
invalid users, if this option is turned on, will receive<br>
the same response throughout the dialog, as if a<br>
username was valid, but the password was incorrect.<br>
<br>
It is important to note several things. First, this<br>
vulnerability is derived directly from the SIP<br>
specification, and it is a technical violation of RFC<br>
3261 (and subsequent RFCs, as of this date), for us to<br>
return these responses...<br>
<br>
I am asking out of genuine curiosity, because I trust your assessment<br>
more than my interpretation of the advisory.<br>
<br>
Thank you,<br>
<div><br>
Matthew Roth<br>
InterMedia Marketing Solutions<br>
Software Engineer and Systems Developer<br>
<br>
--<br>
_____________________________________________________________________<br>
</div><div><div></div><div>-- Bandwidth and Colocation Provided by <a href="http://www.api-digital.com" target="_blank">http://www.api-digital.com</a> --<br>
New to Asterisk? Join us for a live introductory webinar every Thurs:<br>
<a href="http://www.asterisk.org/hello" target="_blank">http://www.asterisk.org/hello</a><br>
<br>
asterisk-users mailing list<br>
To UNSUBSCRIBE or update options visit:<br>
<a href="http://lists.digium.com/mailman/listinfo/asterisk-users" target="_blank">http://lists.digium.com/mailman/listinfo/asterisk-users</a><br>
</div></div></blockquote></div><br></div>
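<div>The thread above argues about what a registrar should send back to a REGISTER it cannot authenticate. The following is an added example, not code from the mailing-list posts or from Asterisk itself: a small Python model of three response policies for a failed REGISTER. "default" answers 404 for an unknown username and 401 for a known one with a bad password; "alwaysauthreject" answers 401 in both cases, which is the uniform-response behaviour the quoted advisory describes; and "drop" sends nothing back at all, modelling the hypothetical option Bruce proposes (it is not an Asterisk setting). The account table, the function names and the probe list are all constructed for the illustration. The scanner routine shows what each policy leaks to someone probing with wrong passwords.</div>

```python
"""
Added example, not from the asterisk-users thread or the Asterisk project:
a model of how a SIP registrar's reply to a failed REGISTER does or does
not let a scanner tell valid usernames from invalid ones.
"""
from collections import namedtuple

# Constructed account table for the illustration: username -> password.
ACCOUNTS = {"1001": "s3cret", "1002": "hunter2"}

SipResponse = namedtuple("SipResponse", "code reason")
OK = SipResponse(200, "OK")
NOT_FOUND = SipResponse(404, "Not Found")
UNAUTHORIZED = SipResponse(401, "Unauthorized")


def handle_register(username, password, policy="default"):
    """Return the response a registrar sends to a REGISTER, or None if
    the packet is silently discarded.

    policy:
      "default"          404 for an unknown user, 401 for a bad password
      "alwaysauthreject" 401 for both (uniform, as the advisory describes)
      "drop"             no response to any failed REGISTER; hypothetical,
                         models the option proposed in the thread
    """
    if username in ACCOUNTS and ACCOUNTS[username] == password:
        return OK
    if policy == "drop":
        return None  # nothing goes back on the wire
    if policy == "default" and username not in ACCOUNTS:
        return NOT_FOUND
    return UNAUTHORIZED


def scan(candidates, policy="default"):
    """Model a scanner: send each candidate name with a wrong password and
    record the response code, or None when nothing came back."""
    results = {}
    for name in candidates:
        resp = handle_register(name, "wrong-password", policy)
        results[name] = resp.code if resp is not None else None
    return results


def leaked_usernames(scan_results):
    """Names the scan reveals as existing.

    The tell is a response that differs from the 404 unknown names get.
    If every probe got the same answer (or no answer at all) the server
    leaked nothing, so the result is empty.
    """
    if len(set(scan_results.values())) < 2:
        return []
    return sorted(n for n, c in scan_results.items() if c != 404)


if __name__ == "__main__":
    probes = ["1000", "1001", "1002", "1003", "admin"]
    for policy in ("default", "alwaysauthreject", "drop"):
        results = scan(probes, policy)
        print("%-17s responses=%s leaked=%s"
              % (policy, results, leaked_usernames(results)))
```

<div>Run it and the "default" policy hands the scanner the two real accounts, while both "alwaysauthreject" and "drop" leak nothing from a wrong-password sweep. The caveat the model also makes visible: "drop" gives the same silence to a legitimate phone that mistyped its password, so the client gets no 401 to react to, and any attacker who already holds one valid credential still gets a 200 OK that confirms the server is there.</div>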