Comments on: Seven Steps to Better SIP Security with Asterisk

By: marvinek

marvinek — Mon, 07 Nov 2011 13:16:06 +0000

To protect against massive attacks — I use the linux iptables string matching ability to count registrations/invites an when the ip exceeds allowed limits it is banned. It is IMHO not a good idea to let asterisk to protect himself since it will allways be more cpu consuming than to use firewall. it works for me on large sites (hundrets of peers). I can share details of my setup if anyone interested
marv

By: Asterisk General | Tip #1: Use non-numeric usernames | All Things VoIP - VoIP Phones, VoIP Products, VoIP Services, etc...

Tue, 02 Aug 2011 15:15:28 +0000

[...] in parts of this book we use the MAC address of a SIP phone as its account name in Asterisk.From http://blogs.digium.com/2009/03/28/sip-security/ :Quote:Make your SIP usernames different than your extensions.How can digium make such statements [...]

By: Asterisk General | Re: YOU MUST READ THE SECURITY DOCUMENT | All Things VoIP - VoIP Phones, VoIP Products, VoIP Services, etc...

Fri, 08 Jul 2011 17:04:56 +0000

[...] base directory of the sources. quite some valuable info thereYeah, the doc contains references to http://blogs.digium.com/2009/03/28/sip-security/ and also suggests using type= friend for your phones. I think I will pass Statistics : Posted by [...]

By: Asterisk General | Re: Fail2ban: False sense of security | All Things VoIP - VoIP Phones, VoIP Products, VoIP Services, etc...

Wed, 06 Jul 2011 21:50:22 +0000

[...] General | Re: Fail2ban: False sense of security Posted on July 6, 2011 by malcolmd thor wrote:http://blogs.digium.com/2009/03/28/sip-security/Yup, I remember that. I did some searching before responding and that came up. I didn't consider [...]

By: Tim Osman

Tim Osman — Wed, 06 Jul 2011 16:36:20 +0000

This writeup is getting old pretty fast.

i) there was AST-2011-003 which 4) did nothing to prevent.

ii) fail2ban is a useless tool for blocking bruteforce attacks which do not use REGISTER methods.

iii) point 6) is rather problematic with people using config managers like FreePBX. This is wishful thinking at its finest.

iiii) point 2) does nothing to prevent extension scanning. It is possible the patch from AST-2011-011 did fix the problem.

By: Chris

Chris — Tue, 30 Nov 2010 00:24:38 +0000

Some nice information, I am a home user but I am glade I had done some of this before I read this, I have added some points. Other parts well I might save them when I allow access from outside my private LAN. One thing I would like to see is a delay in the fail response or even better a progressive back off per IP i.e. first error is normal, then say 500ms then 1s then 2s 4s and so on. When I am hit I see over 100 attempts in a second faster than the fail2ban can respond although I am trying to improve this. If posible being able to do what fail2ban does from within asterisk i.e. send failure info to a module that can record the IP etc and trigger external events if triggers are met.

By: jtodd

jtodd — Thu, 14 Oct 2010 14:49:50 +0000

Jeff – I don’t know precisely how one would do that in FreePBX. The problem is that FreePBX doesn’t really let you get under the hood as much as I am typically used to. There are limits in later versions of Asterisk in the sip.conf file, but I’d do it “manually” by creating a group that has counters associated with it in the dialplan.

By: Jeff

Jeff — Thu, 14 Oct 2010 04:28:46 +0000

You said, ‘It’s good practice to give a non-numeric, unrelated authentication name to your SIP entries that is different from the numeric extension that people typically use to call that “device”.’ But as far as I know it’s now possible to do that when using FreePBX, and a LOT of Asterisk users also use FreePBX.

The biggest problem many of us have is the remote extension (not sitting on your LAN, but somewhere else out on the wide open Internet) that is at some random IP address that could change at the whim of the user’s ISP (or, if the user moves, even if only temporarily). In some cases the authentication name and the password were programmed into the phone and device before they were given/sent to the user, so there’s no way to change them, and trying to talk the user through changing them would be an exercise in frustration. One tool I have wished for is something that would at least allow geographic blocking, so that if you have a user in Minnesota and you get a connection from Nigeria purporting to be that user, you can kick them off and ban them, even if they authenticate correctly. One example of a way to do this is shown at http://michigantelephone.wordpress.com/2010/07/07/geolock-%E2%80%94-a-perl-script-for-asterisk-or-freepbx-users-to-enhance-security/ but as written it only allows limitation by country (so while you could maybe shut down the user from Nigeria, you might not be able to give the boot to a hacker from Utah), and it doesn’t update its database automatically. Also, it’s a Perl script, and I think many users find Perl a bit difficult to work with).

Finally, I’m confused by your fifth item. How do you “Allow only one or two calls at a time per SIP entity, where possible.” IS that even possible when FreePBX is used?

By: Is your Asterisk Server Secure? « DIDForSale

Is your Asterisk Server Secure? « DIDForSale — Mon, 06 Sep 2010 04:24:13 +0000

[...] link has nice tips. http://blogs.digium.com/2009/03/28/sip-security/ Here I copy pasted important steps. 1) Don’t accept SIP authentication requests from all IP [...]

By: Nerd Vittles » Avoiding the $100,000 Phone Bill: A Primer on Asterisk Security

Mon, 12 Jul 2010 20:50:34 +0000

[...] Digium Weighs In. Since this article first appeared, Digium has released its own set of tips on SIP security. By all means, have a look! [...]