[AsteriskBrasil] WeFone Seguro na Web

[Glauber]

Seguinte, a própria digium aponta alguns pontos de vurabilidade que devem ser visto em uma aplicação asterisk que roda em uma rede púlica, tenho em inglês mas da pra ter noção de algumas coisas, eu sempre foco a mais importante de todas que é :    allowguest=no  setado no general do  sip.conf usado para não permitir ligações de usuários serm credenciais..mas todas devem ser estudadas.... segue abaixo..

 

 

Seven Easy Steps to Better SIP Security on Asterisk:

 

1) Don’t accept SIP authentication requests from all IP addresses. Use the “permit=� and

“deny=� lines in sip.conf to only allow a reasonable subset of IP addresess to reach each

listed extension/user in your sip.conf file. Even if you accept inbound calls from

“anywhere� (via [default]) don’t let those users reach authenticated elements!

 

2) Set “alwaysauthreject=yes� in your sip.conf file. This option has been around for a

while (since 1.2?) but the default is “no�, which allows extension information leakage.

Setting this to “yes� will reject bad authentication requests on valid usernames with the same

rejection information as with invalid usernames, denying remote attackers the ability to detect

existing extensions with brute-force guessing attacks.

 

3) Use STRONG passwords for SIP entities. This is probably the most important step you

can take. Don’t just concatenate two words together and suffix it with “1″ – if you’ve seen

how sophisticated the tools are that guess passwords, you’d understand that trivial

obfuscation like that is a minor hinderance to a modern CPU. Use symbols, numbers, and a

mix of upper and lowercase letters at least 12 digits long.

 

4) Block your AMI manager ports. Use “permit=� and “deny=� lines in manager.conf to

reduce inbound connections to known hosts only. Use strong passwords here, again at least

12 characters with a complex mix of symbols, numbers, and letters.

 

5) Allow only one or two calls at a time per SIP entity, where possible. At the worst,

limiting your exposure to toll fraud is a wise thing to do. This also limits your exposure when

Seven Steps to Better SIP Security with Asterisk | Digium - The Asterisk Company ... Página 1 de 2

http://blogs.digium.com/2009/03/28/sip-security/ 25/02/2010

legitimate password holders on your system lose control of their passphrase – writing it on the

bottom of the SIP phone, for instance, which I’ve seen.

 

6) Make your SIP usernames different than your extensions. While it is convenient to

have extension “1234″ map to SIP entry “1234″ which is also SIP user “1234″, this is an easy

target for attackers to guess SIP authentication names. Use the MAC address of the device,

or some sort of combination of a common phrase + extension MD5 hash (example: from a

shell prompt, try “md5 -s ThePassword5000″)

 

7) Ensure your [default] context is secure. Don’t allow unauthenticated callers to reach any

contexts that allow toll calls. Permit only a limited number of active calls through your

default context (use the “GROUP� function as a counter.) Prohibit unauthenticated calls

entirely (if you don’t want them) by setting “allowguest=no� in the [general] part of sip.conf.

These 7 basics will protect most people, but there are certainly other steps you can take that are

more complex and reactive. Here is a fail2ban recipe which might allow you to ban endpoints

based on volume of requests. There is discussion on the asterisk-user and asterisk-dev mailing

lists of incorporating this type of functionality into Asterisk – let’s hear your ideas!

If you’d like to see an example of the tools that you’re up against, see this demo video of an

automated attack tool that does scan, guess, and crack methods via a click-and-drool interface.

In summary: basic security measures will protect you against the vast majority of SIP-based bruteforce

attacks. Most of the SIP attackers are fools with tools – they are opportunists who see an

easy way to defraud people who have not considered the costs of insecure methods. Asterisk has

some methods to prevent the most obvious attacks from succeeding at the network level, but the

most effective method of protection are the administrative issues of password robustness and

username obscurity.

 

 

 

From: asteriskbrasil-bounces em listas.asteriskbrasil.org [mailto:asteriskbrasil-bounces em listas.asteriskbrasil.org] On Behalf Of Alexandre Ricardo Souza Silva
Sent: quarta-feira, 3 de março de 2010 22:40
To: asteriskbrasil em listas.asteriskbrasil.org
Subject: [AsteriskBrasil] WeFone Seguro na Web

 

Salve Galera,

 

                Preciso de uma ajuda de vcs,

 

                Tenho um site que os cliente entra e fala comigo ( WebFone) , um tempo atrás teve um pessoal da China tentando invadir a porta do meu asterisk , fechei a porta do serviço, até eu resolver uma maneira de deixar ativo e seguro esta porta.

 

                Estava pensando em colocar um Asterisk em um VmWare e fazer uma configuração trunk entre esta Vm com o meu Asterisk, caso ocorra algum tipo de invasão só vai conseguir discar de um asterisk para o outro e nada mais.

 

                Alguém já fez isso ou tem alguma dica para me ajudar neste problema.

 

                Fazendo isso acho que fica mais seguro o asterisk .

 

 

Fico no Aguardo

 

Abraço

Alexandre

-------------- Próxima Parte ----------
Um anexo em HTML foi limpo...
URL: http://listas.asteriskbrasil.org/pipermail/asteriskbrasil/attachments/20100304/aa2c978b/attachment-0001.htm