<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 14 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
        {font-family:TimesNewRomanPSMT;
        panose-1:0 0 0 0 0 0 0 0 0 0;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0cm;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
span.EmailStyle17
        {mso-style-type:personal-reply;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-size:10.0pt;}
@page WordSection1
        {size:612.0pt 792.0pt;
        margin:70.85pt 3.0cm 70.85pt 3.0cm;}
div.WordSection1
        {page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body bgcolor=white lang=PT-BR link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Here is the thing: Digium itself points out some vulnerability points that should be checked in an Asterisk installation running on a public network. I have it in English, but it gives you an idea of a few things. I always focus on the most important one of all, which is allowguest=no set in the [general] section of sip.conf, used to refuse calls from users without credentials. But all of them should be studied. See below.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal style='text-autospace:none'><b><span lang=EN-US style='color:black'>Seven Easy Steps to Better SIP Security on Asterisk:<o:p></o:p></span></b></p><p class=MsoNormal style='text-autospace:none'><b><span lang=EN-US style='color:black'><o:p> </o:p></span></b></p><p class=MsoNormal style='text-autospace:none'><b><span lang=EN-US style='color:black'>1) Don’t accept SIP authentication requests from all IP addresses. </span></b><span lang=EN-US style='font-family:"TimesNewRomanPSMT","serif";color:black'>Use the “permit=” and “deny=” lines in sip.conf to only allow a reasonable subset of IP addresses to reach each listed extension/user in your sip.conf file. 
Even if you accept inbound calls from “anywhere” (via [default]) don’t let those users reach authenticated elements!<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><b><span lang=EN-US style='color:black'><o:p> </o:p></span></b></p><p class=MsoNormal style='text-autospace:none'><b><span lang=EN-US style='color:black'>2) Set “alwaysauthreject=yes” in your sip.conf file. </span></b><span lang=EN-US style='font-family:"TimesNewRomanPSMT","serif";color:black'>This option has been around for a while (since 1.2?) but the default is “no”, which allows extension information leakage. Setting this to “yes” will reject bad authentication requests on valid usernames with the same rejection information as with invalid usernames, denying remote attackers the ability to detect existing extensions with brute-force guessing attacks.<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><b><span lang=EN-US style='color:black'><o:p> </o:p></span></b></p><p class=MsoNormal style='text-autospace:none'><b><span lang=EN-US style='color:black'>3) Use STRONG passwords for SIP entities. 
</span></b><span lang=EN-US style='font-family:"TimesNewRomanPSMT","serif";color:black'>This is probably the most important step you can take. Don’t just concatenate two words together and suffix it with “1” – if you’ve seen how sophisticated the tools are that guess passwords, you’d understand that trivial obfuscation like that is a minor hindrance to a modern CPU. Use symbols, numbers, and a mix of upper and lowercase letters at least 12 digits long.<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><b><span lang=EN-US style='color:black'><o:p> </o:p></span></b></p><p class=MsoNormal style='text-autospace:none'><b><span lang=EN-US style='color:black'>4) Block your AMI manager ports. </span></b><span lang=EN-US style='font-family:"TimesNewRomanPSMT","serif";color:black'>Use “permit=” and “deny=” lines in manager.conf to reduce inbound connections to known hosts only. 
Use strong passwords here, again at least 12 characters with a complex mix of symbols, numbers, and letters.<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><b><span lang=EN-US style='color:black'><o:p> </o:p></span></b></p><p class=MsoNormal style='text-autospace:none'><b><span lang=EN-US style='color:black'>5) Allow only one or two calls at a time per SIP entity, where possible. </span></b><span lang=EN-US style='font-family:"TimesNewRomanPSMT","serif";color:black'>At the worst, limiting your exposure to toll fraud is a wise thing to do. This also limits your exposure when legitimate password holders on your system lose control of their passphrase – writing it on the bottom of the SIP phone, for instance, which I’ve seen.<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span lang=EN-US style='font-family:"TimesNewRomanPSMT","serif";color:black'>(Source: Seven Steps to Better SIP Security with Asterisk | Digium - The Asterisk Company, http://blogs.digium.com/2009/03/28/sip-security/, 25/02/2010)<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><b><span lang=EN-US style='color:black'><o:p> </o:p></span></b></p><p class=MsoNormal style='text-autospace:none'><b><span lang=EN-US style='color:black'>6) Make your SIP usernames different than your extensions. </span></b><span lang=EN-US style='font-family:"TimesNewRomanPSMT","serif";color:black'>While it is convenient to have extension “1234” map to SIP entry “1234” which is also SIP user “1234”, this is an easy target for attackers to guess SIP authentication names. 
Use the MAC address of the device, or some sort of combination of a common phrase + extension MD5 hash (example: from a shell prompt, try “md5 -s ThePassword5000”)<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><b><span lang=EN-US style='color:black'><o:p> </o:p></span></b></p><p class=MsoNormal style='text-autospace:none'><b><span lang=EN-US style='color:black'>7) Ensure your [default] context is secure. </span></b><span lang=EN-US style='font-family:"TimesNewRomanPSMT","serif";color:black'>Don’t allow unauthenticated callers to reach any contexts that allow toll calls. Permit only a limited number of active calls through your default context (use the “GROUP” function as a counter.) Prohibit unauthenticated calls entirely (if you don’t want them) by setting “allowguest=no” in the [general] part of sip.conf.<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><b><span lang=EN-US style='color:black'><o:p> </o:p></span></b></p><p class=MsoNormal style='text-autospace:none'><span lang=EN-US style='font-family:"TimesNewRomanPSMT","serif";color:black'>These 7 basics will protect most people, but there are certainly other steps you can take that are more complex and reactive. 
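</span></p><p class=MsoNormal style='text-autospace:none'><span lang=EN-US style='font-family:"TimesNewRomanPSMT","serif";color:black'>Added example (not part of the Digium post nor of this list message): the seven steps above written out in the three Asterisk configuration files they touch, using chan_sip options of the Asterisk 1.4/1.6 generation. The peer name (a phone MAC address), both secrets, the 192.168.10.0/24 office range, the extension numbers and the “trunk-provider” peer are constructed sample values; the GROUP/GROUP_COUNT counter in [default] is defence in depth, since allowguest=no already turns unauthenticated calls away before they reach that context.<o:p></o:p></span></p><pre>
```ini
; --- sip.conf (chan_sip) ---
[general]
context=default            ; calls that match no peer land here, never in an internal context
allowguest=no              ; step 7: refuse calls that carry no credentials at all
alwaysauthreject=yes       ; step 2: identical rejection for unknown and for known usernames

; step 6: the SIP auth name is the phone's MAC address, not the extension number
; (peer name, secret and address range are constructed sample values)
[0004f2a1b2c3]
type=friend
host=dynamic
secret=Xv7#qL2!pRm9$wT4    ; step 3: 16 characters, upper/lower case, digits, symbols
context=internal           ; only authenticated phones reach the toll-capable context
call-limit=2               ; step 5: at most two simultaneous calls for this entity
deny=0.0.0.0/0.0.0.0       ; step 1: deny everyone ...
permit=192.168.10.0/255.255.255.0   ; ... then permit only the office LAN (sample range)

; --- manager.conf (AMI) ---
[general]
enabled=yes
port=5038
bindaddr=127.0.0.1         ; step 4: loopback only unless a remote AMI client is really needed

[monitor]                  ; sample AMI account for a local, read-only monitoring script
secret=Hq8^zN3!dKf5&yB2    ; step 4: at least 12 mixed characters
deny=0.0.0.0/0.0.0.0
permit=127.0.0.1/255.255.255.255
read=call,log              ; no write= line: this account cannot originate or control calls

; --- extensions.conf ---
; step 7: [default] reaches one reception number only, no trunk Dial() here, and
; GROUP/GROUP_COUNT cap the number of simultaneous calls that come through it
[default]
exten => 100,1,Set(GROUP()=guests)
exten => 100,n,GotoIf($[${GROUP_COUNT(guests)} > 2]?busy)
exten => 100,n,Dial(SIP/0004f2a1b2c3,20)
exten => 100,n,Hangup()
exten => 100,n(busy),Congestion(5)
exten => _X.,1,Congestion(5)        ; anything else from an unauthenticated caller is refused
exten => _X.,n,Hangup()

[internal]
; authenticated phones only; this is the only context that may reach the trunk
exten => _0.,1,Dial(SIP/trunk-provider/${EXTEN:1},60)   ; "trunk-provider" is a hypothetical peer
exten => _0.,n,Hangup()
```
</pre><p class=MsoNormal style='text-autospace:none'><span lang=EN-US style='font-family:"TimesNewRomanPSMT","serif";color:black'>With deny= listed before permit= in each peer, a REGISTER or INVITE from outside the permitted range is turned away by the ACL rather than by the password check, and alwaysauthreject=yes keeps the rejection for an existing peer name indistinguishable from that for a non-existent one. The GROUP_COUNT test refuses the third concurrent guest call because the current channel is counted too.<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span lang=EN-US style='font-family:"TimesNewRomanPSMT","serif";color:black'>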
Here is a </span><span lang=EN-US style='font-family:"TimesNewRomanPSMT","serif";color:#0065CD'>fail2ban recipe </span><span lang=EN-US style='font-family:"TimesNewRomanPSMT","serif";color:black'>which might allow you to ban endpoints based on volume of requests. There is discussion on the asterisk-user and asterisk-dev mailing lists of incorporating this type of functionality into Asterisk – let’s hear your ideas!<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span lang=EN-US style='font-family:"TimesNewRomanPSMT","serif";color:black'>If you’d like to see an example of the tools that you’re up against, see </span><span lang=EN-US style='font-family:"TimesNewRomanPSMT","serif";color:#0065CD'>this demo video </span><span lang=EN-US style='font-family:"TimesNewRomanPSMT","serif";color:black'>of an automated attack tool that does scan, guess, and crack methods via a click-and-drool interface.<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span lang=EN-US style='font-family:"TimesNewRomanPSMT","serif";color:black'>In summary: basic security measures will protect you against the vast majority of SIP-based brute-force attacks. 
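</span></p><p class=MsoNormal style='text-autospace:none'><span lang=EN-US style='font-family:"TimesNewRomanPSMT","serif";color:black'>The fail2ban recipe linked above did not survive in this copy of the post. As an added example (not the Digium recipe and not part of this list message), here is a filter and jail of the kind that sentence describes. It assumes Asterisk writes its NOTICE messages to /var/log/asterisk/messages and that fail2ban ships the iptables-allports action; the two log lines are constructed samples in the chan_sip format of Asterisk 1.4/1.6, and the optional (:\d+)? after the host placeholder allows for later versions that log the source port as well.<o:p></o:p></span></p><pre>
```ini
# /var/log/asterisk/messages: two constructed sample lines in the format chan_sip
# (Asterisk 1.4/1.6) writes for a failed REGISTER; logger.conf must route "notice"
# to this file, e.g.  messages => notice,warning,error
#
#   [Mar  3 22:40:01] NOTICE[2310] chan_sip.c: Registration from '"100" &lt;sip:100@203.0.113.5&gt;' failed for '203.0.113.5' - Wrong password
#   [Mar  3 22:40:02] NOTICE[2310] chan_sip.c: Registration from '"101" &lt;sip:101@203.0.113.5&gt;' failed for '203.0.113.5' - No matching peer found

# /etc/fail2ban/filter.d/asterisk.conf
# &lt;HOST&gt; is fail2ban's placeholder for the address to ban; (:\d+)? absorbs the
# source port that later chan_sip versions append after the address
[Definition]
failregex = NOTICE.*: Registration from '.*' failed for '&lt;HOST&gt;(:\d+)?' - Wrong password
            NOTICE.*: Registration from '.*' failed for '&lt;HOST&gt;(:\d+)?' - No matching peer found
            NOTICE.*: Registration from '.*' failed for '&lt;HOST&gt;(:\d+)?' - Username/auth name mismatch
            NOTICE.*: Registration from '.*' failed for '&lt;HOST&gt;(:\d+)?' - Device does not match ACL
            NOTICE.*: Registration from '.*' failed for '&lt;HOST&gt;(:\d+)?' - Peer is not supposed to register
            NOTICE.*: No registration for peer '.*' \(from &lt;HOST&gt;(:\d+)?\)
            NOTICE.*: Host &lt;HOST&gt;(:\d+)? failed MD5 authentication for '.*'
ignoreregex =

# /etc/fail2ban/jail.local
# five failures from one address within ten minutes ban it on all ports for one hour
[asterisk]
enabled  = yes
filter   = asterisk
action   = iptables-allports[name=ASTERISK, protocol=all]
logpath  = /var/log/asterisk/messages
maxretry = 5
findtime = 600
bantime  = 3600
```
</pre><p class=MsoNormal style='text-autospace:none'><span lang=EN-US style='font-family:"TimesNewRomanPSMT","serif";color:black'>Both sample lines come from the same address, so with the jail above a scanner that keeps guessing is banned after its fifth failure. Note that alwaysauthreject=yes (step 2) does not change these log messages: the difference between “Wrong password” and “No matching peer found” stays visible to the administrator in the log while the SIP reply sent back to the caller is the same in both cases.<o:p></o:p></span></p><p class=MsoNormal style='text-autospace:none'><span lang=EN-US style='font-family:"TimesNewRomanPSMT","serif";color:black'>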
Most of the SIP attackers are fools with tools – they are opportunists who see an easy way to defraud people who have not considered the costs of insecure methods. Asterisk has some methods to prevent the most obvious attacks from succeeding at the network level, but the most effective methods of protection are the administrative issues of password robustness and username obscurity.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> asteriskbrasil-bounces@listas.asteriskbrasil.org [mailto:asteriskbrasil-bounces@listas.asteriskbrasil.org] <b>On Behalf Of </b>Alexandre Ricardo Souza Silva<br><b>Sent:</b> Wednesday, 3 March 2010 22:40<br><b>To:</b> asteriskbrasil@listas.asteriskbrasil.org<br><b>Subject:</b> [AsteriskBrasil] Secure WeFone on the Web<o:p></o:p></span></p></div></div><p 
class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Hi folks,</span><o:p></o:p></p></div><div><p class=MsoNormal> <o:p></o:p></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>I need some help from you.</span><o:p></o:p></p></div><div><p class=MsoNormal> <o:p></o:p></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>I have a website where customers come in and talk to me (WebFone). A while ago some people from China were trying to break into my Asterisk port, so I closed the service port until I work out a way to keep this port open and secure.</span><o:p></o:p></p></div><div><p class=MsoNormal> <o:p></o:p></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>I was thinking of putting an Asterisk in a VMware VM and setting up a trunk between that VM and my Asterisk, so that if some kind of break-in happens they would only be able to dial from one Asterisk to the other and nothing more.</span><o:p></o:p></p></div><div><p class=MsoNormal> <o:p></o:p></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Has anyone done this, or does anyone have a tip to help me with this problem?</span><o:p></o:p></p></div><div><p class=MsoNormal> <o:p></o:p></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Doing this, I think the Asterisk becomes more secure.</span><o:p></o:p></p></div><div><p class=MsoNormal> <o:p></o:p></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>I look forward to hearing from you.</span><o:p></o:p></p></div><div><p class=MsoNormal> <o:p></o:p></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Cheers,</span><o:p></o:p></p></div><div><p class=MsoNormal><span 
style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Alexandre</span><o:p></o:p></p></div></div></body></html>