Re: [asterisk-users] Securing Asterisk - How to avoid sending, SIP/2.0 603 Declined
On 23/07/11 04:48, Bruce B wrote:
> Quote, /How do the users register to begin with, if their REGISTER requests won't be processed unless their IP is already known to be a registrant? :-)/
>
> Well, unfortunately I don't have the luxury of knowing their IP and the closest I know is their IP range.

Then I don't understand what the point would be. You'll have to leave Asterisk responding to all Register requests (and to be fair all the attacks I've seen have been done by sending Register requests anyway).

I use OSSEC on my Asterisk systems to handle iptables rule generation on the fly. You could write your own rule(s) for that to block source IP addresses sending you Invites when they aren't Registered.

cheers,
Paul.

--
Bandwidth and Colocation Provided by http://www.api-digital.com
New to Asterisk? Join us for a live introductory webinar every Thurs: http://www.asterisk.org/hello
asterisk-users mailing list
To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [asterisk-users] Securing Asterisk - How to avoid sending, SIP/2.0 603 Declined
I think fail2ban can help in this issue.

Regards,
Mitesh Thakkar
+91 94279 07952
Yahoo: miteshthakkar...@yahoo.co.in
GTalk: mail.mthak...@gmail.com

On Sat, Jul 23, 2011 at 10:04 AM, Bruce B bruceb...@gmail.com wrote:
> Robert thanks for weighing in. So, you are saying that FreeSwitch on its own can tackle issues like this without the need of OpenSIPs? Can you elaborate please?
>
> Thanks
>
> On Sat, Jul 23, 2011 at 12:17 AM, Robert-iPhone rhuddles...@gmail.com wrote:
>> I like to put mine on 3389 hahaha just kidding. Personally I'm starting to convert to FreeSwitch - oops I had to say it. Security can be difficult and there are some good SBCs out there - just begs investment in technology - OH and bright staff
>>
>> Sent from my iPhone
>>
>> On Jul 23, 2011, at 12:09 AM, Steve Edwards asterisk@sedwards.com wrote:
>>> On Fri, 22 Jul 2011, Bruce B wrote:
>>>> 1- So, you are saying that either of OpenSER/Kamailio/OpenSIPS actually give me the full capability to the SIP stack to do the sort of thing I was asking for? And this can run on the same server as Asterisk is running?
>>>
>>> Configure OpenSIPS to listen to 5060 and Asterisk to listen to 5061.
>>>
>>> --
>>> Thanks in advance,
>>> - Steve Edwards sedwa...@sedwards.com Voice: +1-760-468-3867 PST
>>> Newline Fax: +1-760-731-3000
Re: [asterisk-users] Securing Asterisk - How to avoid sending, SIP/2.0 603 Declined
Not really. It's only good after DECLINED is sent.

On Sat, Jul 23, 2011 at 2:08 AM, Mitesh Thakkar mail.mthak...@gmail.com wrote:
> I think fail2ban can help in this issue.
>
> Regards,
> Mitesh Thakkar
> +91 94279 07952
> Yahoo: miteshthakkar...@yahoo.co.in
> GTalk: mail.mthak...@gmail.com
>
> On Sat, Jul 23, 2011 at 10:04 AM, Bruce B bruceb...@gmail.com wrote:
>> Robert thanks for weighing in. So, you are saying that FreeSwitch on its own can tackle issues like this without the need of OpenSIPs? Can you elaborate please?
>>
>> Thanks
>>
>> On Sat, Jul 23, 2011 at 12:17 AM, Robert-iPhone rhuddles...@gmail.com wrote:
>>> I like to put mine on 3389 hahaha just kidding. Personally I'm starting to convert to FreeSwitch - oops I had to say it. Security can be difficult and there are some good SBCs out there - just begs investment in technology - OH and bright staff
>>>
>>> Sent from my iPhone
>>>
>>> On Jul 23, 2011, at 12:09 AM, Steve Edwards asterisk@sedwards.com wrote:
>>>> On Fri, 22 Jul 2011, Bruce B wrote:
>>>>> 1- So, you are saying that either of OpenSER/Kamailio/OpenSIPS actually give me the full capability to the SIP stack to do the sort of thing I was asking for? And this can run on the same server as Asterisk is running?
>>>>
>>>> Configure OpenSIPS to listen to 5060 and Asterisk to listen to 5061.
>>>>
>>>> --
>>>> Thanks in advance,
>>>> - Steve Edwards sedwa...@sedwards.com Voice: +1-760-468-3867 PST
>>>> Newline Fax: +1-760-731-3000
Re: [asterisk-users] Securing Asterisk - How to avoid sending, SIP/2.0 603 Declined
On 11-07-23 12:34 AM, Bruce B wrote:
> Robert thanks for weighing in. So, you are saying that FreeSwitch on its own can tackle issues like this without the need of OpenSIPs? Can you elaborate please?

If true, I'd be curious to see how they accomplish it. I've never tried FreeSwitch but as more and more people mention it I should take some time to play with it.

However, from a SIP point of view, not replying to an INVITE message is not an option according to the SIP RFC[1]:

    13.3.1.3 The INVITE is Rejected

    A common scenario occurs when the callee is currently not willing or able to take additional calls at this end system. A 486 (Busy Here) SHOULD be returned in such a scenario. If the UAS knows that no other end system will be able to accept this call, a 600 (Busy Everywhere) response SHOULD be sent instead. However, it is unlikely that a UAS will be able to know this in general, and thus this response will not usually be used. The response is passed to the INVITE server transaction, which will deal with its retransmissions.

    A UAS rejecting an offer contained in an INVITE SHOULD return a 488 (Not Acceptable Here) response. Such a response SHOULD include a Warning header field value explaining why the offer was rejected.

[1] http://www.ietf.org/rfc/rfc3261.txt

--
Paul Belanger
Digium, Inc. | Software Developer
twitter: pabelanger | IRC: pabelanger (Freenode)
Check us out at: http://digium.com http://asterisk.org
Re: [asterisk-users] Securing Asterisk - How to avoid sending, SIP/2.0 603 Declined
On 07/23/2011 04:00 PM, Paul Belanger wrote:
> A UAS rejecting an offer contained in an INVITE SHOULD return a 488 (Not Acceptable Here) response. Such a response SHOULD include a Warning header field value explaining why the offer was rejected.

If the choice is to get hacked/DDOS'ed/etc or compliance with an RFC created by people who had no appreciation for the rather ugly world out there then why not throw the RFC out of the window and *not* reject an invite with a 488? It sounds like an interesting option to add to 10/trunk. Better secure than compliant sorry. Why not do a little Microsoft Embrace Extend? Like e.g. Sonus and Cisco do with their interpretation of SIP.

Regards,
Patrick
Re: [asterisk-users] Securing Asterisk - How to avoid sending, SIP/2.0 603 Declined
On 11-07-23 11:48 AM, Patrick Lists wrote:
> On 07/23/2011 04:00 PM, Paul Belanger wrote:
>> A UAS rejecting an offer contained in an INVITE SHOULD return a 488 (Not Acceptable Here) response. Such a response SHOULD include a Warning header field value explaining why the offer was rejected.
>
> If the choice is to get hacked/DDOS'ed/etc or compliance with an RFC created by people who had no appreciation for the rather ugly world out there then why not throw the RFC out of the window and *not* reject an invite with a 488? It sounds like an interesting option to add to 10/trunk. Better secure than compliant sorry. Why not do a little Microsoft Embrace Extend? Like e.g. Sonus and Cisco do with their interpretation of SIP.

Personally, I don't see this as a solution. SIP already provides some ability to help with security (EG: TLS, SRTP) however that is basically the extent of it. The way I see it, it is outside the scope of SIP; it's a signaling protocol.

If 'security' is really something you want to establish, many existing tools are available to handle this (EG: VPN, firewalls, encryption, etc). As previously mentioned, there is no easy, simple solution. Securing one's services takes work (and time) to do it right. Most people don't want to spend the effort monitoring it.

--
Paul Belanger
Digium, Inc. | Software Developer
twitter: pabelanger | IRC: pabelanger (Freenode)
Check us out at: http://digium.com http://asterisk.org
Re: [asterisk-users] Securing Asterisk - How to avoid sending, SIP/2.0 603 Declined
On 07/22/2011 07:32 PM, Bruce B wrote:
> Hello, I am wondering if there is a way to drop SIP packets for generic transactions? For example, only SIP PEERs are allowed to call in and receive ACK or Declined rather than those inviting a call who are not PEERs at all. Currently my Asterisk setup sends, *SIP/2.0 603 Declined* to any stranger invites because my dialplan includes Hangup(). Is there any way I can not send a 603 declined so to mislead the probe runner?

There is really no way to accomplish that except with a firewall.

--
Alex Balashov - Principal
Evariste Systems LLC
260 Peachtree Street NW Suite 2200
Atlanta, GA 30303
Tel: +1-678-954-0670
Fax: +1-404-961-1892
Web: http://www.evaristesys.com/
Re: [asterisk-users] Securing Asterisk - How to avoid sending, SIP/2.0 603 Declined
Thanks for the input. I am really surprised. But yes, I want exactly what firewall does, DROP packet instead of REJECTING it. So, you are saying that one has to tamper the SIP stack to add the option to not respond to un-trusted sources? I really thought Asterisk might have this built in as a feature. I can't even do a dialplan search for a registered PEER because even if I find the IP to not be trusted I still need to Hangup() on the invite which in turn sends 603 Declined. There isn't really any work-around to this?

Thanks again

On Fri, Jul 22, 2011 at 7:39 PM, Alex Balashov abalas...@evaristesys.com wrote:
> On 07/22/2011 07:32 PM, Bruce B wrote:
>> Hello, I am wondering if there is a way to drop SIP packets for generic transactions? For example, only SIP PEERs are allowed to call in and receive ACK or Declined rather than those inviting a call who are not PEERs at all. Currently my Asterisk setup sends, *SIP/2.0 603 Declined* to any stranger invites because my dialplan includes Hangup(). Is there any way I can not send a 603 declined so to mislead the probe runner?
>
> There is really no way to accomplish that except with a firewall.
>
> --
> Alex Balashov - Principal
> Evariste Systems LLC
> 260 Peachtree Street NW Suite 2200
> Atlanta, GA 30303
> Tel: +1-678-954-0670
> Fax: +1-404-961-1892
> Web: http://www.evaristesys.com/
Re: [asterisk-users] Securing Asterisk - How to avoid sending, SIP/2.0 603 Declined
Asterisk does not expose low-level control of its SIP stack. It's something intended to be configured and used at the application level.

If you really want to do this without a firewall, put a Kamailio proxy in front of your Asterisk install and drop things as you see fit. But why go through the trouble? What's wrong with iptables?

--
Alex Balashov - Principal
Evariste Systems LLC
260 Peachtree Street NW Suite 2200
Atlanta, GA 30303
Tel: +1-678-954-0670
Fax: +1-404-961-1892
Web: http://www.evaristesys.com/

On Jul 22, 2011, at 9:30 PM, Bruce B bruceb...@gmail.com wrote:
> Thanks for the input. I am really surprised. But yes, I want exactly what firewall does, DROP packet instead of REJECTING it. So, you are saying that one has to tamper the SIP stack to add the option to not respond to un-trusted sources? I really thought Asterisk might have this built in as a feature. I can't even do a dialplan search for a registered PEER because even if I find the IP to not be trusted I still need to Hangup() on the invite which in turn sends 603 Declined. There isn't really any work-around to this?
>
> Thanks again
>
> On Fri, Jul 22, 2011 at 7:39 PM, Alex Balashov abalas...@evaristesys.com wrote:
>> On 07/22/2011 07:32 PM, Bruce B wrote:
>>> Hello, I am wondering if there is a way to drop SIP packets for generic transactions? For example, only SIP PEERs are allowed to call in and receive ACK or Declined rather than those inviting a call who are not PEERs at all. Currently my Asterisk setup sends, *SIP/2.0 603 Declined* to any stranger invites because my dialplan includes Hangup(). Is there any way I can not send a 603 declined so to mislead the probe runner?
>>
>> There is really no way to accomplish that except with a firewall.
>>
>> --
>> Alex Balashov - Principal
>> Evariste Systems LLC
>> 260 Peachtree Street NW Suite 2200
>> Atlanta, GA 30303
>> Tel: +1-678-954-0670
>> Fax: +1-404-961-1892
>> Web: http://www.evaristesys.com/
Re: [asterisk-users] Securing Asterisk - How to avoid sending, SIP/2.0 603 Declined
On 11-07-22 07:32 PM, Bruce B wrote:
> Hello, I am wondering if there is a way to drop SIP packets for generic transactions? For example, only SIP PEERs are allowed to call in and receive ACK or Declined rather than those inviting a call who are not PEERs at all. Currently my Asterisk setup sends, *SIP/2.0 603 Declined* to any stranger invites because my dialplan includes Hangup(). Is there any way I can not send a 603 declined so to mislead the probe runner?

Have you tried disabling guests?

sip.conf

    [general]
    allowguest=no

--
Paul Belanger
Digium, Inc. | Software Developer
twitter: pabelanger | IRC: pabelanger (Freenode)
Check us out at: http://digium.com http://asterisk.org
Re: [asterisk-users] Securing Asterisk - How to avoid sending, SIP/2.0 603 Declined
Paul,

Won't that just send a 403 Forbidden?

--
Alex Balashov - Principal
Evariste Systems LLC
260 Peachtree Street NW Suite 2200
Atlanta, GA 30303
Tel: +1-678-954-0670
Fax: +1-404-961-1892
Web: http://www.evaristesys.com/

On Jul 22, 2011, at 9:48 PM, Paul Belanger pabelan...@digium.com wrote:
> On 11-07-22 07:32 PM, Bruce B wrote:
>> Hello, I am wondering if there is a way to drop SIP packets for generic transactions? For example, only SIP PEERs are allowed to call in and receive ACK or Declined rather than those inviting a call who are not PEERs at all. Currently my Asterisk setup sends, *SIP/2.0 603 Declined* to any stranger invites because my dialplan includes Hangup(). Is there any way I can not send a 603 declined so to mislead the probe runner?
>
> Have you tried disabling guests?
>
> sip.conf
>
>     [general]
>     allowguest=no
>
> --
> Paul Belanger
> Digium, Inc. | Software Developer
> twitter: pabelanger | IRC: pabelanger (Freenode)
> Check us out at: http://digium.com http://asterisk.org
Re: [asterisk-users] Securing Asterisk - How to avoid sending, SIP/2.0 603 Declined
On 11-07-22 09:51 PM, Alex Balashov wrote:
> Paul,
>
> Won't that just send a 403 Forbidden?

I believe so, but I was proposing a different SIP message than 603 Declined. As you mentioned, a firewall is the real solution if OP wants to drop packets. Asterisk is a B2BUA, not a firewall.

--
Paul Belanger
Digium, Inc. | Software Developer
twitter: pabelanger | IRC: pabelanger (Freenode)
Check us out at: http://digium.com http://asterisk.org
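The firewall approach the thread settles on (silently DROP SIP from anyone outside the known peer ranges), as an added example that is not part of any poster's message: it prints, without applying, iptables commands for a UDP 5060 allowlist. The chain name SIP_IN, UDP transport and the sample ranges are assumptions.

```sh
#!/bin/sh
# Added example: print (do not apply) iptables commands that accept SIP only
# from known peer ranges and silently DROP the rest.
# Assumptions: chain name SIP_IN, UDP transport, constructed sample ranges.

# Succeed only if $1 is a well-formed IPv4 address or CIDR block.
valid_cidr() {
    addr=${1%/*}
    case $1 in
        */*) mask=${1#*/} ;;
        *)   mask=32 ;;
    esac
    case $mask in ''|*[!0-9]*) return 1 ;; esac
    [ "$mask" -le 32 ] || return 1
    # Only digits and dots, no trailing dot (this also rules out glob chars).
    case $addr in ''|*[!0-9.]*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $addr            # split the address into octets
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the rule set for UDP port $1; the remaining arguments are peer ranges.
# Every range is validated before anything is printed, so a typo cannot
# produce a half-built rule set.
sip_allowlist_rules() {
    port=$1
    case $port in ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;; esac
    shift
    [ $# -ge 1 ] || { echo "no peer ranges given" >&2; return 1; }
    for cidr in "$@"; do
        valid_cidr "$cidr" || { echo "bad range: $cidr" >&2; return 1; }
    done
    echo "iptables -N SIP_IN"
    for cidr in "$@"; do
        echo "iptables -A SIP_IN -s $cidr -j ACCEPT"
    done
    # DROP sends nothing back. REJECT would answer with an ICMP
    # port-unreachable, which still tells a scanner the host is there.
    echo "iptables -A SIP_IN -j DROP"
    # Hook the chain in last, at the top of INPUT, so no earlier rule
    # accepts SIP before the allowlist is consulted.
    echo "iptables -I INPUT -p udp --dport $port -j SIP_IN"
}

# Constructed sample ranges (RFC 5737 documentation networks).
sip_allowlist_rules 5060 192.0.2.0/24 198.51.100.17
```

The printed commands are meant to be reviewed first; piping them to `sh` as root applies them. Requests from inside an allowed range still reach Asterisk and get its normal SIP responses.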
Re: [asterisk-users] Securing Asterisk - How to avoid sending, SIP/2.0 603 Declined
Robert thanks for weighing in. So, you are saying that FreeSwitch on its own can tackle issues like this without the need of OpenSIPs? Can you elaborate please?

Thanks

On Sat, Jul 23, 2011 at 12:17 AM, Robert-iPhone rhuddles...@gmail.com wrote:
> I like to put mine on 3389 hahaha just kidding. Personally I'm starting to convert to FreeSwitch - oops I had to say it. Security can be difficult and there are some good SBCs out there - just begs investment in technology - OH and bright staff
>
> Sent from my iPhone
>
> On Jul 23, 2011, at 12:09 AM, Steve Edwards asterisk@sedwards.com wrote:
>> On Fri, 22 Jul 2011, Bruce B wrote:
>>> 1- So, you are saying that either of OpenSER/Kamailio/OpenSIPS actually give me the full capability to the SIP stack to do the sort of thing I was asking for? And this can run on the same server as Asterisk is running?
>>
>> Configure OpenSIPS to listen to 5060 and Asterisk to listen to 5061.
>>
>> --
>> Thanks in advance,
>> - Steve Edwards sedwa...@sedwards.com Voice: +1-760-468-3867 PST
>> Newline Fax: +1-760-731-3000