> I guess there should be some configurable options in Asterisk to cover
> for that. Like 10 consecutive failed login attempts should invoke
> Asterisk to reply a login denied to that IP address and another option
> that would allow for let's say 5 attempts in 5 minutes and then block
> the extension for login.
>
> Make the login attempts number and blocking time configurable,
> settable system wide with an option to override per extension would
> close the hole.
This is one of the things that we discussed at Astridevcon in 2008, and several questions came up:

1. Should this even be Asterisk's responsibility, when it can already be implemented w/ external tools that are much better suited to the task, are already well supported and work really well: http://www.voip-info.org/wiki/view/Fail2Ban+(with+iptables)+And+Asterisk

2. What are the implications of having a blocking scheme like this when you have 100 phones behind NAT? (The simple answer to this is to allow whitelisting of known address blocks.)

3. It would be very difficult to develop a security model that works for ALL channel drivers. It is easier to think about using a method that works for chan_sip, but a more detailed framework is necessary for all other channel drivers.

I believe that John Todd and Olle have some pretty detailed presentations regarding the discussion that was done:

http://astridevcon.pbwiki.com/Network+Security+Framework.2008-09-28-23-35-38
http://edvina.net/asterisk/asa-intro.pdf
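To make the two proposed rules and the NAT whitelisting concrete, here is an added example (not code from either poster, fail2ban or Asterisk) that scores chan_sip "Registration ... failed" NOTICE lines: N failures from one address mark that address for denial unless it lies in a whitelisted block, and M failures against one extension inside a sliding window mark the extension for lockout. The log lines, hosts, extensions and the `10.0.0.0/8` whitelist are constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample in the shape of chan_sip's "Registration ... failed" NOTICE
# lines (hypothetical hosts and extensions, not from a real system).
def _line(ts, ext, ip):
    return (f"[{ts}] NOTICE[1234] chan_sip.c: Registration from "
            f"'\"{ext}\" <sip:{ext}@pbx.example>' failed for '{ip}' - Wrong password")

SAMPLE_LOG = "\n".join(
    [_line(f"Jan 10 12:00:{i:02d}", 200 + i, "198.51.100.9") for i in range(10)]  # 10 from one IP
    + [_line(f"Jan 10 12:0{i}:30", 100, "203.0.113.7") for i in range(5)]          # 5 on one extension
    + [_line(f"Jan 10 12:{10 + 3 * i}:00", 300, "10.1.2.3") for i in range(12)]    # whitelisted NAT block
)

LINE_RE = re.compile(
    r"^\[(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '\"(?P<ext>[^\"]+)\"[^']*' failed for '(?P<ip>[\d.]+)(?::\d+)?'"
)

def evaluate(log_text, ip_threshold=10, ext_attempts=5, ext_window_s=300,
             whitelist=("10.0.0.0/8",)):
    # Returns (addresses to deny, extensions to lock); lines must be in time order.
    nets = [ipaddress.ip_network(n) for n in whitelist]
    ip_fail = defaultdict(int)      # failure count per source address
    ext_hist = defaultdict(deque)   # failure timestamps per extension (sliding window)
    deny_ips, lock_exts = set(), set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        ip, ext = m["ip"], m["ext"]
        # Rule 1: N failures from one address -> deny it, unless it is inside a
        # whitelisted block (many phones behind NAT share one public address).
        if not any(ipaddress.ip_address(ip) in n for n in nets):
            ip_fail[ip] += 1
            if ip_fail[ip] >= ip_threshold:
                deny_ips.add(ip)
        # Rule 2: M failures against one extension inside the window -> lock it.
        q = ext_hist[ext]
        q.append(ts)
        while (ts - q[0]).total_seconds() > ext_window_s:
            q.popleft()
        if len(q) >= ext_attempts:
            lock_exts.add(ext)
    return deny_ips, lock_exts
```

With the sample, the scanning address is denied and extension 100 is locked, while the 12 slow failures from the whitelisted NAT address trigger neither rule.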
