SECURITY QUESTION & SANITY CHECK: If only my SIP ports and a small range of RTP ports are facing the public internet, what is the method by which an evildoer would be able to do fraudulent long distance on my nickel?
Would it REALLY be as simple as guessing the credentials for ANY of my local SIP endpoints? Like most people, my local endpoint credentials would be easy to guess: the username is often just an extension number (101, 102, 103, etc.), and passwords are often found in the "top 2000 common passwords" list and more often in the few hundred thousand canonical words.

I THINK the answer is YES, absolutely--Karl, go harden your installation!

WHAT ARE BEST PRACTICES? PLEASE CRITIQUE!

I think that one should at least:

1 - Use STRONG, random SIP passwords. Are these sent clear text across the internet?
2 - Where possible, one should not use auth names that match the extension number? ??? - please advise.

I think one may want to:

3 - Run IDS/IPS on their router. ??? - please advise.

Without getting into the complexities of multi-homed, interface-specific bindings, etc., are there additional precautions I should be taking? For example, I tried to block registrations from other subnets as follows:

    [general]
    ...
    deny=0.0.0.0/0.0.0.0         ; deny all by default?
    permit=10.1.0.0/255.255.0.0  ; allow registrations from local subnet?

But this seems to have no effect. Of course I may NOT have wanted its 'effect' if its effect would be to deny ALL SIP traffic from ALL places, including my ITSP's and guest SIP URI invites. Obviously I ONLY want to disallow foreign REGISTRATIONS (from other subnets) while preserving inbound calls from ANYONE. Is there a way to do that without an SBC?

For crude IPS/IDS, is there an Asterisk method to blacklist registrations from a specific IP address after a certain number of failed registration attempts, or would I need an SBC or IDS/IPS for that?

Thanks in advance to anyone who takes a moment to do a brain-dump on this topic!
-Karl

_______________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
AstriCon 2008 - September 22 - 25 Phoenix, Arizona Register Now: http://www.astricon.net
asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users
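Editor's note, added here as an illustration and not part of Karl's post or of Asterisk itself. Two background facts bear on the questions above: with SIP digest authentication the password itself is not sent in clear text, but the challenge/response pair can be captured and cracked offline against a weak password, which is why random passwords matter; and in chan_sip the deny/permit options are per-peer settings, so placing them in [general] is why the snippet above has no effect. For the "blacklist after N failed registrations" question, the crude IDS below reads the NOTICE lines that chan_sip writes to /var/log/asterisk/messages for every rejected REGISTER, counts failures per source IP while ignoring a trusted local subnet, and renders firewall rules for the offenders (the same pattern fail2ban applies to Asterisk). The log lines, IP addresses and the threshold are constructed for the example; it only prints the iptables commands rather than executing them.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of /var/log/asterisk/messages NOTICE lines (not taken
# from the original post). chan_sip logs each rejected REGISTER as
# "Registration from '<From header>' failed for '<ip>[:port]' - <reason>";
# newer releases append the source port, older ones do not.
SAMPLE_LOG = """\
[Sep 22 10:01:02] NOTICE[1234] chan_sip.c: Registration from '"101" <sip:101@10.1.0.20>' failed for '10.1.0.20' - Wrong password
[Sep 22 10:01:05] NOTICE[1234] chan_sip.c: Registration from '"101" <sip:101@203.0.113.5>' failed for '203.0.113.5' - Wrong password
[Sep 22 10:01:06] NOTICE[1234] chan_sip.c: Registration from '"102" <sip:102@203.0.113.5>' failed for '203.0.113.5:5060' - No matching peer found
[Sep 22 10:01:07] NOTICE[1234] chan_sip.c: Registration from '"103" <sip:103@203.0.113.5>' failed for '203.0.113.5' - Wrong password
[Sep 22 10:01:08] NOTICE[1234] chan_sip.c: Registration from '"104" <sip:104@203.0.113.5>' failed for '203.0.113.5' - Username/auth name mismatch
[Sep 22 10:01:09] NOTICE[1234] chan_sip.c: Registration from '"105" <sip:105@203.0.113.5>' failed for '203.0.113.5' - Wrong password
[Sep 22 10:01:10] NOTICE[1234] chan_sip.c: Registration from '"200" <sip:200@198.51.100.9>' failed for '198.51.100.9' - Wrong password
"""

# Matches the failed-registration NOTICE with or without a trailing ":port".
FAILED_REG = re.compile(
    r"Registration from '(?P<from>[^']*)' failed for "
    r"'(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?' - (?P<reason>.+)$"
)


def parse_failed_registrations(log_text):
    """Return a list of (source_ip, reason) for every failed REGISTER in the log."""
    hits = []
    for line in log_text.splitlines():
        m = FAILED_REG.search(line)
        if m:
            hits.append((m.group("ip"), m.group("reason").strip()))
    return hits


def is_trusted(ip, trusted_nets):
    """True if ip lies inside any trusted CIDR network (e.g. the phones' LAN)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in trusted_nets)


def failures_by_source(log_text, trusted_nets=()):
    """Count failed REGISTERs per source IP, skipping trusted networks."""
    counts = Counter()
    for ip, _reason in parse_failed_registrations(log_text):
        if not is_trusted(ip, trusted_nets):
            counts[ip] += 1
    return counts


def offenders(log_text, threshold, trusted_nets=()):
    """Source IPs with at least `threshold` failures, highest count first."""
    counts = failures_by_source(log_text, trusted_nets)
    return [ip for ip, n in counts.most_common() if n >= threshold]


def block_rules(ips):
    """Render (but do not run) iptables rules dropping traffic from each offender."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in ips]


if __name__ == "__main__":
    # Hypothetical policy: ban after 5 failures, never ban the 10.1.0.0/16 LAN.
    LAN = ["10.1.0.0/16"]
    for ip, n in failures_by_source(SAMPLE_LOG, LAN).most_common():
        print(f"{ip:16} {n} failed registrations")
    for rule in block_rules(offenders(SAMPLE_LOG, 5, LAN)):
        print(rule)
```

In practice the threshold and a time window would be tuned to the site (a phone with a mistyped password retries far less often than a scanner walking extension numbers), and the trusted-network list keeps a local misconfiguration from locking out the LAN.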