On 19 Mar 2010 at 03:41, Philipp von Klitzing wrote:

> Hey hey!
>
>>> My first step will be to strengthen the passwords in use, and for the
>>> hardphones to restrict by IP address, but that still leaves the
>>> softphone quite widely open.
>>
>> Asterisk doesn't differentiate between a hard phone and a soft phone.
>
> Although: One could think about enhancing Asterisk security by allowing
> only a (number of) specific SIP user agent header (vendor, model) for a
> SIP account - next to a strong password, of course. Or implement
> something more dynamic like: Read and lock the current (or first) user
> agent string, and then ping the admin if that changes and request an
> unlock/re-auth.

Those are interesting ideas. We could implement a timeout for registrations, so that we only accept re-registrations while we have an active registration, and if that expires only accept new registrations after a timeout. This will delay access at reboots of the Asterisk server though.

>
>>> Does Asterisk 1.6 have anything in it that can automatically block out
>>> an attacking IP, say if it receives several 20 or so failed attempts
>>> from that IP in x minutes?
>
> It would still be important to have a sip.conf parameter in 1.4 that is
> similar to "delayreject" in iax.conf! One of my systems has been scanned
> 3 times in the past days, and it takes just a little over a minute for a
> 10.000 account registration scan.
The work I started during Christmas - Named ACLs - is a starting point that other developers can use to develop all kind of schemes.

http://www.voip-forum.com/asterisk/2010-01/manageable-access-control-lists-asterisk-nacls/

/O
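The question quoted above (block an IP after roughly 20 failed attempts within x minutes) is something an operator can approximate outside Asterisk by watching the chan_sip log. The script below is an added example, not code from this thread or from the Asterisk project: it reads constructed log lines whose shape is an assumption modelled on the "Registration from ... failed for ..." NOTICE that chan_sip writes, counts failures per source IP inside a sliding time window, and emits the matching `deny=` lines for a sip.conf peer section. The default threshold of 20 failures in 5 minutes is an assumed value for the "x minutes" in the question.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log (not captured from a real server). The line format
# is an assumption modelled on chan_sip's failed-REGISTER notice; the
# addresses are documentation ranges. 198.51.100.7 is a scan, 203.0.113.5 is
# a user who mistyped a password twice, eleven minutes apart.
SAMPLE_LOG = """\
[Mar 19 03:40:00] NOTICE[2201] chan_sip.c: Registration from '"1000" <sip:1000@192.0.2.10>' failed for '198.51.100.7' - Wrong password
[Mar 19 03:40:03] NOTICE[2201] chan_sip.c: Registration from '"1001" <sip:1001@192.0.2.10>' failed for '198.51.100.7' - No matching peer found
[Mar 19 03:40:05] NOTICE[2201] chan_sip.c: Registration from '"1002" <sip:1002@192.0.2.10>' failed for '198.51.100.7' - No matching peer found
[Mar 19 03:40:07] NOTICE[2201] chan_sip.c: Registration from '"1003" <sip:1003@192.0.2.10>' failed for '198.51.100.7' - No matching peer found
[Mar 19 03:40:09] NOTICE[2201] chan_sip.c: Registration from '"1004" <sip:1004@192.0.2.10>' failed for '198.51.100.7' - No matching peer found
[Mar 19 03:40:10] NOTICE[2201] chan_sip.c: Registration from '"1005" <sip:1005@192.0.2.10>' failed for '198.51.100.7' - No matching peer found
[Mar 19 03:41:30] NOTICE[2201] chan_sip.c: Registration from '"2001" <sip:2001@192.0.2.10>' failed for '203.0.113.5' - Wrong password
[Mar 19 03:52:30] NOTICE[2201] chan_sip.c: Registration from '"2001" <sip:2001@192.0.2.10>' failed for '203.0.113.5' - Wrong password
[Mar 19 03:52:31] VERBOSE[2201] chan_sip.c: -- Registered SIP '2001' at 203.0.113.5 port 5060
"""

# Timestamp in brackets, then the failed-for address; an optional ":port"
# suffix is tolerated because some versions append it.
FAILED_RE = re.compile(
    r"^\[(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)\] .*"
    r"Registration from '.*?' failed for '(?P<ip>\d+(?:\.\d+){3})(?::\d+)?'"
)


def parse_failures(log_text):
    """Yield (timestamp_string, datetime, ip) for every failed-registration line."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # successful registrations and other chatter are ignored
        ts = m.group("ts")
        # Asterisk's default timestamp carries no year; strptime fills in 1900,
        # which is fine because only differences between timestamps are used.
        yield ts, datetime.strptime(ts, "%b %d %H:%M:%S"), m.group("ip")


def count_failures(log_text):
    """Total failed registrations per source IP, regardless of time."""
    counts = defaultdict(int)
    for _, _, ip in parse_failures(log_text):
        counts[ip] += 1
    return dict(counts)


def flag_offenders(log_text, threshold=20, window_seconds=300):
    """Return {ip: timestamp_string} for IPs that reach `threshold` failures
    within any `window_seconds` span; the value is the moment the threshold
    was first crossed. Lines are assumed to be in chronological order."""
    recent = defaultdict(deque)  # ip -> datetimes of failures still inside the window
    flagged = {}
    for ts, when, ip in parse_failures(log_text):
        q = recent[ip]
        q.append(when)
        while q and (when - q[0]).total_seconds() > window_seconds:
            q.popleft()  # drop failures that have aged out of the window
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged


def sip_deny_lines(flagged):
    """sip.conf deny= lines (host mask) for the flagged addresses."""
    return ["deny=%s/255.255.255.255" % ip for ip in sorted(flagged)]


if __name__ == "__main__":
    # With the sample, a 5-in-60s rule catches the scan and spares the user.
    hits = flag_offenders(SAMPLE_LOG, threshold=5, window_seconds=60)
    for ip, ts in hits.items():
        print("%s crossed the threshold at %s" % (ip, ts))
    print("\n".join(sip_deny_lines(hits)))
```

The window matters as much as the count: the scan in the sample fires in ten seconds, while two wrong passwords eleven minutes apart never accumulate, so a legitimate user is not locked out. The `deny=` lines are meant for a host-based ACL on the affected peers or, with the Named ACLs mentioned above, a shared list; they are only as good as the log being watched, so run the check against the live full log rather than a one-off capture.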
