On Sunday 13 June 2010 13:46:36 Tzafrir Cohen wrote:
> On Sun, Jun 13, 2010 at 10:59:43AM -0700, Dave Platt wrote:
> > The O.P. seems to have made two (fairly common) mistakes:
> > [snip]
> > - Used the user's extension number as the SIP user ID... and
> >   thus making it easy to figure out which user IDs on which a
> >   password attack could be carried out.
>
> Sadly this is something that FreePBX (and probably other systems) force
> you to do.
>
> One other minor nit:
>
> > One of your best tools is a program or script to generate
> > random sequences of letters and digits and other legal-in-SIP-names
> > characters. Try something like
> >
> >     dd if=/dev/urandom bs=512 count=1 | base64
> >
> > and then copy some 10- or 12-character substrings out of this
> > mass of gibberish and use 'em for SIP secrets. With this many
> > bits of randomness in the secrets, they'll be effectively
> > invulnerable to guessing or brute force attacks.
>
> Ahem. If you only want that many characters, just get less random bits.
>
> This will get you 128 (16 * 8) [pseudo?]random bits:
>
>     head /dev/urandom -c 16 | base64
I would generally suggest something a little more deterministic (where 101
is your extension):

    $ echo '101This is a salt' | sha1sum
    22c3c098bfc2289396af84ecfb1ab77419a6537e

Pick your salt to be unique per site, guard the salt jealously, and you'll
be fine.

-- 
Tilghman Lesher
Digium, Inc. | Senior Software Developer
twitter: Corydon76 | IRC: Corydon76-dig (Freenode)
Check us out at: www.digium.com & www.asterisk.org
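The two ways of producing SIP secrets discussed in this thread, written up as shell functions. This is an added example, not code posted by any of the participants: `random_secret` follows the /dev/urandom-plus-base64 approach (it keeps every bit of entropy it reads instead of copying substrings out of a larger dump, and strips the `/`, `+` and `=` characters that are awkward in SIP peer configuration), and `derived_secret` follows the sha1sum-of-extension-plus-salt approach. The salt value used in the test is a constructed placeholder; the function names and the 16-byte default are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): two ways to produce SIP secrets.
# Assumes POSIX sh with coreutils (head, base64, sha1sum, tr, cut).

# Random secret: read N raw bytes from /dev/urandom, base64-encode them,
# and drop the characters (/ + =) that are inconvenient in SIP secrets.
# Every byte read contributes to the output, so 16 bytes gives ~128 bits
# of entropy in the resulting string.
random_secret() {
    nbytes="${1:-16}"           # default: 16 bytes = 128 bits
    head -c "$nbytes" /dev/urandom | base64 | tr -d '/+=\n'
}

# Deterministic secret: SHA-1 of extension followed by the per-site salt,
# exactly as in the reply above (echo appends a newline, so printf does
# the same). The secret is only as strong as the salt stays secret, since
# the extension number is not secret at all.
derived_secret() {
    ext="$1"
    salt="$2"
    printf '%s%s\n' "$ext" "$salt" | sha1sum | cut -d' ' -f1
}

# Sanity check: returns 0 if the string is non-empty alphanumeric only.
is_alnum() {
    case "$1" in
        '' | *[!A-Za-z0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Example run (EXAMPLE_SALT is a constructed placeholder, not a real site salt).
if [ "${1:-}" = "demo" ]; then
    echo "random secret for ext 101:  $(random_secret 16)"
    echo "derived secret for ext 101: $(derived_secret 101 'EXAMPLE_SALT')"
fi
```

Run with `sh script.sh demo` to see one secret of each kind. Note the trade-off between the two functions: the random secret must be stored somewhere (the peer configuration), while the derived one can be regenerated from the extension and the salt, which is convenient but means a leaked salt exposes every extension's secret at once.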
