> I'm still trying to figure that out. Our SIP usernames are seven-digit phone numbers, so not really difficult to guess, but the passwords are 7-character alphanumeric strings, auto-generated. We don't at present restrict people to their addresses, as some are dynamic.
If they're randomly generated (which might not be the same as "auto-generated") then that *ought* to be a big enough namespace to provide reasonable resistance to cracking... 78 billion combinations at least (assuming upper-case alpha and numeric characters).

Do your logs show a lot of failed registrations? A brute-force password-guessing attack ought to show up in this way (and is thus good fodder for a Fail2Ban auto-jailing).

You should check your Asterisk configuration to make triple-sure that:

(1) Inbound "guest" calls go only to a restrictive context which will allow calling of only your own specific extensions, and

(2) You don't have DISA enabled on any extension... a short DISA passcode and a guessable DISA extension number could be an expensive vulnerability.
asterisk-users mailing list
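The failed-registration check the reply suggests, written out as an added example (not code from the thread or from Asterisk): it counts failed REGISTER notices per source address inside a sliding window, the same maxretry/findtime rule a Fail2Ban jail applies before banning. The log lines are constructed and modelled on the chan_sip NOTICE messages older Asterisk releases write to the messages log; that format, and the year used for the timestamps, are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines, modelled on chan_sip NOTICE messages in
# /var/log/asterisk/messages: a burst of guesses from one address, and
# two isolated failures from another that should not trip the rule.
SAMPLE_LOG = """\
[Mar 12 10:00:01] NOTICE[2234] chan_sip.c: Registration from '"5551234" <sip:5551234@192.0.2.10>' failed for '203.0.113.7' - Wrong password
[Mar 12 10:00:02] NOTICE[2234] chan_sip.c: Registration from '"5551235" <sip:5551235@192.0.2.10>' failed for '203.0.113.7' - Wrong password
[Mar 12 10:00:02] NOTICE[2234] chan_sip.c: Registration from '"5551236" <sip:5551236@192.0.2.10>' failed for '203.0.113.7' - No matching peer found
[Mar 12 10:00:03] NOTICE[2234] chan_sip.c: Registration from '"5551237" <sip:5551237@192.0.2.10>' failed for '203.0.113.7' - Wrong password
[Mar 12 10:00:04] NOTICE[2234] chan_sip.c: Registration from '"5551238" <sip:5551238@192.0.2.10>' failed for '203.0.113.7' - Wrong password
[Mar 12 10:05:00] NOTICE[2234] chan_sip.c: Registration from '"5559876" <sip:5559876@192.0.2.10>' failed for '198.51.100.4' - Wrong password
[Mar 12 10:30:00] NOTICE[2234] chan_sip.c: Registration from '"5559876" <sip:5559876@192.0.2.10>' failed for '198.51.100.4' - Wrong password
"""

# Matches the timestamp, the source address and the failure reason; the
# optional ':port' suffix covers releases that log the source port too.
FAILED_REG = re.compile(
    r"^\[(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2})\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '(?P<user>[^']*)' failed for '(?P<ip>[0-9.]+)(?::\d+)?' - (?P<reason>.*)$"
)


def find_brute_forcers(log_text, maxretry=5, findtime=600, year=2010):
    """Return {ip: timestamp} for every source address that reached maxretry
    failed registrations within any findtime-second window (Fail2Ban's rule).
    The syslog-style timestamp carries no year, so one is assumed."""
    window = defaultdict(deque)   # ip -> timestamps of recent failures
    tripped = {}
    for line in log_text.splitlines():
        m = FAILED_REG.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = window[m['ip']]
        q.append(ts)
        # Drop failures that fell out of the window before counting.
        while q and (ts - q[0]).total_seconds() > findtime:
            q.popleft()
        if len(q) >= maxretry and m['ip'] not in tripped:
            tripped[m['ip']] = ts
    return tripped
```

Running it over the sample flags only 203.0.113.7, at the fifth failure; the two guesses from 198.51.100.4 are 25 minutes apart and never fall inside one 600-second window.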