[asterisk-users] asterisk security framework

2016-09-30 Thread marek cervenka
hi, i'm trying configure $subj https://wiki.asterisk.org/wiki/display/AST/Asterisk+Security+Event+Logger but there is a ton of "informational" messages [Sep 30 14:40:16] SECURITY[18311] res_security_log.c:

[asterisk-users] Asterisk Security: Allow only one phone per sip registration

2011-10-14 Thread Muro, Sam
Hi there Consider this. You have three SIP extension 200, 201 and 202 and you have configured your phones, say Polycom 331 to those accounts. 200 being one very sensitive individual. Lets say, an insider, get a new phone or perhaps an xlite and configure it with the same extension, 200. Asterisk

Re: [asterisk-users] Asterisk Security: Allow only one phone per sip registration

2011-10-14 Thread Terry Wilson
- Original Message - From: Sam Muro resea...@businesstz.com To: asterisk-users@lists.digium.com Sent: Friday, October 14, 2011 2:02:01 AM Subject: [asterisk-users] Asterisk Security: Allow only one phone per sip registration Hi there Consider this. You have three SIP extension

Re: [asterisk-users] Asterisk Security: Allow only one phone per sip registration

2011-10-14 Thread Muro, Sam
Terry Wilson wrote: - Original Message - From: Sam Muro resea...@businesstz.com To: asterisk-users@lists.digium.com Sent: Friday, October 14, 2011 2:02:01 AM Subject: [asterisk-users] Asterisk Security: Allow only one phone per sip registration Hi there Consider this. You have

Re: [asterisk-users] Asterisk Security: Allow only one phone per sip registration

2011-10-14 Thread Hans Witvliet
On Fri, 2011-10-14 at 10:02 +0300, Muro, Sam wrote: Hi there Consider this. You have three SIP extension 200, 201 and 202 and you have configured your phones, say Polycom 331 to those accounts. 200 being one very sensitive individual. Lets say, an insider, get a new phone or perhaps an

Re: [asterisk-users] Asterisk Security: Allow only one phone per sip registration

2011-10-14 Thread Terry Wilson
Is there a way one can bind sip account to specific mac-address (assume on the same subnet). In this way, even if you know the username/secret, you will still have to use the same physical phone, unless you play with mac-address. No. And mac addresses are easily spoofed so it would not

Re: [asterisk-users] Asterisk Security: Allow only one phone per sip registration

2011-10-14 Thread Muro, Sam
Terry Wilson wrote: Is there a way one can bind sip account to specific mac-address (assume on the same subnet). In this way, even if you know the username/secret, you will still have to use the same physical phone, unless you play with mac-address. No. And mac addresses are easily

Re: [asterisk-users] Asterisk Security: Allow only one phone per sip registration

2011-10-14 Thread Terry Wilson
Thanks. Let me see how best i can complicate them per phone. Ooops, 1000 sip phones If it were me, I would look into Asterisk Realtime for handling the SIP phones. I would then write a script to generate the configs for the phones into the SIP realtime database with random passwords. Match

Re: [asterisk-users] Asterisk Security: Allow only one phone per sip registration

2011-10-14 Thread Muro, Sam
Thanks Terry! Let me think of all possibilities and shall holla. Can you be one? Terry Wilson wrote: Thanks. Let me see how best i can complicate them per phone. Ooops, 1000 sip phones If it were me, I would look into Asterisk Realtime for handling the SIP phones. I would then write a

Re: [asterisk-users] Asterisk Security: Allow only one phone per sip registration

2011-10-14 Thread A J Stiles
On Friday 14 October 2011, Muro, Sam wrote: Hi there Consider this. You have three SIP extension 200, 201 and 202 and you have configured your phones, say Polycom 331 to those accounts. 200 being one very sensitive individual. Lets say, an insider, get a new phone or perhaps an xlite and

Re: [asterisk-users] Asterisk Security: Allow only one phone per sip registration

2011-10-14 Thread Alex Vishnev
the best way to handle large sip client base is using provisioning interface. Even though you can create configuration files and server them with asterisk+extensions, you need to consider security aspects of this approach as well. Using tftp or simple protocols to server config files works on

Re: [asterisk-users] Asterisk Security: Allow only one phone per sip registration

2011-10-14 Thread Muro, Sam
Thanks A.J I know and I can assure you no one will get that physical access to the system. A J Stiles wrote: On Friday 14 October 2011, Muro, Sam wrote: Hi there Consider this. You have three SIP extension 200, 201 and 202 and you have configured your phones, say Polycom 331 to those

[asterisk-users] asterisk security....again

2011-02-28 Thread Rizwan Hisham
Hi all, The problem I have been experiencing since last month is that some of my customers are getting calls with Asterisk Unknown caller id. Most of them in the middle of the night. And my asterisk server has no record of these calls. The customers were getting irritated as you can imagine. I

Re: [asterisk-users] asterisk security....again

2011-02-28 Thread Steven Howes
On 28 Feb 2011, at 10:33, Rizwan Hisham wrote: The problem I have been experiencing since last month is that some of my customers are getting calls with Asterisk Unknown caller id. Most of them in the middle of the night. And my asterisk server has no record of these calls. The customers

Re: [asterisk-users] asterisk security....again

2011-02-28 Thread A J Stiles
On Monday 28 Feb 2011, Steven Howes wrote: 'asterisk security' is a misleading subject line. Guessing someone just scanned some IP addresses and made calls. You need what's called a 'firewall'. Well, assuming you're on Linux then you've already *got* a firewall. Just add some iptables rules

Re: [asterisk-users] asterisk security....again

2011-02-28 Thread Ricardo Carvalho
Probably, you are receiving INVITE attacks from some tool like sipvicious. You should rearrange your network to cover some important security issues. The IP address of your server can be revealed in some unencrypted SIP signaling of some call through the Internet to/from your server's client, or

Re: [asterisk-users] asterisk security....again

2011-02-28 Thread Rizwan Hisham
thanks for the replies. I don't want to rule-out the possibility of network sniffing. I am sure it's not an inside job. The server is off-site and is hosted by a very well reputed hosting company. So if someone is sniffing, what should I do? Probably, you are receiving INVITE attacks from some

Re: [asterisk-users] asterisk security....again

2011-02-28 Thread Terry Brummell
...@lists.digium.com [mailto:asterisk-users-boun...@lists.digium.com] On Behalf Of Ricardo Carvalho Sent: Monday, February 28, 2011 6:31 AM To: Asterisk Users Mailing List - Non-Commercial Discussion Subject: Re: [asterisk-users] asterisk security....again Probably, you are receiving INVITE

Re: [asterisk-users] asterisk security....again

2011-02-28 Thread Rizwan Hisham
side, not the server. *From:* asterisk-users-boun...@lists.digium.com [mailto: asterisk-users-boun...@lists.digium.com] *On Behalf Of *Ricardo Carvalho *Sent:* Monday, February 28, 2011 6:31 AM *To:* Asterisk Users Mailing List - Non-Commercial Discussion *Subject:* Re: [asterisk-users

Re: [asterisk-users] asterisk security....again

2011-02-28 Thread Rizwan Hisham
-users] asterisk security....again Probably, you are receiving INVITE attacks from some tool like sipvicious. You should rearrange your network to cover some important security issues. The IP address of your server can be revealed in some unencrypted SIP signaling of some call through

Re: [asterisk-users] asterisk security....again

2011-02-28 Thread Kevin P. Fleming
On 02/28/2011 07:27 AM, Rizwan Hisham wrote: Any suggestions on encrypting the sip and rtp. I have done some googling on it. looks like it is not supported by most end point devices or service providers. But still your thoughts will be appreciated on this subject. You cannot protect a remote

Re: [asterisk-users] asterisk security....again

2011-02-28 Thread Rizwan Hisham
Thanks Mr. Kevin. Can anyone please also tell me which firewall is best suited for asterisk/sip attack prevention. Is there any firewall built specially to address sip security problems? On Mon, Feb 28, 2011 at 6:38 PM, Kevin P. Fleming kpflem...@digium.com wrote: On 02/28/2011 07:27 AM, Rizwan

Re: [asterisk-users] asterisk security....again

2011-02-28 Thread Jamie A. Stapleton
http://sipera.com/ is one such product. From: asterisk-users-boun...@lists.digium.com [mailto:asterisk-users-boun...@lists.digium.com] On Behalf Of Rizwan Hisham Sent: Monday, February 28, 2011 9:33 AM To: Asterisk Users Mailing List - Non-Commercial Discussion Subject: Re: [asterisk-users

Re: [asterisk-users] asterisk security....again

2011-02-28 Thread satish patel
...@computer-business.com To: asterisk-users@lists.digium.com Date: Mon, 28 Feb 2011 10:27:33 -0500 Subject: Re: [asterisk-users] asterisk security....again http://sipera.com/ is one such product. From: asterisk-users-boun...@lists.digium.com [mailto:asterisk-users-boun...@lists.digium.com] On Behalf

[asterisk-users] Asterisk Security Releases: AST-2011-001

2011-01-18 Thread Asterisk Development Team
The Asterisk Development Team has announced security releases for the following versions of Asterisk: * 1.4.38.1 * 1.4.39.1 * 1.6.1.21 * 1.6.2.15.1 * 1.6.2.16.1 * 1.8.1.2 * 1.8.2.1 These releases are available for immediate download at

Re: [asterisk-users] Asterisk Security

2009-04-12 Thread Christian Stredicke
Users Mailing List - Non-Commercial Discussion Betreff: Re: [asterisk-users] Asterisk Security If that someone is between you and the other endpoint (like between you and the switch, or using port-mirroring on a router somewhere), then yes. The conversations can be recorded. In the US, the ability

Re: [asterisk-users] Asterisk Security

2009-04-06 Thread SIP
-boun...@lists.digium.com] On Behalf Of Martin Sent: Saturday, April 04, 2009 7:20 PM To: Asterisk Users Mailing List - Non-Commercial Discussion Subject: Re: [asterisk-users] Asterisk Security Lets not be that paranoid. If you have these ports open to the internet then from time to time someone

[asterisk-users] Asterisk Security

2009-04-04 Thread Todd Reese
Hi All, Coming in to day, the logs on the asterisk server showed several entries such as: [Apr 4 15:25:16] NOTICE[9280]: chan_sip.c:14627 handle_request_invite: Call from '' to extension '9810380487965419' rejected because extension not found. This has gotten me to thinking about security

Re: [asterisk-users] Asterisk Security

2009-04-04 Thread Martin
Lets not be that paranoid. If you have these ports open to the internet then from time to time someone will check if your default unsecured context can dial out to PSTN... with sip.conf you can add allowguest=no With IAX2 there's no allowguest but I believe you have to have a guest username in

Re: [asterisk-users] Asterisk Security

2009-04-04 Thread Tom
...@lists.digium.com [mailto:asterisk-users-boun...@lists.digium.com] On Behalf Of Martin Sent: Saturday, April 04, 2009 7:20 PM To: Asterisk Users Mailing List - Non-Commercial Discussion Subject: Re: [asterisk-users] Asterisk Security Lets not be that paranoid. If you have these ports open to the internet

[asterisk-users] Asterisk security between two servers

2009-02-24 Thread arkda
Hi, I recently found someone was using one of my Asterisk servers to make international calls via some SIP method that allowed them to bypass authentication (running 1.4.21.1 so I'm not sure how they did this since the major vulnerability for this was patched in 1.4.18.1). At any rate I caught it

[Asterisk-Users] asterisk security issue

2005-06-24 Thread Ohad.Levy
http://archives.neohapsis.com/archives/fulldisclosure/2005-06/0297.html

[Asterisk-Users] asterisk security

2005-06-15 Thread Georges Henroteaux
Hello, I would like to have some advices about security, securing asterisk server Already : - configured asterisk to run as non-root user (http://www.voip-info.org/tiki-index.php?page=Asterisk+non-root) - fw config

Re: [Asterisk-Users] asterisk security

2005-06-15 Thread Rich Adamson
I would like to have some advices about security, securing asterisk server Already : - configured asterisk to run as non-root user (http://www.voip-info.org/tiki-index.php?page=Asterisk+non-root) - fw config

Re: [Asterisk-Users] Asterisk security problem: authorized SIP users can fake any callerid!

2005-03-14 Thread Duane
On Mon, March 14, 2005 17:06, Andres said: You might want to try the steps provided above yourself Peter. Because even if we have a context that leads to never never land at the top of sip.conf, I am still able to make free calls. A sip debug clearly Welcome to the wonderful world of

Re: [Asterisk-Users] Asterisk security problem: authorized SIP users can fake any callerid!

2005-03-14 Thread Tom Samplonius
On Tue, 15 Mar 2005 02:03:54 +1100 (EST), Duane [EMAIL PROTECTED] wrote: On Mon, March 14, 2005 17:06, Andres said: You might want to try the steps provided above yourself Peter. Because even if we have a context that leads to never never land at the top of sip.conf, I am still able to

Re: [Asterisk-Users] Asterisk security problem: authorized SIP users can fake any callerid!

2005-03-13 Thread Andres
Deti Fliegl wrote: Hi there, all that started by investigating what happens if SIP clients are calling anonymously. The problem: Every client who is registered as a regular user with username and secret can fake any callerid in subsequent INVITEs. Asterisk does not apply an accountcode or

Re: [Asterisk-Users] Asterisk security problem: authorized SIP users can fake any callerid!

2005-03-13 Thread Peter Bowyer
On Mon, 14 Mar 2005 00:27:12 -0500, Andres [EMAIL PROTECTED] wrote: Deti Fliegl wrote: Hi there, all that started by investigating what happens if SIP clients are calling anonymously. The problem: Every client who is registered as a regular user with username and secret can fake

Re: [Asterisk-Users] Asterisk security problem: authorized SIP users can fake any callerid!

2005-03-13 Thread Andres
Peter Bowyer wrote: On Mon, 14 Mar 2005 00:27:12 -0500, Andres [EMAIL PROTECTED] wrote: Deti Fliegl wrote: Hi there, all that started by investigating what happens if SIP clients are calling anonymously. The problem: Every client who is registered as a regular user with username and

Re: [Asterisk-Users] Asterisk security problem: authorized SIP users can fake any callerid!

2005-03-12 Thread Tom Samplonius
On Fri, 11 Mar 2005 14:41:37 -0500, C F [EMAIL PROTECTED] wrote: Welcome to SIP, this is how SIP works, thats why ppl use IAX. It is a combination of chan_sip and the particular sip.conf actually. Sane SIP servers will challenge all INVITEs, and apply user identification from the user

[Asterisk-Users] Asterisk security problem: authorized SIP users can fake any callerid!

2005-03-11 Thread Deti Fliegl
Hi there, all that started by investigating what happens if SIP clients are calling anonymously. The problem: Every client who is registered as a regular user with username and secret can fake any callerid in subsequent INVITEs. Asterisk does not apply an accountcode or callerid from sip.conf.

Re: [Asterisk-Users] Asterisk security problem: authorized SIP users can fake any callerid!

2005-03-11 Thread Eric Wieling
Deti Fliegl wrote: Hi there, all that started by investigating what happens if SIP clients are calling anonymously. The problem: Every client who is registered as a regular user with username and secret can fake any callerid in subsequent INVITEs. Asterisk does not apply an accountcode or

Re: [Asterisk-Users] Asterisk security problem: authorized SIP users can fake any callerid!

2005-03-11 Thread C F
Welcome to SIP, this is how SIP works, thats why ppl use IAX. On Fri, 11 Mar 2005 19:06:20 +0100, Deti Fliegl [EMAIL PROTECTED] wrote: Hi there, all that started by investigating what happens if SIP clients are calling anonymously. The problem: Every client who is registered as a regular

[Asterisk-Users] Asterisk security problem: authorized SIP users can fake any callerid!

2005-03-11 Thread Edwin Groothuis
On Fri, Mar 11, 2005 at 01:13:25PM -0600, [EMAIL PROTECTED] wrote: all that started by investigating what happens if SIP clients are calling anonymously. The problem: Every client who is registered as a regular user with username and secret can fake any callerid in subsequent INVITEs.

Re: [Asterisk-Users] Asterisk security problem: authorized SIP users can fake any callerid!

2005-03-11 Thread Deti Fliegl
C F wrote: Welcome to SIP, this is how SIP works, thats why ppl use IAX. Welcome to SIP for dummies: You have to distinguish between SIP callerid and authentication. First a callerid is used to call another party or to identify yourself to another party. Such a callerid is sent via a

Re: [Asterisk-Users] Asterisk security problem: authorized SIP users can fake any callerid!

2005-03-11 Thread Deti Fliegl
This is a preliminary fix for the exploit identified in my last postings. By far it would be better to fix the find_user call to look for both, the From-header and an username in the Proxy-Authorization-header. We even should set a environment variable (which can be used for dialplans) to

Re: [Asterisk-Users] Asterisk security problem: authorized SIP users can fake any callerid!

2005-03-11 Thread Kevin P. Fleming
Deti Fliegl wrote: This is a preliminary fix for the exploit identified in my last postings. By far it would be better to fix the find_user call to look for both, the From-header and an username in the Proxy-Authorization-header. We even should set a environment variable (which can be used for

[Asterisk-Users] Asterisk Security Audit?

2004-03-30 Thread Jim Rosenberg
Has Asterisk ever been audited for common security holes, such as buffer overruns? A quick grep through the source for routines that should never be used, like strcpy, strcat, etc., reveals a lot of it. I fear I fear. Has anyone flung pathology at IAX2 to see if it stands up to malformed

RE: [Asterisk-Users] Asterisk Security Audit?

2004-03-30 Thread John Vogel
PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jim Rosenberg Sent: Tuesday, March 30, 2004 2:53 PM To: [EMAIL PROTECTED] Subject: [Asterisk-Users] Asterisk Security Audit? Has Asterisk ever been audited for common security holes, such as buffer overruns? A quick grep through the source for routines

Re: [Asterisk-Users] Asterisk Security Audit?

2004-03-30 Thread Steven Critchfield
On Tue, 2004-03-30 at 16:53, Jim Rosenberg wrote: Has Asterisk ever been audited for common security holes, such as buffer overruns? A quick grep through the source for routines that should never be used, like strcpy, strcat, etc., reveals a lot of it. I fear I fear. These functions aren't

Re: [Asterisk-Users] Asterisk Security vulnerability report

2003-09-11 Thread Steve Meyers
On Wed, 2003-09-10 at 21:06, Tilghman Lesher wrote: Odd, I've found CVS-current to be extremely stable, so I run it on all of our production machines. No machine is ever more than a couple weeks out of sync with CVS (except for a few machines in the field which I can't get to right now). The

Re: [Asterisk-Users] Asterisk Security vulnerability report

2003-09-11 Thread Michael Sandee
What do you think a segfault is, eh? Please learn the basics before commenting on this. As the advisory clearly points out, you can fully overwrite the saved return address. Depending on the system you use (by default on Linux/FreeBSD all are possible) you can either alter the execution

Re: [Asterisk-Users] Asterisk Security vulnerability report

2003-09-11 Thread Steven Critchfield
On Wed, 2003-09-10 at 22:06, Tilghman Lesher wrote: On Wednesday 10 September 2003 14:32, Chris Albertson wrote: Read the security vulnerability. It referenced CVS as of a certain date. If you aren't keeping up with CVS changes, why are you running CVS at all? One

Re: [Asterisk-Users] Asterisk Security vulnerability report

2003-09-11 Thread James Sizemore
If one is using SIP the CVS-current can be extremely unstable. I would say about half the time I have tried a new CVS checkout on a test box. (about once a week) I have had lockups or missing features. I like Asterisk and CVS but with out testing in a semi large environment the cvs -current is

Re: [Asterisk-Users] Asterisk Security vulnerability report

2003-09-10 Thread Steven Critchfield
On Wed, 2003-09-10 at 10:51, Olle E. Johansson wrote: Lubomir Christov wrote: today I found this security report regarding Asterisk SIP Security. http://www.securiteam.com/securitynews/5LP0720B5G.html Important information. Why a silent patch and no information to the mailing list?

Re: [Asterisk-Users] Asterisk Security vulnerability report

2003-09-10 Thread Olle E. Johansson
Steven Critchfield wrote: I've added a security page to the Wiki: http://www.voip-info.org/tiki-index.php?page=Asterisk+security Maybe there should also be a link for best practices with respect to dial plan layout. I guess since this is my second comment on the wiki, I should log in and

Re: [Asterisk-Users] Asterisk Security vulnerability report

2003-09-10 Thread Tilghman Lesher
On Wednesday 10 September 2003 10:51 am, Olle E. Johansson wrote: Lubomir Christov wrote: today I found this security report regarding Asterisk SIP Security. http://www.securiteam.com/securitynews/5LP0720B5G.html Important information. Why a silent patch and no information to the

Re: [Asterisk-Users] Asterisk Security vulnerability report

2003-09-10 Thread Olle E. Johansson
Tilghman Lesher wrote: On Wednesday 10 September 2003 10:51 am, Olle E. Johansson wrote: Lubomir Christov wrote: today I found this security report regarding Asterisk SIP Security. http://www.securiteam.com/securitynews/5LP0720B5G.html Important information. Why a silent patch and no

Re: [Asterisk-Users] Asterisk Security vulnerability report

2003-09-10 Thread Tilghman Lesher
On Wednesday 10 September 2003 01:04 pm, Olle E. Johansson wrote: Tilghman Lesher wrote: On Wednesday 10 September 2003 10:51 am, Olle E. Johansson wrote: Lubomir Christov wrote: today I found this security report regarding Asterisk SIP Security.

Re: [Asterisk-Users] Asterisk Security vulnerability report

2003-09-10 Thread Brian West
Also it wasn't a proven exploit. They said it could allow an attacker to obtain remote and unauthenticated access. And if pigs could fly I would be a rich man! bkw Read the security vulnerability. It referenced CVS as of a certain date. If you aren't keeping up with CVS changes, why are

Re: [Asterisk-Users] Asterisk Security vulnerability report

2003-09-10 Thread Steven Critchfield
On Wed, 2003-09-10 at 13:16, Tilghman Lesher wrote: On Wednesday 10 September 2003 01:04 pm, Olle E. Johansson wrote: Tilghman Lesher wrote: On Wednesday 10 September 2003 10:51 am, Olle E. Johansson wrote: Lubomir Christov wrote: today I found this security report regarding Asterisk SIP

Re: [Asterisk-Users] Asterisk Security vulnerability report

2003-09-10 Thread Fearghas McKay
At 11:37 -0500 10/9/03, Tilghman Lesher wrote: Probably because Mark doesn't have time to realize that somebody is going to publish a temporary vulnerability that he fixes in 5 minutes. When someone points out a bug in my own programs, I'll go fix it, but I don't usually then publish a

Re: [Asterisk-Users] Asterisk Security vulnerability report

2003-09-10 Thread wasim
On Wed, 10 Sep 2003, Fearghas McKay wrote: It has certainly caused some fervent checking amongst users I know, and since the last release was some months ago if the vulnerability was present then there will be users who have had to move from taking a stable build to building from CVS, which

Re: [Asterisk-Users] Asterisk Security vulnerability report

2003-09-10 Thread Fearghas McKay
At 13:16 -0500 10/9/03, Tilghman Lesher wrote: Read the security vulnerability. It referenced CVS as of a certain date. If you aren't keeping up with CVS changes, why are you running CVS at all? The security advisory merely says update using CVS to a date later than Aug 15. It does not

Re: [Asterisk-Users] Asterisk Security vulnerability report

2003-09-10 Thread Chris Albertson
Read the security vulnerability. It referenced CVS as of a certain date. If you aren't keeping up with CVS changes, why are you running CVS at all? One would hope people are not using the latest CVS checkup as their production system. Most sane people do a bit better quality control and

Re: [Asterisk-Users] Asterisk Security vulnerability report

2003-09-10 Thread Michael Sandee
'proven'? Why post this bs... read the advisory, clearly shows they made one and tested. Second its trivial to make one, if you see what is wrong in the code. Original advisory should have been posted here at the date of release, or announced by someone, but it wasn't... I guess some people

Re: [Asterisk-Users] Asterisk Security vulnerability report

2003-09-10 Thread Brian West
Because as the advisory pointed out it could happen. The likely thing to happen would be a segfault. Then again it should have been pointed out instead of silently updated. bkw On Wed, 10 Sep 2003, Michael Sandee wrote: 'proven'? Why post this bs... read the advisory, clearly shows they made

Re: [Asterisk-Users] Asterisk Security vulnerability report

2003-09-10 Thread Brian Jones
[EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Wednesday, September 10, 2003 3:32 PM Subject: Re: [Asterisk-Users] Asterisk Security vulnerability report Read the security vulnerability. It referenced CVS as of a certain date. If you aren't keeping up with CVS changes, why are you running

Re: [Asterisk-Users] Asterisk Security vulnerability report

2003-09-10 Thread Adam Hart
By exploiting this vulnerability, @stake managed to obtain access to the remote host in question. - Original Message - From: Brian West [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Thursday, September 11, 2003 10:16 AM Subject: Re: [Asterisk-Users] Asterisk Security vulnerability

Re: [Asterisk-Users] Asterisk Security vulnerability report

2003-09-10 Thread Tilghman Lesher
On Wednesday 10 September 2003 14:32, Chris Albertson wrote: Read the security vulnerability. It referenced CVS as of a certain date. If you aren't keeping up with CVS changes, why are you running CVS at all? One would hope people are not using the latest CVS checkup as

Re: [Asterisk-Users] Asterisk Security vulnerability report

2003-09-10 Thread Chris Albertson
What I do periodically is a recursive grep of all my source code for strcat() and the like. In EVERY case, there is NO reason to use strcat() and it should be replaced with either strlcat() or strncat() same for sprintf, strcpy and so on. The l versions should be preferred over the n versions

Re: [Asterisk-Users] Asterisk Security vulnerability report

2003-09-09 Thread Brian Jones
: [Asterisk-Users] Asterisk Security vulnerability report Hello, today I found this security report regarding Asterisk SIP Security. http://www.securiteam.com/securitynews/5LP0720B5G.html Maybe It could help somebody who isn't using a newer than 15th of August cvs version. Best regards Lubo

Re: [Asterisk-Users] Asterisk Security vulnerability report

2003-09-09 Thread Steven Critchfield
Christov [EMAIL PROTECTED] To: [EMAIL PROTECTED]; [EMAIL PROTECTED] Sent: Tuesday, September 09, 2003 3:54 PM Subject: [Asterisk-Users] Asterisk Security vulnerability report Hello, today I found this security report regarding Asterisk SIP Security. http://www.securiteam.com

[Asterisk-Users] Asterisk Security vulnerability report

2003-09-09 Thread Lubomir Christov
Hello, today I found this security report regarding Asterisk SIP Security. http://www.securiteam.com/securitynews/5LP0720B5G.html Maybe It could help somebody who isn't using a newer than 15th of August cvs version. Best regards Lubo