[asterisk-users] asterisk security....again

2011-02-28 Thread Rizwan Hisham
Hi all,
The problem I have been experiencing since last month is that some of my
customers are getting calls with Asterisk Unknown caller id. Most of
them in the middle of the night. And my asterisk server has no record of
these calls. The customers were getting irritated as you can imagine. I
guessed the only way to receive incoming calls by by-passing the
registration server is thru sip-uri calls directly to customers. I have
updated the customers' ATAs to not accept any calls from sources other than
the registration server. That's all fine now. But the question is how can
anyone know the direct sip uri addresses of our customers.

My guess is that someone has been sniffing my server's sip traffic. In that
case what should I do to get rid of the sniffers?

If you think there is another reason for that then please tell me even if
you don't have the solution.

Thanks

-- 
Best Regards
Rizwan Qureshi
VoIP/Asterisk Engineer
Axvoice Inc.
V: +92 (0)  6767 26
E: rizwanhas...@gmail.com
W: www.axvoice.com
--
_
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
   http://www.asterisk.org/hello

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users

Re: [asterisk-users] asterisk security....again

2011-02-28 Thread Steven Howes
On 28 Feb 2011, at 10:33, Rizwan Hisham wrote:
> The problem I have been experiencing since last month is that some of my
> customers are getting calls with Asterisk Unknown caller id. Most of them
> in the middle of the night. And my asterisk server has no record of these
> calls. The customers were getting irritated as you can imagine. I guessed the
> only way to receive incoming calls by by-passing the registration server is
> thru sip-uri calls directly to customers. I have updated the customers' ATAs
> to not accept any calls from sources other than the registration server.
> That's all fine now. But the question is how can anyone know the direct sip
> uri addresses of our customers.

'asterisk security' is a misleading subject line. Guessing someone just scanned 
some IP addresses and made calls. You need what's called a 'firewall'.

> My guess is that someone has been sniffing my server's sip traffic. In that
> case what should I do to get rid of the sniffers?

It's hard to sniff without being on a network. Most likely they brute forced 
something?.. Get a firewall, and something to look for brute force attacks.

S

Re: [asterisk-users] asterisk security....again

2011-02-28 Thread A J Stiles
On Monday 28 Feb 2011, Steven Howes wrote:
> 'asterisk security' is a misleading subject line. Guessing someone just
> scanned some IP addresses and made calls. You need what's called a
> 'firewall'.

Well, assuming you're on Linux then you've already *got* a firewall.  Just add 
some iptables rules to admit only traffic from places it should be coming 
from.  This is a separate subject in its own right.  There are various GUI 
front ends available for configuring iptables, if you prefer.

> On 28 Feb 2011, at 10:33, Rizwan Hisham wrote:
> > My guess is that someone has been sniffing my server's sip traffic. In
> > that case what should I do to get rid of the sniffers?
>
> It's hard to sniff without being on a network. Most likely they brute
> forced something?.. Get a firewall, and something to look for brute force
> attacks.

Agreed; packet-sniffing would most probably have to have been an inside job, 
as packets not meant to leave your network don't -- *unless* you've got a 
wireless network, in which case they go everywhere the radio waves will take 
them.  Your wireless AP ought to have its own iptables  (yes, iptables:  most 
of them run Linux)  rules that you can configure through its web page, so as 
not to let anything telephonical go over wi-fi.

-- 
AJS

Answers come *after* questions.



Re: [asterisk-users] asterisk security....again

2011-02-28 Thread Ricardo Carvalho
Probably, you are receiving INVITE attacks from some tool like sipvicious.
You should rearrange your network to cover some important security issues.

The IP address of your server can be revealed in some unencrypted SIP
signaling of some call through the Internet to/from your server's client, or
simply by your client SRV record in the DNS, if you added it to his DNS.

Probably your network is exposed to the Internet. To address those
situations, you can use a distinct VLAN to address SIP phones and you also
can use port security at the switching ports where you connect your ATAs and
phones. You should also deliver with tagging (802.1Q) that VLAN to those
ATAs and phones. This should protect you from inside sniffers.
This VLAN should just communicate with the DMZ where you should have your
asterisk server and between those two networks you should only open the
needed ports - for a common SIP infrastructure you should open UDP 5060 and
the specified UDP range shown in rtp.conf file for the media to pass. Phones
VLAN should not communicate directly with the world, just in the outbound
direction if you like.

Regards,
Ricardo Carvalho.







Re: [asterisk-users] asterisk security....again

2011-02-28 Thread Rizwan Hisham
thanks for the replies.

I don't want to rule out the possibility of network sniffing. I am sure it's
not an inside job. The server is off-site and is hosted by a very well
reputed hosting company. So if someone is sniffing, what should I do?

> Probably, you are receiving INVITE attacks from some tool like sipvicious.
> You should rearrange your network to cover some important security issues.

I have tested sipvicious against my asterisk server already, it's been
secured that way.

> Probably your network is exposed to the Internet. To address those
> situations, you can use a distinct VLAN to address SIP phones and you also
> can use port security at the switching ports where you connect your ATAs and
> phones. You should also deliver with tagging (802.1Q) that VLAN to those
> ATAs and phones. This should protect you from inside sniffers.
> This VLAN should just communicate with the DMZ where you should have your
> asterisk server and between those two networks you should only open the
> needed ports - for a common SIP infrastructure you should open UDP 5060 and
> the specified UDP range shown in rtp.conf file for the media to pass.
> Phones VLAN should not communicate directly with the world, just in the
> outbound direction if you like.

I will talk to my network admin about this.

I don't have any wireless network interface to our server. And I am going to
apply that IP table thing to the server.

Any more suggestions please?

-- 
Best Regards
Rizwan Qureshi
VoIP/Asterisk Engineer
Axvoice Inc.
V: +92 (0)  6767 26
E: rizwanhas...@gmail.com
W: www.axvoice.com

Re: [asterisk-users] asterisk security....again

2011-02-28 Thread Terry Brummell
When he says customers I am assuming he means remote customers.  It
sounds like he is a reseller of telecom facilities to me.  Which means
his customers most likely have ATA's with port 5060 forwarded to the
ATA, or they are direct on the I'net.

He has already set the ATA to only allow calls from the proxy server, so
sounds like he has plugged the hole.

 

They are not 'sniffing' your traffic, they are guessing/scanning.
That's it, that's all, no great conspiracy going on.  They look for open
5060, then send SIP requests to it hopefully finding a badly implemented
SIP solution to which they can dial through.  Once they determine they
cannot get through, the script will move on to the next sucker.

 

You have a couple of options, which you could implement at *each* of
your customers if you wanted.  Set up a VPN, tunnel the SIP/RTP traffic
through it.  Set up IPTables at the customer to only allow SIP from your
IP.  Or, do what you have already done and forget about these idiots
doing the scan, they are harmless at this point.

 

Vlans and DMZ for the server do no good as the attacks are being
directed at the remote client side, not the server.

 

 


Re: [asterisk-users] asterisk security....again

2011-02-28 Thread Rizwan Hisham
You are right Terry. Sorry I did not describe full scenario before. Yes the
users are remote with ATAs on port 5060. Attacks on the remote customers was
my second guess. My network/system admin has already ruled out the
implementation of VPN. In summary, we don't want to do anything on remote
customer side. All kind of security and attack prevention techniques have to
be implemented on the server.

It's comforting to hear someone say they are harmless. But still I would
like to know their next step of attack after guessing/scanning. Or is it
the only step?

-- 
Best Regards
Rizwan Qureshi
VoIP/Asterisk Engineer
Axvoice Inc.
V: +92 (0)  6767 26
E: rizwanhas...@gmail.com
W: www.axvoice.com

Re: [asterisk-users] asterisk security....again

2011-02-28 Thread Rizwan Hisham
Any suggestions on encrypting the sip and rtp? I have done some googling on
it. Looks like it is not supported by most end point devices or service
providers. But still your thoughts will be appreciated on this subject.


Re: [asterisk-users] asterisk security....again

2011-02-28 Thread Kevin P. Fleming

On 02/28/2011 07:27 AM, Rizwan Hisham wrote:

> Any suggestions on encrypting the sip and rtp? I have done some googling
> on it. Looks like it is not supported by most end point devices or
> service providers. But still your thoughts will be appreciated on this
> subject.


You cannot protect a remote SIP endpoint from attacks via your server; 
that SIP endpoint is an endpoint itself, and if it can receive IP 
packets from attackers, it will process them. These packets don't go 
through your server, and encrypting the legitimate traffic between your 
server and the remote endpoint isn't going to make any difference at all.


The *only* way to address attacks like this is to modify the 
configuration of the remote endpoint to ignore all incoming packets that 
aren't from your server(s). Even that is not a perfect solution, though, 
because the attacker (if they are actually aware of your server and 
customers) can spoof the IP addresses of your server(s) in order to get 
the remote endpoints to at least accept an INVITE (they can't place a 
successful call through them using spoofing though).


--
Kevin P. Fleming
Digium, Inc. | Director of Software Technologies
445 Jan Davis Drive NW - Huntsville, AL 35806 - USA
skype: kpfleming | jabber: kflem...@digium.com
Check us out at www.digium.com  www.asterisk.org
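
The customer-side filtering that Terry Brummell and Kevin P. Fleming describe in this thread, together with the rtp.conf media range Ricardo Carvalho mentions, written out as an added example (not code from any poster or from the Asterisk project). It assumes a Linux router in front of the ATA, media that stays on the Asterisk server, constructed addresses (203.0.113.10 for the server, 192.168.1.50 for the ATA) and hypothetical helper names; as Kevin notes, source-address filtering does not stop an INVITE sent with a spoofed server address.

```sh
#!/bin/sh
# Added example: print (not apply) iptables rules that admit SIP and RTP
# to an ATA only from the provider's Asterisk server.

# Constructed sample of the server's rtp.conf; rtpstart/rtpend are the
# Asterisk keys that bound the UDP media port range.
SAMPLE_RTP_CONF='; rtp.conf (constructed sample)
[general]
rtpstart=10000   ; first media port
rtpend = 20000
'

# rtp_range CONF_TEXT -> prints "START:END"; fails on a missing or bad range.
rtp_range() {
    printf '%s\n' "$1" | awk -F= '
        { sub(/;.*/, "") }                        # strip ; comments
        /^[ \t]*\[/ { in_general = ($0 ~ /\[general\]/); next }
        in_general && NF == 2 {
            key = $1; val = $2
            gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val)
            if (key == "rtpstart") s = val
            if (key == "rtpend")   e = val
        }
        END {
            if (s !~ /^[0-9]+$/ || e !~ /^[0-9]+$/) exit 1
            if (s + 0 < 1 || e + 0 > 65535 || s + 0 >= e + 0) exit 1
            print s ":" e
        }'
}

# is_ipv4 ADDR -> succeeds only for a dotted quad with octets 0..255.
# The check also keeps shell metacharacters out of the generated commands.
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i + 0 > 255) exit 1 }'
}

# sip_rules SERVER_IP ATA_IP CONF_TEXT -> prints three FORWARD-chain rules:
#   1. SIP signalling from the server to the ATA is accepted
#   2. RTP sent by the server from its rtp.conf port range is accepted
#   3. SIP from any other source is dropped before it reaches the ATA
sip_rules() {
    server=$1 ata=$2
    is_ipv4 "$server" && is_ipv4 "$ata" || { echo "bad address" >&2; return 1; }
    range=$(rtp_range "$3") || { echo "bad rtp range" >&2; return 1; }
    cat <<EOF
iptables -A FORWARD -p udp -s $server -d $ata --dport 5060 -j ACCEPT
iptables -A FORWARD -p udp -s $server --sport $range -d $ata -j ACCEPT
iptables -A FORWARD -p udp -d $ata --dport 5060 -j DROP
EOF
}

# Show the rules for the constructed addresses.
sip_rules 203.0.113.10 192.168.1.50 "$SAMPLE_RTP_CONF"
```

The rules are printed for review rather than applied, so the output can be checked against the ATA's own "accept only from proxy" setting before anything is loaded.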



Re: [asterisk-users] asterisk security....again

2011-02-28 Thread Rizwan Hisham
Thanks Mr. Kevin.

Can anyone please also tell me which firewall is best suited for
asterisk/sip attack prevention? Is there any firewall built specially to
address sip security problems?

-- 
Best Regards
Rizwan Qureshi
VoIP/Asterisk Engineer
Axvoice Inc.
V: +92 (0)  6767 26
E: rizwanhas...@gmail.com
W: www.axvoice.com

Re: [asterisk-users] asterisk security....again

2011-02-28 Thread Jamie A. Stapleton
http://sipera.com/ is one such product.

From: asterisk-users-boun...@lists.digium.com 
[mailto:asterisk-users-boun...@lists.digium.com] On Behalf Of Rizwan Hisham
Sent: Monday, February 28, 2011 9:33 AM
To: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: Re: [asterisk-users] asterisk securityagain

Thanks Mr. Kevin.

Can anyone please also tell me which firewall is best suited for asterisk/sip 
attack prevention. Is there any firewall built specially to address sip 
security problems?
On Mon, Feb 28, 2011 at 6:38 PM, Kevin P. Fleming 
kpflem...@digium.commailto:kpflem...@digium.com wrote:
On 02/28/2011 07:27 AM, Rizwan Hisham wrote:
Any suggestions on encrypting the sip and rtp. I have done some googling
on it. looks like it is not supported by most end point devices or
service providers. But still your thoughts will be appreciated on this
subject.

You cannot protect a remote SIP endpoint from attacks via your server; that SIP 
endpoint is an endpoint itself, and if it can receive IP packets from 
attackers, it will process them. These packets don't go through your server, 
and encrypting the legitimate traffic between your server and the remote 
endpoint isn't going to make any difference at all.

The *only* way to address attacks like this is to modify the configuration of 
the remote endpoint to ignore all incoming packets that aren't from your 
server(s). Even that is not a perfect solution, though, because the attacker 
(if they are actually aware of your server and customers) can spoof the IP 
addresses of your server(s) in order to get the remote endpoints to at least 
accept an INVITE (they can't place a successful call through them using 
spoofing though).

--
Kevin P. Fleming
Digium, Inc. | Director of Software Technologies
445 Jan Davis Drive NW - Huntsville, AL 35806 - USA
skype: kpfleming | jabber: kflem...@digium.com
Check us out at www.digium.com  www.asterisk.org





--
Best Regards
Rizwan Qureshi
VoIP/Asterisk Engineer
Axvoice Inc.
V: +92 (0)  6767 26
E: rizwanhas...@gmail.com
W: www.axvoice.com


Re: [asterisk-users] asterisk security....again

2011-02-28 Thread satish patel

It could be possible they are not scanning your asterisk server. They are just 
scanning 5060, and in this case your ATA was caught by the scan directly; that's 
why you don't have any logs on the server side. Don't you have any setting in 
the ATA to specify an allowed IP address?

-Satish 

From: jstaple...@computer-business.com
To: asterisk-users@lists.digium.com
Date: Mon, 28 Feb 2011 10:27:33 -0500
Subject: Re: [asterisk-users] asterisk security....again



http://sipera.com/ is one such product.

From: asterisk-users-boun...@lists.digium.com 
[mailto:asterisk-users-boun...@lists.digium.com] On Behalf Of Rizwan Hisham
Sent: Monday, February 28, 2011 9:33 AM
To: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: Re: [asterisk-users] asterisk security....again

Thanks Mr. Kevin.

Can anyone please also tell me which firewall is best suited for asterisk/sip 
attack prevention? Is there any firewall built specially to address sip 
security problems?

On Mon, Feb 28, 2011 at 6:38 PM, Kevin P. Fleming 
kpflem...@digium.com wrote:
On 02/28/2011 07:27 AM, Rizwan Hisham wrote:
Any suggestions on encrypting the sip and rtp. I have done some googling
on it. Looks like it is not supported by most end point devices or
service providers. But still your thoughts will be appreciated on this
subject.

You cannot protect a remote SIP endpoint from attacks via your server; 
that SIP endpoint is an endpoint itself, and if it can receive IP packets from 
attackers, it will process them. These packets don't go through your server, 
and encrypting the legitimate traffic between your server and the remote 
endpoint isn't going to make any difference at all.

The *only* way to address attacks like this is to modify the configuration of 
the remote endpoint to ignore all incoming packets that aren't from your 
server(s). Even that is not a perfect solution, though, because the attacker 
(if they are actually aware of your server and customers) can spoof the IP 
addresses of your server(s) in order to get the remote endpoints to at least 
accept an INVITE (they can't place a successful call through them using 
spoofing though).

-- 
Kevin P. Fleming
Digium, Inc. | Director of Software Technologies
445 Jan Davis Drive NW - Huntsville, AL 35806 - USA
skype: kpfleming | jabber: kflem...@digium.com
Check us out at www.digium.com  www.asterisk.org


-- 
Best Regards
Rizwan Qureshi
VoIP/Asterisk Engineer
Axvoice Inc.
V: +92 (0)  6767 26
E: rizwanhas...@gmail.com
W: www.axvoice.com
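
Added example, not part of the original thread: the source filter that Kevin P. Fleming and satish patel describe above (the ATA ignores SIP that does not come from the provider's servers), run over constructed datagrams. The REGISTRARS list, all addresses (documentation ranges) and the sample packets are assumptions made for illustration.

```python
import ipaddress
import re

# Assumption: the provider's registration servers, in a documentation address range.
REGISTRARS = [ipaddress.ip_network("198.51.100.10/32"),
              ipaddress.ip_network("198.51.100.11/32")]

# Constructed sample: (source IP, raw datagram) as seen on an ATA's UDP port 5060.
PACKETS = [
    ("198.51.100.10", "INVITE sip:1001@203.0.113.7 SIP/2.0\r\nFrom: <sip:2002@example.net>;tag=a1\r\n\r\n"),
    ("192.0.2.55", "OPTIONS sip:100@203.0.113.7 SIP/2.0\r\nFrom: <sip:100@192.0.2.55>;tag=b2\r\n\r\n"),
    ("192.0.2.55", "INVITE sip:1001@203.0.113.7 SIP/2.0\r\nFrom: \"Asterisk\" <sip:Unknown@192.0.2.55>;tag=c3\r\n\r\n"),
    ("192.0.2.90", "SIP/2.0 200 OK\r\nFrom: <sip:1001@example.net>;tag=d4\r\n\r\n"),
    ("192.0.2.55", "not sip at all"),
]

REQUEST_LINE = re.compile(r"^([A-Z]+) (sips?:\S+) SIP/2\.0$")


def from_trusted_server(src):
    """True when the datagram's source address is one of the provider's servers."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in REGISTRARS)


def classify(src, datagram):
    """Return (verdict, kind) the way an ATA-side source filter would decide."""
    first = datagram.split("\r\n", 1)[0]
    match = REQUEST_LINE.match(first)
    if match:
        kind = match.group(1)
    else:
        kind = "RESPONSE" if first.startswith("SIP/2.0 ") else "MALFORMED"
    # The verdict rests on the source address alone, so a UDP datagram with a
    # forged server address is still accepted: the limit noted in the thread.
    return ("accept" if from_trusted_server(src) else "drop", kind)


def summarize(packets):
    """Count dropped messages per (source, kind) to expose scans and direct calls."""
    dropped = {}
    for src, datagram in packets:
        verdict, kind = classify(src, datagram)
        if verdict == "drop":
            dropped[(src, kind)] = dropped.get((src, kind), 0) + 1
    return dropped


if __name__ == "__main__":
    for (src, kind), count in sorted(summarize(PACKETS).items()):
        print(f"dropped {count} x {kind} from {src}")
```

The dropped INVITE from 192.0.2.55 is the kind of call that never appears in the server's own logs, because it reached the ATA directly.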