I beg to differ. Digium is hiding from the real world and somebody is going to take the software and run with it. My customers lost in excess of $50.000 and cut my pay in half, because of hackers. The hackers figured out how to scan every asterisk for weak passwords or open ports, and bang them real good. We need two things: a) disable in sip.conf the reply for INVITES that have wrong user information, and also, b) disable any response to any REGISTER packet altogether. Can somebody please write a patch? Or should we go broke trying to stop the flood of criminals coming from abroad?

Federico

On Sat, Jul 23, 2011 at 1:00 PM, <asterisk-users-request at lists.digium.com> wrote:
> Send asterisk-users mailing list submissions to
>        asterisk-users at lists.digium.com
>
> To subscribe or unsubscribe via the World Wide Web, visit
>        http://lists.digium.com/mailman/listinfo/asterisk-users
> or, via email, send a message with subject or body 'help' to
>        asterisk-users-request at lists.digium.com
>
> You can reach the person managing the list at
>        asterisk-users-owner at lists.digium.com
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of asterisk-users digest..."
>
>
> Today's Topics:
>
>   1. Re: use dahdi for local terminal modem access? (Lyle Giese)
>   2. dialplan pattern help (Armand Fumal)
>   3. Re: Securing Asterisk - How to avoid sending, "SIP/2.0 603
>      Declined" (Patrick Lists)
>   4. Re: Securing Asterisk - How to avoid sending, "SIP/2.0 603
>      Declined" (Paul Belanger)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Sat, 23 Jul 2011 09:29:26 -0500
> From: Lyle Giese <lyle at lcrcomputer.net>
> Subject: Re: [asterisk-users] use dahdi for local terminal modem
>        access?
> To: asterisk-users at lists.digium.com
> Message-ID: <4E2ADAC6.4010101 at lcrcomputer.net>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
>
> On 07/22/11 22:47, William Stillwell wrote:
>> Um, no VOIP involved here.
>
> Wrong.  What do you think Asterisk is?  Chopped meat?  It's a VoIP
> switch.  All traffic inside Asterisk is VoIP.
>
>>
>> I have an asterisk server with 2 23B+D PRI's
>>
>> I want to telnet/ssh into the asterisk server, and make an outbound call
>> serial based modem/terminal connection (Like the 80/90's BBS Days).
>>
>> No TCP/IP or PPP or craziness
>>
>> (ie, dialing into a Modem set to AA hooked to a Cisco Console Port)
>>
>>
>>
>>> -----Original Message-----
>>> From: asterisk-users-bounces at lists.digium.com [mailto:asterisk-users-
>>> bounces at lists.digium.com] On Behalf Of Lyle Giese
>>> Sent: Friday, July 22, 2011 8:07 PM
>>> To: asterisk-users at lists.digium.com
>>> Subject: Re: [asterisk-users] use dahdi for local terminal modem
>>> access?
>>>
>>> On 07/22/11 18:13, William Stillwell wrote:
>>>> I have some terminals that have phone lines.
>>>>
>>>> One of my tech had an idea of using IAXmodem or something similar to
>>> use
>>>> existing PRI/DAHDI Trunks for dial out via the asterisk/Linux
>>> console.
>>>>
>>>> Anybody ever heard of doing this?
>>>>
>>>> I would think maybe would use iaxmodem maybe and a shell terminal
>>> app?
>>>>
>>>> (basically I'm dialing into a remote access device that uses a pots
>>> like
>>>> for remote administration, and don't want to string a channel bank
>>> off
>>>> my asterisk box, and a hook to a modem)
>>>>
>>>>
>>>>
>>>> --
>>>
>>> Depends on your expectation.  Because of compression in the codecs, it
>>> will be hard to get fast dialup.  If you mean ssh or telnet, it might
>>> work.  If you mean vnc or RDP over this, you may not get enough usable
>>> bandwidth to do that.
>>>
>>> Given this, I have in an emergency dialed into a RAS server via a VoIP
>>> line. My laptop connected at 14,400bps.  All I needed to do was telnet
>>> into an APC masterswitch to toggle power on one outlet.  It worked.
>>>
>>> I was surprised at getting a 14,400bps connect.  I was not expecting
>>> that high and really did not need that high.  300 baud probably would
>>> have been fast enough to telnet into an APC masterswitch.
>>>
>>> Lyle Giese
>>> LCR Computer Services, Inc.
>>>
>>> --
>>> _____________________________________________________________________
>>> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
>>> New to Asterisk? Join us for a live introductory webinar every Thurs:
>>>                http://www.asterisk.org/hello
>>>
>>> asterisk-users mailing list
>>> To UNSUBSCRIBE or update options visit:
>>>    http://lists.digium.com/mailman/listinfo/asterisk-users
>>
>
>
>
>
> ------------------------------
>
> Message: 2
> Date: Sat, 23 Jul 2011 14:30:42 +0000
> From: Armand Fumal <af at cybernet.lu>
> Subject: [asterisk-users] dialplan pattern help
> To: "asterisk-users at lists.digium.com"
>        <asterisk-users at lists.digium.com>
> Message-ID:
>        <2584E1ABC3629C4D85A61B8DC4D27297096F1432 at EXCHANGELU.lu.cybernet.local>
>
> Content-Type: text/plain; charset="us-ascii"
>
> Hi all,
>
> I need help to make a pattern for a special case that I can't find the solution for.
>
> In my case I want to match these in one pattern:
>
> This is the same ext that can come in 4 cases
>
> exten => _42704701,1,Macro(dialfax,${EXTEN:-8})         ; case with 42704701
> exten => _X42704701,1,Macro(dialfax,${EXTEN:-8})        ; case with 042704701
> exten => _XXXX42704701,1,Macro(dialfax,${EXTEN:-8})     ; case with +3242704701
> exten => _XXX42704701,1,Macro(dialfax,${EXTEN:-8})      ; case with 3242704701
>
> I have tried _.42704701 but the parser stops checking after the point "."    :-(
>
> So do you have any suggestion?
>
> Regards
>
> Armand Fumal
>
>
>
>
> ------------------------------
>
> Message: 3
> Date: Sat, 23 Jul 2011 17:48:44 +0200
> From: Patrick Lists <asterisk-list at puzzled.xs4all.nl>
> Subject: Re: [asterisk-users] Securing Asterisk - How to avoid
>        sending, "SIP/2.0 603 Declined"
> To: Asterisk Users Mailing List - Non-Commercial Discussion
>        <asterisk-users at lists.digium.com>
> Message-ID: <4E2AED5C.9080901 at puzzled.xs4all.nl>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> On 07/23/2011 04:00 PM, Paul Belanger wrote:
>> A UAS rejecting an offer contained in an INVITE SHOULD return a 488
>> (Not Acceptable Here) response. Such a response SHOULD include a
>> Warning header field value explaining why the offer was rejected.
>
> If the choice is to get hacked/DDOS'ed/etc or compliance with an RFC
> created by people who had no appreciation for the rather ugly world out
> there then why not throw the RFC out of the window and *not* reject an
> invite with a 488? It sounds like an interesting option to add to
> "10"/trunk. Better secure than compliant & sorry. Why not do a little
> Microsoft Embrace & Extend? Like e.g. Sonus and Cisco do with their
> interpretation of SIP.
>
> Regards,
> Patrick
>
>
>
> ------------------------------
>
> Message: 4
> Date: Sat, 23 Jul 2011 12:07:49 -0400
> From: Paul Belanger <pabelanger at digium.com>
> Subject: Re: [asterisk-users] Securing Asterisk - How to avoid
>        sending, "SIP/2.0 603 Declined"
> To: asterisk-users at lists.digium.com
> Message-ID: <4E2AF1D5.80305 at digium.com>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> On 11-07-23 11:48 AM, Patrick Lists wrote:
>> On 07/23/2011 04:00 PM, Paul Belanger wrote:
>>> A UAS rejecting an offer contained in an INVITE SHOULD return a 488
>>> (Not Acceptable Here) response. Such a response SHOULD include a
>>> Warning header field value explaining why the offer was rejected.
>>
>> If the choice is to get hacked/DDOS'ed/etc or compliance with an RFC
>> created by people who had no appreciation for the rather ugly world out
>> there then why not throw the RFC out of the window and *not* reject an
>> invite with a 488? It sounds like an interesting option to add to
>> "10"/trunk. Better secure than compliant & sorry. Why not do a little
>> Microsoft Embrace & Extend? Like e.g. Sonus and Cisco do with their
>> interpretation of SIP.
>>
> Personally, I don't see this as a solution.  SIP already provides some
> ability to help with security (EG: TLS, SRTP) however that is basically
> the extent of it.
>
> The way I see it, it is outside the scope of SIP; it's a signaling
> protocol. If 'security' is really something you want to establish, many
> existing tools are available to handle this (EG: VPN, firewalls,
> encryption, etc).
>
> As previously mentioned, there is no easy, simple solution. Securing
> one's services takes work (and time) to do it right.  Most people don't
> want to spend the effort monitoring it.
>
> --
> Paul Belanger
> Digium, Inc. | Software Developer
> twitter: pabelanger | IRC: pabelanger (Freenode)
> Check us out at: http://digium.com & http://asterisk.org
>
>
>
> ------------------------------
>
> _______________________________________________
> --Bandwidth and Colocation Provided by http://www.api-digital.com--
>
> AstriCon 2010 - October 26-28 Washington, DC
> Register Now: http://www.astricon.net/
>
> asterisk-users mailing list
> To UNSUBSCRIBE or update options visit:
>   http://lists.digium.com/mailman/listinfo/asterisk-users
>
> End of asterisk-users Digest, Vol 84, Issue 44
> **********************************************
>
Why not firewall hack attempts after 3 tries? When we started doing that the quantity of hacking attempts dropped right off. We also set up our own fail2ban sharing server so that we could share the bans across multiple servers. Have a look at http://www.f2bshare.org/index.php?title=Main_Page if you want to do something similar.

Why try to make Asterisk into something it's not intended to be? Just use your firewall for what it's good at.

--
Darren Wiebe

On 7/23/11 11:38 AM, CDR wrote:
> I beg to differ. Digium is hiding from the real world and somebody is
> going to take the software and run with it. My customers lost in excess
> of $50.000 and cut my pay in half, because of hackers. The hackers
> figured out how to scan every asterisk for weak passwords or open
> ports, and bang them real good. We need two things: a) disable in
> sip.conf the reply for INVITES that have wrong user information, and
> also, b) disable any response to any REGISTER packet altogether. Can
> somebody please write a patch? Or should we go broke trying to stop the
> flood of criminals coming from abroad?
> Federico
>
> On Sat, Jul 23, 2011 at 1:00 PM,
> <asterisk-users-request at lists.digium.com> wrote:
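The "firewall after 3 tries" check Darren describes, written out as an added example for this thread (it is neither fail2ban's code nor anything from the Asterisk project). It reads chan_sip failed-registration log lines (the line shape is an assumption; the sample lines are constructed), counts failures per source inside a sliding window the way fail2ban's maxretry/findtime do, and renders the firewall rule text for the sources that cross the threshold.

```python
"""Fail2ban-style ban logic for Asterisk SIP registration brute force.

Added example for this thread; it is neither fail2ban's code nor anything
from the Asterisk project. The log line shape below is an assumption based
on chan_sip NOTICE messages; adjust LOG_RE if your version words them
differently.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed chan_sip "Registration from ... failed for ..." line shape.
LOG_RE = re.compile(
    r"^\[(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})\] NOTICE\[\d+\] "
    r"chan_sip\.c: Registration from '.*' failed for "
    r"'(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?' - (?P<reason>.+)$"
)
# Reasons that indicate a guess at a user or a password, not a misconfigured phone.
FAIL_REASONS = {"Wrong password", "No matching peer found", "Username/auth name mismatch"}

MAXRETRY = 3                       # Darren's "after 3 tries" (fail2ban: maxretry)
FINDTIME = timedelta(minutes=10)   # window the tries must fall in (fail2ban: findtime)
LOG_YEAR = 2011                    # Asterisk timestamps carry no year; assumed for the samples

# Constructed sample log: one scanner hammering three usernames in two seconds,
# one slow source spread over 30 minutes, and a line the pattern should ignore.
SAMPLE_LOG = """\
[Jul 23 13:38:01] NOTICE[2045] chan_sip.c: Registration from '"100" <sip:100@192.0.2.5>' failed for '198.51.100.7:5060' - Wrong password
[Jul 23 13:38:02] NOTICE[2045] chan_sip.c: Registration from '"101" <sip:101@192.0.2.5>' failed for '198.51.100.7:5060' - No matching peer found
[Jul 23 13:38:02] NOTICE[2045] chan_sip.c: Registration from '"102" <sip:102@192.0.2.5>' failed for '198.51.100.7:5060' - No matching peer found
[Jul 23 13:40:10] NOTICE[2045] chan_sip.c: Registration from '"200" <sip:200@192.0.2.5>' failed for '203.0.113.9:5060' - Wrong password
[Jul 23 13:55:10] NOTICE[2045] chan_sip.c: Registration from '"200" <sip:200@192.0.2.5>' failed for '203.0.113.9:5060' - Wrong password
[Jul 23 14:10:10] NOTICE[2045] chan_sip.c: Registration from '"200" <sip:200@192.0.2.5>' failed for '203.0.113.9:5060' - Wrong password
[Jul 23 14:11:00] VERBOSE[2045] chan_sip.c: -- Registered SIP '200' at 192.0.2.77:5060
"""


def parse_line(line):
    """Return (timestamp, source_ip, reason) for a failed-registration line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"], m["reason"]


def find_bans(lines, maxretry=MAXRETRY, findtime=FINDTIME):
    """Map source IP -> time it crossed maxretry failures within findtime."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    bans = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, reason = parsed
        if reason not in FAIL_REASONS or ip in bans:
            continue
        window = recent[ip]
        window.append(ts)
        while window and ts - window[0] > findtime:
            window.popleft()       # slow, spread-out failures age out, as in fail2ban
        if len(window) >= maxretry:
            bans[ip] = ts
    return bans


def iptables_rules(bans):
    """Render one DROP rule per banned source as text; nothing here executes it."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(bans)]


if __name__ == "__main__":
    for rule in iptables_rules(find_bans(SAMPLE_LOG.splitlines())):
        print(rule)
```

With the 10-minute window only the fast scanner is banned; widening findtime to an hour also catches the slow source, which is the trade-off the window setting controls.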
On 11-07-23 01:38 PM, CDR wrote:
> I beg to differ. Digium is hiding from the real world and somebody is
> going to take the software and run with it. My customers lost in excess
> of $50.000 and cut my pay in half, because of hackers. The hackers
> figured out how to scan every asterisk for weak passwords or open
> ports, and bang them real good. We need two things: a) disable in
> sip.conf the reply for INVITES that have wrong user information, and
> also, b) disable any response to any REGISTER packet altogether. Can
> somebody please write a patch? Or should we go broke trying to stop the
> flood of criminals coming from abroad?
> Federico
>
I'm not sure I understand your statement. Because your customer was hacked for $50,000 and your pay was cut in half, it is a result of Digium (or the Asterisk project) 'hiding from the real world'?

Your previous point aside, may I ask how your client solved the problem? I'm assuming they are still operating an Asterisk box without the patches you have requested.

--
Paul Belanger
Digium, Inc. | Software Developer
twitter: pabelanger | IRC: pabelanger (Freenode)
Check us out at: http://digium.com & http://asterisk.org
> -----Original Message-----
> From: asterisk-users-bounces at lists.digium.com [mailto:asterisk-users-
> bounces at lists.digium.com] On Behalf Of CDR
> Sent: Saturday, July 23, 2011 1:39 PM
> To: asterisk-users at lists.digium.com
> Subject: [asterisk-users] Securing Asterisk
>
> I beg to differ. Digium is hiding from the real world and somebody is going
> to take the software and run with it. My customers lost in excess of $50.000 and
> cut my pay in half, because of hackers. The hackers figured out how to scan
> every asterisk for weak passwords or open ports, and bang them real good.
> We need two things: a) disable in sip.conf the reply for INVITES that have
> wrong user information, and also, b) disable any response to any REGISTER
> packet altogether. Can somebody please write a patch? Or should we go
> broke trying to stop the flood of criminals coming from abroad?
> Federico

We use fail2ban to prevent brute force password hacking. We don't allow weak passwords. This isn't rocket science.
On Sat, Jul 23, 2011 at 1:38 PM, CDR <venefax at gmail.com> wrote:
> I beg to differ. Digium is hiding from the real world and somebody is

Because you have no clue how to secure a box it's someone else's fault?

> going to take the software and run with it. My customers lost in excess
> of $50.000 and cut my pay in half, because of hackers. The hackers

You deserved being fired altogether. It was YOUR fault they hacked it.

> figured out how to scan every asterisk for weak passwords or open
> ports, and bang them real good. We need two things: a) disable in
> sip.conf the reply for INVITES that have wrong user information, and
> also, b) disable any response to any REGISTER packet altogether. Can
> somebody please write a patch? Or should we go broke trying to stop the
> flood of criminals coming from abroad?
> Federico
>
> On Sat, Jul 23, 2011 at 1:00 PM,
> <asterisk-users-request at lists.digium.com> wrote:
On 07/23/2011 11:39 PM, C F wrote:
> On Sat, Jul 23, 2011 at 1:38 PM, CDR<venefax at gmail.com> wrote:
>> I beg to differ. Digium is hiding from the real world and somebody is
>
> Because you have no clue how to secure a box it's someone else's fault?

Of course! Does Call Detail Record need to repeat himself?

--
Alex Balashov - Principal
Evariste Systems LLC
260 Peachtree Street NW
Suite 2200
Atlanta, GA 30303
Tel: +1-678-954-0670
Fax: +1-404-961-1892
Web: http://www.evaristesys.com/
The only way to cope with hackers would be for Digium to come to its senses and accept disabling any response to a REGISTER whose username is unknown. I cannot think of a good reason why Digium finds this proposal unacceptable, given the onslaught of hacking that we are seeing in the industry. It may take a single line of code and it would save millions of $$$. Not only because the hackers will never get in, but because we would save a huge CPU impact responding to hundreds of REGISTER attempts per minute. It is a no-brainer. Can the Powers that Be please reconsider and add this option to sip.conf? Please?
> Can the Powers that Be please reconsider and add this option to sip.conf?

What "Powers that Be"? This is open-source software! If you need an option in sip.conf, just add it!
On 23/07/11 18:38, CDR wrote:
> I beg to differ. Digium is hiding from the real world and somebody is
> going to take the software and run with it. My customers lost in excess
> of $50.000 and cut my pay in half, because of hackers. The hackers
> figured out how to scan every asterisk for weak passwords or open
> ports, and bang them real good. We need two things: a) disable in
> sip.conf the reply for INVITES that have wrong user information, and
> also, b) disable any response to any REGISTER packet altogether. Can
> somebody please write a patch? Or should we go broke trying to stop the
> flood of criminals coming from abroad?
> Federico
>

Not looking for an argument here but you are asking for a solution to a problem that doesn't exist. If you'd done your job properly in the first place you'd have put some basic intrusion detection on such as fail2ban, OSSEC or just a basic bash script of your own writing. The solution is already there and it's not trying to bodge Asterisk into a firewall application. If you'd done that (and instructions on how to are literally all over the Internet and this mailing list) then your customer wouldn't be $50,000 down, you'd still have your full pay and you'd not be asking for people to break Asterisk's SIP implementation (even more :P) in order to stop you having to do things the right way.

Sorry if the truth hurts...
This is turning into a political issue such as the one in Washington and the impending default on US debt. The point is that a minor change in the code would have a dramatic effect on security, and carry a lower impact on CPU than using iptables. The simplicity of the change cannot be understated. The hackers do not continue sending packets with new REGISTER attempts unless they see a response. They would move on. Digium is being monarchical about this. It looks like a loss of contact with reality. The vast ecosystem of Digium is made of hundreds of people like me. I am being forced now to place OpenSIPS in front of Asterisk, on port 5060, set Asterisk to listen on port 5061, and block access to 5061 from outside. Instead of a minor change, I have to bring a second application into the picture. The reason why I find using iptables and a rule that bans an IP address if it communicates more than a threshold of times useless is simple. I have customers that hit me 10+ times per second from the same IP. It would look like a hacker, and it is not. I use a cluster of Asterisk instances in the same box, a big server, and each Asterisk listens on its own network interface and responds from it. It does work. But iptables or fail2ban would not work in a wholesale scenario. Anyway, thanks for your attention.
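Tying the two previous posts together (the suggestion of fail2ban or a bash script of your own, and the objection that a plain per-IP threshold would ban legitimate customers who send 10+ requests a second), here is an added example that is not code from anyone in the thread: a POSIX shell pass over constructed Asterisk 1.8 chan_sip log lines that counts failed registrations per source IP, honours a whitelist of known high-volume customers, and prints the resulting iptables rules for review instead of applying them. The function names and sample addresses are this example's own assumptions.

```shell
# Added example (not from the thread): fail2ban-style pass over Asterisk 1.8
# chan_sip failure messages. Counts failed REGISTER attempts per source
# address, skips whitelisted customers, lists addresses that reach a threshold.
# Names (sample_log, ban_candidates, emit_drop_rules) are this example's own.

# Constructed sample in the format chan_sip writes to the messages log.
# 203.0.113.5 plays the scanner; 198.51.100.10 is a legitimate customer
# whose misconfigured phone also fails repeatedly.
sample_log() {
cat <<'EOF'
[Jul 23 12:00:01] NOTICE[1234] chan_sip.c: Registration from '"1001" <sip:1001@192.0.2.1>' failed for '203.0.113.5:5060' - No matching peer found
[Jul 23 12:00:01] NOTICE[1234] chan_sip.c: Registration from '"1002" <sip:1002@192.0.2.1>' failed for '203.0.113.5:5060' - No matching peer found
[Jul 23 12:00:02] NOTICE[1234] chan_sip.c: Registration from '"1003" <sip:1003@192.0.2.1>' failed for '203.0.113.5:5060' - No matching peer found
[Jul 23 12:00:02] NOTICE[1234] chan_sip.c: Registration from '"100" <sip:100@192.0.2.1>' failed for '198.51.100.10:5060' - Wrong password
[Jul 23 12:00:03] NOTICE[1234] chan_sip.c: Registration from '"100" <sip:100@192.0.2.1>' failed for '198.51.100.10:5060' - Wrong password
[Jul 23 12:00:03] NOTICE[1234] chan_sip.c: Registration from '"100" <sip:100@192.0.2.1>' failed for '198.51.100.10:5060' - Wrong password
[Jul 23 12:00:04] NOTICE[1234] chan_sip.c: Registration from '"200" <sip:200@192.0.2.1>' failed for '203.0.113.77:5060' - Wrong password
EOF
}

# Usage: ban_candidates THRESHOLD "ip1 ip2 ..." < logfile
# Prints, one per line and sorted, each source IP whose failed
# registrations reach THRESHOLD and that is not in the whitelist.
ban_candidates() {
    awk -v threshold="$1" -v whitelist="$2" -v q="'" '
        BEGIN { n = split(whitelist, w, " "); for (k = 1; k <= n; k++) ok[w[k]] = 1 }
        /chan_sip.c: Registration from .* failed for / {
            i = index($0, "failed for " q)      # locate the quoted IP:port
            if (i == 0) next
            rest = substr($0, i + 12)           # text after the opening quote
            ipport = substr(rest, 1, index(rest, q) - 1)
            sub(/:[0-9]+$/, "", ipport)         # drop the port, keep the IP
            if (!(ipport in ok)) fails[ipport]++
        }
        END { for (ip in fails) if (fails[ip] >= threshold) print ip }
    ' | sort
}

# Turns the candidate list into iptables rules. They are printed, not
# applied, so the operator can review them before loading.
emit_drop_rules() {
    while read -r ip; do
        printf 'iptables -I INPUT -s %s -p udp --dport 5060 -j DROP\n' "$ip"
    done
}

# Stand-alone run: the customer is whitelisted, only the scanner is listed.
sample_log | ban_candidates 3 '198.51.100.10' | emit_drop_rules
```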