Sebastian Arcus
2013-Jan-23 17:20 UTC
[asterisk-users] Is there a need to secure RTP ports?
I have an Asterisk server with one SIP trunk to a SIP provider. As my server registers with the SIP provider, I don't have any SIP ports open at my end to the Internet. However, I have the RTP ports open (as SIP has some trouble with my NAT). My question is - what are the vulnerabilities in this scenario at my end? I suppose some man-in-the-middle or eavesdropping attack is always a possibility - but that aside, is there anything that will attack RTP ports on Asterisk when there are no SIP ports open? I was looking into installing fail2ban - until I realised that there is no SIP port exposed for an attacker to poke at. Searching on Google for "secure RTP ports" keeps on bringing up results about SRTP - which is not exactly the answer to my question. Thank you
Danny Nicholas
2013-Jan-23 17:27 UTC
[asterisk-users] Is there a need to secure RTP ports?
As I am going to mis-explain this, an Asterisk SIP call originates on port 5060 (incoming or outgoing) then uses two RTP ports for audio in and audio out. Police and Hackers can tap into the RTP ports to monitor your conversations (I don't really know if the capabilities stop there) but you can limit your exposure by changing the default 10000-20000 range to a range of 4 per anticipated calls simultaneously. If you have 5 phones in your shop, you aren't going to make 2500 simultaneous calls (just seems like telemarketers can do this). Change the 10000-20000 to 10001-10040 for a 5 phone shop. This lets all 5 phones have two calls going at once.
Carlos Alvarez
2013-Jan-23 17:33 UTC
[asterisk-users] Is there a need to secure RTP ports?
On Wed, Jan 23, 2013 at 10:20 AM, Sebastian Arcus <shop at open-t.co.uk> wrote:

> I have an Asterisk server with one SIP trunk to a SIP provider. As my
> server registers with the SIP provider, I don't have any SIP ports open at
> my end to the Internet. However, I have the RTP ports open (as SIP has some
> trouble with my NAT). My question is - what are the vulnerabilities in this
> scenario at my end? I suppose some man-in-the-middle or eavesdropping
> attack is always a possibility - but that aside, is there anything that
> will attack RTP ports on Asterisk when there are no SIP ports open? I was
> looking into installing fail2ban - until I realised that there is no SIP
> port exposed for an attacker to poke at.

I've been working in IP telephony for about ten years. I've never once heard of any attack on the RTP ports. While you can never say anything is "impossible" there's simply nothing listening on those ports. It's probably possible to have a DOS attack where someone starts sending RTP to all of your ports and they would interfere with a call, but they couldn't do more than that. That could work if your router has full cone NAT and a lot of other things fall into place. Still kind of out there as a real threat.

--
Carlos Alvarez
TelEvolve
602-889-3003
2013-01-23 18:20, Sebastian Arcus wrote:

> I have an Asterisk server with one SIP trunk to a SIP provider. As my
> server registers with the SIP provider, I don't have any SIP ports open
> at my end to the Internet. However, I have the RTP ports open (as SIP
> has some trouble with my NAT).

You could try iptables with ip_conntrack_sip and ip_nat_sip. If they are loaded and you accept calls from your SIP provider on port 5060, iptables inspects the SIP/SDP and traffic from the endpoints is considered RELATED. I've some research/testing to do myself on this topic (it's on my always growing todo-list of doom.. :-) Maybe you should check it out?

--
Johan Wilfer
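
Added example, not part of any post in this thread: a shell script that combines the RTP range sizing suggested above (4 ports per anticipated simultaneous call) with the SIP conntrack helper approach, so RTP is accepted only as RELATED traffic. Assumptions: iptables runs on the Asterisk host itself, 192.0.2.10 is a placeholder for the provider's address, nf_conntrack_sip is the current kernel name for the module the thread calls ip_conntrack_sip, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example; function names and the provider address are placeholders.

# rtp_range CALLS [START]: print "START END", sized at 4 ports per
# anticipated simultaneous call (the sizing suggested in the thread).
rtp_range() {
    calls=$1
    start=${2:-10001}
    case "$calls" in
        ''|*[!0-9]*) echo "calls must be a positive integer" >&2; return 1 ;;
    esac
    [ "$calls" -ge 1 ] || { echo "calls must be >= 1" >&2; return 1; }
    end=$((start + calls * 4 - 1))
    [ "$end" -le 65535 ] || { echo "range runs past port 65535" >&2; return 1; }
    echo "$start $end"
}

# rtp_conf CALLS: print the matching Asterisk rtp.conf settings.
rtp_conf() {
    range=$(rtp_range "$1") || return 1
    set -- $range            # split "START END" into $1 and $2
    printf '[general]\nrtpstart=%s\nrtpend=%s\n' "$1" "$2"
}

# sip_helper_rules PROVIDER_IP CALLS: print (not apply) the commands that
# attach the SIP helper to signalling with the provider, accept the media
# it marks RELATED, and drop everything else aimed at the RTP range.
sip_helper_rules() {
    provider=$1
    range=$(rtp_range "$2") || return 1
    set -- $range
    cat <<EOF
modprobe nf_conntrack_sip
iptables -t raw -A OUTPUT -p udp -d $provider --dport 5060 -j CT --helper sip
iptables -t raw -A PREROUTING -p udp -s $provider --dport 5060 -j CT --helper sip
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p udp -s $provider --dport 5060 -j ACCEPT
iptables -A INPUT -p udp --dport $1:$2 -j DROP
EOF
}

# 5 phones with two calls each = 10 simultaneous calls.
rtp_conf 10
sip_helper_rules 192.0.2.10 10
```

The DROP rule only takes effect if no earlier INPUT rule already accepts the whole RTP range. On a separate Linux NAT gateway the same matches belong in the FORWARD chain, with nf_nat_sip loaded as well.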