<h1>Better SIP security</h1>
<p><em>Posted 2012-11-01 on cyber-cottage.co.uk (https://www.cyber-cottage.co.uk/?p=108), in the Knowledge category; tagged asterisk, digium, elastix, linux, security, technical, voip, xorcom.</em></p>
<p><strong>In Seven Steps</strong></p>
<p>Original text by J Todd, March 28th, 2009</p>
<p>In case any of you were wondering why there has been a fairly notable upswing in the attacks happening on SIP endpoints, the answer is “script kiddies.” In the last few months, a number of new tools have made it easy for knuckle-draggers to attack and defraud SIP endpoints, Asterisk-based systems included. There are easily available tools that scan networks looking for SIP hosts, then scan those hosts looking for valid extensions, and then scan the valid extensions looking for passwords.</p>
<p>You can take steps, NOW, to eliminate many of these problems. I think the community is interested in coming up with an integrated Asterisk-based solution that is much wider in scope for dynamic protection (community-shared blacklists is the current thinking), but that doesn’t mean you should wait for some new tool to defend your systems. You can IMMEDIATELY take fairly common-sense measures to protect your Asterisk server from the bulk of the scans and attacks that are on the increase. The methods and tools for protection already exist – just apply them, and you’ll be able to sleep more soundly at night.</p>
<p><strong>Seven Easy Steps to Better SIP Security on Asterisk:</strong></p>
<p><strong>1) Don’t accept SIP authentication requests from all IP addresses.</strong> Use the “permit=” and “deny=” lines in sip.conf to allow only a reasonable subset of IP addresses to reach each listed extension/user in your sip.conf file. Even if you accept inbound calls from “anywhere” (via [default]), don’t let those users reach authenticated elements!</p>
<p><strong>2) Set “alwaysauthreject=yes” in your sip.conf file.</strong> This option has been around for a while (since 1.2?), but the default is “no”, which allows extension information leakage. Setting this to “yes” will reject bad authentication requests on valid usernames with the same rejection information as for invalid usernames, denying remote attackers the ability to detect existing extensions with brute-force guessing attacks.</p>
<p><strong>3) Use STRONG passwords for SIP entities.</strong> This is probably the most important step you can take. Don’t just concatenate two words together and suffix them with “1” – if you’ve seen how sophisticated the password-guessing tools are, you’d understand that trivial obfuscation like that is a minor hindrance to a modern CPU. Use symbols, numbers, and a mix of upper- and lowercase letters, at least 12 characters long.</p>
<p><strong>4) Block your AMI manager ports.</strong> Use “permit=” and “deny=” lines in manager.conf to restrict inbound connections to known hosts only. Use strong passwords here too, again at least 12 characters with a complex mix of symbols, numbers, and letters.</p>
<p><strong>5) Allow only one or two calls at a time per SIP entity, where possible.</strong> Even in the worst case, this limits your exposure to toll fraud, which is a wise thing to do. It also limits your exposure when legitimate password holders on your system lose control of their passphrase – by writing it on the bottom of the SIP phone, for instance, which I’ve seen.</p>
<p><strong>6) Make your SIP usernames different from your extensions.</strong> While it is convenient to have extension “1234” map to SIP entry “1234”, which is also SIP user “1234”, this makes it easy for attackers to guess SIP authentication names. Use the MAC address of the device, or some sort of combination of a common phrase + extension, MD5-hashed (example: from a shell prompt, try “md5 -s ThePassword5000”).</p>
<p><strong>7) Ensure your [default] context is secure.</strong> Don’t allow unauthenticated callers to reach any contexts that allow toll calls. Permit only a limited number of active calls through your default context (use the “GROUP” function as a counter). Prohibit unauthenticated calls entirely (if you don’t want them) by setting “allowguest=no” in the [general] part of sip.conf.</p>
<p>These 7 basics will protect most people, but there are certainly other steps you can take that are more complex and reactive. Here is a <a title="Fail2Ban recipe" href="http://www.voip-info.org/wiki/view/Fail2Ban+%28with+iptables%29+And+Asterisk" target="_blank">fail2ban recipe</a> which might allow you to ban endpoints based on the volume of requests. There is discussion on the asterisk-users and asterisk-dev mailing lists of incorporating this type of functionality into Asterisk – let’s hear your ideas!</p>
<p>If you’d like to see an example of the tools that you’re up against, see <a title="sipautohack demo video" href="http://enablesecurity.com/products/enablesecurity-voippack-sipautohack-demo/" target="_blank">this demo video</a> of an automated attack tool that does scan, guess, and crack methods via a click-and-drool interface.</p>
<p>In summary: basic security measures will protect you against the vast majority of SIP-based brute-force attacks. Most of the SIP attackers are fools with tools – they are opportunists who see an easy way to defraud people who have not considered the costs of insecure methods. Asterisk has some methods to prevent the most obvious attacks from succeeding at the network level, but the most effective protections are administrative: password robustness and username obscurity.</p>
<p>JTodd<br />
<a title="View all posts in Digium" href="http://blogs.digium.com/tags/digium/" rel="category tag">Digium</a></p>