System information

These account scans take advantage of the fact that the response that comes back from
the server for a registration attempt will differ depending on whether or not the account
exists. If the account exists, the server will request authentication. If the account does
not exist, the server will immediately deny the registration attempt. This behavior is
just how the protocol is defined. This leads us to our second tip for Asterisk security:
Tip #2: Set alwaysauthreject to yes in the [general] section of /etc/asterisk/sip.conf. This
option tells Asterisk to respond as if every account is valid, which makes scanning for
valid usernames useless.
Authentication Weaknesses
The first section of this chapter discussed scanning for usernames. Even if you have
usernames that are difficult to guess, it is critical that you have strong passwords as
well. If an attacker is able to obtain a valid username, he will attempt to brute-force the
password. Strong passwords make this much more difficult to do.
The default authentication scheme for both the SIP and IAX2 protocols is weak.
Authentication is done using an MD5 challenge and response mechanism. If an attacker
is able to capture any call traffic, such as a SIP call made from a laptop on an open
wireless network, it will be much easier to work on brute-forcing the password since it
will not require authentication requests to the server.
Tip #3: Use strong passwords. There are countless resources available on the Internet
that help define what constitutes a strong password. There are also many strong password
generators available. Use them!
IAX2 provides the option of using key-based authentication, as well as full encryption
of a call. The SIP support in Asterisk includes TLS support, which provides encryption
for the SIP signaling.
Tip #4: If you are using IAX2, use key-based authentication. This is a much stronger
authentication method than the default MD5-based challenge-response method. For
further enhanced security with IAX2, use the option to encrypt the entire call. If you are
using SIP, use TLS to encrypt the SIP signaling. This will prevent an attacker from
capturing a successful authentication exchange with the server.
For more information about setting up IAX2 or SIP encryption, see Chapter 7.
Fail2ban
The last two sections discussed attacks involving scanning for valid usernames and
brute-forcing passwords. Fail2ban is an application that can watch your Asterisk logs
and update firewall rules to block the source of an attack in response to too many failed
authentication attempts.
Tip #5: Use Fail2ban when exposing Voice over IP services on untrusted networks to
automatically update the firewall rules to block the sources of attacks.
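As an added illustration of what Fail2ban does with the Asterisk log (this is example code written for this page, not Fail2ban's or Asterisk's own), the script below parses failed-registration NOTICE lines from chan_sip, applies Fail2ban-style maxretry/findtime counting per source address, and returns the addresses a jail would ban. The log lines are constructed for the example, loosely following the chan_sip message format, and the threshold values are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in the style of /var/log/asterisk/messages
# (not captured from a real system). Addresses are documentation ranges.
SAMPLE_LOG = """\
[2012-03-01 10:00:01] NOTICE[2187] chan_sip.c: Registration from '"100" <sip:100@198.51.100.7>' failed for '203.0.113.5' - Wrong password
[2012-03-01 10:00:02] NOTICE[2187] chan_sip.c: Registration from '"101" <sip:101@198.51.100.7>' failed for '203.0.113.5' - No matching peer found
[2012-03-01 10:00:03] NOTICE[2187] chan_sip.c: Registration from '"102" <sip:102@198.51.100.7>' failed for '203.0.113.5' - No matching peer found
[2012-03-01 10:00:04] NOTICE[2187] chan_sip.c: Registration from '"103" <sip:103@198.51.100.7>' failed for '203.0.113.5' - Wrong password
[2012-03-01 10:00:05] NOTICE[2187] chan_sip.c: Registration from '"104" <sip:104@198.51.100.7>' failed for '203.0.113.5' - Wrong password
[2012-03-01 10:05:00] NOTICE[2187] chan_sip.c: Registration from '"200" <sip:200@198.51.100.7>' failed for '192.0.2.44' - Wrong password
[2012-03-01 10:30:00] NOTICE[2187] chan_sip.c: Registration from '"200" <sip:200@198.51.100.7>' failed for '192.0.2.44' - Wrong password
"""

# Matches one failed REGISTER notice; the source host is the "failed for" address.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] NOTICE\[\d+\] chan_sip\.c: Registration from '.*?' "
    r"failed for '(?P<ip>[0-9.]+)' - (?P<reason>.+)$"
)

def parse_failures(text):
    """Return a list of (timestamp, source_ip, reason) for failed registrations."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            out.append((ts, m.group("ip"), m.group("reason")))
    return out

def hosts_to_ban(failures, maxretry=5, findtime=timedelta(minutes=10)):
    """Return source IPs with at least maxretry failures inside any findtime window.
    This mirrors Fail2ban's maxretry/findtime semantics (assumed defaults here):
    a sliding window over the failure timestamps of one host."""
    by_ip = defaultdict(list)
    for ts, ip, _reason in failures:
        by_ip[ip].append(ts)
    banned = set()
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > findtime:   # drop failures older than the window
                start += 1
            if end - start + 1 >= maxretry:
                banned.add(ip)
                break
    return banned
```

The second host fails only twice, 25 minutes apart, so it stays under the window and is not banned; the first host crosses the threshold within five seconds.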