Asterisk security


#1

I have my astesisk box up and running now, and it is great.
I have several external voip phones but I am a paranoid guy, so I only allowing that particular IP in my firewall.
I have done all the other security tip, like fail2ban, alwaysauthreject=yes and so on.
But what I realy want is a way to allow that hardware to the asterisk. Is that possible? like a mac adress?

The reason is that the external klients have dynamic ip, so there is a lot of reporting ip back and forward.


#2

MAC-addresses would not help here as they aren’t available outside Your internal network.

The easiest way to get a good level of security for the external clients is to use contactpermit/contactdeny within Your sip-configuration if You’re able to define the networks, Your dynamic clients are registering from. This should be possible if You know, which provider gives them the IP-addresses thus You may configure the providers ranges as permitted.
In addition to this step You should make sure to use strong passwords for the clients (have a look at pwgen).

Using iptables for the allowed IP-adresses isn’t a good solution when dealing with dynamic IP-adresses. The only way to work without that much overhead within iptables could be assignment of (dynamic) domain-services to the phones and afterwards implementing a cron job just pinging these domains, gathering the associated IPs and updating the iptables-Rules, but this seems to be too much overhead in my eyes :unamused:


#3

It’s not possible. MAC addresses do not necessarily even exist (there is nothing to prevent there being a SLIP IP phone, even if there isn’t much market for them), and they re only carried in the technology specific link level headers, which will not pass the first router. If copied to another level, they are as forgeable as passwords and user ids.

Note that best practice is probably to use the MAC as the user ID, if a MAC exists.

The best you can do is tie to some shared secret, or secret asymmetric key, held in the phone. You should already be doing this using MD5 authentication, but using SIP over SSL should be more secure.


#4

Thank you all.
It did answer my question.
But even with a strong password isn’t possible for a hacker to see the password?
there is no encryption on the password from the klient?
Is a realy strong password safe enought?


#5

In standard configurations You won’t have encrypted signaling traffic for SIP incl. REGISTER-Requests and their replies with the passphrase included. Alltough the passphrase is md5-encrypted these dialogs may be attacked by somebody (man in the middle upon successful registry). However - successfull registration is only acknowledged with an 200 OK by asterisk. And - with alwaysauthreject=yes asterisk will always send the same reply for a unsucessful REGISTER-attempt no matter what the reason of the failure was.

To avoid the risk of monitoring the REGISTERING-traffic from somewhere You may use SIP/TLS for encryption of this traffic if Your sip-phones support this feature. A Howto for the asterisk side is AFAIK available within the documentation.


#6

MD5 authentication is vulnerable to offline dictionary attacks, but it doesn’t send the password over the wire.

MITM is not a normal attack mode for SIP systems.