[VoiceOps] Asterisk Security

J. Oquendo sil at infiltrated.net
Wed Aug 5 12:15:22 EDT 2009


Rhett Bassett wrote:
>
> What's not to like?
>
The fact that if you used fail2ban, I can insert whatever network I like
via packetcrafting and give you headaches for days. Imagine that for a
moment - blocking I don't know say... 0.0.0.0 or better yet, if someone
has an axe to grind with you and is capable (not difficult) of tracking
down your address ranges. They could do some really cruddy stuff like
have your own servers/netblocks block themselves out, have your servers
block out your default route and the list goes on and on.

This was a huge issue a few years ago when I wrote my own customized ssh
brute force blocker... "How to check and make sure no one can inject
garbage in the mix, e.g., in ssh"

awk 'NF<=10&&($6=="Invalid"||$7=="user")&&$9=="from"{print $10}' /var/log/secure|sort

If you wanted to parse out valid networks before they're blocked then what?

awk 'NF<=10&&($6=="Invalid"||$7=="user")&&$9=="from"{print $10}' /var/log/secure|\
sort|grep -v "^192\.168\.\|^172\.16\.\|^10\."

Multiply that by all of your netblocks, clients' static netblocks, etc.
It would be a horrible thing to maintain. I discussed this (injection)
at length with Tavis Ormandy at Gentoo some years back who whipped me into
shape over this same thing (injection) in which I actually understood
what he was saying and what I overlooked. The same thing I overlooked
(packetcrafting) is what fail2ban and others do. But anyhow, getting
*back* to Voice matters, fail2ban is not feasible in a managed
environment at all. Think about the tinkerers. Those who fiddle with
their Snoms, Polycoms, etc., those who travel and fire up softphones.
They'd instantly get banned if they fat-fingered a password. Now you
have a pretty ticked off, paying client, banned from using something
they've paid for.


-- 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP

"It takes 20 years to build a reputation and five minutes to
ruin it. If you think about that, you'll do things
differently." - Warren Buffett

227C 5D35 7DCB 0893 95AA  4771 1DCE 1FD1 5CCD 6B5E
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E
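To make the parsing problem in the message concrete, here is an added Python example (not the author's code nor anything from the VoiceOps list): a naive "first token after 'from'" extractor beside one that anchors on the end of the line, validates the address, and refuses to ban unspecified, reserved or allowlisted ranges. The sshd log lines and the 198.51.100.0/24 "own netblock" are constructed for the example.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in /var/log/secure format; the last one carries a
# username containing " from 0.0.0.0", the kind of garbage the message warns about.
SAMPLE_LOG = """\
Aug  5 12:01:02 pbx sshd[2201]: Invalid user admin from 203.0.113.7
Aug  5 12:01:05 pbx sshd[2203]: Invalid user test from 203.0.113.7
Aug  5 12:01:09 pbx sshd[2205]: Invalid user oracle from 198.51.100.23
Aug  5 12:02:11 pbx sshd[2210]: Invalid user bob from 10.1.2.3
Aug  5 12:03:40 pbx sshd[2215]: Invalid user x from 0.0.0.0 from 203.0.113.9
"""

# Ranges a blocker must never act on: RFC1918 plus a hypothetical site netblock.
NEVER_BAN = [ipaddress.ip_network(n) for n in
             ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "198.51.100.0/24")]

NAIVE_RE = re.compile(r"Invalid user \S+ from (\S+)")
# Anchoring on the line end means text the remote side chose (the username)
# cannot shift which token is taken as the source address.
STRICT_RE = re.compile(r"Invalid user .* from (\d{1,3}(?:\.\d{1,3}){3})$")

def naive_offenders(log):
    """Whatever follows the first 'from': trusts attacker-supplied text."""
    return [m.group(1) for m in map(NAIVE_RE.search, log.splitlines()) if m]

def safe_offenders(log):
    """Syntactically valid, bannable source addresses only."""
    found = []
    for line in log.splitlines():
        m = STRICT_RE.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:      # e.g. 999.1.1.1: not an address at all
            continue
        if (ip.is_unspecified or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved
                or any(ip in net for net in NEVER_BAN)):
            continue
        found.append(str(ip))
    return found

def ban_candidates(log, threshold=2):
    """Addresses seen at least `threshold` times: what a blocker would act on."""
    return sorted(ip for ip, n in Counter(safe_offenders(log)).items() if n >= threshold)
```

With the sample above, the naive parser hands 0.0.0.0 and an internal 10.x address to the blocker, while the strict one records the injecting peer's real address instead.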
