I started the pages, to be found :
http://www.kamailio.org/wiki/tutorials/security/security-threats http://www.kamailio.org/wiki/tutorials/security/kamailio-security
They are a long from being complete, but it's a start, feel free to modify/correct/add content!
2013-12-18 davy davy.van.de.moere@gmail.com
ACK
:)
Op 18-dec.-2013, om 15:30 heeft Daniel-Constantin Mierla < miconda@gmail.com> het volgende geschreven:
Hello,
On 18/12/13 10:53, davy wrote:
Cool, I'll spend some time this weekend to have a first stake in the
ground on the wiki !
great! Just use namespaces when creating new pages, to have a good
structure of the wiki. It can be something under tutorials, such as:
tutorials:security:TITLE
where TITLE can be what you consider more appropriate, such as
'how-to', 'remarks' or what so ever...
Cheers, Daniel
It's better to have our security measures being checked by peers than
by hackers ;)
Op 18-dec.-2013, om 09:33 heeft Daniel-Constantin Mierla <
miconda@gmail.com> het volgende geschreven:
Hello,
On 17/12/13 17:27, davy wrote:
Hi all,
we all enjoy our FAIL2BAN and snippets of our Kamailio config when we
see it successfully fight off the "friendly-scanner", and multiple futile attempts to fool our systems. But it got me thinking...
What is a sufficient level of security on our Kamailio machinery... ?
Are we all just doing whatever, or is the nature of the beast, that every setup is different?
Indeed, Kamailio being more like a framework, lot of deployments are
different, even when targeting same features. In some cases, dictionary attacks don't apply (e.g., carriers interconnect when traffic is allowed by IP address).
Eventually while having a beer, we will end up in the discussion
Kamailio is as good (and even much better) as most of the commercially available SBCs. But, imho, that all depends on the configuration.
There are a few good reads available, and on the security front I
personally love Pike, Topoh, Dnssec, Htable and recently I think I'm doing rather clever stuff with CNXCC... And I do feel comfortable on my setups, them won't be hacked...
But do we have a-sort -of stake in the ground example configuration
which we can consider as being more than sufficiently secure? Some config where we can tick off all the known security risks for SIP (as chapter 26 of rfc3261 gives a state of the art back in 2002) Or would that be a nice idea for a micro project?
It would be good to create a page (or group or pages) in
kamailio.org/wiki to approach security considerations. Besides the well known situations and solutions for attacks, it happens quite often to see new types of attacks, so adding notes there along with hints on how to solve with Kamailio would be very useful for everybody.
Long time ago I made a wiki tutorial on my company site:
I don't mind being cloned and improved (well, I guess some parts could
be trimmed as might not be relevant in general and some need to be updated for latest version).
There are many types of attacks not mentioned there, that can be
highlighted for everyone to pay attention, e.g.,:
- nonce reply (use one time nonce with auth module)
- proper handling of route headers to avoid preset route headers in
initial invite (is done in the default config file, but pointing at it makes people be more careful and don't miss it when building new configs)
Overall, yes, security is a topic very useful, hopefully there are be
enough people willing to spend some time and share information.
Cheers, Daniel
-- Daniel-Constantin Mierla - http://www.asipto.com http://twitter.com/#!/miconda - http://www.linkedin.com/in/miconda
-- Daniel-Constantin Mierla - http://www.asipto.com http://twitter.com/#!/miconda - http://www.linkedin.com/in/miconda