18 Dec
2013
18 Dec
'13
5:02 a.m.
On 18 Dec 2013, at 10:53, davy <davy.van.de.moere(a)gmail.com> wrote:
Cool, I'll spend some time this weekend to have a
first stake in the ground on the wiki !
It's better to have our security measures being checked by peers than by hackers ;)
Thank you, Davy!
When you've got a template, ping me. I can send out info on the web site, FB and
twitter to get feedback and cooperation.
/O
Op 18-dec.-2013, om 09:33 heeft Daniel-Constantin Mierla <miconda(a)gmail.com> het
volgende geschreven:
Hello,
On 17/12/13 17:27, davy wrote:
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users(a)lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users Hi all,
we all enjoy our FAIL2BAN and snippets of our Kamailio config when we see it successfully
fight off the "friendly-scanner", and multiple futile attempts to fool our
systems. But it got me thinking…
What is a sufficient level of security on our Kamailio machinery… ? Are we all just doing
whatever, or is the nature of the beast, that every setup is different?
Indeed,
Kamailio being more like a framework, lot of deployments are different, even when
targeting same features. In some cases, dictionary attacks don't apply (e.g., carriers
interconnect when traffic is allowed by IP address).
Eventually while having a beer, we will end up in the discussion Kamailio is as good (and
even much better) as most of the commercially available SBCs. But, imho, that all depends
on the configuration.
There are a few good reads available, and on the security front I personally love Pike,
Topoh, Dnssec, Htable and recently I think I'm doing rather clever stuff with CNXCC…
And I do feel comfortable on my setups, them won't be hacked…
But do we have a-sort -of stake in the ground example configuration which we can consider
as being more than sufficiently secure? Some config where we can tick off all the known
security risks for SIP (as chapter 26 of rfc3261 gives a state of the art back in 2002) Or
would that be a nice idea for a micro project?
It would be good to create a page
(or group or pages) in kamailio.org/wiki to approach security considerations. Besides the
well known situations and solutions for attacks, it happens quite often to see new types
of attacks, so adding notes there along with hints on how to solve with Kamailio would be
very useful for everybody.
Long time ago I made a wiki tutorial on my company site:
- http://kb.asipto.com/kamailio:usage:k31-sip-scanning-attack
I don't mind being cloned and improved (well, I guess some parts could be trimmed as
might not be relevant in general and some need to be updated for latest version).
There are many types of attacks not mentioned there, that can be highlighted for everyone
to pay attention, e.g.,:
- nonce reply (use one time nonce with auth module)
- proper handling of route headers to avoid preset route headers in initial invite (is
done in the default config file, but pointing at it makes people be more careful and
don't miss it when building new configs)
Overall, yes, security is a topic very useful, hopefully there are be enough people
willing to spend some time and share information.
Cheers,
Daniel
-
--
Daniel-Constantin Mierla - http://www.asipto.com
http://twitter.com/#!/miconda - http://www.linkedin.com/in/miconda