[SR-Users] Security hygiene for Kamailio

davy van de moere davy.van.de.moere at gmail.com
Wed Jan 29 12:37:15 CET 2014


I started the pages, to be found at:

http://www.kamailio.org/wiki/tutorials/security/security-threats
http://www.kamailio.org/wiki/tutorials/security/kamailio-security

They are a long way from being complete, but it's a start, feel free to
modify/correct/add content!


2013-12-18 davy <davy.van.de.moere at gmail.com>

> ACK
>
> :)
>
> On 18 Dec 2013, at 15:30, Daniel-Constantin Mierla <miconda at gmail.com> wrote:
>
> > Hello,
> >
> > On 18/12/13 10:53, davy wrote:
> >> Cool, I'll spend some time this weekend to have a first stake in the ground on the wiki!
> >
> > great! Just use namespaces when creating new pages, to have a good structure of the wiki. It can be something under tutorials, such as:
> >
> > tutorials:security:TITLE
> >
> > where TITLE can be what you consider more appropriate, such as 'how-to', 'remarks' or whatsoever...
> >
> > Cheers,
> > Daniel
> >>
> >> It's better to have our security measures being checked by peers than by hackers ;)
> >>
> >>
> >>
> >> On 18 Dec 2013, at 09:33, Daniel-Constantin Mierla <miconda at gmail.com> wrote:
> >>
> >>> Hello,
> >>>
> >>> On 17/12/13 17:27, davy wrote:
> >>>> Hi all,
> >>>>
> >>>> we all enjoy our FAIL2BAN and snippets of our Kamailio config when we see it successfully fight off the "friendly-scanner", and multiple futile attempts to fool our systems. But it got me thinking...
> >>>>
> >>>> What is a sufficient level of security on our Kamailio machinery...? Are we all just doing whatever, or is the nature of the beast, that every setup is different?
> >>> Indeed, Kamailio being more like a framework, a lot of deployments are different, even when targeting the same features. In some cases, dictionary attacks don't apply (e.g., carriers interconnect when traffic is allowed by IP address).
> >>>> Eventually while having a beer, we will end up in the discussion Kamailio is as good (and even much better) as most of the commercially available SBCs. But, imho, that all depends on the configuration.
> >>>>
> >>>> There are a few good reads available, and on the security front I personally love Pike, Topoh, Dnssec, Htable and recently I think I'm doing rather clever stuff with CNXCC... And I do feel comfortable on my setups, they won't be hacked...
> >>>>
> >>>> But do we have a sort-of stake in the ground example configuration which we can consider as being more than sufficiently secure? Some config where we can tick off all the known security risks for SIP (as chapter 26 of RFC 3261 gives a state of the art back in 2002)? Or would that be a nice idea for a micro project?
> >>> It would be good to create a page (or group of pages) in kamailio.org/wiki to approach security considerations. Besides the well known situations and solutions for attacks, it happens quite often to see new types of attacks, so adding notes there along with hints on how to solve with Kamailio would be very useful for everybody.
> >>>
> >>> Long time ago I made a wiki tutorial on my company site:
> >>> - http://kb.asipto.com/kamailio:usage:k31-sip-scanning-attack
> >>>
> >>> I don't mind it being cloned and improved (well, I guess some parts could be trimmed as they might not be relevant in general and some need to be updated for the latest version).
> >>>
> >>> There are many types of attacks not mentioned there, that can be highlighted for everyone to pay attention, e.g.:
> >>> - nonce replay (use one time nonce with auth module)
> >>> - proper handling of route headers to avoid preset route headers in initial invite (is done in the default config file, but pointing at it makes people more careful so they don't miss it when building new configs)
> >>>
> >>> Overall, yes, security is a very useful topic, hopefully there will be enough people willing to spend some time and share information.
> >>>
> >>> Cheers,
> >>> Daniel
> >>> -
> >>>
> >>> --
> >>> Daniel-Constantin Mierla - http://www.asipto.com
> >>> http://twitter.com/#!/miconda - http://www.linkedin.com/in/miconda
> >>>
> >
> > --
> > Daniel-Constantin Mierla - http://www.asipto.com
> > http://twitter.com/#!/miconda - http://www.linkedin.com/in/miconda
> >
>
>