How common are wide open SIP gateways?

Scott Howard scott at doc.net.au
Fri Feb 5 21:27:14 UTC 2010


On Fri, Feb 5, 2010 at 9:45 AM, David Birnbaum <davidb at pins.net> wrote:
> We have noticed a lot of issues with Asterisk 1.2 and some 1.4 rollouts.
> FreePBX had some truck-sized holes in it.


Most/all of the big issues that existed in previous versions of
Asterisk/FreePBX have been resolved in later releases.

The majority of the "stolen SIP" cases I've heard of have come down to
brute forcing of often very insecure passwords - quite often stupid
insecure passwords like the same as the username.  And of course the
username itself is normally the extension, which makes it relatively
easy to guess (if "100" doesn't exist, then "200" or "1000" probably
does, etc).

Then there's the issue of unencrypted/unsecured phone provisioning
files, complete with SIP usernames/passwords, hosted on internet
webservers - often with the only security being your ability to guess
the MAC address...

> On our relatively small client base, we are seeing SIP probing on more or
> less a non-stop basis, and some of our customers have been hacked over the

Presuming you're running Asterisk, fail2ban can help.  The only real
issue I've had with it is that many softphones will repeatedly try to
register if you get the password wrong, so a user entering their
username/password even only once will get them blocked for X minutes.

  Scott
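An added example, not part of the thread above and not anything from the Asterisk or fail2ban projects: a small detector that reads Asterisk-style "Registration ... failed" log lines, applies the same kind of failures-per-source-within-a-window rule fail2ban uses, and then separates the two cases the post describes. A source that fails against many different extensions (the "100", "200", "1000" guessing pattern, often with "No matching peer found") is treated as enumeration; a source that fails repeatedly against one account looks like the retrying softphone Scott mentions and is reported separately so it can get a softer response than an outright ban. The log line format, the timestamps, the addresses and the thresholds are all constructed for this example; chan_sip wording varies between Asterisk versions, so the regex is an assumption to adjust for your own logs.

```python
"""Classify failed SIP registrations from Asterisk-style logs.

Added example; not code from the NANOG thread or from Asterisk/fail2ban.
The NOTICE line format below is an assumption modelled on chan_sip output
and should be adapted to the version actually in use.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one enumerating source, one softphone retrying a
# single account, one source with a couple of failures, plus an unrelated line.
SAMPLE_LOG = """\
[Feb  5 09:40:01] NOTICE[2211] chan_sip.c: Registration from '"100" <sip:100@192.0.2.10>' failed for '198.51.100.7' - Wrong password
[Feb  5 09:40:02] NOTICE[2211] chan_sip.c: Registration from '"200" <sip:200@192.0.2.10>' failed for '198.51.100.7' - No matching peer found
[Feb  5 09:40:02] NOTICE[2211] chan_sip.c: Registration from '"1000" <sip:1000@192.0.2.10>' failed for '198.51.100.7' - Wrong password
[Feb  5 09:40:03] NOTICE[2211] chan_sip.c: Registration from '"1001" <sip:1001@192.0.2.10>' failed for '198.51.100.7' - No matching peer found
[Feb  5 09:40:03] NOTICE[2211] chan_sip.c: Registration from '"1002" <sip:1002@192.0.2.10>' failed for '198.51.100.7' - No matching peer found
[Feb  5 09:41:10] NOTICE[2211] chan_sip.c: Registration from '"105" <sip:105@192.0.2.10>' failed for '203.0.113.44' - Wrong password
[Feb  5 09:41:11] NOTICE[2211] chan_sip.c: Registration from '"105" <sip:105@192.0.2.10>' failed for '203.0.113.44' - Wrong password
[Feb  5 09:41:12] NOTICE[2211] chan_sip.c: Registration from '"105" <sip:105@192.0.2.10>' failed for '203.0.113.44' - Wrong password
[Feb  5 09:41:13] NOTICE[2211] chan_sip.c: Registration from '"105" <sip:105@192.0.2.10>' failed for '203.0.113.44' - Wrong password
[Feb  5 09:41:14] NOTICE[2211] chan_sip.c: Registration from '"105" <sip:105@192.0.2.10>' failed for '203.0.113.44' - Wrong password
[Feb  5 09:42:00] NOTICE[2211] chan_sip.c: Registration from '"300" <sip:300@192.0.2.10>' failed for '192.0.2.99' - Wrong password
[Feb  5 09:45:30] NOTICE[2211] chan_sip.c: Registration from '"300" <sip:300@192.0.2.10>' failed for '192.0.2.99' - Wrong password
[Feb  5 09:45:31] VERBOSE[2211] logger.c:     -- Registered SIP '300' at 192.0.2.99 port 5060
"""

# Assumed line shape; the optional ":port" suffix mirrors what newer versions log.
LINE_RE = re.compile(
    r"^\[(?P<ts>[A-Za-z]{3}\s+\d+ \d\d:\d\d:\d\d)\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '\"(?P<user>[^\"]*)\"[^']*' failed for "
    r"'(?P<ip>[^':]+)(?::\d+)?' - (?P<reason>.+)$"
)


def parse_line(line, year=2010):
    """Return a dict for a failed-registration line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Syslog-style timestamps carry no year; the caller supplies one.
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
    return {"ts": ts, "user": m["user"], "ip": m["ip"], "reason": m["reason"]}


def analyse(log_text, window=timedelta(seconds=60), threshold=5):
    """Group failures per source and classify each source.

    verdict values:
      "ok"              fewer than `threshold` failures inside any `window`
      "enumeration"     burst of failures spread over several usernames
      "retrying-client" burst of failures all against one username
    """
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            by_ip[ev["ip"]].append(ev)

    report = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        # Sliding window: does any stretch of `threshold` failures fit in `window`?
        burst, start = False, 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                burst = True
                break
        users = {e["user"] for e in evs}
        # "No matching peer" means the username does not exist at all: the
        # extension-guessing signature rather than a wrong password.
        unknown = sum(1 for e in evs if e["reason"].startswith("No matching peer"))
        if not burst:
            verdict = "ok"
        elif len(users) == 1:
            verdict = "retrying-client"
        else:
            verdict = "enumeration"
        report[ip] = {
            "verdict": verdict,
            "failures": len(evs),
            "distinct_users": len(users),
            "unknown_users": unknown,
        }
    return report


if __name__ == "__main__":
    for ip, info in sorted(analyse(SAMPLE_LOG).items()):
        print(f"{ip:15} {info['verdict']:16} failures={info['failures']} "
              f"users={info['distinct_users']} unknown={info['unknown_users']}")
```

The split matters for the false-positive problem raised in the post: a ban rule keyed only on failure count treats a misconfigured phone and an extension scanner identically, whereas counting distinct usernames per source lets the scanner be blocked immediately and the single-account retrier be handled with a notification or a longer threshold.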




More information about the NANOG mailing list