Hello,
On 17/12/13 17:27, davy wrote:
Hi all,
we all enjoy our FAIL2BAN and snippets of our Kamailio config when we see it successfully
fight off the "friendly-scanner", and multiple futile attempts to fool our
systems. But it got me thinking…
What is a sufficient level of security on our Kamailio machinery… ? Are we all
just doing whatever, or is the nature of the beast, that every setup is
different?
Indeed, Kamailio being more like a framework, lot of deployments are
different, even when targeting same features. In some cases, dictionary
attacks don't apply (e.g., carriers interconnect when traffic is allowed
by IP address).
Eventually while having a beer, we will end up in the discussion Kamailio is as
good (and even much better) as most of the commercially available SBCs. But,
imho, that all depends on the configuration.
There are a few good reads available, and on the security front I personally
love Pike, Topoh, Dnssec, Htable and recently I think I'm doing rather clever
stuff with CNXCC… And I do feel comfortable on my setups, them won't be hacked…
But do we have a-sort -of stake in the ground example configuration which we
can consider as being more than sufficiently secure? Some config where we can
tick off all the known security risks for SIP (as chapter 26 of rfc3261 gives a
state of the art back in 2002) Or would that be a nice idea for a micro project?
It would be good to create a page (or group or pages) in
kamailio.org/wiki to approach security considerations. Besides the well
known situations and solutions for attacks, it happens quite often to
see new types of attacks, so adding notes there along with hints on how
to solve with Kamailio would be very useful for everybody.
Long time ago I made a wiki tutorial on my company site:
- http://kb.asipto.com/kamailio:usage:k31-sip-scanning-attack
I don't mind being cloned and improved (well, I guess some parts could
be trimmed as might not be relevant in general and some need to be
updated for latest version).
There are many types of attacks not mentioned there, that can be
highlighted for everyone to pay attention, e.g.,:
- nonce reply (use one time nonce with auth module)
- proper handling of route headers to avoid preset route headers in
initial invite (is done in the default config file, but pointing at it
makes people be more careful and don't miss it when building new configs)
Overall, yes, security is a topic very useful, hopefully there are be
enough people willing to spend some time and share information.
Cheers,
Daniel
-
--
Daniel-Constantin Mierla - http://www.asipto.com
http://twitter.com/#!/miconda - http://www.linkedin.com/in/miconda
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users@lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
