Cool, I'll spend some time this weekend to have a first stake in the ground on the wiki!
It's better to have our security measures being checked by peers than by hackers ;)

On 18 Dec 2013, at 09:33, Daniel-Constantin Mierla <mico...@gmail.com> wrote:

> Hello,
>
> On 17/12/13 17:27, davy wrote:
>> Hi all,
>>
>> we all enjoy our FAIL2BAN and snippets of our Kamailio config when we see it
>> successfully fight off the "friendly-scanner", and multiple futile attempts
>> to fool our systems. But it got me thinking…
>>
>> What is a sufficient level of security on our Kamailio machinery…? Are we
>> all just doing whatever, or is the nature of the beast, that every setup is
>> different?
> Indeed, Kamailio being more like a framework, a lot of deployments are
> different, even when targeting the same features. In some cases, dictionary
> attacks don't apply (e.g., carriers interconnect when traffic is allowed by
> IP address).
>>
>> Eventually while having a beer, we will end up in the discussion Kamailio is
>> as good (and even much better) as most of the commercially available SBCs.
>> But, imho, that all depends on the configuration.
>>
>> There are a few good reads available, and on the security front I personally
>> love Pike, Topoh, Dnssec, Htable and recently I think I'm doing rather
>> clever stuff with CNXCC… And I do feel comfortable on my setups, they won't
>> be hacked…
>>
>> But do we have a sort-of stake in the ground example configuration which we
>> can consider as being more than sufficiently secure? Some config where we
>> can tick off all the known security risks for SIP (as chapter 26 of rfc3261
>> gives a state of the art back in 2002). Or would that be a nice idea for a
>> micro project?
> It would be good to create a page (or group of pages) in kamailio.org/wiki to
> approach security considerations. Besides the well known situations and
> solutions for attacks, it happens quite often to see new types of attacks, so
> adding notes there along with hints on how to solve with Kamailio would be
> very useful for everybody.
>
> Long time ago I made a wiki tutorial on my company site:
> - http://kb.asipto.com/kamailio:usage:k31-sip-scanning-attack
>
> I don't mind being cloned and improved (well, I guess some parts could be
> trimmed as might not be relevant in general and some need to be updated for
> latest version).
>
> There are many types of attacks not mentioned there, that can be highlighted
> for everyone to pay attention, e.g.:
> - nonce replay (use one time nonce with auth module)
> - proper handling of route headers to avoid preset route headers in initial
>   invite (is done in the default config file, but pointing at it makes people
>   be more careful and don't miss it when building new configs)
>
> Overall, yes, security is a topic very useful, hopefully there will be enough
> people willing to spend some time and share information.
>
> Cheers,
> Daniel
>
> --
> Daniel-Constantin Mierla - http://www.asipto.com
> http://twitter.com/#!/miconda - http://www.linkedin.com/in/miconda
_______________________________________________ SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list sr-users@lists.sip-router.org http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
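
The two hints in Daniel's reply above (one-time nonces in the auth module, and dropping preset Route headers from initial requests), written out as a kamailio.cfg fragment. This is an added example, not configuration posted in the thread; the `subscriber` table, the `$fd` realm, the 60-second nonce lifetime and the `AUTH`/`RELAY` route names are assumptions, and the tm, sl, rr and database setup of a full config is omitted.

```cfg
# Added example (not from the thread): kamailio.cfg fragment.
# Assumes tm, sl, rr and a DB backend are loaded and configured elsewhere.
loadmodule "auth.so"
loadmodule "auth_db.so"
loadmodule "textops.so"
loadmodule "siputils.so"

# Replay protection: a nonce is accepted for one request only, so a
# captured Authorization header cannot be sent again.
modparam("auth", "one_time_nonce", 1)
# Short nonce lifetime in seconds; 60 is an assumed value.
modparam("auth", "nonce_expire", 60)

request_route {
    # In-dialog requests (To tag present) follow the route set that was
    # recorded when the dialog was created.
    if (has_totag()) {
        if (loose_route()) {
            route(RELAY);
            exit;
        }
        sl_send_reply("404", "Not here");
        exit;
    }

    # Initial requests only from here on.
    route(AUTH);

    # An initial request carries no route set recorded by this proxy,
    # so any Route header in it was preset by the sender: drop it.
    remove_hf("Route");
    if (is_method("INVITE|SUBSCRIBE"))
        record_route();
    route(RELAY);
}

route[AUTH] {
    if (is_method("REGISTER") || from_uri == myself) {
        # "subscriber" table and $fd realm are assumed names.
        if (!auth_check("$fd", "subscriber", "1")) {
            auth_challenge("$fd", "0");
            exit;
        }
        if (!is_method("REGISTER|PUBLISH"))
            consume_credentials();
    }
}

route[RELAY] {
    if (!t_relay()) sl_reply_error();
    exit;
}
```

With `one_time_nonce` enabled a client cannot reuse a nonce across requests, so each new authenticated request costs an extra challenge round trip.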