On 18 Dec 2013, at 10:53, davy <davy.van.de.mo...@gmail.com> wrote:

> Cool, I'll spend some time this weekend to have a first stake in the ground
> on the wiki!
>
> It's better to have our security measures being checked by peers than by
> hackers ;)

Thank you, Davy!
When you've got a template, ping me. I can send out info on the web site, FB and twitter to get feedback and cooperation.

/O

>
> On 18 Dec 2013, at 09:33, Daniel-Constantin Mierla <mico...@gmail.com>
> wrote:
>
>> Hello,
>>
>> On 17/12/13 17:27, davy wrote:
>>> Hi all,
>>>
>>> we all enjoy our FAIL2BAN and snippets of our Kamailio config when we see
>>> it successfully fight off the "friendly-scanner", and multiple futile
>>> attempts to fool our systems. But it got me thinking…
>>>
>>> What is a sufficient level of security on our Kamailio machinery…? Are we
>>> all just doing whatever, or is the nature of the beast, that every setup is
>>> different?
>> Indeed, Kamailio being more like a framework, a lot of deployments are
>> different, even when targeting same features. In some cases, dictionary
>> attacks don't apply (e.g., carriers interconnect when traffic is allowed by
>> IP address).
>>>
>>> Eventually while having a beer, we will end up in the discussion Kamailio
>>> is as good (and even much better) as most of the commercially available
>>> SBCs. But, imho, that all depends on the configuration.
>>>
>>> There are a few good reads available, and on the security front I
>>> personally love Pike, Topoh, Dnssec, Htable and recently I think I'm doing
>>> rather clever stuff with CNXCC… And I do feel comfortable on my setups,
>>> they won't be hacked…
>>>
>>> But do we have a sort-of stake in the ground example configuration which
>>> we can consider as being more than sufficiently secure? Some config where
>>> we can tick off all the known security risks for SIP (as chapter 26 of
>>> rfc3261 gives a state of the art back in 2002) Or would that be a nice idea
>>> for a micro project?
>> It would be good to create a page (or group of pages) in kamailio.org/wiki
>> to approach security considerations.
>> Besides the well known situations and
>> solutions for attacks, it happens quite often to see new types of attacks,
>> so adding notes there along with hints on how to solve with Kamailio would
>> be very useful for everybody.
>>
>> Long time ago I made a wiki tutorial on my company site:
>> - http://kb.asipto.com/kamailio:usage:k31-sip-scanning-attack
>>
>> I don't mind being cloned and improved (well, I guess some parts could be
>> trimmed as might not be relevant in general and some need to be updated for
>> latest version).
>>
>> There are many types of attacks not mentioned there, that can be highlighted
>> for everyone to pay attention, e.g.,:
>> - nonce reply (use one time nonce with auth module)
>> - proper handling of route headers to avoid preset route headers in initial
>> invite (is done in the default config file, but pointing at it makes people
>> be more careful and don't miss it when building new configs)
>>
>> Overall, yes, security is a topic very useful, hopefully there will be enough
>> people willing to spend some time and share information.
>>
>> Cheers,
>> Daniel
>> -
>>
>> --
>> Daniel-Constantin Mierla - http://www.asipto.com
>> http://twitter.com/#!/miconda - http://www.linkedin.com/in/miconda
>>
>
> _______________________________________________
> SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
> sr-users@lists.sip-router.org
> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
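
An added example, not part of the thread and not Kamailio code: a Python audit of raw SIP requests for the two items listed in the quoted reply, an initial INVITE (no To tag) that arrives with Route headers already set, and a digest nonce that shows up in more than one request. The function names, the finding labels and the sample requests are constructed here; nonce reuse is only a finding where a one-time-nonce policy is in force.

```python
import re

def parse_sip(raw):
    """Return (method, [(lowercase header name, value), ...]) for a raw SIP request."""
    lines = raw.replace("\r\n", "\n").split("\n\n", 1)[0].split("\n")
    headers = []
    for line in lines[1:]:
        if line[:1] in (" ", "\t") and headers:      # folded continuation line
            headers[-1] = (headers[-1][0], headers[-1][1] + " " + line.strip())
        elif ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip().lower(), value.strip()))
    return lines[0].split(" ", 1)[0], headers

def audit(messages):
    """Return findings as (message index, label) tuples, in message order."""
    findings, seen_nonces = [], set()
    for i, raw in enumerate(messages):
        method, headers = parse_sip(raw)
        to = next((v for n, v in headers if n in ("to", "t")), "")
        # Look for the tag parameter outside the <uri> part of the To header.
        has_totag = re.search(r";\s*tag=", re.sub(r"<[^>]*>", "", to)) is not None
        if method == "INVITE" and not has_totag and any(n == "route" for n, _ in headers):
            findings.append((i, "preloaded-route"))
        for n, v in headers:
            if n in ("authorization", "proxy-authorization"):
                m = re.search(r'\bnonce="([^"]*)"', v)   # \b skips cnonce=
                if m and m.group(1) in seen_nonces:
                    findings.append((i, "nonce-reuse"))
                elif m:
                    seen_nonces.add(m.group(1))
    return findings

# Constructed sample requests (not captured traffic).
SAMPLES = [
    "INVITE sip:bob@example.test SIP/2.0\r\nTo: <sip:bob@example.test>\r\n"
    "Route: <sip:192.0.2.10;lr>\r\n\r\n",
    "REGISTER sip:example.test SIP/2.0\r\nTo: <sip:alice@example.test>\r\n"
    'Authorization: Digest username="alice", nonce="N1", cnonce="a1"\r\n\r\n',
    "REGISTER sip:example.test SIP/2.0\r\nTo: <sip:alice@example.test>\r\n"
    'Authorization: Digest username="alice", nonce="N1", cnonce="a2"\r\n\r\n',
    "BYE sip:bob@example.test SIP/2.0\r\nTo: <sip:bob@example.test>;tag=77\r\n"
    "Route: <sip:proxy.example.test;lr>\r\n\r\n",
]

if __name__ == "__main__":
    for index, label in audit(SAMPLES):
        print(index, label)
```

A flagged INVITE is a prompt to check how the proxy config treats Route headers on initial requests, not proof of an attack.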