Awesome :)

On 18 Dec 2013, at 11:02, "Olle E. Johansson" <o...@edvina.net> wrote:

> 
> On 18 Dec 2013, at 10:53, davy <davy.van.de.mo...@gmail.com> wrote:
> 
>> Cool, I'll spend some time this weekend to have a first stake in the ground 
>> on the wiki!
>> 
>> It's better to have our security measures being checked by peers than by 
>> hackers ;)
> Thank you, Davy!
> 
> When you've got a template, ping me. I can send out info on the web site, FB 
> and twitter to get feedback and cooperation.
> 
> /O
> 
>> 
>> 
>> 
>> On 18 Dec 2013, at 09:33, Daniel-Constantin Mierla <mico...@gmail.com> wrote:
>> 
>>> Hello,
>>> 
>>> On 17/12/13 17:27, davy wrote:
>>>> Hi all,
>>>> 
>>>> we all enjoy our FAIL2BAN and snippets of our Kamailio config when we see 
>>>> it successfully fight off the "friendly-scanner", and multiple futile 
>>>> attempts to fool our systems. But it got me thinking…
>>>> 
>>>> What is a sufficient level of security on our Kamailio machinery… ? Are we 
>>>> all just doing whatever, or is the nature of the beast, that every setup 
>>>> is different?
>>> Indeed, Kamailio being more like a framework, a lot of deployments are 
>>> different, even when targeting the same features. In some cases, dictionary 
>>> attacks don't apply (e.g., carrier interconnects where traffic is allowed by 
>>> IP address).
>>>> 
>>>> Eventually while having a beer, we will end up in the discussion Kamailio 
>>>> is as good (and even much better) as most of the commercially available 
>>>> SBCs. But, imho, that all depends on the configuration.
>>>> 
>>>> There are a few good reads available, and on the security front I 
>>>> personally love Pike, Topoh, Dnssec, Htable and recently I think I'm doing 
>>>> rather clever stuff with CNXCC… And I do feel comfortable on my setups, 
>>>> they won't be hacked…
>>>> 
>>>> But do we have a sort-of stake in the ground example configuration which 
>>>> we can consider as being more than sufficiently secure? Some config where 
>>>> we can tick off all the known security risks for SIP (as chapter 26 of 
>>>> rfc3261 gives a state of the art back in 2002) Or would that be a nice 
>>>> idea for a micro project?
>>> It would be good to create a page (or group of pages) in kamailio.org/wiki 
>>> to approach security considerations. Besides the well-known situations and 
>>> solutions for attacks, it happens quite often to see new types of attacks, 
>>> so adding notes there along with hints on how to solve them with Kamailio 
>>> would be very useful for everybody.
>>> 
>>> Long time ago I made a wiki tutorial on my company site:
>>> - http://kb.asipto.com/kamailio:usage:k31-sip-scanning-attack
>>> 
>>> I don't mind it being cloned and improved (well, I guess some parts could be 
>>> trimmed as they might not be relevant in general and some need to be updated 
>>> for the latest version).
>>> 
>>> There are many types of attacks not mentioned there that can be 
>>> highlighted for everyone to pay attention to, e.g.:
>>> - nonce replay (use one time nonce with auth module)
>>> - proper handling of route headers to avoid preset route headers in initial 
>>> invite (is done in the default config file, but pointing at it makes people 
>>> be more careful and not miss it when building new configs)
>>> 
>>> Overall, yes, security is a very useful topic; hopefully there will be 
>>> enough people willing to spend some time and share information.
>>> 
>>> Cheers,
>>> Daniel
>>> 
>>> -- 
>>> Daniel-Constantin Mierla - http://www.asipto.com
>>> http://twitter.com/#!/miconda - http://www.linkedin.com/in/miconda
>>> 
>> 
>> _______________________________________________
>> SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
>> sr-users@lists.sip-router.org
>> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users