Hello,

On 18/12/13 10:53, davy wrote:
Cool, I'll spend some time this weekend to have a first stake in the ground on 
the wiki !

Great! Just use namespaces when creating new pages, to have a good structure of the wiki. It can be something under tutorials, such as:

tutorials:security:TITLE

where TITLE can be what you consider more appropriate, such as 'how-to', 'remarks' or whatsoever...

Cheers,
Daniel

It's better to have our security measures being checked by peers than by 
hackers ;)



On 18 Dec 2013, at 09:33, Daniel-Constantin Mierla <mico...@gmail.com> 
wrote:

Hello,

On 17/12/13 17:27, davy wrote:
Hi all,

we all enjoy our FAIL2BAN and snippets of our Kamailio config when we see it successfully 
fight off the "friendly-scanner", and multiple futile attempts to fool our 
systems. But it got me thinking…

What is a sufficient level of security on our Kamailio machinery… ? Are we all 
just doing whatever, or is the nature of the beast, that every setup is 
different?
Indeed, Kamailio being more like a framework, a lot of deployments are different, 
even when targeting the same features. In some cases, dictionary attacks don't 
apply (e.g., carriers interconnect when traffic is allowed by IP address).
Eventually while having a beer, we will end up in the discussion Kamailio is as 
good (and even much better) as most of the commercially available SBCs. But, 
imho, that all depends on the configuration.

There are a few good reads available, and on the security front I personally 
love Pike, Topoh, Dnssec, Htable and recently I think I'm doing rather clever 
stuff with CNXCC… And I do feel comfortable on my setups, they won't be hacked…

But do we have a sort-of stake in the ground example configuration which we 
can consider as being more than sufficiently secure? Some config where we can 
tick off all the known security risks for SIP (as chapter 26 of rfc3261 gives a 
state of the art back in 2002) Or would that be a nice idea for a micro project?
It would be good to create a page (or group or pages) in kamailio.org/wiki to 
approach security considerations. Besides the well known situations and 
solutions for attacks, it happens quite often to see new types of attacks, so 
adding notes there along with hints on how to solve with Kamailio would be very 
useful for everybody.

Long time ago I made a wiki tutorial on my company site:
- http://kb.asipto.com/kamailio:usage:k31-sip-scanning-attack

I don't mind being cloned and improved (well, I guess some parts could be 
trimmed as might not be relevant in general and some need to be updated for 
latest version).

There are many types of attacks not mentioned there, that can be highlighted 
for everyone to pay attention, e.g.,:
- nonce replay (use one-time nonce with auth module)
- proper handling of route headers to avoid preset route headers in initial 
invite (is done in the default config file, but pointing at it makes people be 
more careful and don't miss it when building new configs)

Overall, yes, security is a very useful topic, hopefully there will be enough 
people willing to spend some time and share information.

Cheers,
Daniel

--
Daniel-Constantin Mierla - http://www.asipto.com
http://twitter.com/#!/miconda - http://www.linkedin.com/in/miconda




_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users@lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
