I started the pages, to be found at:

http://www.kamailio.org/wiki/tutorials/security/security-threats
http://www.kamailio.org/wiki/tutorials/security/kamailio-security

They are a long way from being complete, but it's a start, feel free to modify/correct/add content!

2013-12-18 davy <davy.van.de.mo...@gmail.com>

> ACK
>
> :)
>
> On 18 Dec 2013, at 15:30, Daniel-Constantin Mierla <mico...@gmail.com> wrote:
>
> > Hello,
> >
> > On 18/12/13 10:53, davy wrote:
> >> Cool, I'll spend some time this weekend to have a first stake in the ground on the wiki!
> >
> > great! Just use namespaces when creating new pages, to have a good structure of the wiki. It can be something under tutorials, such as:
> >
> > tutorials:security:TITLE
> >
> > where TITLE can be what you consider more appropriate, such as 'how-to', 'remarks' or whatsoever...
> >
> > Cheers,
> > Daniel
> >>
> >> It's better to have our security measures being checked by peers than by hackers ;)
> >>
> >> On 18 Dec 2013, at 09:33, Daniel-Constantin Mierla <mico...@gmail.com> wrote:
> >>
> >>> Hello,
> >>>
> >>> On 17/12/13 17:27, davy wrote:
> >>>> Hi all,
> >>>>
> >>>> we all enjoy our FAIL2BAN and snippets of our Kamailio config when we see it successfully fight off the "friendly-scanner", and multiple futile attempts to fool our systems. But it got me thinking...
> >>>>
> >>>> What is a sufficient level of security on our Kamailio machinery... ? Are we all just doing whatever, or is the nature of the beast, that every setup is different?
> >>> Indeed, Kamailio being more like a framework, a lot of deployments are different, even when targeting same features. In some cases, dictionary attacks don't apply (e.g., carriers interconnect when traffic is allowed by IP address).
> >>>> Eventually while having a beer, we will end up in the discussion Kamailio is as good (and even much better) as most of the commercially available SBCs. But, imho, that all depends on the configuration.
> >>>>
> >>>> There are a few good reads available, and on the security front I personally love Pike, Topoh, Dnssec, Htable and recently I think I'm doing rather clever stuff with CNXCC... And I do feel comfortable on my setups, they won't be hacked...
> >>>>
> >>>> But do we have a sort-of stake in the ground example configuration which we can consider as being more than sufficiently secure? Some config where we can tick off all the known security risks for SIP (as chapter 26 of rfc3261 gives a state of the art back in 2002) Or would that be a nice idea for a micro project?
> >>> It would be good to create a page (or group of pages) in kamailio.org/wiki to approach security considerations. Besides the well known situations and solutions for attacks, it happens quite often to see new types of attacks, so adding notes there along with hints on how to solve with Kamailio would be very useful for everybody.
> >>>
> >>> Long time ago I made a wiki tutorial on my company site:
> >>> - http://kb.asipto.com/kamailio:usage:k31-sip-scanning-attack
> >>>
> >>> I don't mind being cloned and improved (well, I guess some parts could be trimmed as might not be relevant in general and some need to be updated for latest version).
> >>>
> >>> There are many types of attacks not mentioned there, that can be highlighted for everyone to pay attention, e.g.,:
> >>> - nonce reply (use one time nonce with auth module)
> >>> - proper handling of route headers to avoid preset route headers in initial invite (is done in the default config file, but pointing at it makes people be more careful and don't miss it when building new configs)
> >>>
> >>> Overall, yes, security is a topic very useful, hopefully there will be enough people willing to spend some time and share information.
> >>>
> >>> Cheers,
> >>> Daniel
> >>> -
> >>>
> >>> --
> >>> Daniel-Constantin Mierla - http://www.asipto.com
> >>> http://twitter.com/#!/miconda - http://www.linkedin.com/in/miconda
> >>>
> >
> > --
> > Daniel-Constantin Mierla - http://www.asipto.com
> > http://twitter.com/#!/miconda - http://www.linkedin.com/in/miconda
> >
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users@lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users