Tuesday, March 10, 2009

Re: [asterisk-biz] PBX got Hacked

We discussed this on freenode #freepbx today, and someone did the following math.

A 20 digit numerical password/secret (numerical meaning only 0-9 - obviously), attacked via brute force at 5,000,000 passwords per second, would take more than 600,000+ years to crack. I didn't verify but it looks about right.

Lesson of the day? Sure, more secure passwords aren't THE solution, but they sure help. I'm pretty sure any attempt to brute force a SIP password on an asterisk box at anything approaching 5 million passwords per second would have side effects that would bring the attack to your attention (like bringing your sip stack to its knees perhaps?)

Remember, as nice as fail2ban is, it is vulnerable to denial of service attacks. It is possible (even easy) to use it against the actual intended users of a system - blocking them from accessing their own system via iptables.

With most phones being auto-provisioned, the length of the password shouldn't be a limiting factor. Make your passwords/secrets more complex and we can be done with this conversation. Please.
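The brute-force arithmetic above, and the advice to hand out long generated secrets to auto-provisioned phones, as a small added example (this is not code from the post or from Asterisk/FreePBX). It assumes a 365.25-day year and the guess rate quoted in the post; the alphabet sizes and secret length are illustrative choices, not values the post specifies.

```python
import math
import secrets
import string

# Assumption: a Julian year, which is what "years to crack" estimates usually use.
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct secrets of the given length over the alphabet."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Search-space size expressed in bits (log2 of the keyspace)."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst case: years an online attacker needs to try every candidate."""
    return keyspace(alphabet_size, length) / guesses_per_second / SECONDS_PER_YEAR


def expected_years(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Average case: the correct secret is found halfway through on average."""
    return years_to_exhaust(alphabet_size, length, guesses_per_second) / 2


def generate_sip_secret(length: int = 20, alphabet: str = string.ascii_letters + string.digits) -> str:
    """Provisioning-friendly secret drawn with the CSPRNG from the secrets module.

    Letters plus digits (62 symbols) gives far more entropy per character than
    digits alone, and a phone that is auto-provisioned never has to type it.
    """
    return "".join(secrets.choice(alphabet) for _ in range(length))


def compare_policies(guesses_per_second: float = 5_000_000) -> dict:
    """Worst-case years for a few password policies at the post's guess rate."""
    policies = {
        "8 digits": (10, 8),
        "20 digits": (10, 20),          # the case discussed on the list
        "12 alphanumeric": (62, 12),
        "20 alphanumeric": (62, 20),
    }
    return {name: years_to_exhaust(a, n, guesses_per_second) for name, (a, n) in policies.items()}


if __name__ == "__main__":
    for name, years in compare_policies().items():
        print(f"{name:>16}: {years:,.0f} years to exhaust")
    print("bits in a 20-digit secret:", round(entropy_bits(10, 20), 1))
    print("example generated secret:", generate_sip_secret())
```

The comparison makes the post's point concrete: an 8-digit numeric secret falls to the same 5 million guesses/second in seconds, while the 20-digit numeric case lands just above the 600,000-year figure quoted from the channel; switching to a letters-and-digits alphabet moves the same length far beyond that.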

Andy



Anteil, Inc.

Andrew M. Lauppe
Consultant

4051B Executive Park Dr.
Harrisburg, PA 17111

+1 (877) OS-LINUX x23
+1 (484) 421-9919 direct
