> for that. Like 10 consecutive failed login attempts should invoke
> asterisk to reply a login denied to that IP address and another option
> that would allow for let's say 5 attempts in 5 minutes and then block
> the extension for login.
>
> Make the login attempts number and blocking time configurable,
> settable system wide with an option to override per extension would
> close the hole.
This is one of the things that we discussed at Astridevcon in 2008, and
several questions came up:
1. Should this even be Asterisk's responsibility, when it can already be
implemented w/ external tools that are much better suited to the task, are
already well supported and work really well:
http://www.voip-info.org/wiki/view/Fail2Ban+(with+iptables)+And+Asterisk
2. What are the implementations of having a blocking scheme like this when
you have 100 phones behind NAT? (The simple answer to this is to allow
whitelisting of known address blocks)
3. It would be very difficult to develop a security model that works for ALL
channel drivers. It is easier to think about using a method that works for
chan_sip, but a more detailed framework is necessary for all other channel
drivers.
I believe that John Todd and Olle have some pretty detailed presentations
regarding the discussion that was done:
http://astridevcon.pbwiki.com/Network+Security+Framework.2008-09-28-23-35-38
http://edvina.net/asterisk/asa-intro.pdf
_______________________________________________
--Bandwidth and Colocation Provided by http://www.api-digital.com--
asterisk-biz mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-biz
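The policy sketched in the quoted request (N failures from one address, or N failures against one extension in a window, then block; thresholds system-wide with a per-extension override; known address blocks whitelisted so a NAT'd office is not cut off) is easy to prototype outside Asterisk over its log output, which is essentially what the Fail2Ban approach above does. The following is an added example, not code from this thread, from Asterisk or from Fail2Ban: the log lines are constructed to look like chan_sip registration-failure NOTICEs (exact wording varies between Asterisk versions), and the thresholds, window sizes, addresses and extension numbers are assumptions chosen for illustration.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (assumption: shaped like chan_sip NOTICEs; not a real capture).
# 203.0.113.7 sprays five extensions in five seconds, 192.168.1.50 is a NAT'd office
# whose phone "200" has a wrong password, 198.51.100.9 slowly guesses extension "100".
SAMPLE_LOG = """\
[Jan 05 10:00:01] NOTICE[2345] chan_sip.c: Registration from '"110" <sip:110@pbx.example>' failed for '203.0.113.7' - Wrong password
[Jan 05 10:00:02] NOTICE[2345] chan_sip.c: Registration from '"111" <sip:111@pbx.example>' failed for '203.0.113.7' - Wrong password
[Jan 05 10:00:03] NOTICE[2345] chan_sip.c: Registration from '"112" <sip:112@pbx.example>' failed for '203.0.113.7' - No matching peer found
[Jan 05 10:00:04] NOTICE[2345] chan_sip.c: Registration from '"113" <sip:113@pbx.example>' failed for '203.0.113.7' - Wrong password
[Jan 05 10:00:05] NOTICE[2345] chan_sip.c: Registration from '"114" <sip:114@pbx.example>' failed for '203.0.113.7' - Wrong password
[Jan 05 10:00:06] NOTICE[2345] chan_sip.c: Registration from '"115" <sip:115@pbx.example>' failed for '203.0.113.7' - Wrong password
[Jan 05 10:00:10] NOTICE[2345] chan_sip.c: Registration from '"200" <sip:200@pbx.example>' failed for '192.168.1.50' - Wrong password
[Jan 05 10:00:11] NOTICE[2345] chan_sip.c: Registration from '"200" <sip:200@pbx.example>' failed for '192.168.1.50' - Wrong password
[Jan 05 10:00:12] NOTICE[2345] chan_sip.c: Registration from '"200" <sip:200@pbx.example>' failed for '192.168.1.50' - Wrong password
[Jan 05 10:00:13] NOTICE[2345] chan_sip.c: Registration from '"200" <sip:200@pbx.example>' failed for '192.168.1.50' - Wrong password
[Jan 05 10:00:14] NOTICE[2345] chan_sip.c: Registration from '"200" <sip:200@pbx.example>' failed for '192.168.1.50' - Wrong password
[Jan 05 10:00:15] NOTICE[2345] chan_sip.c: Registration from '"200" <sip:200@pbx.example>' failed for '192.168.1.50' - Wrong password
[Jan 05 10:20:00] NOTICE[2345] chan_sip.c: Registration from '"100" <sip:100@pbx.example>' failed for '198.51.100.9' - Wrong password
[Jan 05 10:30:00] NOTICE[2345] chan_sip.c: Registration from '"100" <sip:100@pbx.example>' failed for '198.51.100.9' - Wrong password
[Jan 05 10:40:00] NOTICE[2345] chan_sip.c: Registration from '"100" <sip:100@pbx.example>' failed for '198.51.100.9' - Wrong password
[Jan 05 10:41:00] VERBOSE[2345] chan_sip.c: Registered SIP '101' at 192.168.1.51 port 5060
"""

FAILED_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] NOTICE\[\d+\] chan_sip\.c: Registration from "
    r"'(?P<account>[^']*)' failed for '(?P<ip>[\d.]+)'"
)


def parse_line(line):
    """Return (timestamp, source ip, extension or None) for a failure line, else None."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")  # year-less, fine for deltas
    ext = re.search(r"sip:(\d+)@", m.group("account"))
    return ts, m.group("ip"), ext.group(1) if ext else None


class LoginFailureTracker:
    """Sliding-window failure counter with per-IP and per-extension blocking."""

    def __init__(self, max_attempts, window, block_for, whitelist=(), per_extension=None):
        self.max_attempts, self.window, self.block_for = max_attempts, window, block_for
        self.whitelist = [ipaddress.ip_network(n) for n in whitelist]  # never block these
        self.per_extension = per_extension or {}  # ext -> (max_attempts, window) override
        self.ip_failures, self.ext_failures = defaultdict(deque), defaultdict(deque)
        self.blocked_ips, self.blocked_exts = {}, {}  # key -> blocked_until

    def _whitelisted(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.whitelist)

    def _hit(self, store, key, ts, limit, window):
        q = store[key]
        q.append(ts)
        while q and ts - q[0] > window:  # drop failures that fell out of the window
            q.popleft()
        return len(q) >= limit

    def record(self, ts, ip, extension):
        """Feed one failure; return the actions it triggers (empty list if none)."""
        if self.blocked_ips.get(ip, datetime.min) > ts:
            return [("denied_ip", ip)]  # already blocked: deny, do not keep counting
        if extension is not None and self.blocked_exts.get(extension, datetime.min) > ts:
            return [("denied_extension", extension)]
        actions = []
        if not self._whitelisted(ip) and self._hit(
            self.ip_failures, ip, ts, self.max_attempts, self.window
        ):
            self.blocked_ips[ip] = ts + self.block_for
            actions.append(("block_ip", ip))
        if extension is not None:
            limit, window = self.per_extension.get(extension, (self.max_attempts, self.window))
            if self._hit(self.ext_failures, extension, ts, limit, window):
                self.blocked_exts[extension] = ts + self.block_for
                actions.append(("block_extension", extension))
        return actions


def process_log(text, tracker):
    """Run every failure line through the tracker; return (time, action) events."""
    events = []
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, ext = parsed
        for action in tracker.record(ts, ip, ext):
            events.append((ts.strftime("%H:%M:%S"), action))
    return events


def run_sample():
    # Assumed policy: 5 failures in 5 minutes, 10-minute block, office NAT range
    # whitelisted, and a stricter override (3 in 30 minutes) for extension "100".
    tracker = LoginFailureTracker(
        max_attempts=5, window=timedelta(minutes=5), block_for=timedelta(minutes=10),
        whitelist=["192.168.1.0/24"], per_extension={"100": (3, timedelta(minutes=30))},
    )
    return process_log(SAMPLE_LOG, tracker)


if __name__ == "__main__":
    for when, action in run_sample():
        print(when, *action)
```

Running it shows the three behaviours the request asks for: the spraying address is blocked on its fifth failure and its sixth is denied without being counted, the NAT'd office address is never blocked but extension 200 is after five failures (so one misconfigured phone does not take the other 99 offline), and the slow guesser stays under the per-IP threshold yet trips the per-extension override on extension 100. A successful-registration line is ignored by the parser.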