[App_rpt-users] Bogus SIP registrations

KB0KZR kb0kzr at matthouse.com
Sun Jun 23 18:07:50 EDT 2013


I'm familiar with WHOIS, and I could have changed the port, or even used
iptables to firewall the port.  Or since there are no valid SIP peers on
this setup, I could just not care, and probably nothing bad would happen.

Then again, Asterisk runs as root, and its possible there are security
flaws.  The point was, others might have the same issue, and not know it. 
I raise the concern for the good of the network as a whole.  If you're not
using SIP, you might consider adding noload=chan_sip.so to modules.conf. 
I am also suggesting this be part of the standard portal-based and/or
stock ACID configuration.

Security by obscurity works as long as what you're securing against isn't
bothering to port-scan, and is just trying well-known ports, but that
isn't going to defend you against the Chinese government.  Take SSH --
change it to port 222, and nearly all of the password attacks go away, but
that doesn't mean you shouldn't also use strong passwords, and maybe
consider disabling root logins entirely (create a separate user-account,
log in as that user, and then su to root).

-Matt-



> Change your SIP port to something completely weird and non-standard
> (from 5060). You'll likely never hear from whoever it is again.
>
> Sometimes "security by obscurity" really *does* effectively function.
>
> Jim
>
>> Date: Sun, 23 Jun 2013 13:57:40 -0600
>> From: kb0kzr at matthouse.com
>> To: app_rpt-users at ohnosec.org
>> Subject: [App_rpt-users] Bogus SIP registrations
>>
>> All--
>>
>> While diagnosing another problem (which I will post about in a little
>> bit
>> if I can't get it figured out, but I wanted to keep separate threads
>> separate) -- suddenly somebody started sending me a ton of bogus SIP
>> registrations.  The source-IP is 210.73.202.76 for whatever that may be
>> worth.  I thought about firewalling it, but I don't think SIP is
>> required
>> at all for app_rpt to work?  So I disabled chan_sip entirely in
>> modules.conf.
>>
>> Just throwing it out there as something to consider for other app_rpt
>> nodes...  I don't know of any security flaws in chan_sip, but I figured
>> since it isn't being used there's no reason to run it.
>>
>> -Matt-
>>
>> _______________________________________________
>> App_rpt-users mailing list
>> App_rpt-users at ohnosec.org
>> http://ohnosec.org/cgi-bin/mailman/listinfo/app_rpt-users
>





More information about the App_rpt-users mailing list