|Summary:||ASTERISK-13596: alwaysauthreject option in sip.conf should default to yes|
|Reporter:||Shaun Reitan (shaunreitan)||Labels:|
|Date Opened:||2009-02-17 11:52:29.000-0600||Date Closed:||2011-06-07 14:02:38|
|Description:||The option alwaysauthreject in the sip.conf should ALWAYS default to yes unless otherwise set to no. SIP brute forcing is popping up more and more these days and telling the hacker that he found the right username but has the wrong password is not the greatest idea. Why give them one piece of the puzzle!|
From a security point of view this option should be enabled by default. There was some conversation in the asterisk-dev channel saying this option is set to "no" by default because it helps newbies figure out what they did wrong. That reasoning is for lack of a better word retarded. Don't compromise security because some newbie cant figure out if his username or password is wrong. Let them disable it if they really want to. Security is far more important!!!
Also, this should probably be a separate bug/enhancement but asterisk should maybe implement brute force detection and block or throttle incoming/failed log-in attempts. This would slow a brute force utility down. Many programs do this, they wait a few seconds to give a failed response so that a attacker now can only submit say 15 user/pass combinations in 60 seconds rather than 300.
Just a IDEA.
|Comments:||By: Leif Madsen (lmadsen) 2009-02-17 12:14:16.000-0600|
This is really something that is more appropriate for the #asterisk-dev mailing list as this is a question that will cause a discussion, and the bug tracker is not the location for discussions.