Summary: ASTERISK-20722: Preventing Password attacks
Reporter: Ron Wheeler (ronatartifact)
Labels:
Date Opened: 2012-11-23 21:41:01.000-0600
Date Closed: 2012-11-24 10:38:00.000-0600
Status: Closed/Complete
Components: Channels/chan_sip/Security Framework
Versions: 10.8.0
Frequency of
Description: When someone tries to attack a SIP account, Asterisk helps them out by responding quickly.
When an Asterisk system is attacked by applying random passwords, it would be good to be able to slow the attacker down by specifying a high number of milliseconds to respond to a wrong password or username.
This would at least slow it down and eventually they would go away.
No one with a valid password would be affected and it should be easy to do.
Comments:
By: Michael L. Young (elguero) 2012-11-24 10:37:43.629-0600

The purpose of the security event framework is not to make those kinds of decisions.  All it does is report events so that another module or outside module/application can decide whether action is required or not.

Personally, I use a combination of iptables and fail2ban.  I use the recent module (-m recent) in iptables to throttle/limit incoming requests from an IP address.  Then fail2ban determines when to take action and block requests from that IP address based on what Asterisk is logging.

Also, feature requests are no longer submitted to or accepted through the issue tracker. Feature requests are openly discussed on the mailing lists [1] and Asterisk IRC channels and made note of by Bug Marshals.

[1] http://www.asterisk.org/support/mailing-lists
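
The log-driven blocking decision described in the comment above, as an added example (not part of the original thread and not fail2ban's own code): a sliding-window counter over failed-registration NOTICE lines. The log line layout, the `maxretry`/`findtime` values (named after fail2ban's options) and the addresses are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed chan_sip NOTICE layout; adjust to the format your logger.conf produces.
# The address is taken from the end of the line, where Asterisk writes it, so
# quoted text inside the caller-supplied From field is never read as the source.
FAILED = re.compile(
    r"^\[(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\] NOTICE\[\d+\][^:]*: "
    r"Registration from '.*' failed for '(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?' - "
    r"(?P<reason>Wrong password|No matching peer found)\s*$"
)

# Constructed sample log: six rapid failures from one address, two widely
# spaced failures from another, and one unrelated line.
SAMPLE_LOG = [
    "[2012-11-23 21:40:0%d] NOTICE[2210] chan_sip.c: Registration from "
    "'\"100\" <sip:100@192.0.2.10>' failed for '203.0.113.5:5060' - Wrong password" % s
    for s in range(1, 7)
] + [
    "[2012-11-23 21:41:00] NOTICE[2210] chan_sip.c: Registration from "
    "'<sip:201@192.0.2.10>' failed for '198.51.100.20:5071' - Wrong password",
    "[2012-11-23 22:30:00] NOTICE[2210] chan_sip.c: Registration from "
    "'<sip:201@192.0.2.10>' failed for '198.51.100.20:5071' - Wrong password",
    "[2012-11-23 22:30:05] VERBOSE[2210] chan_sip.c: Registered SIP '201' at 198.51.100.20:5071",
]

def banned_ips(lines, maxretry=5, findtime=600):
    """Return {ip: timestamp of the failure that reached maxretry within findtime seconds}."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)  # ip -> failure timestamps still inside the window
    bans = {}
    for line in lines:
        m = FAILED.match(line)
        if not m or m["ip"] in bans:
            continue  # not a failed registration, or address already flagged
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:  # expire failures older than findtime
            q.popleft()
        if len(q) >= maxretry:
            bans[m["ip"]] = ts
    return bans

if __name__ == "__main__":
    for ip, when in banned_ips(SAMPLE_LOG).items():
        print(f"block {ip} (threshold reached at {when})")
```

The returned addresses are what a firewall rule or ban action would then act on; the occasional mistyped password from 198.51.100.20 stays below the threshold.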

By: Ron Wheeler (ronatartifact) 2012-11-24 16:27:26.121-0600

I had to install fail2ban, which was a bit of a PITA but does seem to work.
It would have been a lot easier to just set the delay to a reasonable delay of 5-60 minutes ;-) since no one should ever have a bad password, in my case.
Thanks for your quick response. I will make the request through the mailing list.
I did a bit of Googling before I submitted this, and the ability to flood Asterisk with password probes seems to be widely reported as a security deficiency in Asterisk.
Thanks again