On 7 October 2010 10:10, Stefan Schmidt <[email protected]> wrote:
> On 07.10.10 10:52, Steve Davies wrote:
>> Hi,
>>
> <snipped>
>
> Hello,
>
> I just want to say something about point 4 which comes to my mind about
> security.
>
>> 4) I am not sure whether it is worth dropping through and testing auth
>> against other peers if there is no username match. Can auth ever
>> succeed under those circumstances (password matches, but not
>> username?)
>
> If you use UDP it's very easy to fake the source IP of a call, so do you
> really want to open a door to an attacker by authenticating only by IP and
> password, which can match any peer with the same IP address? To
> brute-force this would be much easier than to brute-force against sending
> IP, right username and right password.
I was not clear. By option 4) I intended that you test the password against
other peers with a matching IP address. I am not sure whether the username
is included in the SIP password hash, so do not know whether there is even
any point in doing so.

As far as I can tell, in the EXISTING SIP stack, the digest username is not
used to determine which peer to authenticate with; it just uses the first
peer with a matching IP.

> Have you tried to use different ports to register? I think this could help.

AFAIK, Asterisk will only operate on one port, and the remote end is a major
ITSP who will not be wanting to listen to me making odd requests :)

Thanks for the feedback!

Regards,
Steve

--
asterisk-users mailing list
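The open question in the thread is whether the username is part of the SIP digest. It is: SIP reuses HTTP Digest (RFC 3261 section 22.4, RFC 2617), where HA1 = MD5(username:realm:password) and the response is derived from HA1. The following is an added example, not code from this thread or from Asterisk's chan_sip, showing two ways a server could fall through several peers sharing one source IP: one that derives HA1 from each peer's configured username (a password-only match can then never verify) and, for contrast, one that plugs in the username the client claims (which opens exactly the door Stefan describes). The peer table, realm, nonce, URI and the no-qop response form are assumptions made for the example.

```python
"""SIP digest authentication check (RFC 3261 section 22.4, RFC 2617).

Added example, not code from the thread or from Asterisk. It shows that the
client's username is bound into the digest (HA1 = MD5(username:realm:password)),
so a server that derives HA1 from the *peer's configured* username can fall
through several peers sharing one source IP without ever accepting a request
on password alone. Peer table, realm, nonce and URI are constructed sample data.
"""
import hashlib
import re

REALM = "asterisk"  # constructed: the realm this server challenges with


def _md5(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def digest_ha1(username: str, realm: str, password: str) -> str:
    """HA1 binds username, realm and password together."""
    return _md5(f"{username}:{realm}:{password}")


def digest_response(ha1: str, method: str, uri: str, nonce: str) -> str:
    """Response without qop (RFC 2617 section 3.2.2.1); assumption: no qop negotiated."""
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s,]+))')


def parse_digest(header: str) -> dict:
    """Parse the value of an Authorization header: Digest k="v", k2=v2, ..."""
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest credential")
    return {k: (quoted or bare) for k, quoted, bare in _PARAM.findall(params)}


def make_authorization(username: str, password: str, method: str, uri: str, nonce: str) -> str:
    """What a client would send; used here only to build constructed input."""
    resp = digest_response(digest_ha1(username, REALM, password), method, uri, nonce)
    return (f'Digest username="{username}", realm="{REALM}", nonce="{nonce}", '
            f'uri="{uri}", response="{resp}"')


def find_peer(peers: dict, source_ip: str, header: str, method: str = "REGISTER"):
    """Fall through every peer on the source IP; HA1 always uses the peer's own username.

    Returns the matching peer name or None. A request whose password matches a
    peer but whose username does not can never verify, because that peer's HA1
    was computed with a different username.
    """
    auth = parse_digest(header)
    if auth.get("realm") != REALM:
        return None
    for name, peer in peers.items():
        if peer["host"] != source_ip:
            continue
        ha1 = digest_ha1(peer["username"], REALM, peer["secret"])
        if digest_response(ha1, method, auth["uri"], auth["nonce"]) == auth["response"]:
            return name
    return None


def find_peer_ip_only(peers: dict, source_ip: str, header: str, method: str = "REGISTER"):
    """Weak variant for contrast: HA1 is built from the username the *client* claims.

    Any peer on the same IP with the same secret now verifies regardless of
    username, so the check has degraded to IP plus password.
    """
    auth = parse_digest(header)
    for name, peer in peers.items():
        if peer["host"] != source_ip:
            continue
        ha1 = digest_ha1(auth["username"], REALM, peer["secret"])
        if digest_response(ha1, method, auth["uri"], auth["nonce"]) == auth["response"]:
            return name
    return None


# Constructed sample data: two peers share one address and one secret.
PEERS = {
    "alice": {"host": "192.0.2.10", "username": "alice", "secret": "s3cret"},
    "bob":   {"host": "192.0.2.10", "username": "bob",   "secret": "s3cret"},
    "carol": {"host": "192.0.2.11", "username": "carol", "secret": "other"},
}
NONCE = "4f2d9c1e"  # constructed; a real server issues a fresh, unpredictable nonce
URI = "sip:sip.example.net"


def demo():
    """Return (genuine bob, unknown username with safe check, same with weak check)."""
    bob = make_authorization("bob", "s3cret", "REGISTER", URI, NONCE)
    stranger = make_authorization("nobody", "s3cret", "REGISTER", URI, NONCE)
    return (
        find_peer(PEERS, "192.0.2.10", bob),               # "bob"
        find_peer(PEERS, "192.0.2.10", stranger),          # None
        find_peer_ip_only(PEERS, "192.0.2.10", stranger),  # "alice"
    )


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the answer to the question in the thread: with the peer's configured username in HA1, falling through to other peers on the same IP is harmless (the genuine "bob" registration still lands on bob, and a request with the right password but an unknown username matches nobody), whereas building HA1 from the claimed username lets that same request register as "alice".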
