On 08/03/11 09:49, Venefax wrote:

I tried the route of using iptables and at top production time, it eats
5% of my server, bringing it to 95+ CPU usage. Clearly, not an option.
I need a patch for chan_sip that when
alwaysauthreject=yes
does not respond to any REGISTER packet if the username does not exist.
I hope that Digium would include this or similar option in the source
code. Alternatively, a new option can be created in sip.conf. I am
offering no money for this patch. I think all the community needs this
to survive the attack of the evil men from shadowlands.

Another nice patch that I already wrote partially is for
cdr_addons_mysql, but it should be included in all cdr-collecting
technologies. I just do not save to the database any call that is not
connected. This is NOT the same as setting the option at the cdr.conf
level. Each cdr technology needs this option as well. I need to save all
calls to my cdr_odbc, for ASR calculations, but it is useless to store
un-connected calls to mysql, because I use it only as a backup cdr, in
case my external SQL Server blows up or has a problem, which happens often.
What I did was to hard code this option in the source code, but not
including any checkin for a cdr_sql.conf, since I am not a C programmer.


With your option turned on, evil ones will again be able to enumerate valid usernames.

To keep them guessing, you give them the same answer if the user name does not exist or if they gave you a bad password. But with your option turned on, they will know if they have a valid user name or not.

Lyle Giese
LCR Computer Services, Inc.
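The point Lyle makes can be checked rather than argued. Below is an added model (not Asterisk code, not from either poster): it does not speak SIP, it only captures what an unauthenticated sender can observe under the two policies, so an operator can verify whether a response policy turns the server into a username oracle. The account table, the `uniform`/`drop_unknown` policy names and the status codes are constructed assumptions, not chan_sip's actual values.

```python
"""Model of the REGISTER-response policies discussed in the thread.

Constructed example: models the observable reply, not real SIP traffic.
"""
from typing import Optional

# Constructed account table (username -> password); not real credentials.
ACCOUNTS = {"1001": "s3cret", "1002": "hunter2"}


def respond(username: str, password: str, policy: str) -> Optional[int]:
    """Return the status code the sender sees, or None for no reply at all.

    policy 'uniform'      -- alwaysauthreject=yes as described in the thread:
                             an unknown user and a bad password get the same answer.
    policy 'drop_unknown' -- the patch proposed in the quoted mail: stay silent
                             when the username does not exist.
    Status codes are illustrative assumptions, not chan_sip's exact choices.
    """
    exists = username in ACCOUNTS
    if policy == "drop_unknown" and not exists:
        return None                      # silence: observable in itself
    if exists and ACCOUNTS[username] == password:
        return 200                       # registration accepted
    return 403                           # same rejection for both failure kinds


def leaks_account_existence(policy: str,
                            known: str = "1001",
                            unknown: str = "9999") -> bool:
    """True if a bad-password attempt on a real account is distinguishable
    from an attempt on a nonexistent one, i.e. the policy leaks which
    usernames exist. A defender wants this to be False."""
    return respond(known, "wrong", policy) != respond(unknown, "wrong", policy)


if __name__ == "__main__":
    for policy in ("uniform", "drop_unknown"):
        print(policy, "leaks account existence:", leaks_account_existence(policy))
```

Running it shows that the silent-drop policy leaks account existence while the uniform policy does not, which is exactly the trade-off the reply describes.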


asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
  http://lists.digium.com/mailman/listinfo/asterisk-users