On Fri, Feb 5, 2010 at 9:45 AM, David Birnbaum <davidb@pins.net> wrote:
> We have noticed a lot of issues with Asterisk 1.2 and some 1.4 rollouts. FreePBX had some truck-sized holes in it.
Most/all of the big issues that existed in previous versions of Asterisk/FreePBX have been resolved in later releases. The majority of the "stolen SIP" cases I've heard of have come down to brute forcing of often very insecure passwords - quite often stupid insecure passwords like the same as the username. And of course the username itself is normally the extension, which makes it relatively easy to guess (if "100" doesn't exist, then "200" or "1000" probably does, etc). Then there's the issue of unencrypted/unsecured phone provisioning files, complete with SIP usernames/passwords, hosted on internet webservers - often with the only security being your ability to guess the MAC address...
> On our relatively small client base, we are seeing SIP probing on more or less a non-stop basis, and some of our customers have been hacked over the
Presuming you're running Asterisk, fail2ban can help. The only real issue I've had with it is that many softphones will repeatedly try to register if you get the password wrong, so a user entering their username/password even only once will get them blocked for X minutes.

Scott
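As an added illustration of the two points Scott makes (weak, guessable SIP secrets, and fail2ban-style blocking that cannot tell a retrying softphone from someone walking through extensions), here is a small Python script that is not part of this thread or of Asterisk/fail2ban. It audits a constructed, hypothetical sip.conf excerpt for the weak-secret patterns described above, then parses constructed chan_sip "Registration from ... failed for ..." log lines (the format is approximated from memory, not captured from a real system, and the addresses are documentation ranges) and compares a naive per-IP failure count with a verdict that also looks at how many different usernames one address has tried.

```python
import re
from collections import defaultdict

# --- Part 1: audit SIP secrets for the weaknesses discussed in the thread ---

# Constructed sip.conf excerpt (hypothetical peers, not from any real deployment).
SAMPLE_SIP_CONF = """\
[general]
context=default

[100]
type=friend
secret=100      ; same as the username
host=dynamic

[101]
type=friend
secret=1234     ; short, all digits
host=dynamic

[102]
type=friend
secret=K7v!qz9pLw2mXr
host=dynamic
"""

def parse_sip_conf(text):
    """Return {section: {key: value}} from an Asterisk-style ini file.
    Minimal parser: drops ';' comments and keeps the last value of a repeated key."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections

def audit_secrets(sections, min_len=8):
    """Flag peers whose secret equals the peer name, is all digits, or is short."""
    findings = {}
    for name, opts in sections.items():
        if name == "general" or "secret" not in opts:
            continue
        secret, issues = opts["secret"], []
        if secret == name:
            issues.append("secret equals username")
        if secret.isdigit():
            issues.append("all-digit secret")
        if len(secret) < min_len:
            issues.append("shorter than %d characters" % min_len)
        if issues:
            findings[name] = issues
    return findings

# --- Part 2: registration failures, naive count vs. distinct-user heuristic ---

def _line(ts, user, ip, reason):
    # Approximation of a chan_sip NOTICE line; constructed, not a real capture.
    return ("[Feb  5 %s] NOTICE[1234] chan_sip.c: Registration from "
            "'\"%s\" <sip:%s@pbx.example.com>' failed for '%s' - %s"
            % (ts, user, user, ip, reason))

SAMPLE_LOG = "\n".join(
    # one softphone retrying the same mistyped password six times
    [_line("09:45:%02d" % i, "100", "198.51.100.7", "Wrong password") for i in range(6)]
    # one address walking through guessable extension numbers
    + [_line("09:46:%02d" % i, u, "203.0.113.9", "No matching peer found")
       for i, u in enumerate(["100", "200", "1000", "300", "101"])]
    # a single benign failure
    + [_line("09:47:00", "102", "192.0.2.4", "Wrong password")]
)

REG_FAIL = re.compile(
    r"Registration from '(?:\"(?P<display>[^\"]*)\" )?<sip:(?P<user>[^@>]+)@[^>]*>' "
    r"failed for '(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?' - (?P<reason>.+)$"
)

def failed_registrations(log_text):
    """Extract (ip, user, reason) tuples from registration-failure log lines."""
    events = []
    for line in log_text.splitlines():
        m = REG_FAIL.search(line)
        if m:
            events.append((m.group("ip"), m.group("user"), m.group("reason").strip()))
    return events

def classify_sources(events, threshold=5):
    """Per source IP: 'naive' blocks on raw failure count (what a simple jail does);
    'refined' blocks only when several different usernames were tried and merely
    alerts when one account kept failing, which is the softphone-retry case."""
    by_ip = defaultdict(list)
    for ip, user, _reason in events:
        by_ip[ip].append(user)
    verdicts = {}
    for ip, users in by_ip.items():
        attempts, distinct = len(users), len(set(users))
        naive = "block" if attempts >= threshold else "ok"
        if attempts >= threshold and distinct >= 3:
            refined = "block"   # many extensions from one address: guessing
        elif attempts >= threshold:
            refined = "alert"   # one account retried: probably a wrong password
        else:
            refined = "ok"
        verdicts[ip] = {"attempts": attempts, "distinct_users": distinct,
                        "naive": naive, "refined": refined}
    return verdicts

if __name__ == "__main__":
    for peer, issues in audit_secrets(parse_sip_conf(SAMPLE_SIP_CONF)).items():
        print("peer %s: %s" % (peer, "; ".join(issues)))
    for ip, v in classify_sources(failed_registrations(SAMPLE_LOG)).items():
        print("%-14s attempts=%d distinct=%d naive=%s refined=%s"
              % (ip, v["attempts"], v["distinct_users"], v["naive"], v["refined"]))
```

The distinct-username heuristic is a simplification: a jail that counts only failures would still block the retrying softphone at 198.51.100.7, while the refined verdict raises an alert for it and reserves blocking for the address that tried five different extensions. In practice you would also whitelist known office addresses and keep the naive count as a backstop with a higher threshold.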