Monday, May 31, 2010

Asterisk and SIP security tips

Interesting posting on the Digium blog (I know it's old), but it covers some important points and even has a video showing what SIP users are up against from the dark side.

An important one that many of my associates may not have seen is alwaysauthreject=yes. This gives hackers the same result whether they try hitting an invalid extension or a valid one, whereas normally it would say "you have entered an invalid extension" or "you have entered an invalid password for this extension", allowing a hacker to "harvest" your extensions and focus on them with further attacks.

I notice they also mention fail2ban, which Smpl-PBX has also been using for quite some time; however, unlike some of the "other distros", ours is actually secure, with no backdoor holes in the fail2ban config. Besides this, it is extremely important to keep up with Asterisk (or whatever your SIP server may be) security patches, which is why we do a regular audit of our systems.

It's interesting when a new customer says "I don't know, it's just been running in the closet there for the last couple of years, then it all of a sudden stopped taking calls, and our PBX tech changed his phone number".
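To make the extension harvesting described above visible from the defender's side, here is an added example (not from the Digium post or from Smpl-PBX) that scans registration-failure lines and separates sources probing many extensions from sources hammering one. The line format is modelled on chan_sip NOTICE messages, the sample lines are constructed, and the function names and thresholds are hypothetical.

```python
import re
from collections import defaultdict

def _line(sec, ext, ip, reason):
    # Constructed sample line in the style of a chan_sip registration failure.
    return (f"[2010-05-31 03:12:{sec:02d}] NOTICE[2101] chan_sip.c: Registration from "
            f"'\"{ext}\" <sip:{ext}@192.0.2.10>' failed for '{ip}' - {reason}")

# Constructed input: one source walking extensions, one guessing a password,
# and one user who mistyped a password once.
SAMPLE_LOG = "\n".join(
    [_line(i, 100 + i, "203.0.113.7", "No matching peer found") for i in range(4)]
    + [_line(10 + i, 200, "198.51.100.23", "Wrong password") for i in range(6)]
    + [_line(30, 201, "192.0.2.55", "Wrong password")]
)

# Captures the extension being registered and the source address (IPv4 only,
# with an optional :port suffix as some versions log it).
FAILED = re.compile(
    r"Registration from '(?:\"[^\"]*\"\s*)?<sip:(?P<ext>[^@>]+)@[^>]*>' "
    r"failed for '(?P<ip>[^':]+)(?::\d+)?' - (?P<reason>.+)$"
)

def failures_by_source(log_text):
    """Return {source_ip: {extension: failure_count}}."""
    seen = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            seen[m["ip"]][m["ext"]] += 1
    return seen

def classify(log_text, max_extensions=3, max_failures=5):
    """Label each source 'enumeration', 'password-guessing' or None."""
    verdicts = {}
    for ip, exts in failures_by_source(log_text).items():
        if len(exts) >= max_extensions:          # many different extensions tried
            verdicts[ip] = "enumeration"
        elif sum(exts.values()) >= max_failures:  # repeated failures on few extensions
            verdicts[ip] = "password-guessing"
        else:
            verdicts[ip] = None
    return verdicts

if __name__ == "__main__":
    for ip, verdict in classify(SAMPLE_LOG).items():
        print(ip, verdict or "ok")
```

Counting distinct extensions per source catches a harvesting run even when each individual extension is tried only once, which a plain per-IP failure counter with a high threshold can miss.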

Sunday, May 23, 2010

securely post your email in online forums

I sometimes see people posting their email address in online forums. Those people may as well kiss their inbox goodbye, as every spam bot on earth will grab it within hours.

If you find you do need to post your address to a forum, Google (who else?) is now offering a mail "Captcha" service. This forces people to answer a complex question to actually see your email, and you simply post a link to your captcha page in the forums.

http://www.google.com/recaptcha/mailhide/

Saturday, May 1, 2010

Cinco De Mayo - the 5th may be a bad day in internet history

Well, it looks like the new DNS security protocol is being implemented on all 13 root DNS servers (which control the whole internet for the entire earth) on May 5th. This should prevent DNS hacker attempts.

Unfortunately, it also breaks compatibility with many networking devices around the world. Most devices have a limit of 512 bytes for DNS packets, but the new DNSSEC protocol could often generate 4 times that.

This means that some devices may not pass name info to tell your computer where Facebook is located.

All 13 root servers will be updated at 10 AM PST on May 5th.