May 2025
Intermediate to advanced
414 pages
5h 2m
Chinese
Content preview from 《Asterisk:权威指南》第 5 版Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.
第 22 章 安全 安全
本作品已使用人工智能进行翻译。欢迎您提供反馈和意见:translation-feedback@oreilly.com
我们把时间花在寻找安全感上,而当我们得到安全感时却又痛恨它。
约翰-斯坦贝克
Asterisk 系统的安全至关重要,尤其是当系统暴露在互联网上时。攻击者利用系统拨打免费电话可赚大钱。本章将就如何加强 VoIP 部署的安全性提供建议。
扫描有效账户
如果你将 你的Asterisk系统暴露在公共互联网上,你几乎肯定会看到的一件事就是扫描有效账户。例 22-1包含了作者的一个Asterisk生产系统的日志条目。1这次扫描从检查各种常见的用户名开始,随后扫描编号账户。人们通常会将 SIP 账户命名为与 PBX 上的分机相同的名称。这次扫描就是利用了这一点。
提示
为 VoIP 账户使用 非数字 用户名,使其更难被猜中。例如,在本书中,我们使用 SIP 电话的 MAC 地址作为其在 Asterisk 中的账户名。
例 22-1. 账户扫描日志摘录
[Aug 22 15:17:15] NOTICE[25690] chan_sip.c: Registration from '"123"<sip:123@127.0.0.1>' failed for '203.86.167.220:5061' - No matching peer found [Aug 22 15:17:15] NOTICE[25690] chan_sip.c: Registration from '"1234"<sip:1234@127.0.0.1>' failed for '203.86.167.220:5061' - No matching peer found [Aug 22 15:17:15] NOTICE[25690] chan_sip.c: Registration from '"12345"<sip:12345@127.0.0.1>' failed for '203.86.167.220:5061' - No matching peer found ... [Aug 22 15:17:17] NOTICE[25690] chan_sip.c: Registration from '"100"<sip:100@127.0.0.1>' failed for '203.86.167.220:5061' - No matching peer found [Aug 22 15:17:17] NOTICE[25690] chan_sip.c: Registration from '"101"<sip:101@127.0.0.1>' failed for '203.86.167.220:5061' - No matching peer found
任何系统的日志都会记录大量入侵尝试。这就是系统与互联网连接的本质。在本章中,我们将讨论一些配置系统的方法,以便系统拥有强大的机制来处理这些问题。
验证弱点
本章第一节 讨论了扫描用户名的问题。即使用户名很难被猜中,密码也必须很强。如果攻击者能够获得一个有效的用户名,他们很可能会试图暴力破解密码。强大的密码会大大增加这种难度。
SIP 协议的默认验证方案很弱。验证是通过 MD5 挑战-响应机制 完成的。如果攻击者能够捕捉到任何呼叫流量,例如从开放无线网络上的笔记本电脑发出的 SIP 呼叫,那么暴力破解密码的工作就会容易得多,因为它不需要向服务器发出验证请求。
提示
使用强密码 。互联网上有数不胜数的 资源,可帮助确定什么是强密码。此外,还有许多强密码生成器。请使用它们! ...
Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.
Read now
Unlock full access
More than 5,000 organizations count on O’Reilly
O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.Julian F.
I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.Addison B.
I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.Amir M.
I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.