[asterisk-biz] PBX got Hacked

Michael Smith mlsmith at agsus.net
Tue Mar 10 12:25:01 CDT 2009


That still will not fix the problem if the person installing Asterisk does
not add it on. And like it or not, it doesn't matter if it's user error or
not, it will make the press and taint the Asterisk/open-source name. I would
have it as a default install, and let people that know how to
deactivate/modify it. Kind of like Apache does it: disallow all, then allow
specific actions. Security is the one thing I would not skimp on.


--Mike

On Tue, Mar 10, 2009 at 11:10 AM, Mike <list at virtutel.ca> wrote:

> >
> > > I guess there should be some configurable options in Asterisk to cover
> > > for that. Like 10 consecutive failed login attempts should invoke
> > > asterisk to reply a login denied to that IP address and another option
> > > that would allow for let's say 5 attempts in 5 minutes and then block
> > > the extension for login.
>
>
> > 1. Should this even be Asterisk's responsibility, when it can already be
> > implemented w/ external tools that are much better suited to the task, are
> > already well supported and work really well:
>
> Should it? Not in an ideal world; as you suggest, external tools may be
> better for this task and it might keep * decluttered of tangential
> features.
> But not having this feature is just asking to be talked about, and in this
> case bad publicity (as in "my VoIP company using Asterisk got hacked out of
> 250,000$") would not be good publicity IMO.
>
> If anything, something in Asterisk-addons would be good enough.
>
> Mike
>
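
Added example, not part of the original thread or of Asterisk: the two thresholds proposed in the quoted message (10 consecutive failures from one IP, 5 failures in 5 minutes on one extension), applied by an external script to constructed log lines. The log line shapes, addresses and all function names are assumptions, and lines are assumed to be in time order.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed line shapes, modelled on chan_sip registration messages (constructed).
FAIL = re.compile(r"\[(?P<ts>[^\]]+)\] NOTICE\[\d+\] chan_sip\.c: Registration from "
                  r"'[^']*<sip:(?P<ext>[^@>]+)@[^>]*>' failed for '(?P<ip>[^']+)'")
OK = re.compile(r"Registered SIP '(?P<ext>[^']+)' at (?P<ip>[\d.]+)")

IP_CONSECUTIVE = 10                               # consecutive failures -> deny the IP
EXT_FAILS, EXT_WINDOW = 5, timedelta(minutes=5)   # 5 in 5 minutes -> block the extension

def evaluate(lines):
    """Return (IPs to deny, extensions to block) for the given log lines."""
    streak = defaultdict(int)      # consecutive failures per source IP
    recent = defaultdict(deque)    # failure timestamps per extension
    deny_ips, block_exts = set(), set()
    for line in lines:
        ok = OK.search(line)
        if ok:
            streak[ok["ip"]] = 0   # a successful login breaks the run
            continue
        m = FAIL.search(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        streak[m["ip"]] += 1
        if streak[m["ip"]] >= IP_CONSECUTIVE:
            deny_ips.add(m["ip"])
        q = recent[m["ext"]]
        q.append(ts)
        while ts - q[0] > EXT_WINDOW:   # drop failures older than the window
            q.popleft()
        if len(q) >= EXT_FAILS:
            block_exts.add(m["ext"])
    return deny_ips, block_exts

def fail(ts, ext, ip):   # builds one constructed failure line
    return (f"[2009-03-10 {ts}] NOTICE[2210] chan_sip.c: Registration from "
            f"'\"{ext}\" <sip:{ext}@203.0.113.5>' failed for '{ip}' - Wrong password")

SAMPLE = (
    [fail(f"11:00:{s:02d}", 100 + s, "198.51.100.7") for s in range(10)]       # one IP, many extensions
    + [fail(f"11:02:{s:02d}", 200, f"198.51.100.{20 + s}") for s in range(5)]  # many IPs, one extension
    + [fail(f"11:0{m}:00", 101, "192.0.2.10") for m in (3, 4)]                 # user mistypes twice
    + ["[2009-03-10 11:04:30] VERBOSE[2210] logger.c:     -- Registered SIP '101' at 192.0.2.10 port 5060"]
    + [fail("11:20:00", 101, "192.0.2.10")]
)
```

The two counters catch different patterns: the per-IP run flags one source walking through extensions, while the per-extension window flags guesses against one extension spread over several sources.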