[asterisk-biz] PBX got Hacked
Peter Beckman
beckman at angryox.com
Tue Mar 10 15:29:10 CDT 2009
Wow, my email got a bit ranty. Fun.
On Tue, 10 Mar 2009, SIP wrote:
> Any software developer either knows or SHOULD know about software
> security. If he doesn't, he's deluding himself into thinking he's an
> actual software developer and not a second-rate code monkey. Software
> security is everything from verifying (and cleaning) user inputs to
> ensure nothing snaps to, in the case of a networked piece of software,
> ensuring that the networked code is not abused.
The problem is NOT the Asterisk code; it is the configuration. When
telephony admins set a username of 100 and a password of 100 or 1234 and
never change it, there IS NOTHING Digium/Asterisk can do other than throw
a warning to Console that says "You are an idiot, change the password."
And that probably wouldn't happen.
Asterisk is NOT responsible for securing a server. Firewalls that block
everything BUT what is necessary are NOT the responsibility of Asterisk,
but the OS and the server admin. Asterisk already does a decent job of
only allowing access to itself based on the config given. If the config
is bad, how can Asterisk be at fault? I don't see it as Asterisk's job to
point out the flaws in your config. Nice? Sure, but not some sort of
moral responsibility to do so. There are consultants who you can pay to
do so. The system admin is almost always at fault for the kind of
problems this thread has discussed, not buffer overflows.
> Why not build in something stronger if it CAN be done?
Security can be implemented on the OS level and via plugins that already
exist for Asterisk. I'd rather have the Digium developers work on
features and bug fixes and actual security risks (buffer overflows, etc)
than trying to warn people they are stupid or recreate the wheel (i.e.
Asterisk having its own firewall is silly). It's already strong enough -- if
you need it to be stronger, there are firewalls and ACLs built into most
modern operating systems, and there are security related plugins for
Asterisk to prevent brute forcing.
Re: Microsoft -- I meant Windows, and that's an unfair comparison (OS vs
Software). I really should have said something like BitTorrent has only
its own code to be worried about, they do not have an obligation to
protect you from the RIAA nodes or rogue nodes that send you viruses when
you thought you were downloading Crysis, nor can they anticipate what
someone might try to do to you, because they cannot control who you
connect to.
At the end of the day, if you are going to run Asterisk, and you don't
know how to secure your box from being used to run up thousands of dollars
in connection fees, then you get an expensive lesson and maybe get fired.
While I might agree that it would be handy to have a brute force blocking
built into Asterisk, the market has already produced such a piece of
software -- go install it and stop pointing a finger that Asterisk or
Digium is at fault for your misconfiguration of their software which
caused you a financial loss.
At the end of the day, either one knows what one is doing and can prevent
brute force hacks on one's bad configuration, or one can't, and one will
learn a lesson. They might get angry and point fingers, but it happened,
and since one could have prevented it, it's one's own darn fault.
Beckman, who really liked the challenge of removing YOU and replacing ONE
in the last sentence, and is still worried about misuse of possessives.
---------------------------------------------------------------------------
Peter Beckman Internet Guy
beckman at angryox.com http://www.angryox.com/
---------------------------------------------------------------------------
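The misconfiguration the post describes (extension 100 with a secret of 100 or 1234, and no address restriction on who may register) can be audited for before the phone bill arrives. The sip.conf checker below is an added example, not code from the post or from the Asterisk project; the sample config, the list of trivial secrets and the 12-character minimum are all constructed or assumed here, not taken from Asterisk's own defaults.

```python
import re

# Constructed sample sip.conf fragment: peer 100 is set up the way the post
# complains about, peer 201 is the hardened form (strong secret plus deny/permit ACL).
SAMPLE_SIP_CONF = """
[general]
context=default
alwaysauthreject=yes

[100]
type=friend
host=dynamic
secret=100          ; secret equals the extension number
context=internal

[201]
type=friend
host=dynamic
secret=Vx7!pq2#Lm9&zR4t
deny=0.0.0.0/0.0.0.0
permit=192.168.10.0/255.255.255.0
context=internal
"""

# Assumed list of secrets that deserve an immediate finding; extend locally.
TRIVIAL_SECRETS = {"100", "1234", "12345", "password", "secret"}


def parse_sip_conf(text):
    """Parse sip.conf-style text into {section: {key: value}}.
    deny/permit may repeat, so they are collected as lists; ';' starts a comment."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"\[([^\]]+)\]", line)
        if m:
            current = sections.setdefault(m.group(1), {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = (p.strip() for p in line.split("=", 1))
        if key in ("deny", "permit"):
            current.setdefault(key, []).append(value)
        else:
            current[key] = value
    return sections


def audit_peers(text, min_secret_len=12):
    """Return (peer, problem) pairs for peers with weak secrets or no source ACL."""
    findings = []
    for name, opts in parse_sip_conf(text).items():
        if opts.get("type") not in ("friend", "peer", "user"):
            continue  # [general] and other non-peer sections
        secret = opts.get("secret", "")
        if not secret:
            findings.append((name, "no secret set"))
        elif secret == name or secret in TRIVIAL_SECRETS:
            findings.append((name, "trivial secret (equals username or a default)"))
        elif len(secret) < min_secret_len:
            findings.append((name, f"secret shorter than {min_secret_len} characters"))
        if "deny" not in opts or "permit" not in opts:
            findings.append((name, "no deny/permit ACL; reachable from any source address"))
    return findings
```

The ACL check only covers what Asterisk itself can enforce; a host firewall that drops SIP from everywhere except the trunk provider and the phone subnet is still the first line the post argues for.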