[asterisk-biz] PBX got Hacked

Peter Beckman beckman at angryox.com
Tue Mar 10 15:29:10 CDT 2009


Wow, my email got a bit ranty.  Fun.

On Tue, 10 Mar 2009, SIP wrote:

> Any software developer either knows or SHOULD know about software
> security. If he doesn't, he's deluding himself into thinking he's an
> actual software developer and not a second-rate code monkey. Software
> security is everything from verifying (and cleaning) user inputs to
> ensure nothing snaps to, in the case of a networked piece of software,
> ensuring that the networked code is not abused.

  The problem is NOT the Asterisk code, it is the configuration.  When
  telephony admins set a username of 100 and a password of 100 or 1234 and
  never change it, there IS NOTHING Digium/Asterisk can do other than throw
  a warning to Console that says "You are an idiot change the password."
  And that probably wouldn't happen.

  Asterisk is NOT responsible for securing a server.  Firewalls that block
  everything BUT what is necessary are NOT the responsibility of Asterisk,
  but the OS and the server admin.  Asterisk already does a decent job of
  only allowing access to itself based on the config given.  If the config
  is bad, how can Asterisk be at fault?  I don't see it as Asterisk's job to
  point out the flaws in your config.  Nice?  Sure, but not some sort of
  moral responsibility to do so.  There are consultants who you can pay to
  do so.  The system admin is almost always at fault for the kind of
  problems this thread has discussed, not buffer overflows.

> Why not build in something stronger if it CAN be done?

  Security can be implemented on the OS level and via plugins that already
  exist for Asterisk.  I'd rather have the Digium developers work on
  features and bug fixes and actual security risks (buffer overflows, etc)
  than trying to warn people they are stupid or recreate the wheel (i.e.
  Asterisk has its own firewall is silly).  It's already strong enough -- if
  you need it to be stronger, there are firewalls and ACLs built into most
  modern operating systems, and there are security related plugins for
  Asterisk to prevent brute forcing.

  Re: Microsoft -- I meant Windows, and that's an unfair comparison (OS vs
  Software).  I really should have said something like BitTorrent has only
  its own code to be worried about, they do not have an obligation to
  protect you from the RIAA nodes or rogue nodes that send you viruses when
  you thought you were downloading Crysis, nor can they anticipate what
  someone might try to do to you, because they cannot control who you
  connect to.

  At the end of the day, if you are going to run Asterisk, and you don't
  know how to secure your box from being used to run up thousands of dollars
  in connection fees, then you get an expensive lesson and maybe get fired.

  While I might agree that it would be handy to have a brute force blocking
  built into Asterisk, the market has already produced such a piece of
  software -- go install it and stop pointing a finger that Asterisk or
  Digium is to fault for your misconfiguration of their software which
  caused you a financial loss.


  At the end of the day, either one knows what one is doing and can prevent
  brute force hacks on one's bad configuration, or one can't, and one will
  learn a lesson.  They might get angry and point fingers, but it happened,
  and since one could have prevented it, it's one's own darn fault.

Beckman, who really liked the challenge of removing YOU and replacing ONE
in the last sentence, and is still worried about misuse of possessives.
---------------------------------------------------------------------------
Peter Beckman                                                  Internet Guy
beckman at angryox.com                                 http://www.angryox.com/
---------------------------------------------------------------------------
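The thread's point is that the loss comes from configuration (peer 100 with secret 100 or 1234, no source-address restriction) rather than from Asterisk's code. The script below is an added example, not part of this post or of the Asterisk project: it parses a chan_sip style sip.conf and flags exactly those configuration weaknesses. The sip.conf keys it reads (`secret`, `type`, `permit`, `deny`, `alwaysauthreject`, `allowguest`) are real chan_sip options; the sample configuration, the list of trivial secrets and the minimum secret length are constructed assumptions for illustration.

```python
"""Audit a chan_sip configuration (sip.conf style) for the weaknesses this
thread describes: peers whose secret equals their name or is a trivial PIN,
peers with no permit/deny ACL, and a [general] section that lets attackers
confirm which peer names exist.

Added example; not from the mailing-list post or the Asterisk project.
The sample configuration below is constructed, not a real deployment.
"""
import re
from typing import Dict, List, Tuple

# Constructed sip.conf fragment for illustration only.
SAMPLE_SIP_CONF = """
[general]
context=default
allowguest=no

[100]
type=friend
secret=100            ; secret equals the peer name
host=dynamic
context=internal

[101]
type=friend
secret=1234           ; well-known default PIN
host=dynamic
context=internal

[102]
type=friend
secret=Xq7!vR2pLm9#tW
host=dynamic
deny=0.0.0.0/0.0.0.0
permit=192.168.1.0/255.255.255.0
context=internal

[103]
type=friend
secret=Xq7!vR2pLm9#tW ; strong secret, but registrations accepted from anywhere
host=dynamic
context=internal
"""

# Assumed policy values (not an Asterisk-provided list or threshold).
TRIVIAL_SECRETS = {"1234", "0000", "1111", "123456", "password", "asterisk"}
MIN_SECRET_LEN = 8


def parse_sip_conf(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Minimal ini-style parser returning {section: {key: [values...]}}.

    Repeated keys (several permit= lines, for example) are kept as a list.
    ';' comments and blank lines are ignored; both 'key=value' and
    'key => value' forms are accepted, as chan_sip allows.
    """
    sections: Dict[str, Dict[str, List[str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^\[([^\]]+)\]", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.lstrip(">").strip()
        sections[current].setdefault(key.strip().lower(), []).append(value)
    return sections


def audit_peers(sections: Dict[str, Dict[str, List[str]]]) -> List[Tuple[str, str]]:
    """Return (peer, finding) pairs for every per-peer weakness detected."""
    findings: List[Tuple[str, str]] = []
    for name, opts in sections.items():
        if name == "general" or "type" not in opts:
            continue  # not a peer/user/friend definition
        secret = opts.get("secret", [""])[0]
        if not secret:
            findings.append((name, "no secret set"))
        elif secret == name:
            findings.append((name, "secret equals peer name"))
        elif secret in TRIVIAL_SECRETS:
            findings.append((name, "secret is a well-known default"))
        elif len(secret) < MIN_SECRET_LEN or secret.isdigit():
            findings.append((name, "secret is short or purely numeric"))
        if "permit" not in opts and "deny" not in opts:
            findings.append((name, "no permit/deny ACL; any source IP may register"))
    return findings


def audit_general(sections: Dict[str, Dict[str, List[str]]]) -> List[str]:
    """Return findings for [general] options that make brute forcing easier."""
    general = sections.get("general", {})
    findings: List[str] = []
    if general.get("alwaysauthreject", ["no"])[0].lower() != "yes":
        findings.append("alwaysauthreject is not 'yes': auth failures reveal which peer names exist")
    if general.get("allowguest", ["yes"])[0].lower() != "no":
        findings.append("allowguest is not 'no': unauthenticated calls are accepted")
    return findings


if __name__ == "__main__":
    parsed = parse_sip_conf(SAMPLE_SIP_CONF)
    for item in audit_general(parsed):
        print(f"[general] {item}")
    for peer, finding in audit_peers(parsed):
        print(f"[{peer}] {finding}")
```

Run against a real sip.conf by replacing `SAMPLE_SIP_CONF` with the file's contents; every finding maps to a change the admin, not Digium, has to make (a longer random secret, a `deny`/`permit` pair per peer, `alwaysauthreject=yes` in `[general]`).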