[Asterisk-bsd] Asterisk Security Questions
Aristedes Maniatis
ari at ish.com.au
Fri Oct 10 21:31:04 CDT 2008
On 05/10/2008, at 10:13 AM, Frank Griffith wrote:
> 1. How do they seem to zero in on the one valid user account that is
> present on my server?
Could it be that Asterisk returns a different error code for 'account
not found' to 'password invalid'? If so, you should raise a bug report
with the main Asterisk development. The login process should not leak
this information to the outside world.
> 2. Is asterisk really that insecure?
>
> 3. My asterisk server is behind my firewall and I do port forwarding
> to allow access from outside users, like me from my office. I guess
> I'm going to have to lock down the asterisk ports only from certain
> IP addresses but that will limit my use when I'm traveling.
Or else, set up a VPN tunnel in your firewall so that you can use that
when travelling. Then if you implement RSA keys for your VPN
authentication you are not dependent on a shared key for security.
Ari Maniatis
-------------------------->
ish
http://www.ish.com.au
Level 1, 30 Wilson Street Newtown 2042 Australia
phone +61 2 9550 5001 fax +61 2 9550 4001
GPG fingerprint CBFB 84B4 738D 4E87 5E5C 5EFA EF6A 7D2E 3E49 102A
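The point Ari makes about question 1, that a login path which answers 'account not found' and 'password invalid' differently lets an outsider confirm which accounts exist, is illustrated below in a small added example. It is constructed for this page and is not Asterisk code or anything from the thread: a toy registrar with a leaky check beside a uniform-response one, and a detector that reads registration-failure notices in the style of Asterisk's chan_sip log messages and flags a source address that tries many distinct account names. The log lines, account table, salt and thresholds are all made up.

```python
"""Toy illustration of a username-enumeration oracle in a registrar's login
path, its uniform-response fix, and a detector for enumeration attempts in
Asterisk-style registration-failure notices. Constructed example only."""
import hashlib
import hmac
import re
from collections import defaultdict

_SALT = b"constructed-salt"  # constructed; a real store uses a per-user random salt


def _hash(salt: bytes, password: str) -> bytes:
    return hashlib.sha256(salt + password.encode()).digest()


# Constructed account table: user -> (salt, sha256(salt + password)).
ACCOUNTS = {"1001": (_SALT, _hash(_SALT, "correct horse"))}


def register_leaky(user: str, password: str) -> str:
    """Leaky variant: the two failure responses differ, so a caller learns
    whether an account exists before knowing its password."""
    if user not in ACCOUNTS:
        return "404 Not Found"
    salt, stored = ACCOUNTS[user]
    if not hmac.compare_digest(stored, _hash(salt, password)):
        return "403 Forbidden"
    return "200 OK"


def register_uniform(user: str, password: str) -> str:
    """Hardened variant: identical response for unknown user and wrong
    password. The hash comparison still runs against a dummy record for an
    unknown user so the two failure paths also take similar time."""
    salt, stored = ACCOUNTS.get(user, (_SALT, b"\x00" * 32))
    ok = hmac.compare_digest(stored, _hash(salt, password))
    if user not in ACCOUNTS or not ok:
        return "403 Forbidden"
    return "200 OK"


# Constructed log lines written in the style of chan_sip registration NOTICEs;
# the addresses, extensions and timestamps are invented.
SAMPLE_LOG = """\
[Oct 10 21:30:01] NOTICE[2345] chan_sip.c: Registration from '"100" <sip:100@192.0.2.10>' failed for '203.0.113.7' - No matching peer found
[Oct 10 21:30:01] NOTICE[2345] chan_sip.c: Registration from '"101" <sip:101@192.0.2.10>' failed for '203.0.113.7' - No matching peer found
[Oct 10 21:30:02] NOTICE[2345] chan_sip.c: Registration from '"102" <sip:102@192.0.2.10>' failed for '203.0.113.7' - No matching peer found
[Oct 10 21:30:02] NOTICE[2345] chan_sip.c: Registration from '"1001" <sip:1001@192.0.2.10>' failed for '203.0.113.7' - Wrong password
[Oct 10 21:30:03] NOTICE[2345] chan_sip.c: Registration from '"1001" <sip:1001@192.0.2.10>' failed for '203.0.113.7' - Wrong password
[Oct 10 21:35:10] NOTICE[2345] chan_sip.c: Registration from '"1001" <sip:1001@192.0.2.10>' failed for '198.51.100.4' - Wrong password
"""

_FAILED_RE = re.compile(
    r"Registration from '.*?<sip:(?P<user>[^@>]+)@[^>]*>' failed for "
    r"'(?P<ip>[^':]+)[^']*' - (?P<reason>.*)$"
)


def enumeration_sources(log_text: str, min_distinct_users: int = 3) -> dict:
    """Return {ip: sorted distinct usernames} for sources that tried at least
    min_distinct_users different accounts. Many distinct names from one
    address is the pattern a leaky response makes worthwhile; a single
    account failing repeatedly is a different signal (password guessing)."""
    tried = defaultdict(set)
    for line in log_text.splitlines():
        m = _FAILED_RE.search(line)
        if m:
            tried[m["ip"]].add(m["user"])
    return {ip: sorted(users) for ip, users in tried.items()
            if len(users) >= min_distinct_users}


if __name__ == "__main__":
    for fn in (register_leaky, register_uniform):
        print(fn.__name__, "unknown user:", fn("9999", "x"),
              "| wrong password:", fn("1001", "x"))
    print("enumeration sources:", enumeration_sources(SAMPLE_LOG))
```

The server-side log may legitimately record the real reason for the failure; the fix is about what goes back over the wire to the unauthenticated caller, and the detector is something an administrator can run over the existing log on the box behind the firewall.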