No subject


Thu Jan 15 22:29:28 CST 2009


There was some conversation in the asterisk-dev channel saying this option
is set to "no" by default because it helps newbies figure out what they did
wrong.  That reasoning is, for lack of a better word, retarded.  Don't
compromise security because some newbie can't figure out if his username or
password is wrong.  Let them disable it if they really want to.  Security
is far more important!!!

Also, this should probably be a separate bug/enhancement, but asterisk
should maybe implement brute force detection and block or throttle
incoming/failed log-in attempts.  This would slow a brute force utility
down.  Many programs do this: they wait a few seconds to give a failed
response so that an attacker now can only submit say 15 user/pass
combinations in 60 seconds rather than 300.

Just an IDEA.
======================================================================

Issue History
Date Modified    Username       Field                    Change
======================================================================
2009-02-17 11:52 shaunreitan    New Issue
2009-02-17 11:52 shaunreitan    Asterisk Version          => 1.6.0
2009-02-17 11:52 shaunreitan    Regression                => No
2009-02-17 11:52 shaunreitan    SVN Branch (only for SVN checkouts, not tarball releases) => N/A
======================================================================
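The throttling idea in the report above, worked through as an added example (this is illustrative code written for this page, not Asterisk's own implementation). It tracks failed log-in attempts per source address over a sliding 60-second window, blocks a source after a configurable number of failures, and attaches a fixed delay to every failed response so that a sequential guesser gets 60 / 4 = 15 attempts per minute instead of 300. It also returns the same "failed" status whether the user is unknown or the password is wrong, which is the behaviour the first paragraph argues should stay on by default. Source addresses, user names, and passwords below are constructed sample data.

```python
"""Per-source failed-login throttle (added example, not Asterisk code)."""
import hmac
import time
from collections import defaultdict, deque


class LoginThrottle:
    """Sliding-window failure counter keyed by source address.

    After `max_failures` failures within `window_seconds`, the source is
    blocked until old failures age out.  Every failed response also carries
    `failure_delay` seconds, which is the delay the report describes.
    """

    def __init__(self, max_failures=5, window_seconds=60.0, failure_delay=4.0,
                 clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window_seconds
        self.failure_delay = failure_delay
        self.clock = clock
        # source -> timestamps of recent failures (oldest first)
        self._failures = defaultdict(deque)

    def _prune(self, source, now):
        """Drop failures older than the window and return the live queue."""
        q = self._failures[source]
        while q and now - q[0] > self.window:
            q.popleft()
        return q

    def is_blocked(self, source, now=None):
        now = self.clock() if now is None else now
        return len(self._prune(source, now)) >= self.max_failures

    def record_failure(self, source, now=None):
        now = self.clock() if now is None else now
        self._prune(source, now).append(now)

    def record_success(self, source):
        self._failures.pop(source, None)


def attempt_login(throttle, creds_db, source, user, password, now=None):
    """Authenticate one attempt. Returns (status, delay_seconds).

    `creds_db` is a constructed {user: password} dict standing in for the
    real credential store.  Unknown users and wrong passwords produce the
    identical ("failed", delay) result so the response does not reveal
    which half of the pair was wrong.
    """
    if throttle.is_blocked(source, now):
        return ("blocked", throttle.failure_delay)
    expected = creds_db.get(user, "")
    # Constant-time comparison; an empty expected value always fails.
    ok = bool(expected) and hmac.compare_digest(expected, password)
    if not ok:
        throttle.record_failure(source, now)
        return ("failed", throttle.failure_delay)
    throttle.record_success(source)
    return ("ok", 0.0)


def max_sequential_attempts(window_seconds, failure_delay):
    """Attempts per window for one guesser that waits for each failed reply."""
    return int(window_seconds / failure_delay)


if __name__ == "__main__":
    throttle = LoginThrottle(max_failures=5, window_seconds=60.0, failure_delay=4.0)
    creds = {"1001": "correct-horse-battery"}          # constructed sample account
    attacker = "203.0.113.5"                           # constructed sample source
    for i in range(7):
        print(i, attempt_login(throttle, creds, attacker, "1001", f"guess{i}", now=float(i)))
    print("after window:", attempt_login(throttle, creds, attacker, "1001",
                                         "correct-horse-battery", now=70.0))
    print("attempts/min with 4 s delay:", max_sequential_attempts(60, 4))
```

In a real registrar the counter would be keyed on the remote address seen at the transport layer and shared across worker threads; the delay should be applied before the failure packet is sent, not before the credential check, so the server's own work is not drawn out.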