No subject
Thu Jan 15 22:29:28 CST 2009
There was some conversation in the asterisk-dev channel saying this option
is set to "no" by default because it helps newbies figure out what they did
wrong. That reasoning is, for lack of a better word, retarded. Don't
compromise security because some newbie can't figure out if his username or
password is wrong. Let them disable it if they really want to. Security
is far more important!!!
Also, this should probably be a separate bug/enhancement, but asterisk
should maybe implement brute force detection and block or throttle
incoming/failed log-in attempts. This would slow a brute force utility
down. Many programs do this: they wait a few seconds to give a failed
response so that an attacker now can only submit say 15 user/pass
combinations in 60 seconds rather than 300.
Just an IDEA.
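The throttling the reporter describes (hold the failure response for a few seconds, and lock a source out after too many failures in a window) can be modelled with a small per-source counter. The following is an added illustration written for this page, not Asterisk code and not anything the reporter posted; the source address 203.0.113.7, the 200 ms per-guess round trip and the policy numbers (4 s delay, 15 failures per 60 s, 5 minute lockout) are constructed for the example. With a 0.2 s round trip and a 4 s hold on every failed reply, an attacker gets 15 answered guesses in 60 seconds instead of 300, which is exactly the arithmetic in the report.

```python
from collections import defaultdict, deque


class LoginThrottle:
    """Per-source failed-login throttle (added example, not Asterisk code).

    Time is passed in explicitly as integer milliseconds so the policy is
    deterministic and testable without sleeping. Policy (constructed values):
      * failures are counted per source in a sliding window of window_ms;
      * from the delay_after-th failure in the window onward, the failure
        response is held back for delay_ms before it is sent;
      * at block_after failures in the window the source is refused for
        block_ms without evaluating the credentials at all.
    """

    def __init__(self, window_ms=60_000, delay_after=3, delay_ms=4_000,
                 block_after=15, block_ms=300_000):
        self.window_ms = window_ms
        self.delay_after = delay_after
        self.delay_ms = delay_ms
        self.block_after = block_after
        self.block_ms = block_ms
        self._failures = defaultdict(deque)  # source -> failure timestamps
        self._blocked_until = {}             # source -> unblock time

    def _recent_failures(self, source, now_ms):
        # Drop failures that have aged out of the sliding window.
        q = self._failures[source]
        while q and now_ms - q[0] > self.window_ms:
            q.popleft()
        return q

    def is_blocked(self, source, now_ms):
        """True while the source is locked out; expired lockouts are cleared."""
        until = self._blocked_until.get(source)
        if until is None:
            return False
        if now_ms < until:
            return True
        del self._blocked_until[source]
        return False

    def record_failure(self, source, now_ms):
        """Register a failed attempt; return how long (ms) to hold the reply."""
        q = self._recent_failures(source, now_ms)
        q.append(now_ms)
        if len(q) >= self.block_after:
            self._blocked_until[source] = now_ms + self.block_ms
        return self.delay_ms if len(q) >= self.delay_after else 0

    def record_success(self, source):
        """A good login clears the failure history for that source."""
        self._failures.pop(source, None)


def simulate_brute_force(throttle, source="203.0.113.7",
                         budget_ms=60_000, round_trip_ms=200):
    """Replay one guesser (constructed source address) submitting wrong
    credentials as fast as the server answers. Returns (guesses answered
    within the budget, whether the source was locked out). Each guess costs
    round_trip_ms plus whatever delay the throttle imposes on the reply.
    """
    now = 0
    answered = 0
    while now < budget_ms:
        if throttle.is_blocked(source, now):
            return answered, True
        answered += 1
        now += round_trip_ms + throttle.record_failure(source, now)
    return answered, False


if __name__ == "__main__":
    no_throttle = LoginThrottle(delay_after=10**9, block_after=10**9)
    delay_only = LoginThrottle(delay_after=1, block_after=10**9)
    print("no throttle:", simulate_brute_force(no_throttle))    # (300, False)
    print("4 s delay:  ", simulate_brute_force(delay_only))     # (15, False)
    print("delay+block:", simulate_brute_force(LoginThrottle()))  # (15, True)
```

Two design points matter when turning this into a real server-side control: the hold on the failure reply must be implemented as a per-connection timer, not a sleep on the thread that handles all registrations, or the throttle itself becomes an easy way to stall the service; and a lockout keyed only on source address will also lock out every legitimate phone behind the same NAT, so the block threshold and duration should be conservative and the event logged so an operator can see who tripped it.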
======================================================================
Issue History
Date Modified     Username     Field                                                      Change
======================================================================
2009-02-17 11:52  shaunreitan  New Issue
2009-02-17 11:52  shaunreitan  Asterisk Version                                           => 1.6.0
2009-02-17 11:52  shaunreitan  Regression                                                 => No
2009-02-17 11:52  shaunreitan  SVN Branch (only for SVN checkouts, not tarball releases)  => N/A
======================================================================