No subject
Thu Jan 15 22:29:28 CST 2009
There was some conversation in the asterisk-dev channel saying this option
is set to "no" by default because it helps newbies figure out what they did
wrong. That reasoning is, for lack of a better word, retarded. Don't
compromise security because some newbie can't figure out if his username or
password is wrong. Let them disable it if they really want to. Security
is far more important!!!
Also, this should probably be a separate bug/enhancement but Asterisk
should maybe implement brute force detection and block or throttle
incoming/failed log-in attempts. This would slow a brute force utility
down. Many programs do this: they wait a few seconds to give a failed
response so that an attacker now can only submit, say, 15 user/pass
combinations in 60 seconds rather than 300.
Just an IDEA.
======================================================================
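Added example, not part of the original report and not Asterisk code: a sketch of the per-source throttling proposed above, where each failed reply is held 4 seconds so that a client guessing serially gets 15 answers in 60 seconds instead of 300. The class and function names, the 200 ms unthrottled reply time, and the block threshold and duration are assumptions.

```python
# Added example, not Asterisk code: per-source throttle for failed logins.
HOLD_MS = 4000        # hold each failed reply 4 s: 60 s / 4 s = 15 guesses a minute
BLOCK_AFTER = 20      # assumption: consecutive failures before a temporary block
BLOCK_MS = 600_000    # assumption: block length (10 minutes)


class LoginThrottle:
    def __init__(self):
        self.state = {}   # source address -> [consecutive failures, blocked-until ms]

    def check(self, addr, ok, now_ms):
        """Return ms to hold the reply, or None when the source is blocked."""
        entry = self.state.setdefault(addr, [0, 0])
        if now_ms < entry[1]:
            return None               # blocked: credentials are not evaluated
        if ok:
            entry[0] = 0              # a successful login clears the count
            return 0
        entry[0] += 1
        if entry[0] >= BLOCK_AFTER:
            entry[0], entry[1] = 0, now_ms + BLOCK_MS
        return HOLD_MS


def guesses_answered(throttle, addr, window_ms=60_000, base_reply_ms=200):
    """Count failed replies a serial client receives within window_ms.

    base_reply_ms=200 is a constructed value matching 300 replies in 60 s.
    Pass throttle=None to model a server that answers failures immediately.
    """
    now, answered = 0, 0
    while True:
        hold = throttle.check(addr, False, now) if throttle else 0
        if hold is None:
            break                     # source is blocked, no further replies
        now += max(base_reply_ms, hold)
        if now > window_ms:
            break
        answered += 1
    return answered


if __name__ == "__main__":
    src = "198.51.100.7"              # constructed documentation address
    print("no throttle:", guesses_answered(None, src))
    print("throttled  :", guesses_answered(LoginThrottle(), src))
```

The state is keyed by source address so that one noisy source does not delay logins from others, and the failure count adds a block on top of the delay.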
----------------------------------------------------------------------
(0100260) blitzrage (administrator) - 2009-02-17 12:14
http://bugs.digium.com/view.php?id=14493#c100260
----------------------------------------------------------------------
This is really something that is more appropriate for the #asterisk-dev
mailing list as this is a question that will cause a discussion, and the
bug tracker is not the location for discussions.
Thanks!
Issue History
Date Modified    Username       Field                    Change
======================================================================
2009-02-17 12:14 blitzrage      Note Added: 0100260
2009-02-17 12:14 blitzrage      Status                   new => closed
======================================================================