No subject


Thu Jan 15 22:29:28 CST 2009


There was some conversation in the asterisk-dev channel saying this option
is set to "no" by default because it helps newbies figure out what they did
wrong.  That reasoning is, for lack of a better word, retarded.  Don't
compromise security because some newbie can't figure out if his username or
password is wrong.  Let them disable it if they really want to.  Security
is far more important!!!

Also, this should probably be a separate bug/enhancement, but asterisk
should maybe implement brute force detection and block or throttle
incoming/failed log-in attempts.  This would slow a brute force utility
down.  Many programs do this: they wait a few seconds to give a failed
response so that an attacker now can only submit, say, 15 user/pass
combinations in 60 seconds rather than 300.

Just an IDEA.
====================================================================== 
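An added example (not Asterisk code and not from the reporter) of the two controls the report above asks for: hold every failed reply for a few seconds and block a source after a burst of failures. The 200 ms round trip, the 60 s window and the sample address are constructed assumptions; the simulation reproduces the post's 300-versus-15 guesses per minute.

```python
import time
from collections import defaultdict, deque

WINDOW_MS = 60_000  # assumed: failures older than this no longer count


class LoginThrottle:
    """Per-source tracker for failed authentication attempts (hypothetical)."""

    def __init__(self, hold_ms, block_after=None, clock=None):
        self.hold_ms = hold_ms            # how long a failed reply is held
        self.block_after = block_after    # failures in window before a hard block
        self.clock = clock or (lambda: int(time.monotonic() * 1000))
        self.failures = defaultdict(deque)  # source -> recent failure times (ms)

    def _recent(self, source):
        """Drop failures that fell out of the window, return the rest."""
        q = self.failures[source]
        now = self.clock()
        while q and now - q[0] > WINDOW_MS:
            q.popleft()
        return q

    def is_blocked(self, source):
        if self.block_after is None:
            return False
        return len(self._recent(source)) >= self.block_after

    def record_failure(self, source):
        """Log a failed attempt; return how long (ms) to hold the reply."""
        self._recent(source).append(self.clock())
        return self.hold_ms


def guesses_per_minute(hold_ms, block_after=None, rtt_ms=200):
    """Guesses one serial guesser from a single address gets answered in 60 s.
    Each failed reply costs max(network round trip, server hold time)."""
    now = [0]                                   # constructed fake clock (ms)
    throttle = LoginThrottle(hold_ms, block_after, clock=lambda: now[0])
    src = "192.0.2.10"                          # constructed sample address
    answered = 0
    while not throttle.is_blocked(src):
        cost = max(rtt_ms, throttle.record_failure(src))
        if now[0] + cost > WINDOW_MS:           # next reply lands past the minute
            break
        now[0] += cost
        answered += 1
    return answered
```

With no hold the guesser gets 300 answers a minute; a 4 s hold cuts that to 15, and a block threshold stops the source after that many failures until the window slides past them.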

---------------------------------------------------------------------- 
 (0100260) blitzrage (administrator) - 2009-02-17 12:14
 http://bugs.digium.com/view.php?id=14493#c100260 
---------------------------------------------------------------------- 
This is really something that is more appropriate for the #asterisk-dev
mailing list as this is a question that will cause a discussion, and the
bug tracker is not the location for discussions.

Thanks! 

Issue History 
Date Modified    Username       Field                    Change               
====================================================================== 
2009-02-17 12:14 blitzrage      Note Added: 0100260                          
2009-02-17 12:14 blitzrage      Status                   new => closed       
======================================================================