[asterisk-dev] Asterisk Network Security Idea (using tcp_wrappers)

Michiel van Baak michiel at vanbaak.info
Sun Mar 29 17:44:25 CDT 2009


On 14:31, Sun 29 Mar 09, Steve Edwards wrote:
> On Sun, 29 Mar 2009, Joseph Benden wrote:
> 
> > I also don't think that we can accept the blame for system admins who
> > have not properly learned how to take care of their machines. If they
> > are broken into because they left Rsh exposed, is it really our fault?
> > If they leave SIP wide open with no password and the default context can
> > place international calls, is it our fault?
> 
> I disagree here.
> 
> If some of the recent posts to this list are any indication, Asterisk is 
> being deployed by people who have no effing clue.

Did you even look at the default set of configs Digium ships with
asterisk?
The only thing it allows is IAX2 connections to a demo server at digium.
No way to set up calls using your landline or ITSP.

No sip/iax peers/users with passwords or whatever. Only the stuff needed
to get the demo working.

I also don't see any documentation in the released versions nor the svn
repo that tells an admin to put all their stuff in [default].

You just can't do anything for the admin that goes to google, searches
for something, and copy/pastes some config from another admin without a
clue.
Is it really our job to protect against that?

Is it our task to protect the user running windows without a virus scanner?
Is it our task to protect the user from their mother unplugging the
power cord because they need the outlet to vacuum the room?


> 
> While distributing default open and vulnerable configurations *may* not 
> carry any legal responsibility, I feel an ethical responsibility not to 
> hand out the pointy scissors to children.

Like I said in the previous paragraphs, the default configs shipped with
asterisk are secure. They don't allow outsiders to use your POTS line nor
your ITSP registrations.


-- 

Michiel van Baak
michiel at vanbaak.eu
http://michiel.vanbaak.eu
GnuPG key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x71C946BD

"Why is it drug addicts and computer aficionados are both called users?"