[asterisk-users] aSTERISK / Vicidial systems over 4MB fiber

Mark Adams admin at infinity-marketing.com
Thu Jun 12 10:30:19 CDT 2008


Yes, it all makes sense. I left it all open so SIP traffic could pass. My
experience has only been with analog gateways, which, well, no one would want
to break into or do any of these things to.

Thanks for the SonicWall tip, that was what I was about to buy.

Mark Adams 

-----Original Message-----
From: asterisk-users-bounces at lists.digium.com
[mailto:asterisk-users-bounces at lists.digium.com] On Behalf Of Lee Howard
Sent: Thursday, June 12, 2008 11:16 AM
To: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: Re: [asterisk-users] aSTERISK / Vicidial systems over 4MB fiber

Jay R. Ashworth wrote:
> On Thu, Jun 12, 2008 at 08:02:24AM -0500, Tilghman Lesher wrote:
>   
>> One of the most frequent security issues comes not in the form of a
>> software flaw, but simply in people choosing easy-to-guess passwords
>> on the root account. There are two suggestions I have to reduce the
>> risk of this brute force. First, choose a username that is uncommon.
>> In your case, do not use 'root', 'admin', or even 'mark'. 'madams'
>> might be a good choice. Once you figure out that username, configure
>> sshd with the AllowUsers directive to ONLY allow logins from that
>> user.
>>     
>
> Your phrasing, here, Tilghman, suggests that you mean that the
> administrative account should be renamed from root to madams, and I'm
> fairly sure you don't actually mean that.  
>
> You actually mean "create a regular user, and lock the machine down so
> that's the only thing that can be used to log into it, at which point,
> when and 
>
>   
>>                                    If you need root access, install
>> sudo. If an attacker cannot figure out what your username is, then it
>> doesn't matter even if they guess your password, because they aren't
>> getting in.
>>     
>
> ...you can use sudo to get it.

Never, ever, ever, expose sshd to the public internet without 
firewalling.  Only let trusted IPs reach sshd.  The risk of brute force 
success, however small, is still far too great.  Again, do not expose 
sshd to the general public.

And for that matter... it's generally unwise to expose any service to 
the general public when the general public has no business using that 
service.

A little bit of time learning some iptables basics will go a long way here.

Thanks,

Lee.
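
As an added illustration of the advice in this thread to let only trusted IPs reach sshd (not code posted by anyone on the list), the script below validates a list of trusted sources and prints the iptables commands for review rather than running them. The chain name SSH_IN, port 22 and the sample addresses are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Prints (does not run) iptables commands
# that let only trusted source addresses reach sshd.

# valid_source ADDR[/BITS]: succeed only for a dotted-quad IPv4 address with an
# optional prefix of 1-32. /0 is refused because it would mean "everyone".
valid_source() {
    addr=${1%%/*}
    case $1 in */*) bits=${1#*/} ;; *) bits=32 ;; esac
    case $bits in ''|*[!0-9]*) return 1 ;; esac
    [ "$bits" -ge 1 ] && [ "$bits" -le 32 ] || return 1
    case $addr in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# ssh_rules PORT SOURCE...: print the commands, or print nothing and fail if
# any argument is malformed, so a typo never produces a partial ruleset.
ssh_rules() {
    [ $# -ge 2 ] || { echo "usage: ssh_rules PORT SOURCE..." >&2; return 1; }
    port=$1; shift
    case $port in ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;; esac
    for src in "$@"; do
        valid_source "$src" || { echo "bad source: $src" >&2; return 1; }
    done
    # SSH_IN is a hypothetical chain name chosen for this example.
    echo "iptables -N SSH_IN"
    for src in "$@"; do
        echo "iptables -A SSH_IN -s $src -j ACCEPT"
    done
    echo "iptables -A SSH_IN -j DROP"
    # Inserted first so an earlier allow-everything rule cannot bypass it.
    echo "iptables -I INPUT 1 -p tcp --dport $port -j SSH_IN"
}

# Constructed sample sources from the RFC 5737 documentation ranges.
ssh_rules 22 192.0.2.10 198.51.100.0/24
```

Only TCP traffic to the sshd port is sent through the new chain, so rules for other services are left as they were. Apply the printed commands from a console session or with a second login already open, in case a trusted address was mistyped.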
