[asterisk-users] A new hack?
Hans Witvliet
asterisk at a-domani.nl
Tue Dec 6 04:19:40 CST 2011
On Mon, 2011-12-05 at 18:51 -0800, Steve Edwards wrote:
<snip>
> Your security needs depends on your environment. At this point in time,
> all of the hosts I manage for my clients exist in very limited
> environments and have very small attack surfaces. They are racked in
> secure data centers. They only accept SIP from clients with static IP
> addresses that we have an existing business relationship with. They only
> accept SSH connections from me. They only accept HTTP connections from me
> and my boss. That's about it. I don't see where F2B adds much value for
> me.
>
> *) Lots of admins think they can't limit access to servers because they
> have 'mobile' users. Your users probably don't need to access your servers
> from every single place on the Internet. If your users don't come from
> China, North Korea, Iran, etc, you can block entire regions with a few
> rules and eliminate 80% of probes and attacks from reaching your servers
> in the first place. Apologies in advance if you happen to live in some of
> these regions -- feel free to `s/China, North Korea, Iran/United States,
> Canada, England/g`
>
Perhaps an other suggestion.
If they are "true road warriors", i presume they are capable of setting
up an vpn to the company.
In that case, only allow registrations/calls through the secured
tunnel. Then it's not any concern to asterisk.
And if they can breach your tunnel, you have something else to worry
about.
hw
More information about the asterisk-users
mailing list