[asterisk-users] Securing Asterisk

Paul Belanger pabelanger at digium.com
Tue Jul 26 15:31:35 CDT 2011


On 11-07-26 02:33 PM, Bruce B wrote:
> I would have to err on the side of CDR to say that the only difference in
> analogy you provided (SSH vs Asterisk) is that people lose much more
> $$$$$$$$ in VoIP than they ever did in SSH hacking. So, if this is an
> exceptional case bending a rule or two of RFC in favor of security won't
> harm specially if it's provided as an option. After-all, RFC does stand for
> Referral For Comment as in always open to be improved. Secondly, there is no
> trade off with the responses as local and private IP networks are well know
> from the public range so the option for such a security measure can be tuned
> to be smart to that end.
>
> The only thing I like about MS OSs is that it's secure out of box and that
> is really what a Linux OS should be as well but it's not and so it's not
> solely Digium's issue and I see your point giving the analogy.
>
> I think it's a good idea if such a security "option" is provided by default
> in Asterisk knowing it can save a lot of headache. If budget is an issue
> maybe make it a bounty and watch support pouring in...........
>
ProTip: Nothing is 'secure out of box' and believe this marketing 
tag-line only provides a false sense of security.

Even if the community does as you ask, it would not guarantee security. 
  Good security required upkeep and maintenance.

As an example, what version of Asterisk are you running on your 
production sites?

-- 
Paul Belanger
Digium, Inc. | Software Developer
twitter: pabelanger | IRC: pabelanger (Freenode)
Check us out at: http://digium.com & http://asterisk.org



More information about the asterisk-users mailing list