[asterisk-users] Binding to 0.0.0.0 a security risk?

Daniel Pocock daniel at pocock.com.au
Tue Feb 7 18:51:23 CST 2012



On 07/02/12 05:29, Gordon Messmer wrote:
> On 02/06/2012 03:27 PM, Josh wrote:
>>> Why do you see binding to 0.0.0.0 to be a security risk?
>> Purely because a response from Asterisk can be received as a result of a
>> connection on *any* interface on the system/machine. If I have Asterisk
>> confined to, say, 2 interfaces - eth0 (10.1.1.1) and eth1 (10.2.1.1)
>> then a request over a third/subsequent interface cannot be served - it
>> is not normally possible.
>>
>> When Asterisk binds to 0.0.0.0 that is not the case and a request over a
>> third/subsequent interface *can* be served by Asterisk (provided the
>> routing is set up properly, that is).
> 
> All of that is true, but none of it appears to be a security concern,
> specifically.

If you are connecting to the public internet, then it is much more
important to think about

a) do you really expose your Asterisk directly, or hide it behind a SIP
router such as Kamailio?

b) should you be using TLS (which is connection-oriented and secured
with certificates) rather than UDP?  Everyone who connects with a cert
has been screened in some way by a CA.

c) if using TLS (or even just TCP), why not have the extra security of a
port-forwarding from a firewall to the Asterisk TLS port?  Then no other
ports or addresses on the Asterisk box are exposed.
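The thread's point is that a wildcard bind (0.0.0.0 or ::) answers on whatever interface exists, while a bind to eth0/eth1 addresses only answers there. A quick way to audit a box for that is to parse `ss -tulpn` output and flag listeners that are either wildcard-bound or bound to an address outside an allow-list. The script below is an added example for this thread, not code from the list or from the Asterisk project; the `ss` sample is constructed, and the port numbers, process names and the allow-list of 10.1.1.1 / 10.2.1.1 / 127.0.0.1 are assumptions taken from the example addresses in the discussion.

```python
"""Audit listening sockets for wildcard (0.0.0.0 / ::) binds.

Hypothetical helper written for this thread: it parses `ss -tulpn`-style
output. The SAMPLE_SS text below is constructed, not captured from a host.
"""
import re
from dataclasses import dataclass

# Addresses that mean "every interface on the box".
WILDCARD_ADDRS = {"0.0.0.0", "*", "::"}


@dataclass(frozen=True)
class Listener:
    proto: str      # "udp" or "tcp"
    addr: str       # local bind address, brackets stripped for IPv6
    port: int
    process: str    # process name from the users:(...) column, or "?"


# One `ss -tulpn` row: proto, state, recv-q, send-q, local, peer, [process]
ROW_RE = re.compile(
    r"^(?P<proto>udp|tcp)\s+\S+\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+(?:\s+(?P<rest>.*))?$"
)
PROC_RE = re.compile(r'users:\(\("(?P<name>[^"]+)"')


def split_local(local: str) -> tuple[str, int]:
    """Split 'addr:port' at the last colon so '[::]:5061' and '*:5060' work."""
    addr, _, port = local.rpartition(":")
    return addr.strip("[]"), int(port)


def parse_ss(text: str) -> list[Listener]:
    """Turn `ss -tulpn` output into Listener records, skipping the header."""
    listeners = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # header or unrelated line
        addr, port = split_local(m.group("local"))
        pm = PROC_RE.search(m.group("rest") or "")
        listeners.append(
            Listener(m.group("proto"), addr, port, pm.group("name") if pm else "?")
        )
    return listeners


def is_wildcard(addr: str) -> bool:
    return addr in WILDCARD_ADDRS


def unexpected_binds(listeners, allowed_addrs, process="asterisk"):
    """Return listeners of `process` not confined to `allowed_addrs`.

    A wildcard bind is always reported: it serves any interface that exists
    now or is added later, which is exactly the concern raised in the thread.
    """
    return [
        l for l in listeners
        if l.process == process and (is_wildcard(l.addr) or l.addr not in allowed_addrs)
    ]


# Constructed sample: SIP/UDP on the wildcard, TLS on the IPv6 wildcard,
# IAX2 confined to eth0, AMI on loopback, plus an unrelated sshd row.
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0      0.0.0.0:5060        0.0.0.0:*         users:(("asterisk",pid=1234,fd=12))
udp   UNCONN 0      0      10.1.1.1:4569       0.0.0.0:*         users:(("asterisk",pid=1234,fd=13))
tcp   LISTEN 0      128    [::]:5061           [::]:*            users:(("asterisk",pid=1234,fd=14))
tcp   LISTEN 0      128    127.0.0.1:5038      0.0.0.0:*         users:(("asterisk",pid=1234,fd=15))
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=99,fd=3))
"""

if __name__ == "__main__":
    allowed = {"10.1.1.1", "10.2.1.1", "127.0.0.1"}  # eth0, eth1, loopback (assumed)
    for l in unexpected_binds(parse_ss(SAMPLE_SS), allowed):
        why = "wildcard bind" if is_wildcard(l.addr) else "address not in allow-list"
        print(f"{l.proto} {l.addr}:{l.port} ({l.process}): {why}")
```

On a real host you would feed it `subprocess.run(["ss", "-tulpn"], capture_output=True, text=True).stdout` instead of the sample; the allow-list is the set of addresses you intend Asterisk to serve, so anything else in the report is either a configuration slip or a reason to put the firewall port-forward mentioned above in front of the box.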



