[asterisk-users] app_rpt

Steve Totaro stotaro at totarotechnologies.com
Fri Mar 9 15:40:26 CST 2012 

On Fri, Mar 9, 2012 at 4:10 PM, Kevin P. Fleming <kpfleming at digium.com>wrote:

> On 03/09/2012 02:56 PM, Josh Freeman wrote:
>
>> The most current patched Asterisk, along with the most current app_rpt,
>> can be found at
>>
>> http://svn.ohnosec.org/svn/**projects/allstar/astsrc-1.4.**23-pre/trunk/<http://svn.ohnosec.org/svn/projects/allstar/astsrc-1.4.23-pre/trunk/>
>>
>
> I'm really trying to avoid fanning the flames here, but if that code is
> *really* based on 1.4.23, and hasn't been kept up to date with the Asterisk
> 1.4 releases, then that means it contains a number of security
> vulnerabilities that users should be aware of. Some of them are user
> enumeration vulnerabilities, but others (like AST-2011-010, AST-2011-005,
> AST-2011-001, and maybe more) are more serious.
>
> --
> Kevin P. Fleming
> Digium, Inc. | Director of Software Technologies
> Jabber: kfleming at digium.com | SIP: kpfleming at digium.com | Skype: kpfleming
> 445 Jan Davis Drive NW - Huntsville, AL 35806 - USA
> Check us out at www.digium.com & www.asterisk.org
>
>
>
Kevin,

You are not fanning any flames, that is a good point and anyone that
deploys this technology should have to read a disclaimer as
to vulnerabilities.  I am well aware that there have been some serious
security issues in those earlier versions.

As for an Asterisk Box, or probably better described by what It is used
for, a Repeater or Base Station Controller Boxen, I have them locked down
in IPTables and in Asterisk.  There are usually not more then a dozen or so
RoIP conncted repeaters.

In my case, I only open one port for OpenVPN and I define the other
repeaters by host=IP.  As far as "Soft Radios and Autopatch" that function
is taken care of by a "real" Asterisk server that is more of a PBX and
faces the world, not the "Repeater Controller", again, one entry defined by
IP over OpenVPN.  Bridged or routed, they non-routeable IPs.  The RoIP VPN
is only accessible through that tunnel, which is dedicated for that purpose.

I am very mindful of security, especially dealing with DoD, but pretty much
apply the same kind of security on any implementation.

Obviously, these security issues should be patched, but I feel that in my
implementations, things are very secure.

Thanks,
Steve T
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.digium.com/pipermail/asterisk-users/attachments/20120309/c6510fcd/attachment.htm>

More information about the asterisk-users mailing list