<br><br><div class="gmail_quote">On Thu, Feb 16, 2012 at 12:30 PM, Kevin P. Fleming <span dir="ltr"><<a href="mailto:kpfleming@digium.com">kpfleming@digium.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div class="im">On 02/11/2012 06:59 PM, Bruce B wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
If your server is open to the internet and in SIP general section you<br>
have nat=no and in peers you have nat=yes or vice versa then it's<br>
possible to enumerate your extension. Because Asterisk responds with<br>
different messages if the extension exists or not based on that<br>
difference in the nat setting then it's possible to tell if an extension<br>
100 exists or not. Over the past few years, Digium has come to<br>
realization to respond to all unauthenticated calls the same way in<br>
order to thwart any attack attempts or guesses on the extension but it's<br>
still not perfect yet as these improvements are done at a really slow<br>
pace. Regardless, they are being made and there truely is a security risk.<br>
</blockquote>
<br></div>
"really slow pace"? Please point out any one of these issues that took an unnecessarily long time to resolve once it was identified and brought to the development team's attention.<div class="im"><br></div>
</blockquote><div>Was referring to general state and mindset of logging and standardizing it for security tools. I was not referring to any Jira issues particularly though sometimes it takes a lot to convince the dev team something is a bug or missing. Security should be taken more importantly and I don't feel it is. A good example is that of "core set verbose 0" effecting all the logging and rendering all security tools useless. There is another thread going on about this right now...</div>
<div><br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="im">
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
I always use nat=yes. I don't even know why nat=no exists as there is<br>
nothing that can't be done with nat=yes. Plus nat=yes will take care of<br>
some of the surprise one-way audio scenarios as well so why use nat=no<br>
at all?! I vote to totally get rid of the nat setting all together and<br>
hard code it and set it to yes but again there are others who may not agree.<br>
</blockquote>
<br></div>
As was already pointed out in the discussions that lead up to the 'nat' default being changed, there are SIP endpoints out there that do not work properly with 'nat=yes' (or 'nat=force_rport'). They behave improperly when Asterisk adds an 'rport' parameter to the top-level Via header in its responses. Setting 'nat=no' is the only way to keep this from happening.</blockquote>
<div><br></div><div>I agree. Wish they followed a standard to make everyone's life easier.</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="HOEnZb"><font color="#888888"><br>
<br>
-- <br>
Kevin P. Fleming<br>
Digium, Inc. | Director of Software Technologies<br>
Jabber: <a href="mailto:kfleming@digium.com" target="_blank">kfleming@digium.com</a> | SIP: <a href="mailto:kpfleming@digium.com" target="_blank">kpfleming@digium.com</a> | Skype: kpfleming<br>
445 Jan Davis Drive NW - Huntsville, AL 35806 - USA<br>
Check us out at <a href="http://www.digium.com" target="_blank">www.digium.com</a> & <a href="http://www.asterisk.org" target="_blank">www.asterisk.org</a></font></span><div class="HOEnZb"><div class="h5"><br>
<br>
--<br>
______________________________<u></u>______________________________<u></u>_________<br>
-- Bandwidth and Colocation Provided by <a href="http://www.api-digital.com" target="_blank">http://www.api-digital.com</a> --<br>
New to Asterisk? Join us for a live introductory webinar every Thurs:<br>
<a href="http://www.asterisk.org/hello" target="_blank">http://www.asterisk.org/hello</a><br>
<br>
asterisk-users mailing list<br>
To UNSUBSCRIBE or update options visit:<br>
<a href="http://lists.digium.com/mailman/listinfo/asterisk-users" target="_blank">http://lists.digium.com/<u></u>mailman/listinfo/asterisk-<u></u>users</a><br>
</div></div></blockquote></div><br>