[asterisk-users] A new hack?
C F
shmaltz at gmail.com
Tue Dec 6 09:26:54 CST 2011
On Tue, Dec 6, 2011 at 5:19 AM, Hans Witvliet <asterisk at a-domani.nl> wrote:
> On Mon, 2011-12-05 at 18:51 -0800, Steve Edwards wrote:
> <snip>
>
>> Your security needs depends on your environment. At this point in time,
>> all of the hosts I manage for my clients exist in very limited
>> environments and have very small attack surfaces. They are racked in
>> secure data centers. They only accept SIP from clients with static IP
>> addresses that we have an existing business relationship with. They only
>> accept SSH connections from me. They only accept HTTP connections from me
>> and my boss. That's about it. I don't see where F2B adds much value for
>> me.
>>
>> *) Lots of admins think they can't limit access to servers because they
>> have 'mobile' users. Your users probably don't need to access your servers
>> from every single place on the Internet. If your users don't come from
>> China, North Korea, Iran, etc, you can block entire regions with a few
>> rules and eliminate 80% of probes and attacks from reaching your servers
>> in the first place. Apologies in advance if you happen to live in some of
>> these regions -- feel free to `s/China, North Korea, Iran/United States,
>> Canada, England/g`
>>
>
> Perhaps an other suggestion.
> If they are "true road warriors", i presume they are capable of setting
> up an vpn to the company.
> In that case, only allow registrations/calls through the secured
> tunnel. Then it's not any concern to asterisk.
>
> And if they can breach your tunnel, you have something else to worry
> about.
>
Well, that means opening up VPN connections from everywhere. Thats why
I suggested turning off the server completely.
More information about the asterisk-users
mailing list