[asterisk-users] Securing Asterisk
--[ UxBoD ]--
uxbod at splatnix.net
Wed Jul 27 14:13:36 CDT 2011
Simple answer to all this is to install http://lync.microsoft.com/ ... good luck ;)
--
Thanks, Phil
----- Original Message -----
> Kevin P. Fleming wrote:
> >
> > 'alwaysauthreject' is not non-compliant with any RFCs; the RFCs
> > define response codes that *can* be used to indicate (for example)
> > that the Request URI does not represent a target known to the
> > receiver (404 Not Found), but do not mandate that the server
> > respond with that code in that situation.
>
>
> Kevin,
>
> Thanks for the correction and I apologize if I'm propagating a
> misconception. Am I misunderstanding this Asterisk Security
> Advisory?
>
> http://lists.digium.com/pipermail/asterisk-announce/2009-April/000177.html
>
> In 2006, the Asterisk maintainers made it more difficult
> to scan for valid SIP usernames by implementing an
> option called "alwaysauthreject"...
>
> ...What we have done is to carefully emulate exactly the
> same responses throughout possible dialogs, which should
> prevent attackers from gleaning this information. All
> invalid users, if this option is turned on, will receive
> the same response throughout the dialog, as if a
> username was valid, but the password was incorrect.
>
> It is important to note several things. First, this
> vulnerability is derived directly from the SIP
> specification, and it is a technical violation of RFC
> 3261 (and subsequent RFCs, as of this date), for us to
> return these responses...
>
> I am asking out of genuine curiosity, because I trust your assessment
> more than my interpretation of the advisory.
>
> Thank you,
>
> Matthew Roth
> InterMedia Marketing Solutions
> Software Engineer and Systems Developer
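The behaviour the quoted advisory describes, as an added example that is not part of this thread and not Asterisk's own code: a constructed toy SIP registrar that answers REGISTER with 'alwaysauthreject' off or on, and the classic username scan run against both. The peer table, realm, URI and the exact status code used for the "unknown user" case when the option is off (404 here) are assumptions chosen for illustration; the point is only that the replies differ, which is what the option removes.

```python
"""Constructed demo of why 'alwaysauthreject' defeats SIP username scanning.

Example added to the thread; it is not Asterisk's code.  The peer table,
realm, URI and the status code for the alwaysauthreject=no unknown-user
case are assumptions chosen for illustration.
"""
import hashlib
import hmac
import secrets

# Constructed peer table standing in for sip.conf peer sections (hypothetical).
PEERS = {"1001": "s3cret", "1002": "hunter2"}
REALM = "asterisk"
URI = "sip:pbx.example.invalid"


def digest_response(username, password, nonce, method="REGISTER", uri=URI):
    """Digest credential a SIP client puts in Authorization (RFC 2617 MD5)."""
    ha1 = hashlib.md5(f"{username}:{REALM}:{password}".encode()).hexdigest()
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{ha2}".encode()).hexdigest()


class Registrar:
    """Toy registrar answering REGISTER the way the advisory describes.

    always_auth_reject=False: an unknown user gets a distinct reply (404 here),
    so the status code alone reveals whether the username exists.
    always_auth_reject=True: every username gets the same 401 challenge and,
    on bad credentials, the same 403, exactly as a valid user with a wrong
    password would.
    """

    def __init__(self, always_auth_reject):
        self.always_auth_reject = always_auth_reject
        self.nonces = {}  # outstanding challenges, keyed by username

    def register(self, username, response=None):
        """Return (status_code, nonce); nonce is only present on a 401 challenge."""
        known = username in PEERS
        if not known and not self.always_auth_reject:
            return 404, None  # leaks: "no such user"
        if response is None:
            nonce = secrets.token_hex(8)
            self.nonces[username] = nonce
            return 401, nonce  # challenge, identical for known and unknown users
        nonce = self.nonces.pop(username, None)
        if known and nonce is not None:
            expected = digest_response(username, PEERS[username], nonce)
            if hmac.compare_digest(response, expected):
                return 200, None
        return 403, None  # same answer for unknown user and wrong password


def probe(registrar, username, password="wrong"):
    """Status codes an attacker observes for one REGISTER attempt."""
    first, nonce = registrar.register(username)
    if nonce is None:
        return (first,)
    second, _ = registrar.register(username, digest_response(username, password, nonce))
    return (first, second)


def enumerate_users(registrar, candidates):
    """Classic scan: any name answered differently from a surely-bogus one exists."""
    baseline = probe(registrar, "bogus-" + secrets.token_hex(4))
    return [u for u in candidates if probe(registrar, u) != baseline]


if __name__ == "__main__":
    names = ["1000", "1001", "1002", "admin"]
    print("alwaysauthreject=no :", enumerate_users(Registrar(False), names))  # ['1001', '1002']
    print("alwaysauthreject=yes:", enumerate_users(Registrar(True), names))   # []
```

In a real deployment the switch is `alwaysauthreject=yes` in the `[general]` section of sip.conf. Note that the demo only makes the status codes uniform; when checking a live system, also compare response timing and any other differences in the replies, since a scanner can key on those just as well as on the code.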