[asterisk-users] Binding to 0.0.0.0 a security risk?

Gordon Messmer yinyang at eburg.com
Mon Feb 6 22:29:58 CST 2012


On 02/06/2012 03:27 PM, Josh wrote:
>> Why do you see binding to 0.0.0.0 to be a security risk?
> Purely because a response from Asterisk can be received as a result of a
> connection on *any* interface on the system/machine. If I have Asterisk
> confined to, say, 2 interfaces - eth0 (10.1.1.1) and eth1 (10.2.1.1)
> then a request over a third/subsequent interface cannot be served - it
> is not normally possible.
>
> When Asterisk binds to 0.0.0.0 that is not the case and a request over a
> third/subsequent interface *can* be served by Asterisk (provided the
> routing is set up properly, that is).

All of that is true, but none of it appears to be a security concern, 
specifically.

>> If you have 3 or more interfaces (or you need to just bind to some
>> subset), you should have the skills to configure 'iptables.'
> I do, but that is not the point - do you rely on microsoft for the
> security of your own desktop system (if you have one running windows
> that is) or do you take it into your own hands and make sure it is
> properly implemented? I don't know about you, but I am firmly in the
> latter category.

As am I, but that has nothing to do with socket binding.  The simile 
doesn't even make sense.

>> Unfortunately, (IIRC) Asterisk does not reply to the same interface
>> packets are received from which limits the usefulness of multiple
>> interfaces.
> What do you mean by that? If a request is received over eth1 are you
> saying that Asterisk does not respond over the same interface?!

It's possible for an application to bind a socket to a specific 
interface, but very few do.  Generally speaking, server applications 
bind a socket to an address.  The kernel decides what interface 
packets are sent on.  Normally that will be the interface that has the 
lowest cost default route, not necessarily the one on which a connection 
was initiated.  That is why I noted previously that you have to use 
connection tracking, packet mangling, and ip rules for multi-homed 
hosts.  If you've never verified that your packets are being routed out 
the interface you expect (probably with tcpdump), perhaps you should.
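The setup the reply above points at (connection tracking, ip rules, verifying with tcpdump), as an added example that is not part of the original thread: a POSIX sh script that generates the source-based policy routing for the two-interface host Josh describes, so that replies to a request received on eth1 leave on eth1 instead of on whichever interface carries the default route. The interface names and addresses (eth0 10.1.1.1, eth1 10.2.1.1) are the ones quoted in the thread; the /24 prefixes, the gateways 10.1.1.254 and 10.2.1.254, the routing-table ids 101 and 102, and the egress_dev/check_egress helper names are assumptions made for the example. The sample `ip route get` line is constructed.

```shell
#!/bin/sh
# Added example, not code from the original thread: source-based policy
# routing for a host with two interfaces, so a reply sourced from eth1's
# address is routed out eth1 rather than out the default-route interface.
# Interface names and addresses (eth0 10.1.1.1, eth1 10.2.1.1) come from the
# thread; the /24 prefixes, gateways (10.1.1.254, 10.2.1.254) and table ids
# (101, 102) are assumptions.

# Print the ip(8) commands that give one interface its own routing table and
# a rule selecting that table whenever a packet's source address is that
# interface's address.  Arguments: iface addr net/prefix gateway table-id.
policy_route_cmds() {
    iface=$1; addr=$2; net=$3; gw=$4; table=$5
    printf 'ip route add %s dev %s src %s table %s\n' "$net" "$iface" "$addr" "$table"
    printf 'ip route add default via %s dev %s table %s\n' "$gw" "$iface" "$table"
    printf 'ip rule add from %s table %s\n' "$addr" "$table"
}

# Commands for both interfaces of the host described in the thread.
all_cmds() {
    policy_route_cmds eth0 10.1.1.1 10.1.1.0/24 10.1.1.254 101
    policy_route_cmds eth1 10.2.1.1 10.2.1.0/24 10.2.1.254 102
}

# Extract the egress device from the output of `ip route get DST from SRC`,
# e.g. "192.0.2.1 from 10.2.1.1 via 10.2.1.254 dev eth1 src 10.2.1.1".
# This is the cheap check before reaching for tcpdump: if the device printed
# for a source address is not the interface that owns it, the rules above
# are missing or wrong.  The trailing "cache" line of real output is ignored.
egress_dev() {
    printf '%s\n' "$1" | sed -n 's/.* dev \([^ ]*\).*/\1/p'
}

# Ask the live kernel whether packets sourced from SRC leave on IFACE.
# Returns 0 when they do, 1 otherwise.  DST defaults to a documentation
# address (TEST-NET-1); this function needs a real host and is not run here.
check_egress() {
    src=$1; iface=$2; dst=${3:-192.0.2.1}
    dev=$(egress_dev "$(ip route get "$dst" from "$src" 2>/dev/null)")
    [ "$dev" = "$iface" ]
}

# With no argument the commands are only printed; "apply" runs them
# (requires root and the ip(8) tool from iproute2).
case "${1:-print}" in
    apply) all_cmds | sh -e ;;
    *)     all_cmds ;;
esac
```

Run it without arguments to review the six commands it would install, then with `apply` on the host itself; afterwards `check_egress 10.2.1.1 eth1` (or `tcpdump -ni eth1`) confirms that traffic sourced from eth1's address really leaves on eth1. The rules key on the source address, which is exactly what a server that bound to 0.0.0.0 and answered on eth1's address will use, so no per-interface socket binding in Asterisk is needed.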


