[asterisk-users] Saving "admins" from themselves

Dovid Bender dovid at telecurve.com
Mon Sep 4 11:35:03 CDT 2023


Hi,

We recently had a customer that set up Asterisk with port 5038 open to the
world with standard configs for the AMI (by that I mean they copied and
pasted configs that they saw online). Digging around a bit it seems the
attacker used the AMI action "pjsip show auths" followed by "pjsip show
auth <peer name>" which got them the credentials to their account. I know
we can't protect n00bs in every scenario (username 100 password 100) but I
wonder if by default certain items such as passwords should not be
available in plain text. If the consensus is that hiding such info is good,
I would want to contribute to a patch to hide plain text passwords by
default across Asterisk.

Your thoughts?
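As an added illustration (not part of the post above), here is a manager.conf that closes the exposure described: AMI bound to loopback, default-deny with a single permitted host, and a user whose write permissions exclude the "command" class that the Command action (the one that runs CLI commands such as "pjsip show auth <name>") requires. The user name "monitor" and the secret are placeholders, not values from the post.

```ini
; Hardened /etc/asterisk/manager.conf for the scenario in the post.
; Assumptions (not from the post): AMI user is "monitor"; secret is a
; placeholder to be replaced before use.

[general]
enabled = yes
; Copied configs that end up exposed on 5038 typically carry
; bindaddr = 0.0.0.0 and no deny/permit lines. Bind to loopback (or a
; management-network address) instead.
bindaddr = 127.0.0.1
port = 5038
; Keep AMI off the built-in HTTP server as well.
webenabled = no
; Log every connect/disconnect so an unexpected login is visible.
displayconnects = yes
; One session per user makes a second, unexpected login stand out.
allowmultiplelogin = no

[monitor]
; Placeholder only; use a long random value, never "100"-style secrets.
secret = REPLACE_WITH_LONG_RANDOM_SECRET
; Default-deny, then allow one host. deny is evaluated before permit.
deny = 0.0.0.0/0.0.0.0
permit = 127.0.0.1/255.255.255.255
; Grant only the classes this user needs. Omitting "command" from
; write= removes the Command action, so CLI commands (including
; "pjsip show auths" / "pjsip show auth <name>") cannot be issued
; through this AMI account; omitting "config" blocks config reads.
read = call,log,reporting
write = call,reporting
```

Verify the effect from the CLI with "manager show user monitor", which lists the effective read/write classes and the deny/permit ACL.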