On Sun, Feb 12, 2012 at 12:59 AM, Bruce B <bruceb...@gmail.com> wrote:

> If your server is open to the internet and in the SIP general section you have
> nat=no and in peers you have nat=yes or vice versa then it's possible to
> enumerate your extensions. Because Asterisk responds with different messages
> if the extension exists or not based on that difference in the nat setting
> then it's possible to tell if an extension 100 exists or not. Over the past
> few years, Digium has come to the realization to respond to all unauthenticated
> calls the same way in order to thwart any attack attempts or guesses on the
> extension but it's still not perfect yet as these improvements are done at
> a really slow pace. Regardless, they are being made and there truly is a
> security risk.
>
> I always use nat=yes. I don't even know why nat=no exists as there is
> nothing that can't be done with nat=yes. Plus nat=yes will take care of
> some of the surprise one-way audio scenarios as well so why use nat=no at
> all?! I vote to totally get rid of the nat setting altogether and hard
> code it and set it to yes but again there are others who may not agree.
>
I'm stunned.

asterisk-users mailing list
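An added example, not part of the original thread and not Asterisk project code: a small audit of a sip.conf that lists peers whose effective nat value differs from the one in [general], which is the mismatch the quoted message describes. The sample configuration is constructed and the function names are hypothetical; an unset [general] nat is reported as None rather than guessed, since no default is stated in the thread.

```python
import re

# Constructed sample sip.conf (not from the thread): [general] says nat=no,
# one peer overrides it directly, one through a template, one inherits it.
SAMPLE_SIP_CONF = """\
[general]
nat=no            ; global setting
[natted](!)       ; template, not a peer itself
nat=yes
[100]
nat=yes
[101](natted)
type=friend
[102]
type=friend       ; no nat line: inherits [general]
"""

SECTION = re.compile(r"^\[([^\]]+)\](?:\(([^)]*)\))?")

def parse_sections(text):
    """Return {name: (is_template, settings)}; settings include template values."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop ';' comments
        m = SECTION.match(line)
        if m:
            opts = [o.strip() for o in (m.group(2) or "").split(",")]
            current = {}
            for parent in opts:                  # copy earlier templates, in order
                current.update(sections.get(parent, (False, {}))[1])
            sections[m.group(1)] = ("!" in opts, current)
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)      # also accepts "key => value"
            current[key.strip().lower()] = value.lstrip(">").strip().lower()
    return sections

def nat_mismatches(text):
    """List (peer, peer_nat, general_nat) for peers that differ from [general]."""
    sections = parse_sections(text)
    general_nat = sections.get("general", (False, {}))[1].get("nat")
    findings = []
    for name, (is_template, settings) in sections.items():
        peer_nat = settings.get("nat", general_nat)
        if name != "general" and not is_template and peer_nat != general_nat:
            findings.append((name, peer_nat, general_nat))
    return findings

if __name__ == "__main__":
    for peer, peer_nat, general_nat in nat_mismatches(SAMPLE_SIP_CONF):
        print(f"[{peer}] nat={peer_nat} differs from [general] nat={general_nat}")
```

Making every flagged peer agree with [general] removes the difference in responses that the message attributes to the mismatch.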