On 07/02/12 05:29, Gordon Messmer wrote:
> On 02/06/2012 03:27 PM, Josh wrote:
>>> Why do you see binding to 0.0.0.0 to be a security risk?
>> Purely because a response from Asterisk can be received as a result of a
>> connection on *any* interface on the system/machine. If I have Asterisk
>> confined to, say, 2 interfaces - eth0 (10.1.1.1) and eth1 (10.2.1.1)
>> then a request over a third/subsequent interface cannot be served - it
>> is not normally possible.
>>
>> When Asterisk binds to 0.0.0.0 that is not the case and a request over a
>> third/subsequent interface *can* be served by Asterisk (provided the
>> routing is set up properly, that is).
>
> All of that is true, but none of it appears to be a security concern,
> specifically.

If you are connecting to the public internet, then it is much more
important to think about

a) do you really expose your Asterisk directly, or hide it behind a SIP
router such as Kamailio?

b) should you be using TLS (which is connection oriented and secured
with certificates) rather than UDP? Everyone who connects with a cert
has been screened in some way by a CA.

c) if using TLS (or even just TCP), why not have the extra security of a
port-forwarding from a firewall to the Asterisk TLS port? Then no other
ports or addresses on the Asterisk box are exposed.
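
Added example (not part of the original posts and not Asterisk project code): a Python check of a chan_sip `sip.conf` for the two points raised in this thread, wildcard bind addresses and whether TLS is enabled. It assumes the chan_sip option names `udpbindaddr`/`bindaddr`, `tcpenable`, `tcpbindaddr`, `tlsenable` and `tlsbindaddr`, and that an unset bind address means 0.0.0.0; the sample configuration is constructed.

```python
import ipaddress

# Constructed sample config, not taken from the thread.
SAMPLE_SIP_CONF = """\
[general]
udpbindaddr=0.0.0.0      ; wildcard: answers on every interface
tlsenable=yes
tlsbindaddr=10.1.1.1:5061
"""

def parse_general(text):
    """Return the key/value pairs of the [general] section."""
    opts, section = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # ';' starts a comment
        if line.startswith("[") and "]" in line:
            section = line[1:line.index("]")].strip().lower()
        elif section == "general" and "=" in line:
            key, value = line.split("=", 1)      # also accepts 'key => value'
            opts[key.strip().lower()] = value.lstrip(">").strip()
    return opts

def is_wildcard(addr):
    """True for 0.0.0.0 and ::, with or without a :port suffix."""
    host = addr.strip()
    if host.startswith("["):                     # [v6]:port
        host = host[1:host.index("]")]
    elif host.count(":") == 1:                   # v4:port
        host = host.split(":", 1)[0]
    try:
        return ipaddress.ip_address(host).is_unspecified
    except ValueError:                           # hostname, not an IP literal
        return False

def audit(text):
    """List findings for wildcard listeners and missing TLS."""
    opts, findings = parse_general(text), []
    def enabled(key):
        return opts.get(key, "no").lower() in ("yes", "true", "1", "on")
    # Assumption: 'bindaddr' is the older name for 'udpbindaddr'; unset = 0.0.0.0.
    udp = opts.get("udpbindaddr", opts.get("bindaddr", "0.0.0.0"))
    if is_wildcard(udp):
        findings.append("UDP signalling bound to wildcard address " + udp)
    for proto in ("tcp", "tls"):
        addr = opts.get(proto + "bindaddr", "0.0.0.0")
        if enabled(proto + "enable") and is_wildcard(addr):
            findings.append(proto.upper() + " listener bound to wildcard address " + addr)
    if not enabled("tlsenable"):
        findings.append("TLS disabled: SIP signalling is not certificate-protected")
    return findings
```

Running `audit(SAMPLE_SIP_CONF)` reports only the wildcard UDP bind, since the TLS listener in the sample is pinned to 10.1.1.1.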
