Hi,

We recently had a customer who set up Asterisk with port 5038 open to the world and standard configs for the AMI (by that I mean they copied and pasted configs that they saw online). Digging around a bit, it seems the attacker used the AMI action "pjsip show auths" followed by "pjsip show auth <peer name>", which got them the credentials to their account.

I know we can't protect n00bs in every scenario (username 100, password 100), but I wonder whether, by default, certain items such as passwords should not be available in plain text. If the consensus is that hiding such info is good, I would want to contribute a patch to hide plain-text passwords by default across Asterisk.
Your thoughts?
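As an added illustration (not part of the original post or of Asterisk itself), the audit below reads a manager.conf and flags the combination the post describes: AMI listening on every interface, and an account reachable from any address whose write permissions include "command" (or "all"), which is what allows an authenticated AMI user to send a Command action such as "pjsip show auth <name>". The sample config, account names and the placeholder secret are constructed for this example.

```python
# Added example (not from the post or Asterisk): audit manager.conf for an AMI account
# reachable from anywhere that can send the Command action (write includes 'command'/'all').
import ipaddress

SAMPLE_MANAGER_CONF = """\
[general]
bindaddr = 0.0.0.0        ; constructed weak setting: listens on every interface

[admin]                   ; constructed weak account, like a copy-pasted web example
secret = 100
permit = 0.0.0.0/0.0.0.0
read = all
write = all

[monitor]                 ; constructed hardened account: local only, no 'command'
secret = placeholder-long-random-secret
deny = 0.0.0.0/0.0.0.0
permit = 127.0.0.1/255.255.255.255
read = call,cdr
write = originate
"""

def parse_manager_conf(text):
    """{section: {key: [values]}}; repeated keys such as permit keep every value."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # strip Asterisk ';' comments
        if line.startswith("["):
            current = sections.setdefault(line.strip("[]"), {})
        elif line:
            key, _, value = line.partition("=")
            current.setdefault(key.strip(), []).append(value.strip())
    return sections

def permits_anywhere(opts):
    """No deny/permit lines means no ACL at all; a /0 permit admits every address."""
    if not opts.get("permit") and not opts.get("deny"):
        return True
    return any(ipaddress.ip_network(p, strict=False).prefixlen == 0 for p in opts.get("permit", []))

def audit(text):
    """Return (section, finding) pairs for the settings that enable the credential leak."""
    conf = parse_manager_conf(text)
    findings = []
    if conf.get("general", {}).get("bindaddr", ["0.0.0.0"])[0] == "0.0.0.0":
        findings.append(("general", "bindaddr 0.0.0.0 exposes AMI on every interface"))
    for name, opts in conf.items():
        write = {p.strip() for v in opts.get("write", []) for p in v.split(",")}
        if name != "general" and permits_anywhere(opts) and write & {"all", "command"}:
            findings.append((name, "reachable from anywhere with CLI command rights"))
    return findings
```

Running audit(SAMPLE_MANAGER_CONF) reports the [general] bind address and the [admin] account, while the locally restricted [monitor] account produces no finding.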
-- asterisk-users mailing list