On Fri, 14 Jan 2005, Rich Adamson wrote:
Are there security concerns with the * application software? I know there are with the Linux installation.
:-)
You should always be concerned with security. Not to say that Asterisk has any security problems (it is audited regularly).
If you are administering network boxes you should really read up on network security.
That said, most of your security concerns are going to come from applications which are running by default on your distro.
You should really go through every application running on your box and decide a) whether you need it and b) what settings you really need.
This has sort of been discussed before on the list, but I'd suggest there is a much larger security issue running asterisk resulting from the implementor not understanding "contexts". I'm not talking about problems with the code, but rather experience level.
Those with a fair amount of * experience know/understand the use of default contexts, however the list has seen many many posts where the implementor is having trouble making things work as expected and a fair number of those have something to do with the proper use of contexts.
As with any I/T system, layered security is important including the underlying OS, apps (including *), the network itself, etc. However, there are many systems residing directly on the Internet and none of us have any issues when the systems are properly secured.
That is my major concern too; the * config files (as we all know) are not the easiest to read, and when the setup becomes more complicated it's difficult to know for sure if you haven't left any loopholes open (for example a caller on hold that can dial outside etc.).
Would be nice if there was a script that you could feed an access point to the asterisk server in question (be it SIP or IAX login) and that would just start to try and do anything and report the result. At the same time I realise that this would be a great tool for script kiddies too, but I guess they will not be hindered by the lack of such a script anyways.
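A static check for the context loopholes discussed in this thread, as an added example that is not part of the original posts or of Asterisk itself: it reads an `extensions.conf`-style dialplan and lists every `Dial()` reachable from a given entry context through `include =>` and three-argument `Goto()` edges. The sample dialplan, the context names and the choice of `default` as the entry point are constructed assumptions; macros, `#include` files and `switch` statements are not followed.

```python
import re
from collections import deque

# Constructed sample dialplan (not from the thread): the entry context
# "default" includes "internal", which in turn includes "outbound".
SAMPLE = """\
[default]
include => internal
exten => s,1,Answer()
[internal]
include => outbound
exten => _1XX,1,Dial(SIP/${EXTEN})
[outbound]
exten => _9.,1,Dial(Zap/g1/${EXTEN:1})
[parked]
exten => 700,1,Echo()
"""

def parse(text):
    """Return {context: {"edges": [contexts], "dials": [(exten, target)]}}."""
    ctxs, cur = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop ; comments
        if m := re.fullmatch(r"\[([^\]]+)\]", line):
            cur = ctxs.setdefault(m.group(1), {"edges": [], "dials": []})
        elif cur is None:
            continue
        elif m := re.match(r"include\s*=>\s*([^,\s]+)", line):
            cur["edges"].append(m.group(1))
        elif m := re.match(r"exten\s*=>\s*([^,]+),[^,]+,(.*)", line):
            exten, app = m.group(1).strip(), m.group(2)
            if d := re.match(r"Dial\(([^,|)]+)", app, re.I):
                cur["dials"].append((exten, d.group(1)))
            if g := re.match(r"Goto\(([^,|)]+)[,|][^,|)]+[,|]", app, re.I):
                cur["edges"].append(g.group(1))      # Goto(context,exten,prio)
    return ctxs

def reachable_dials(ctxs, entry):
    """Breadth-first walk of include/Goto edges: [(path, exten, target)]."""
    seen, queue, out = {entry}, deque([[entry]]), []
    while queue:
        path = queue.popleft()
        node = ctxs.get(path[-1], {"edges": [], "dials": []})
        out += [(" -> ".join(path), e, t) for e, t in node["dials"]]
        for nxt in node["edges"]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return out
```

Running `reachable_dials(parse(SAMPLE), "default")` shows the trunk pattern `_9.` reachable via `default -> internal -> outbound`, which is the kind of unintended path a reviewer would then close by removing the include.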
