You do realize the other side of this argument is that SSH forwarding is enabled by default on Redhat/Centos and that since you have SSH available to the public at large it also makes this an effective use of your system.
I think the place for you to ask for a change is submitting a JIRA and posting a link on the users and dev groups so people can comment and/or vote for this change...

add in /etc/ssh/sshd_config by default:

    AllowTcpForwarding no
    DenyUsers PlcmSpIp

On Fri, Nov 16, 2012 at 5:24 PM, Noah Mehl <[email protected]> wrote:

> Shall I make a screencast to explain?
>
> ~Noah
>
> On Nov 16, 2012, at 5:20 PM, Noah Mehl <[email protected]> wrote:
>
> Gerald.
>
> That's the security hole. I AM ABLE TO CONNECT TO THE LOCAL SMTP
> SERVICE ON THE SIPXECS SERVER via SSH remotely using the default user/pass
> of PlcmSIp, utilizing ssh port forwarding.
>
> ~Noah
>
> On Nov 16, 2012, at 5:17 PM, Gerald Drouillard <[email protected]>
> wrote:
>
> On 11/16/2012 1:57 PM, Noah Mehl wrote:
>
> Does nobody on the list know what SSH port forwarding is? I am running
> the first two commands from a remote machine (connecting to the sipxecs
> machine) in separate terminals to forward my local 25 port to the sipxecs
> box, and the 25 port on the sipxecs box locally. The third command is run
> locally on the remote machine. This exploit gives the remote machine
> access to port 25 on the SipXecs box even if all other ports are blocked.
> This could be used for any port that is blocked by firewall, ids, etc, if
> the remote machine has ssh access to the sipxecs box.
>
> ~Noah
>
> Do you understand that if your sipx smtp server is only running on
> localhost that you will not be able to connect to it via
> telnet/ssh/whatever?
>
> --
> Regards
> Gerald Drouillard
> Technology Architect
> Drouillard & Associates, Inc.
> http://www.Drouillard.biz

--
Tony Graziano, Manager
_______________________________________________ sipx-users mailing list [email protected] List Archive: http://list.sipfoundry.org/archive/sipx-users/
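
The two sshd_config lines proposed in the message above can be checked for mechanically. The following is an added example, not part of the original thread or of sipXecs: a small Python audit of sshd_config text. The sample configs are constructed, the function name `audit` is hypothetical, and it assumes that sshd keeps the first value it reads for a keyword, that global DenyUsers lines accumulate, and that settings inside a Match block are conditional and so do not count as a global default.

```python
import fnmatch

# Constructed sample configs (not taken from any real sipXecs host).
DEFAULT_LIKE = """\
# stock-style config: forwarding left at its default
PermitRootLogin yes
PasswordAuthentication yes
"""

HARDENED = """\
allowtcpforwarding no
DenyUsers PlcmSpIp
"""

LATE_OVERRIDE = """\
AllowTcpForwarding yes
# the next line is ignored: the first value read for a keyword is kept
AllowTcpForwarding no
DenyUsers backup
Match User PlcmSpIp
    AllowTcpForwarding no
"""

def audit(config_text, user="PlcmSpIp"):
    """Return findings for the two directives proposed in the thread."""
    forwarding = None          # first global value wins
    denied = []                # patterns from every global DenyUsers line
    in_match = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        key, args = parts[0].lower(), parts[1:]   # keywords are case-insensitive
        if key == "match":
            in_match = True    # everything below is conditional, not global
        elif in_match:
            continue
        elif key == "allowtcpforwarding" and forwarding is None and args:
            forwarding = args[0].lower()
        elif key == "denyusers":
            denied.extend(args)
    findings = []
    if forwarding != "no":     # unset means the sshd default, which is "yes"
        findings.append("AllowTcpForwarding is %s" % (forwarding or "unset (default yes)"))
    # Simplification: only the user part of a USER@HOST pattern is compared.
    if not any(fnmatch.fnmatchcase(user, p.split("@")[0]) for p in denied):
        findings.append("%s is not covered by DenyUsers" % user)
    return findings
```

On a live host, `sshd -T` prints the effective configuration and is the authoritative check; this parser is for reviewing config files offline.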
