Hi Dovid,
There is no default manager.conf in the 'make basic-pbx' config build.
There is, however, the sample manager.conf.sample, which would get
installed with the 'make samples' config and which has a giant security warning
at the top of the file. By default manager has enabled=no, and has a
commented/disabled example config for the 'mark' user. There is no
default 'open to the world' configuration for mainline asterisk. I
would agree however that the default bindaddr should not be 0.0.0.0 in
manager.conf.sample. I'll put in for a fix for that.
With that being said, the Asterisk project has no control over what
other distributions might do in terms of packaging and the default
configurations they install. For example, Debian, Redhat, FreePBX,
etc. might by default open up asterisk to the world with something
wildly insecure like a 0.0.0.0 bind and a login of admin/admin. So if
that was the case, then those package managers should be made aware of
that issue on a case-by-case basis. Offhand I don't know which
distributions install a default open manager.conf.
On 9/4/23 12:35, Dovid Bender wrote:
Hi,
We recently had a customer that set up Asterisk with port 5038 open to
the world with standard configs for the AMI (by that I mean they
copied and pasted configs that they saw online). Digging around a bit
it seems the attacker used the AMI action "pjsip show auths" followed
by "pjsip show auth <peer name>" which got them the credentials to
their account. I know we can't protect n00bs in every scenario
(username 100 password 100), but I wonder if by default certain items
such as passwords should not be available in plain text. If the
consensus is that hiding such info is good, I would want to contribute
to a patch to hide plain text passwords by default across Asterisk.
Your thoughts?
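An added audit script, not part of this thread or of the Asterisk project, that checks a manager.conf for the exposure pattern the two messages describe: manager enabled with bindaddr 0.0.0.0, a login such as admin/admin or 100/100, no permit/deny restriction, and a write class that includes Command (the AMI action through which CLI commands like "pjsip show auth" are issued). The two configs are constructed samples and the secret-length threshold is a heuristic.

```python
from collections import defaultdict

# Constructed samples (not from any real deployment): the copy-pasted pattern from the thread, then a locked-down one.
WEAK_CONF = """[general]
enabled = yes
bindaddr = 0.0.0.0
[admin]
secret = admin
write = all
"""
HARDENED_CONF = """[general]
enabled = yes
bindaddr = 127.0.0.1
[monitor]
secret = 3f9c2b7e-long-random-value
deny = 0.0.0.0/0.0.0.0
permit = 127.0.0.1/255.255.255.255
write = call
"""

def parse_asterisk_conf(text):
    """[section] and 'key = value' / 'key => value' lines -> {section: {key: [values]}}; repeated keys keep a list."""
    conf, section = defaultdict(lambda: defaultdict(list)), None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()           # ';' opens a comment in Asterisk configs
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][key.strip().lower()].append(value.lstrip(">").strip())
    return conf

def audit_manager_conf(text):
    """Return findings for the exposure pattern in the thread; [] means nothing fired."""
    conf, findings = parse_asterisk_conf(text), []
    general = conf.get("general", {})
    if general.get("enabled", ["no"])[-1].lower() != "yes":
        return findings                                # sample default: manager is off, nothing listens
    bindaddr = general.get("bindaddr", ["0.0.0.0"])[-1]
    if bindaddr in ("0.0.0.0", "::"):
        findings.append("general: bindaddr=%s listens on every interface" % bindaddr)
    for user, keys in ((u, k) for u, k in conf.items() if u != "general"):
        secret = keys.get("secret", [""])[-1]
        if len(secret) < 12 or secret.lower() == user.lower():   # heuristic: catches admin/admin, 100/100
            findings.append("%s: weak or username-equal secret" % user)
        if not (keys.get("permit") or keys.get("deny")):
            findings.append("%s: no permit/deny, logins accepted from any source" % user)
        write = set(",".join(keys.get("write", [])).lower().split(","))
        if write & {"all", "command"}:                 # Command action = CLI over AMI
            findings.append("%s: write grants the Command action" % user)
    return findings
```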
asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-users