Bottom line here, I think, is that the security holes aren't just in Asterisk, they're in SIP, and Asterisk has to support SIP. It is SIP that passes the usernames/passwords in plaintext. If SIP supported a more secure authentication scheme, Asterisk would support it.

> Despite all the arguments on other things we could do, why not increase the level of security in Asterisk if there is a possibility to do so?

Of course, that said, SIPS exists... I do believe Digium is working on SIPS support, no?
Remco Barendse wrote:

Now I read a lot of messages with many arguments stating that we should use iptables, fail2ban and some other things, as well as that we should use secure usernames and passwords.

While this may all be true and valid, obviously there is already an authentication scheme implemented in Asterisk checking username and password. If it is difficult to implement what I suggested with all the options and configurable settings, why not implement it in a more simple form? Despite all the arguments on other things we could do, why not increase the level of security in Asterisk if there is a possibility to do so?

_______________________________________________
--Bandwidth and Colocation Provided by http://www.api-digital.com--

asterisk-biz mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-biz