On 05/10/2008, at 10:13 AM, Frank Griffith wrote:

> 1. How do they seem to zero in on the one valid user account that is
> present on my server?

Could it be that Asterisk returns a different error code for 'account not found' than for 'password invalid'? If so, you should raise a bug report with the main Asterisk development. The login process should not leak this information to the outside world.

> 2. Is asterisk really that insecure?
>
> 3. My asterisk server is behind my firewall and I do port forwarding
> to allow access from outside users, like me from my office. I guess
> I'm going to have to lock down the asterisk ports only from certain
> IP addresses but that will limit my use when I'm traveling.

Or else, set up a VPN tunnel in your firewall so that you can use that when travelling. Then, if you implement RSA keys for your VPN authentication, you are not dependent on a shared key for security.

Ari Maniatis

-------------------------->
ish
http://www.ish.com.au
Level 1, 30 Wilson Street Newtown 2042 Australia
phone +61 2 9550 5001 fax +61 2 9550 4001
GPG fingerprint CBFB 84B4 738D 4E87 5E5C 5EFA EF6A 7D2E 3E49 102A

_______________________________________________
--Bandwidth and Colocation Provided by http://www.api-digital.com--

Asterisk-BSD mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-bsd
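The user-enumeration oracle Ari describes, shown as an added example that is not part of the thread and not Asterisk code. It simulates a SIP registrar in two modes: one that answers an unknown username differently from a wrong password (the leak suspected above), and one that returns the same status for every failure, which is what the chan_sip option `alwaysauthreject=yes` exists to do. The account table, the probe names and the status codes chosen for each mode are constructed for the example; the attacker side only needs to compare each candidate's failure response against a name it knows cannot exist.

```python
"""Added example: a distinguishable REGISTER failure is an account oracle.

This is a stand-in for a SIP registrar, not Asterisk's implementation.
The account table and probe names below are constructed for the example.
"""
import secrets

# Constructed account table: username -> password. Only one valid account,
# mirroring the server in the thread.
ACCOUNTS = {"ari": "correct-horse"}


def registrar_response(username: str, password: str, leak: bool = True) -> str:
    """Return the SIP status line the registrar sends for a REGISTER attempt.

    leak=True  : unknown user and wrong password get different statuses
                 (the behaviour the thread suspects).
    leak=False : every failure gets the same status, so the response no
                 longer reveals whether the username exists.
    """
    stored = ACCOUNTS.get(username)
    # Constant-time comparison so timing does not become a second oracle.
    if stored is not None and secrets.compare_digest(stored.encode(), password.encode()):
        return "200 OK"
    if leak and stored is None:
        return "404 Not Found"        # status chosen for the example
    return "403 Forbidden"            # status chosen for the example


def enumerate_users(candidates: list, leak: bool = True) -> list:
    """Attacker side: send a wrong password for each candidate name and keep
    the names whose failure status differs from that of a name that certainly
    does not exist. With a uniform-response registrar this returns nothing.
    """
    nonexistent = "no-such-user-" + secrets.token_hex(4)
    baseline = registrar_response(nonexistent, "x", leak)
    return [u for u in candidates if registrar_response(u, "wrong-password", leak) != baseline]


if __name__ == "__main__":
    probes = ["alice", "ari", "bob", "100", "admin"]
    print("leaky registrar   ->", enumerate_users(probes, leak=True))
    print("uniform registrar ->", enumerate_users(probes, leak=False))
```

Note that closing the oracle does not stop the password guessing itself; it only removes the shortcut that let the attacker "zero in" on the single valid account before spending guesses on it. Rate limiting and the IP or VPN restrictions discussed above are still needed against the brute force that follows.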

