http://www.asterisk.org/astdocs/node66.html
Thanks, never knew that!

Yes, I understand that it's not what you want, but that doesn't make it a security concern. If Asterisk is publicly available on one interface, making it available on another interface doesn't make you less secure.
You lost me. What I want/don't want is largely irrelevant. The issue is, as you rightly pointed out, whether it is considered more secure or less secure when Asterisk binds to 0.0.0.0 as opposed to using a specific set of interfaces, selected at startup.

If one has internal networks, accessible via, say, eth1 and tun0, and implements Asterisk to act as the internal/private PBX (without exposing it to the outside world), then having been forced to use 0.0.0.0 will, of course, expose Asterisk to any other - undesirable - interfaces, including those pointing to the outside world.

By having the option to specify which interfaces Asterisk should use to bind to (via multiple {udp,tcp}bind statements or by any other means) Asterisk is *not* exposed to any undesirable interfaces and thus the risk is not there. I thought I had made that clear by now; obviously I haven't, it seems.

It's fine if you want to take that step, but please drop the "everyone knows this is a security risk" thing. You appear to be alone in that opinion, and unable to explain why you think it's a security risk. Moreover, you're speaking for others without warrant or welcome.
If you can't see why binding to 0.0.0.0 carries greater risk than restricting Asterisk which interfaces to use, then you are truly blind and beyond help, I am afraid.


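A check for the situation described above, added here as an example and not part of the thread: audit which addresses the Asterisk process is actually listening on and flag wildcard binds (0.0.0.0 / [::]) or binds outside an allowlist of internal-interface addresses. It assumes `ss -H -lntup` column layout; the sample socket lines and the address 10.0.0.5 are constructed, not taken from a real host.

```shell
#!/bin/sh
# Constructed sample in `ss -H -lntup` layout: Netid State Recv-Q Send-Q Local Peer Process
SAMPLE_SOCKETS='udp UNCONN 0 0 0.0.0.0:5060 0.0.0.0:* users:(("asterisk",pid=1234,fd=12))
udp UNCONN 0 0 10.0.0.5:4569 0.0.0.0:* users:(("asterisk",pid=1234,fd=13))
tcp LISTEN 0 128 10.0.0.5:5038 0.0.0.0:* users:(("asterisk",pid=1234,fd=14))
tcp LISTEN 0 128 [::]:5061 [::]:* users:(("asterisk",pid=1234,fd=15))
tcp LISTEN 0 128 127.0.0.1:22 0.0.0.0:* users:(("sshd",pid=99,fd=3))'

# Usage: check_asterisk_binds "ADDR1 ADDR2 ..." < ss-output
# The argument is the space-separated list of addresses Asterisk is allowed to
# bind to (the internal interfaces, e.g. the eth1/tun0 addresses). A wildcard
# bind is never allowed, since it reaches every interface including external ones.
# Prints each offending socket as "<netid> <local addr:port>"; exits 1 if any found.
check_asterisk_binds() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, ok, " "); for (i = 1; i <= n; i++) permitted[ok[i]] = 1 }
        /"asterisk"/ {
            addr = $5; sub(/:[0-9]+$/, "", addr)        # strip the :port suffix
            wildcard = (addr == "0.0.0.0" || addr == "[::]" || addr == "*")
            if (wildcard || !(addr in permitted)) { print $1, $5; bad = 1 }
        }
        END { exit bad ? 1 : 0 }
    '
}

# Run against the constructed sample; on a live host pipe `ss -H -lntup` in instead.
printf '%s\n' "$SAMPLE_SOCKETS" | check_asterisk_binds "10.0.0.5 127.0.0.1" \
    || echo "Asterisk has wildcard or unexpected binds (see lines above)"
```

On the sample it reports the UDP 5060 and TCP 5061 wildcard sockets and leaves the 10.0.0.5 and non-Asterisk sockets alone.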

asterisk-users mailing list