On Fri, Mar 9, 2012 at 4:10 PM, Kevin P. Fleming <kpflem...@digium.com> wrote:

> On 03/09/2012 02:56 PM, Josh Freeman wrote:
>
> > The most current patched Asterisk, along with the most current app_rpt, can be found at
> >
> > http://svn.ohnosec.org/svn/projects/allstar/astsrc-1.4.23-pre/trunk/
>
> I'm really trying to avoid fanning the flames here, but if that code is *really* based on 1.4.23, and hasn't been kept up to date with the Asterisk 1.4 releases, then that means it contains a number of security vulnerabilities that users should be aware of. Some of them are user enumeration vulnerabilities, but others (like AST-2011-010, AST-2011-005, AST-2011-001, and maybe more) are more serious.
>
> --
> Kevin P. Fleming
> Digium, Inc. | Director of Software Technologies
> Jabber: kflem...@digium.com | SIP: kpflem...@digium.com | Skype: kpfleming
> 445 Jan Davis Drive NW - Huntsville, AL 35806 - USA
> Check us out at www.digium.com & www.asterisk.org

Kevin,

You are not fanning any flames. That is a good point, and anyone that deploys this technology should have to read a disclaimer as to vulnerabilities. I am well aware that there have been some serious security issues in those earlier versions.

As for an Asterisk box, or probably better described by what it is used for, a Repeater or Base Station Controller box, I have them locked down in IPTables and in Asterisk. There are usually not more than a dozen or so RoIP-connected repeaters. In my case, I only open one port for OpenVPN and I define the other repeaters by host=IP. As far as "Soft Radios and Autopatch", that function is taken care of by a "real" Asterisk server that is more of a PBX and faces the world, not the "Repeater Controller"; again, one entry defined by IP over OpenVPN. Bridged or routed, they are non-routable IPs. The RoIP VPN is only accessible through that tunnel, which is dedicated for that purpose.

I am very mindful of security, especially dealing with DoD, but pretty much apply the same kind of security on any implementation. Obviously, these security issues should be patched, but I feel that in my implementations, things are very secure.

Thanks,
Steve T
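The lockdown Steve describes (one open OpenVPN port on the public side, node traffic only from peers pinned by host=IP across the tunnel) as an added illustration that is not part of the thread: a script that emits an iptables-restore ruleset and an iax.conf peer stanza for review rather than applying anything. The port numbers, tunnel interface name and peer addresses are constructed assumptions, not values from the list posts.

```shell
#!/bin/sh
# Constructed example: firewall and peer definitions for a repeater-controller
# box reachable only through a single OpenVPN port. Nothing here is applied;
# the output is meant to be reviewed, then loaded with iptables-restore.
OVPN_PORT=1194              # assumed OpenVPN UDP port on the public interface
TUN_IF=tun0                 # assumed OpenVPN tunnel interface
IAX_PORT=4569               # assumed IAX2 port used between app_rpt nodes
PEERS="10.8.0.2 10.8.0.3"   # constructed tunnel addresses of the other repeaters

# Emit the ruleset in iptables-restore format.
build_rules() {
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # The only port open to the world is the VPN itself.
    echo "-A INPUT -p udp --dport $OVPN_PORT -j ACCEPT"
    # Node-to-node traffic is accepted only from named peers, only via the tunnel,
    # so a host that is not in PEERS cannot reach Asterisk even inside the VPN.
    for p in $PEERS; do
        echo "-A INPUT -i $TUN_IF -s $p -p udp --dport $IAX_PORT -j ACCEPT"
    done
    echo 'COMMIT'
}

# Emit an iax.conf entry pinned to one fixed peer address (host=IP), with
# deny/permit narrowing registration to that address as well. Args: name, ip.
peer_stanza() {
    printf '[%s]\ntype=friend\nhost=%s\ndeny=0.0.0.0/0.0.0.0\npermit=%s/255.255.255.255\n' "$1" "$2" "$2"
}

# Number of per-peer ACCEPT rules produced (one per entry in PEERS).
count_peer_rules() {
    build_rules | grep -c -- "-i $TUN_IF -s "
}

build_rules          # review, then: build_rules | iptables-restore
peer_stanza node-2 10.8.0.2
```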