-----Original Message-----
From: C. Tomlinson [mailto:[EMAIL PROTECTED]
Sent: 26 February 2005 11:39
To: 'Asterisk Users Mailing List - Non-Commercial Discussion'
Subject: RE: [Asterisk-Users] FW: Getting PHP Config to work?

Hi Tzafrir,

I do accept that there are many security issues with this setup. I am fairly ignorant of the exact problems due to my lack of knowledge.

However I agree with the post in the previous thread:

"If the asterisk server is reachable from the outside over http or other unsecure protocols, it would be really dangerous. But in a trusty intranet-environment, where firewalls block every attempt to access the asterisk server from the outside, this "solution" should be safe enough, even if nothing is really safe enough ;-) .
Guido Hecken"

What exactly do you mean by an sftp based setup? Is this like the builtin editor in WinSCP?

Phpconfig allows me to change the config by any pc on my LAN, using windows, mac, pocket pc (have to test this one) etc. This is handy for me for testing. I like the flexibility it gives me.

The * box is behind a NAT firewall, the only ports open being those for IAX. If I set up a VPN in the future I will be able to access the phpconfig files securely (?) via that.

It may not suit everyone. Maybe the 777 CHMOD could be done better, but this was the way it worked for me. I am fairly new to Linux and *, so my methods will not be the best.

Thanks for all the information....if I get to a production box I will probably not use phpconfig!

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tzafrir Cohen
Sent: 25 February 2005 18:31
To: asterisk-users@lists.digium.com
Subject: Re: [Asterisk-Users] FW: Getting PHP Config to work?

On Fri, Feb 25, 2005 at 04:43:50PM -0000, C. Tomlinson wrote:
> Hi,
>
> Thanks for the batchfile type, it's a handy one.
>
> I'm not editing over the internet, just local LAN for testing ATM. Protected
> via firewall.
>
> Would it not be fairly secure using a combination of the following:
> .htaccess file
> VPN?
> https access?
> Limit apache to only allow certain IP's?
> And the public keys thing.

Secure against what? What are the threats you consider?

VPN and/or limit of IP addresses (in iptables or in apache's config) would serve to allow access only from certain addresses. But is this a realistic limitation? I thought you wanted to be able to edit the configuration from various hosts.

If this is only your setup, then an sftp-based setup is probably more convenient.

Using a .htaccess file (or even better: an apache config snippet in /etc/apache/conf.d) you can force authentication to get to this directory. But then again, you empower the apache user (www-data) to configure and control asterisk, and thus if anybody manages to make your web server execute an arbitrary script (e.g.: can write to a .php file under the wwwroot) they can make asterisk execute arbitrary code as well.

The chmod command makes Asterisk's configuration world-writable. So anybody with temporary write access to your system can again change asterisk's configuration. This breaks a general sanity assumption that only system users can write to the configuration. As a rule of thumb such a chmod should generally be replaced by adding a certain user to a certain group.

You also change the permissions to the asterisk reload script to 777. Why does it need to be world-writable? This gives an attacker yet another place to inject executable code.

In short: I still fail to see the advantages of using phpconfig in your settings.

--
Tzafrir Cohen         | New signature for new address and  |  VIM is
http://tzafrir.org.il | new homepage                       | a Mutt's
[EMAIL PROTECTED]     |                                    |  best
ICQ# 16849755         | Space reserved for other protocols | friend

_______________________________________________
Asterisk-Users mailing list
Asterisk-Users@lists.digium.com
http://lists.digium.com/mailman/listinfo/asterisk-users
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users
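
The rule of thumb from the thread (replace the chmod 777 with group membership, and keep the reload script non-writable) as an added example that is not part of the original messages or of phpconfig. The group, the file names and the temporary tree built in demo() are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Group and paths are assumptions;
# the web server user (www-data in the thread) is assumed to have been
# added to the group, e.g. usermod -a -G <group> www-data.

# Print every file or directory under $1 that "other" can write to.
list_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print
}

count_world_writable() {
    list_world_writable "$1" | wc -l | tr -d ' '
}

# Config tree: owner and group may read and write, everyone else gets
# nothing. setgid on directories makes new files inherit the group.
harden_config_tree() {
    dir=$1 group=$2
    chgrp -R "$group" "$dir" || return 1
    find "$dir" -type d -exec chmod u+rwx,g+rwxs,o-rwx {} + &&
    find "$dir" -type f -exec chmod u+rw,g+rw,o-rwx {} +
}

# Reload script: the group may run it, only the owner may change it.
harden_script() {
    chgrp "$2" "$1" && chmod 0750 "$1"
}

# Constructed sample tree that mimics the chmod 777 setup from the thread.
demo() {
    group=${1:-$(id -g)}
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/conf"
    echo '[general]' > "$tmp/conf/sip.conf"
    echo '[default]' > "$tmp/conf/extensions.conf"
    printf '#!/bin/sh\necho reload\n' > "$tmp/reload.sh"
    chmod -R 777 "$tmp/conf" "$tmp/reload.sh"
    before=$(count_world_writable "$tmp")
    harden_config_tree "$tmp/conf" "$group" &&
        harden_script "$tmp/reload.sh" "$group"
    after=$(count_world_writable "$tmp")
    rm -rf "$tmp"
    echo "before=$before after=$after"
}

# Run the demo only when invoked as: sh thisfile --demo
[ "${1:-}" != "--demo" ] || demo
```

On a real system the reload script would normally be owned by root, so that the web server's group can execute it but cannot rewrite it.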