On 8/6/2012 7:12 AM, Tony Graziano wrote:
I am suggesting if someone is working on vsftp auto configuration that
they also address xx-8904.
Vsftpd is TFTP and FTP. At this time there is no secure provisioning
method. I would expect that to be addressed with polycom firmware 4.0
once that is added, but I could be ahead of things there.
At the same time ftp via nat is username/password protected and the
ftp server does not allow directory listing, etc. so it is relatively
safe to use.
A couple of points here:
* every phone uses the same username password
* would be better to use secure ftp so the username/password is not
transmitted in plain text.
* seems that once you had the ftp username/password, which I think we
use polycom's defaults, brute force could be used cycling through
mac addresses looking for config files contain sip account
credentials. Fail2ban could help here.
The only way someone can grab your config is knowing the ftp address
and Mac address of the phone, as well as ftp username/password (which
can be changed).
--
Regards
--------------------------------------
Gerald Drouillard
Technology Architect
Drouillard & Associates, Inc.
http://www.Drouillard.biz
_______________________________________________
sipx-dev mailing list
sipx-dev@list.sipfoundry.org
List Archive: http://list.sipfoundry.org/archive/sipx-dev/