Tuesday, March 10, 2009

Re: [asterisk-biz] PBX got Hacked

That still will not fix the problem if the person installing Asterisk does not add it on. And like it or not, it doesn't matter if it's user error or not; it will make the press and taint the Asterisk/open source name. I would have it as a default install, and let people that know how to, deactivate/modify it. Kind of like Apache does it: disallow all, then allow specific actions. Security is the one thing I would not skimp on.


--Mike 

On Tue, Mar 10, 2009 at 11:10 AM, Mike <list@virtutel.ca> wrote:
>
> > I guess there should be some configurable options in Asterisk to cover
> > for that. Like 10 consecutive failed login attempts should invoke
> > asterisk to reply a login denied to that IP address and another option
> > that would allow for let's say 5 attempts in 5 minutes and then block
> > the extension for login.


> 1. Should this even be Asterisk's responsibility, when it can already be
> implemented w/ external tools that are much better suited to the task, are
> already well supported and work really well:

Should it? Not in an ideal world; as you suggest, external tools may be
better for this task and it might keep * decluttered of tangential features.
But not having this feature is just asking to be talked about, and in this
case bad publicity (as in "my VoIP company using Asterisk got hacked out of
250,000$") would not be good publicity IMO.

If anything, something in Asterisk-addons would be good enough.

Mike
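
The two thresholds proposed in the quoted message (10 consecutive failed logins from one IP, 5 failed attempts in 5 minutes against one extension), sketched as a log-replay check. This is an added example, not part of the thread and not Asterisk code; the chan_sip-style line formats, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

IP_MAX_CONSECUTIVE = 10             # thread: 10 consecutive failures -> deny the IP
EXT_MAX_FAILS = 5                   # thread: 5 attempts ...
EXT_WINDOW = timedelta(minutes=5)   # ... in 5 minutes -> block the extension

# Assumed chan_sip-style log formats; adjust to the local logger configuration.
FAIL = re.compile(r"^\[(?P<ts>[^\]]+)\].*Registration from '.*?sip:(?P<ext>[^@']+)@.*?'"
                  r" failed for '(?P<ip>[\d.]+)(?::\d+)?'")
OK = re.compile(r"^\[[^\]]+\].*Registered SIP '[^']+' at (?P<ip>[\d.]+)")

def evaluate(lines):
    """Replay log lines; return (ips_to_deny, extensions_to_block)."""
    streak = defaultdict(int)     # ip -> consecutive failures
    recent = defaultdict(deque)   # extension -> failure times inside the window
    deny_ips, block_exts = set(), set()
    for line in lines:
        ok, m = OK.search(line), FAIL.search(line)
        if ok:
            streak[ok["ip"]] = 0  # a successful registration ends the streak
        if ok or not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        streak[m["ip"]] += 1
        if streak[m["ip"]] >= IP_MAX_CONSECUTIVE:
            deny_ips.add(m["ip"])
        times = recent[m["ext"]]
        times.append(ts)
        while ts - times[0] > EXT_WINDOW:  # forget failures older than the window
            times.popleft()
        if len(times) >= EXT_MAX_FAILS:
            block_exts.add(m["ext"])
    return deny_ips, block_exts

def fail_line(ts, ext, ip):   # constructed sample line, not real log data
    return (f"[{ts}] NOTICE[2345] chan_sip.c: Registration from "
            f"'\"{ext}\" <sip:{ext}@192.0.2.10>' failed for '{ip}' - Wrong password")

def ok_line(ts, ext, ip):     # constructed sample line, not real log data
    return f"[{ts}] VERBOSE[2345] logger.c:     -- Registered SIP '{ext}' at {ip} port 5060"

def sample_log():  # one host guessing two extensions; one user who mistypes once
    t0, step = datetime(2009, 3, 10, 11, 0, 0), timedelta(seconds=20)
    lines = [fail_line(t0 + i * step, 100 + i % 2, "198.51.100.7") for i in range(12)]
    return lines + [fail_line(t0 + 13 * step, 200, "203.0.113.9"),
                    ok_line(t0 + 14 * step, 200, "203.0.113.9")]
```

`evaluate(sample_log())` flags the guessing host and both extensions it targeted, while the user who mistyped once and then registered is left alone.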



