[Freeswitch-users] Your Security Best Practices
Michael Collins
msc at freeswitch.org
Thu Jun 17 16:05:14 PDT 2010
On Thu, Jun 17, 2010 at 3:53 PM, Brian West <brian at freeswitch.org> wrote:
> You really should try FreeSWICH and understand the security. In the end
> its YOUR job to secure it... not ours. I can't stop someone from setting up
> FreeSWITCH in an insecure way. Just like you can't stop someone from
> setting up a CGI script that owns your box.
>
> On Jun 17, 2010, at 5:31 PM, Code Ghar wrote:
>
> > I was reading up on some security advice and came across an article from
> Digium (http://blogs.digium.com/2009/03/28/sip-security/). A few points
> that stood out for me were:
> >
> > "Make your SIP usernames different than your extensions". This sounds
> like good advice because now an attacker has to guess the user name and
> password instead of just a password. The biggest benefit to this is that
> even if someone knows the format of your extension numbers, they are not
> able to use it for registration credentials. Of course, the issue of DoS
> using a large number of simultaneous authentication requests still remains.
> How can we deal with this?
>
> How about you set the AUTH username different then the username and then
> have a password too?
>
FYI, there are soft phones out there that FAIL at this:
wxCommunicator
GoldMine CRM Softphone (Front Range Solutions)
These two phones do not support the concept of "auth username" - they ASSUME
that the username is the auth username. Naughty naughty.
-MC
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.freeswitch.org/pipermail/freeswitch-users/attachments/20100617/13c6efab/attachment.html
More information about the FreeSWITCH-users
mailing list