<br><br><div class="gmail_quote">On Thu, Jun 17, 2010 at 3:53 PM, Brian West <span dir="ltr"><<a href="mailto:brian@freeswitch.org">brian@freeswitch.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
You really should try FreeSWICH and understand the security. In the end its YOUR job to secure it... not ours. I can't stop someone from setting up FreeSWITCH in an insecure way. Just like you can't stop someone from setting up a CGI script that owns your box.<br>
<br>
On Jun 17, 2010, at 5:31 PM, Code Ghar wrote:<br>
<br>
> I was reading up on some security advice and came across an article from Digium (<a href="http://blogs.digium.com/2009/03/28/sip-security/" target="_blank">http://blogs.digium.com/2009/03/28/sip-security/</a>). A few points that stood out for me were:<br>
><br>
> "Make your SIP usernames different than your extensions". This sounds like good advice because now an attacker has to guess the user name and password instead of just a password. The biggest benefit to this is that even if someone knows the format of your extension numbers, they are not able to use it for registration credentials. Of course, the issue of DoS using a large number of simultaneous authentication requests still remains. How can we deal with this?<br>
<br>
How about you set the AUTH username different then the username and then have a password too?<br></blockquote><div><br></div></div>FYI, there are soft phones out there that FAIL at this:<br>wxCommunicator<br>GoldMine CRM Softphone (Front Range Solutions)<br>
<br>These two phones do not support the concept of "auth username" - they ASSUME that the username is the auth username. Naughty naughty. <br>-MC<br>