I used to use HTTP with no auth, but changed for a bit more security. When I used basic HTTP, here are some of the things I did:<br><div><br></div><div>1. Only leave config files on the server when something needs to be changed. After the device has synced, the file gets taken off public access. </div>
<div>2. Files are encrypted per device settings (I know Grandstream and Cisco support some instance of this; I expect most do).</div><div>3. Random path and prefix that I already gave to the device in pre-provisioning before it was sent to the customer. </div>
<div>4. Make sure you don't have indexes enabled on your webserver. For example, see <a href="http://wiki.apache.org/httpd/DirectoryListings">here</a>. If you can type in <a href="http://myserver.com/blah404_not_valid">myserver.com/blah404_not_valid</a> and see a list of the files and folders, you need to change that. </div>
<div><br></div><div>But, if you want more, you could enable authentication for your devices and have the certificate/username/password already loaded on the device (first provision before you send it out). That will be more specific to your device. </div>
<div><br></div><div>I'm sure others have more suggestions, but the above should help you stay relatively secure. Keeping files off the server, with random paths and prefixes, should help prevent a brute-force scan from being successful. </div>
<div><br></div><div>Nick</div><div><br></div><div><br></div><div><br></div><div><br></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Sun, Nov 11, 2012 at 6:35 PM, Abaci <span dir="ltr"><<a href="mailto:abaci64@gmail.com" target="_blank">abaci64@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">This question is not specific to FreeSWITCH, just a general question<br>
that I would like to get feedback from other FreeSWITCH users.<br>
I'm thinking of setting up phone provisioning via HTTP. My question is<br>
how to make this setup secure. Say my provisioning server will listen on<br>
<a href="https://myserver.com" target="_blank">https://myserver.com</a> and a phone with the MAC address 00-15-65-22-F4-23<br>
will try to pull the config as <a href="https://myserver.com" target="_blank">https://myserver.com</a>/00156518425D. How do<br>
I prevent hackers from trying to get config files using a brute-force<br>
attack? Is there any standard way of securing against these types of<br>
attacks?<br>
<br>
_________________________________________________________________________<br>
Professional FreeSWITCH Consulting Services:<br>
<a href="mailto:consulting@freeswitch.org">consulting@freeswitch.org</a><br>
<a href="http://www.freeswitchsolutions.com" target="_blank">http://www.freeswitchsolutions.com</a><br>
<br>
FreeSWITCH-powered IP PBX: The CudaTel Communication Server<br>
<a href="http://www.cudatel.com" target="_blank">http://www.cudatel.com</a><br>
<br>
Official FreeSWITCH Sites<br>
<a href="http://www.freeswitch.org" target="_blank">http://www.freeswitch.org</a><br>
<a href="http://wiki.freeswitch.org" target="_blank">http://wiki.freeswitch.org</a><br>
<a href="http://www.cluecon.com" target="_blank">http://www.cluecon.com</a><br>
<br>
FreeSWITCH-users mailing list<br>
<a href="mailto:FreeSWITCH-users@lists.freeswitch.org">FreeSWITCH-users@lists.freeswitch.org</a><br>
<a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/listinfo/freeswitch-users</a><br>
UNSUBSCRIBE:<a href="http://lists.freeswitch.org/mailman/options/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/options/freeswitch-users</a><br>
<a href="http://www.freeswitch.org" target="_blank">http://www.freeswitch.org</a><br>
</blockquote></div><br></div>
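<div>Two of the points in the reply above (a random per-device path that is retired once the device has synced, and a check for directory listings) as an added, stand-alone Python example. This is not code from the original mail, from FreeSWITCH or from any phone vendor. The path layout <code>/&lt;prefix&gt;/&lt;token&gt;/&lt;MAC&gt;.cfg</code>, the in-memory store, the function names and the listing markers are assumptions for illustration; the sample config bytes are constructed.</div>

```python
import re
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Hypothetical in-memory registry (an assumption for this example); a real
# deployment would back this with the document root or a database, but the
# logic -- unguessable path, served once, then gone -- is the same.


def normalize_mac(mac: str) -> str:
    """'00-15-65-22-F4-23' -> '00156522F423' (the form phones usually put in the URL)."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


@dataclass
class Entry:
    mac: str
    config: bytes
    fetched: bool = False   # flipped once the phone has pulled its config


class ProvisioningStore:
    """Random per-device paths (item 3) that are retired after one fetch (item 1)."""

    def __init__(self, prefix: str = "p") -> None:
        # The prefix is chosen per deployment and pre-loaded on the phone with the path.
        self.prefix = prefix
        self._entries: Dict[str, Entry] = {}

    def register(self, mac: str, config: bytes) -> str:
        """Assign a fresh random path token; return the URL path to load on the phone."""
        mac = normalize_mac(mac)
        token = secrets.token_urlsafe(24)   # 192 bits from the OS CSPRNG: not brute-forceable
        self._entries[token] = Entry(mac=mac, config=config)
        return f"/{self.prefix}/{token}/{mac}.cfg"

    def fetch(self, path: str) -> Optional[bytes]:
        """Return the config for a valid, unused path, else None (answer with a plain 404)."""
        parts = path.strip("/").split("/")
        if len(parts) != 3 or parts[0] != self.prefix:
            return None
        token, filename = parts[1], parts[2]
        entry = self._entries.get(token)
        if entry is None or entry.fetched or filename != f"{entry.mac}.cfg":
            return None
        entry.fetched = True   # item 1: off public access once the device has synced
        return entry.config


# Item 4: a quick check on a fetched response body for an auto-generated index page.
LISTING_MARKERS = ("<title>index of /", "<h1>index of /", "directory listing for")


def looks_like_directory_listing(body: str) -> bool:
    """True if the body resembles the auto-index page of Apache, nginx or http.server."""
    lowered = body.lower()
    return any(marker in lowered for marker in LISTING_MARKERS)


if __name__ == "__main__":
    store = ProvisioningStore(prefix="prov-8f3a")
    path = store.register("00-15-65-22-F4-23", b"<config>constructed sample</config>")
    print("load on phone :", path)
    print("first fetch   :", store.fetch(path))                 # the config
    print("second fetch  :", store.fetch(path))                 # None: already synced
    print("mac-only guess:", store.fetch("/00156522F423.cfg"))  # None: no token
```

<div>The returned path is what goes into the phone's provisioning URL during pre-provisioning. Used, unknown and malformed paths all return None, so the web handler can answer every miss with the same 404 and a scanner cannot distinguish a retired path from one that never existed. The listing check is meant to be run against the body of a request for a nonexistent directory on the provisioning host, the same test the reply describes doing by hand in a browser.</div>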