Security Nightmare of the Day

wardmundy

Nerd Uno
Joined
Oct 12, 2007
A new iPhone app was released today called Pocket Asterisk. Trademark issues aside, here's the recommended setup for system access to your Asterisk server at the office. No mention of a need for a secure password. Yikes!

Support

You need to enable the Asterisk Manager Interface on your server; just edit your /etc/asterisk/manager.conf file to look something like this:

[general]
enabled=yes
port=5038

[foo]
secret=bar
read=system,call,command
write=system,call,command

Save and restart your Asterisk server, done.
Your Asterisk server is behind a firewall? Just forward whatever port you defined in /etc/asterisk/manager.conf, works great.
 
Hi guys! I'm the developer for Pocket Operator (http://pocketoperator.com), previously Pocket Asterisk.

Certainly security should be considered in all things we do and using the Asterisk Manager Interface is no exception.

Most good Asterisk admins would use a VPN for access to their private network and not expose the Asterisk Manager Interface to the public Internet. The iPhone has great VPN support.

Unfortunately, the Asterisk Manager Interface only supports plain text, but you could use a simple md5 challenge/response if you're exposing to the public Internet and concerned about the security implications.

Obviously (at least to me) the manager.conf sample posted on the Pocket Operator website was an example of where to start, "foo" and "bar" are generally accepted standard example text and shouldn't actually be used as the username and password. Absolutely complex passwords should be used.

Asterisk 1.6 introduces TLS encryption that can be used with the Asterisk Manager Interface. If the app gains some popularity I'll update it to include TLS support for Asterisk 1.6 based installations.

Your feedback is very much appreciated and certainly welcome.

Edit: I'm also working on an iPad version called Operator Anywhere.

Bill Kervaski / HeavyLogic
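
The MD5 challenge/response Bill mentions, as an added example that is not part of this thread or of Pocket Operator: a small Python simulation of both sides of the AMI login exchange (the account name and secret are constructed), showing that with AuthType MD5 the secret never appears on the wire, while a plain Login sends it verbatim.

```python
import hashlib
import hmac
import secrets

# Constructed account for this example (not a real deployment). The thread's
# "foo"/"bar" placeholders are exactly what must not end up in manager.conf.
USERS = {"pocketop": "a-long-random-manager-secret-7Gx"}

def parse_ami(text):
    # One AMI message: "Header: value" lines, terminated by a blank line.
    pairs = (line.partition(":") for line in text.strip("\r\n").split("\r\n"))
    return {k.strip(): v.strip() for k, _, v in pairs}

def build_ami(**headers):
    # Serialize with AMI's own header spellings (Action, AuthType, Key ...).
    return "".join(f"{k}: {v}\r\n" for k, v in headers.items()) + "\r\n"

def ami_md5_key(challenge, secret):
    # AMI MD5 login key: hex MD5 over the challenge string concatenated with the secret.
    return hashlib.md5((challenge + secret).encode()).hexdigest()

class FakeAmiServer:
    # Minimal stand-in for the manager interface's Challenge/Login handling.
    def __init__(self, users):
        self.users, self.challenge = users, None

    def handle(self, raw):
        msg = parse_ami(raw)
        if msg.get("Action") == "Challenge" and msg.get("AuthType") == "MD5":
            self.challenge = str(secrets.randbelow(10**9))
            return build_ami(Response="Success", Challenge=self.challenge)
        secret = self.users.get(msg.get("Username"), "")
        if msg.get("AuthType") == "MD5" and self.challenge is not None:
            ok = hmac.compare_digest(ami_md5_key(self.challenge, secret), msg.get("Key", ""))
        else:  # plain-text Login: the secret itself travels in the request
            ok = hmac.compare_digest(secret, msg.get("Secret", ""))
        self.challenge = None
        return build_ami(Response="Success" if secret and ok else "Error")

def login(server, username, secret, use_md5=True):
    # Drive the exchange; return (success, every message the client put on the wire).
    sent = []
    if use_md5:
        sent.append(build_ami(Action="Challenge", AuthType="MD5"))
        challenge = parse_ami(server.handle(sent[-1]))["Challenge"]
        sent.append(build_ami(Action="Login", AuthType="MD5", Username=username,
                              Key=ami_md5_key(challenge, secret)))
    else:
        sent.append(build_ami(Action="Login", Username=username, Secret=secret))
    ok = parse_ami(server.handle(sent[-1]))["Response"] == "Success"
    return ok, sent
```

Challenge/response keeps the secret out of the TCP stream, but anyone who records a challenge and its Key can still test guesses against a short secret offline, so it does not relax the need for a long random secret; only the TLS support Bill mentions for 1.6 (or the VPN) protects the session itself.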
 
