Hi Dovid,
There is no default manager.conf in the 'make basic-pbx' config build.
There is, however, the sample manager.conf.sample, which gets
installed with 'make samples' and has a giant security warning
at the top of the file. By default manager has enabled=no, and has a
commented/disabled example config for the 'mark' user. There is no
default 'open to the world' configuration for mainline Asterisk. I
would agree, however, that the default bindaddr should not be 0.0.0.0 in
manager.conf.sample. I'll put in for a fix for that.
With that being said, the Asterisk project has no control over what
other distributions might do in terms of packaging and the default
configurations they install. For example, Debian, Red Hat, FreePBX, etc.
might by default open up Asterisk to the world with something
wildly insecure like a 0.0.0.0 bind and a login of admin/admin. If
that were the case, then those package maintainers should be made aware of
that issue on a case-by-case basis. Offhand I don't know which
distributions install a default open manager.conf.
On 9/4/23 12:35, Dovid Bender wrote:
> Hi,
>
> We recently had a customer that set up Asterisk with port 5038 open to
> the world with standard configs for the AMI (by that I mean they
> copied and pasted configs that they saw online). Digging around a bit
> it seems the attacker used the AMI action "pjsip show auths"
> followed by "pjsip show auth <peer name>" which got them the
> credentials to their account. I know we can't protect n00bs in every
> scenario (username 100 password 100) but I wonder if by default certain
> items such as passwords should not be available in plain text. If the
> consensus is that hiding such info is good I would want to contribute
> to a patch to hide plain text passwords by default across Asterisk.
>
> Your thoughts?
>
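As an added illustration (not the Asterisk project's own manager.conf.sample and not anything posted in this thread), here are two variants of a manager.conf: first the "works out of the box" shape that copy-pasted configs tend to have, then a constrained version. The user names, secret placeholder and addresses are made up; the keys (enabled, port, bindaddr, webenabled, secret, deny, permit, read, write) and the permission classes are the standard manager.conf ones.

```ini
; --- WEAK VARIANT: a constructed example of the "open to the world" shape ---
[general]
enabled = yes
port = 5038
bindaddr = 0.0.0.0          ; listens on every interface; with no firewall in front,
                            ; this is TCP 5038 reachable from the Internet

[admin]                     ; made-up account name
secret = admin              ; guessable credential
deny = 0.0.0.0/0.0.0.0
permit = 0.0.0.0/0.0.0.0    ; permits everything, so the deny line above is moot
read = all                  ; 'all' includes 'command', i.e. the Command action,
write = all                 ; which runs CLI commands such as 'pjsip show auth <name>'

; --- HARDENED VARIANT (same file, shown separately; use one [general] per file) ---
[general]
enabled = yes
port = 5038
bindaddr = 127.0.0.1        ; loopback only; remote clients come in via SSH/VPN tunnel
webenabled = no             ; keep AMI off the built-in HTTP server

[dialer_app]                ; hypothetical application account, least privilege
secret = REPLACE_WITH_LONG_RANDOM_SECRET   ; placeholder, generate a real one
deny = 0.0.0.0/0.0.0.0
permit = 127.0.0.1/255.255.255.255
read = call,reporting       ; only the event classes this client actually consumes
write = originate           ; no 'command' and no 'system', so CLI access is not
                            ; reachable through AMI even if the secret leaks
```

After reloading, check the effective settings from the Asterisk CLI with `manager show settings` (bind address, port, enabled) and `manager show users` for the accounts and their read/write classes, and confirm from the host that 5038 is bound to 127.0.0.1 rather than 0.0.0.0 (for example with `ss -ltn`). The distribution-packaging point in the reply above still applies: a hardened file only helps if it is the one the package actually installs.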