Skip to main content

MTE Provisioning Security

Posted by dannas@triadte… on Wed, 08/12/2009

Question for service providers running MTE: To date, we have not used the auto-provisioning due to security concerns. The HTTP access to autoprovisioning allows anyone who knows the URL to access and view the flat files which holds users SIP credentials. Is there a secure way of using the auto-provisioning features in a MTE setting?


Submitted by eeman on Wed, 08/12/2009 Permalink

I use TFTP and FTP access and remove read permissions off the directory so that one has to know the filename in order to retrieve it. I also use chroot to jail the users in the ftp directory so they cant go exploring all over my filesystem either.

drwxr-x--x 8 root root 20480 Aug 3 09:43 /home/PlcmSpIp/

all the configs are owned by root chmod 644 except for

CONTACTS/

LOGS/

OVERRIDES/

which are 755 and owned by the ftp user/group that is part of the login.

this is primarily for polycom phones so that they can upload their contacts and logs

TFTP users have no authentication but must know the exact filename to retreive, no browsing is possible.

FTP users have to know the username, password, and filename for config files to retrieve due to the read bit being removed off the parent file.

If you are concerned about this security then I am going to assume you're running a newer version of asterisk. 1.4.20 and below allowed SIP browsing and brute force discovery of authentication.

Submitted by hostedip on Thu, 08/13/2009 Permalink

I know it's not perfect, but I just dropped a blank index.html file in the /tftpboot directory - which is where /usr/libexec/webmin/unauthenticated/provisioning is linked. Then when someone tries to browse the directory, they won't get the file listing.