I changed the system from port 80 to an obscure port and firewalled port 80 (stand-alone firewall in front of the PBX). The GUI works fine, but I cannot provision phones unless I open port 80. I tried adding http://YOUR-SERVER-IP/xepm-provision :XXXX but it did not work. The system is hosted, so phones are remote with dynamic IPs. Is the EPM locked to port 80/443?
If you change the port, you must use: http://YOUR-SERVER-IP:YOUR-NEW-PORT/xepm-provision
I just had a very big surprise: I put that string into a browser followed by a MAC address and the config file was displayed. This leaves the system wide open. Is there a security setting I have not enabled?
Actually, it only shows the config if you put in the right MAC address, so an attacker must know your phone's MAC address to attack your system.
On the RC version, we're including a fail2ban filter to avoid brute-force attacks on the provisioning URL.
That will help, but MAC addresses from the same vendor do not vary much, maybe only in the last 6 characters.
We are looking for a stronger solution. Sorry for the inconvenience.
Adding some simple AuthConfig with passwords would also be a tremendous security improvement, along with the fail2ban filter.
Thanks for the suggestion.
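As an added example (not code from this thread or from the PBX project), this is the detection logic a fail2ban-style filter on the provisioning URL performs, run over constructed access-log lines: count how many distinct unknown MAC tokens each client requests. The path layout /xepm-provision/<MAC>, the combined log format and the 404-for-unknown-MAC behaviour are assumptions.

```python
import re
from collections import defaultdict

# Constructed Apache-style access log (sample data, not from the thread). Assumption: the
# provisioning path ends in the phone's 12-hex-digit MAC and an unknown MAC returns 404.
SAMPLE_LOG = """\
198.51.100.20 - - [10/Jan/2024:10:00:01 +0000] "GET /xepm-provision/001565AABB01 HTTP/1.1" 200 1842 "-" "PhoneFirmware/1.0"
203.0.113.7 - - [10/Jan/2024:10:00:05 +0000] "GET /xepm-provision/001565AABB02 HTTP/1.1" 404 162 "-" "curl/8.0"
203.0.113.7 - - [10/Jan/2024:10:00:06 +0000] "GET /xepm-provision/001565AABB03 HTTP/1.1" 404 162 "-" "curl/8.0"
203.0.113.7 - - [10/Jan/2024:10:00:07 +0000] "GET /xepm-provision/001565AABB04 HTTP/1.1" 404 162 "-" "curl/8.0"
203.0.113.7 - - [10/Jan/2024:10:00:08 +0000] "GET /xepm-provision/001565AABB05 HTTP/1.1" 404 162 "-" "curl/8.0"
203.0.113.7 - - [10/Jan/2024:10:00:09 +0000] "GET /xepm-provision/001565AABB06 HTTP/1.1" 404 162 "-" "curl/8.0"
192.0.2.9 - - [10/Jan/2024:10:01:00 +0000] "GET /admin/ HTTP/1.1" 404 162 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Jan/2024:10:01:02 +0000] "GET /xepm-provision/001565AABB99 HTTP/1.1" 404 162 "-" "Mozilla/5.0"
"""

# Combined-log-format request line: client IP, request path and HTTP status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# Provisioning request carrying a MAC-like token (12 hex digits) after /xepm-provision/.
PROV_RE = re.compile(r'^/xepm-provision/(?P<mac>[0-9A-Fa-f]{12})\b')

def parse_line(line):
    """Return (ip, path, status) for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return (m.group("ip"), m.group("path"), int(m.group("status"))) if m else None

def failed_provision_guesses(log_text):
    """Map client IP -> set of MAC tokens it requested that returned 404 (no such config)."""
    guesses = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, path, status = parsed
        pm = PROV_RE.match(path)
        if pm and status == 404:
            guesses[ip].add(pm.group("mac").upper())
    return guesses

def enumerating_clients(log_text, threshold=5):
    """Clients that tried at least `threshold` distinct unknown MACs: the sweep through a
    vendor's address range that the fail2ban filter mentioned in the thread would ban on."""
    return {ip: len(macs) for ip, macs in failed_provision_guesses(log_text).items()
            if len(macs) >= threshold}

if __name__ == "__main__":
    print(enumerating_clients(SAMPLE_LOG))  # {'203.0.113.7': 5}
```

A legitimate phone fetching its own config (one MAC, status 200) never accumulates failures, so the threshold separates provisioning traffic from an address sweep without touching the GUI or the phones.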