mod_verto security concerns

Status
Not open for further replies.

ardyhash

Member
Jan 7, 2021
Hello world,

I've been experimenting with mod_verto and a browser-based WebRTC softphone (SaraPhone by Giovanni Maruzzelli of OpenTelecom.IT, submitted a PR last night that should fix it in 5.x, a column name change is what broke it).

Seems like a neat concept, but I'm concerned about security. Is anyone running mod_verto on production systems out in the wild, and if so, what security precautions are you taking to protect your installation?

I haven't dived in deeply, but from a high level I imagine fail2ban won't work out of the box, and I am wondering if anyone else has looked into or solved security before I start going down rabbit holes.

Thanks in advance for your feedback!
 

ardyhash

Member
Jan 7, 2021
So... I'm thinking to close down the verto port by default and open it for a configurable time window for any IP that has an authenticated session. Any thoughts?
 

Adrian Fretwell

Well-Known Member
Aug 13, 2017
It's a long time since I played with this. I remember setting up the wss-binding port in the SIP profile but I don't remember enabling mod_verto - maybe we did?

I had been looking at integrating a WebRTC client with DjangoPBX, I've not done anything about it, but my thoughts were to dynamically put a whitelist rule in the firewall for the WebRTC port when a user successfully authenticates in the web portal.
 

ardyhash

Member
Jan 7, 2021
Thanks, happy to hear I'm thinking along the same lines as someone whose experience far exceeds mine. In my search for WebRTC clients, SaraPhone was the easiest for me to set up and start using. It won't work with fusion 5.x out of the box, but there's an open PR with the changes needed to make it work, and if I'm not mistaken the readme had instructions for using it without integrating into fusion.
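
The approach both posters describe (verto port closed by default, opened per source IP for a limited time after a successful portal login), sketched with nftables timeout sets. This is an added example, not code from the thread, FusionPBX or DjangoPBX; the table and set names, port 8082 and the TTL limits are assumptions to adjust for your install.

```python
import ipaddress
import subprocess

TABLE = "verto_gate"   # hypothetical table name
VERTO_PORT = 8082      # assumption: set this to your verto wss port
MAX_TTL = 8 * 3600     # assumption: longest window we will ever grant

def ruleset(port=VERTO_PORT):
    """nft ruleset text: the port is dropped unless the source address
    is in a set whose elements expire on their own (load with nft -f)."""
    return f"""table inet {TABLE} {{
    set allowed4 {{ type ipv4_addr; flags timeout; }}
    set allowed6 {{ type ipv6_addr; flags timeout; }}
    chain input {{
        type filter hook input priority 0; policy accept;
        tcp dport {port} ip saddr @allowed4 accept
        tcp dport {port} ip6 saddr @allowed6 accept
        tcp dport {port} drop
    }}
}}
"""

def allow_cmd(client_ip, ttl_seconds):
    """Build the nft argv that admits one address for ttl_seconds.
    The address is parsed, never pasted, so a hostile header value
    cannot smuggle extra nft syntax into the command."""
    addr = ipaddress.ip_address(client_ip.strip())  # ValueError on junk
    if addr.version == 6 and addr.ipv4_mapped:
        addr = addr.ipv4_mapped  # dual-stack sockets report ::ffff:a.b.c.d
    if (addr.is_unspecified or addr.is_multicast
            or addr.is_loopback or addr.is_link_local):
        raise ValueError(f"refusing to allowlist {addr}")
    ttl = int(ttl_seconds)
    if not 60 <= ttl <= MAX_TTL:
        raise ValueError("ttl out of range")
    set_name = "allowed4" if addr.version == 4 else "allowed6"
    element = f"{{ {addr} timeout {ttl}s }}"
    return ["nft", "add", "element", "inet", TABLE, set_name, element]

def allow(client_ip, ttl_seconds=900):
    """Call from the portal's login-success handler; needs root."""
    subprocess.run(allow_cmd(client_ip, ttl_seconds), check=True)
```

Take `client_ip` from the socket peer address (or from a proxy header only when the proxy is yours and overwrites it), since this value decides who gets through the firewall.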
 