shadowym wrote:
Thanks for the suggestions but I specifically asked for options OTHER than a
second server.  Your suggestions about disabling un-needed services are good
though.  I already do that.  I am hoping someone has some suggestions that
are not as obvious that I have perhaps not thought of.

From a linux command line, run "netstat -a" or "netstat -an" and identify every tcp & udp port that has a state of listen. You'll probably find several that you were not aware of. Research what the ports are used for and disable as needed. If you don't / can't disable the function using the port, then use a firewall or router access list to block internet folks from accessing the machine on those ports. Or, download and run nmap to identify open ports remotely.

Download and run nessus (security scanner) against your server.

Review your asterisk config files and make sure you understand exactly what default contexts are implemented, and address those as needed.

iax2 and sip access to the server match certain parameters defined in each context, looking for a match that might include username, secret, IP address, etc. Understand the matching logic and make sure each defined context is used the way it is supposed to be used. (There are likely a fairly large number of asterisk boxes with contexts defined where the implementor thought it was being used, but a different context is actually being used.)

Implement the "deny" and "permit" statements where it makes sense to do so, limiting access to a specific IP address or network.

Use lengthy secrets in your sip and iax definitions as it's not all that hard to write code that will repeatedly guess them. (For example, there are apps that can be downloaded to guess account passwords in Microsoft domains. One such app that I tested a while back guessed a user's five-character password in less than five seconds. Changing his password to eight characters required an hour to guess it, and changing the password to eight characters with special symbols required over 24 hours.) You might also read the sample conf files and look for a parameter that addresses how many incorrect secrets asterisk can see before it slows its responses, essentially minimizing the impact of password guessing apps.

Subscribe to any of several security lists that track linux distro vulnerabilities and patch your distro as needed. One such advisory service is available at http://secunia.com/advisories .

Use "asterisk security" with google and you'll see several references to white papers, wiki pages, etc, for additional items.

Then, back up your config files on something else and wait for your server to be compromised. ;)

R.
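
An added example, not part of the original post: a small Python audit of a sip.conf for three of the items the reply raises (secret length, deny/permit statements, and which context an entry uses). The sample config is constructed, and the 12-character minimum and the finding names are assumptions made for this example.

```python
import re

MIN_SECRET_LEN = 12  # assumed threshold for this example, not a value from the post

# Constructed sample sip.conf, not taken from any real system.
SAMPLE_SIP_CONF = """\
[general]
context=default            ; calls that match no entry use this context

[office-phone]
type=friend
secret=Xk9#vT2!qLm47zRw
context=internal
deny=0.0.0.0/0.0.0.0
permit=192.168.1.0/255.255.255.0

[softphone]
type=friend
secret=1234
"""

def parse_sections(text):
    """Return {section: [(key, value), ...]}, keeping repeated keys in order."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment (escaped '\;' not handled)
        header = re.match(r"\[([^\]]+)\]", line)
        if header:
            current = sections.setdefault(header.group(1), [])
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current.append((key.strip().lower(), value.lstrip(">").strip()))
    return sections

def audit(text, min_len=MIN_SECRET_LEN):
    """List (section, finding) pairs for entries that deserve a manual review."""
    findings = []
    for name, items in parse_sections(text).items():
        if name == "general":
            continue
        keys = {k for k, _ in items}
        if len(dict(items).get("secret", "")) < min_len:
            findings.append((name, "short-or-missing-secret"))
        if not keys & {"deny", "permit"}:
            findings.append((name, "no-ip-acl"))
        if "context" not in keys:
            findings.append((name, "no-explicit-context"))
    return findings

if __name__ == "__main__":
    for section, finding in audit(SAMPLE_SIP_CONF):
        print(f"{section}: {finding}")
```
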
