[asterisk-biz] PBX got Hacked

Tue Mar 10 17:41:28 CDT 2009

On Tue, 2009-03-10 at 18:15 -0400, Gregory Boehnlein wrote:
> > > The only comment that I have related to this is that it would be nice to
> > > allow Switchvox customers the ability to access and use IPtables in some
> > > fashion, so that IP based blocking could be done on that platform. Even
> if
> > > it is something as simple as an "allow connections from x.x.x.x to SIP
> and
> > > IAX" list w/ a default "deny all" strategy.
> > 
> >   We're smart folk -- why don't we do some sort of
> how-to-secure-your-asterisk-box video and stick on youtube and be done
> >   with this topic?  :-)
> 
> Sounds like a plan. Let me know when you have the video ready so I can send
> out the link to people.

because the data gets out of date fast enough, and people may be
watching an older version, plus its higher bandwidth to convey some
information, I think it should be a wiki style text thing that will
allow more people to contribute, and let people customize the
information to their setup, as opposed to a video which allows only the
creator of the video to do it, you may find incompatible methods which
are harder to combine I generally think the video idea is not quite as
good.

Security is not a one size fits all thing, its got to be a thing that is
integrated into the particular set up that exists, and its something
that has to be maintained, its not a set it and forget it thing.  Look
at history, a "secure" system 6 months ago is hardly considered secure
today in general, and new technologies and threats are coming out all
the time to change the balance which has to be kept on top of.  

My vote would be more for a wiki style on VoIP security in general, with
places for application specific security things.  So it could be more
than just asterisk, and could potentially also include information on
how to code AGIs and other things (even things unrelated to asterisk) in
a secure way.  

It should also discuss why someone would want that particular component
in their overall security system, what the benefits are, what the
downsides are, etc.  These could be quick blurbs which wiki formatting
generally makes easy enough to do.  An *example* without much thought
going into it, template could be something like:

==Description==
...
==Intended Topology==
for example SOHO network or enterprise or ...
==Required Software/Hardware==
for example crypto cards for SRTP/TLS
==Benefits==
...
==Downsides==
...
==How to==
...

and it should include instructions for different operating systems, even
within the asterisk community there are various different operating
systems that asterisk runs on, when you go to the wider open source voip
stuff you see an even larger list of operating systems, as well as
switching software, different methods and libraries for "add on"
programs (AGI, event socket, etc), blah blah blah.

For a free solution voip-info.org can have something like this set up, I
dont know for sure, but I am fairly certain they wouldnt mind.  If there
is a framework done initially, most people will use that framework in
creating new pages, people love to copy templates when writing all new
pages, so some real thought should be put into this before it goes up so
that you dont have to refit everything.  And if the server uses
something like mediawiki you can create a template making it easier to
plug in the various things and keep formatting about the same, this also
can make it easier to quickly determine if this is a suitable strategy
for what you want/need, searchable, and even allow for categories so
people can quickly browse for the information they want.

-- 
Trixter http://www.0xdecafbad.com     Bret McDanel
pgp key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x8AE5C721

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: This is a digitally signed message part
Url : http://lists.digium.com/pipermail/asterisk-biz/attachments/20090310/51a9c9f0/attachment.pgp 