[asterisk-biz] PBX got Hacked

Ruddy Gbaguidi plugworld at micnes.com
Tue Mar 10 18:34:51 CDT 2009


The best thing to do is to use a known security model.
I'm thinking about Linux vs SELinux, which is a security layer over Linux.
So, why don't we have the classic asterisk product and an
asterisk-security-enhanced module that will, if enabled, analyze and block
all security holes.

So, people running on an already secured environment should just disable
it like any other unneeded module.
 


-----Original Message-----
From: asterisk-biz-bounces at lists.digium.com
[mailto:asterisk-biz-bounces at lists.digium.com] On Behalf Of Trixter aka Bret
McDanel
Sent: March-10-09 6:41 PM
To: Commercial and Business-Oriented Asterisk Discussion
Subject: Re: [asterisk-biz] PBX got Hacked

On Tue, 2009-03-10 at 18:15 -0400, Gregory Boehnlein wrote:
> > > The only comment that I have related to this is that it would be
> > > nice to allow Switchvox customers the ability to access and use
> > > IPtables in some fashion, so that IP based blocking could be done
> > > on that platform. Even if it is something as simple as an "allow
> > > connections from x.x.x.x to SIP and IAX" list w/ a default "deny
> > > all" strategy.
> >
> >   We're smart folk -- why don't we do some sort of
> >   how-to-secure-your-asterisk-box video and stick on youtube and be done
> >   with this topic?  :-)
> 
> Sounds like a plan. Let me know when you have the video ready so I can 
> send out the link to people.

Because the data gets out of date fast enough, and people may be watching an
older version, plus it's higher bandwidth to convey some information, I think
it should be a wiki style text thing that will allow more people to
contribute, and let people customize the information to their setup, as
opposed to a video which allows only the creator of the video to do it. You
may find incompatible methods which are harder to combine. I generally think
the video idea is not quite as good.

Security is not a one size fits all thing, it's got to be a thing that is
integrated into the particular set up that exists, and it's something that
has to be maintained, it's not a set it and forget it thing.  Look at
history, a "secure" system 6 months ago is hardly considered secure today in
general, and new technologies and threats are coming out all the time to
change the balance which has to be kept on top of.

My vote would be more for a wiki style on VoIP security in general, with
places for application specific security things.  So it could be more than
just asterisk, and could potentially also include information on how to code
AGIs and other things (even things unrelated to asterisk) in a secure way.  

It should also discuss why someone would want that particular component in
their overall security system, what the benefits are, what the downsides
are, etc.  These could be quick blurbs which wiki formatting generally makes
easy enough to do.  An *example* template, without much thought going
into it, could be something like:

==Description==
...
==Intended Topology==
for example SOHO network or enterprise or ...
==Required Software/Hardware==
for example crypto cards for SRTP/TLS
==Benefits==
...
==Downsides==
...
==How to==
...

and it should include instructions for different operating systems, even
within the asterisk community there are various different operating systems
that asterisk runs on, when you go to the wider open source voip stuff you
see an even larger list of operating systems, as well as switching software,
different methods and libraries for "add on" programs (AGI, event socket,
etc), blah blah blah.

For a free solution voip-info.org can have something like this set up, I
don't know for sure, but I am fairly certain they wouldn't mind.  If there is
a framework done initially, most people will use that framework in creating
new pages, people love to copy templates when writing all new pages, so some
real thought should be put into this before it goes up so that you don't have
to refit everything.  And if the server uses something like mediawiki you
can create a template making it easier to plug in the various things and
keep formatting about the same, this also can make it easier to quickly
determine if this is a suitable strategy for what you want/need, searchable,
and even allow for categories so people can quickly browse for the
information they want.


-- 
Trixter http://www.0xdecafbad.com     Bret McDanel
pgp key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x8AE5C721




