[asterisk-biz] PBX got Hacked
Peter Beckman
beckman at angryox.com
Wed Mar 11 09:16:14 CDT 2009
Trixter -- why do your emails come in with an X-Unknown character set? Drives
me nuts... I have to copy and paste your replies.

trixter wrote:
> it also relies upon linux, and not everyone using asterisk is using
> linux. Anything that further ties asterisk to a particular operating
> system seems counterproductive.
>
> systrace would likely be a better unix alternative than selinux given
> what selinux does (generally speaking it adds a 3rd id to the uid/gid
> pair).

While systrace can be useful, it is yet another piece of software you need
to maintain and can open security bugs. Most of the 1.6x updates of
Systrace are due to CERT security bulletins or privilege escalation bugs.
It's great for making sure users on the box are being good, but since
we're talking about a server, not a multi-user login-able system, systrace
is more of a 3rd line of defense than 1st. Plus it may open you to MORE
risk, due to the occasional security bug in systrace, especially if you
aren't good at keeping up with the latest versions.
Beckman
---------------------------------------------------------------------------
Peter Beckman Internet Guy
beckman at angryox.com http://www.angryox.com/
---------------------------------------------------------------------------
-------------- next part --------------
On Tue, 2009-03-10 at 21:58 -0400, Peter Beckman wrote:
> Using SeLinux still relies on one knowing which boxes to check and
> uncheck, what happens when you check or uncheck a box, and how to
> configure it to be secure. Besides, it's overkill if you are running an
> Asterisk box.
>
it also relies upon linux, and not everyone using asterisk is using
linux. Anything that further ties asterisk to a particular operating
system seems counterproductive.
systrace would likely be a better unix alternative than selinux given
what selinux does (generally speaking it adds a 3rd id to the uid/gid
pair).

This still makes it somewhat harder for the Windows port of asterisk,
which I don't know how much of that still works, I know that some of it
got broken by other patches after it was working, I do not know if it
has been updated to allow for asterisk to run in Windows.
--
Trixter http://www.0xdecafbad.com Bret McDanel
pgp key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x8AE5C721