[asterisk-dev] Asterisk Network Security Idea (using tcp_wrappers)

Joseph Benden joe at thrallingpenguin.com
Sat Mar 28 21:01:26 CDT 2009


Hello all,

There has been recent discussion regarding a needed network security  
infrastructure for Asterisk. After some thought, I have come up with a  
proposal for such an infrastructure. I would like the input of the  
community on this idea and, if acceptable, I would be willing to start  
the implementation.

I propose an idea based around an old concept that many existing  
network daemons use, tcp_wrappers[1]. First things first, after  
private discussion, it has been found that the license[2] of  
tcp_wrappers is compatible with the dual-license nature of Asterisk.

Contrary to its name, TCP wrappers may be used for either TCP or UDP  
connections and are mostly centered around filtering at the host or  
subnet network address level. This concept mirrors the existing ACL  
infrastructure in place within the SIP module[3] of Asterisk  
(permit,deny). The benefit in using TCP Wrappers is centralized  
management of ACLs across network daemons and the use of existing  
tools that can utilize them, such as DenyHosts[4]. DenyHosts has the  
capability of monitoring the syslog, using regular expressions, and  
acting by the modification of /etc/hosts.deny, to stop attacks on a  
system. DenyHosts supports many operating systems and would be of  
benefit in our community, as attacks against SSH and other services  
would instantly block access to Asterisk.

To implement TCP Wrappers, two functional changes to Asterisk would  
need to be implemented. The first is a centralized syslog function  
that logs invalid usage of Asterisk, such as from the SIP and IAX  
channels, the Manager API, the HTTP server, the Skinny channel, etc.  
The second is a function that these internal Asterisk services use to  
determine if an incoming connection is authorized to communicate with  
Asterisk. These two functional changes permit tools to monitor  
Asterisk via syslog and allow the usage of /etc/hosts.allow and
/etc/hosts.deny via the TCP Wrappers library.

For the first function, a possible method signature could be:

void ast_log_invalid(const char *module, const char *reason, const char *ipaddr, const char *for_)

For the second function, a possible method signature could be:

int ast_permitted(const char *name, const char *addr, const char *for_)
int ast_permitted_sin(const struct sockaddr_in *sin, const char *for_)

The above functions would use the passed information to call the
function hosts_ctl() of TCP Wrappers.
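A self-contained sketch of the decision the proposed ast_permitted() would hand to hosts_ctl(), added here as an example and not code from this post or from Asterisk: an IPv4-only matcher over hosts.allow/hosts.deny-style "daemon : client" lines that applies the tcp_wrappers order of allow table, then deny table, then default permit. The two rule tables, the daemon name "asterisk" and the function name check_hosts_access are constructed for illustration; a real build would link libwrap and call hosts_ctl() instead.

```c
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>
/* Simplified stand-in for libwrap's hosts_ctl(): tables are "daemon : client" lines,
 * client being an IPv4 host, net/mask or ALL; hostnames, EXCEPT etc. are not handled. */
/* Constructed tables in hosts.allow / hosts.deny syntax (not taken from any real host). */
static const char ALLOW_TABLE[] = "asterisk : 192.168.1.0/255.255.255.0\n";
static const char DENY_TABLE[]  = "asterisk : 10.0.0.0/255.0.0.0\nALL : 203.0.113.7\n";
static int client_matches(const char *pattern, struct in_addr a)
{
    struct in_addr net, mask;
    char netbuf[32], maskbuf[32];
    if (strcmp(pattern, "ALL") == 0)
        return 1;
    if (sscanf(pattern, "%31[^/]/%31s", netbuf, maskbuf) == 2)   /* net/mask form */
        return inet_pton(AF_INET, netbuf, &net) == 1 &&
               inet_pton(AF_INET, maskbuf, &mask) == 1 &&
               (a.s_addr & mask.s_addr) == (net.s_addr & mask.s_addr);
    return inet_pton(AF_INET, pattern, &net) == 1 && a.s_addr == net.s_addr; /* one host */
}

/* Does any "daemon : client" line in the table match this daemon and address? */
static int table_matches(const char *table, const char *daemon, struct in_addr a)
{
    char line[128], d[64], c[64];
    const char *p = table;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        if (sscanf(line, " %63[^ :] : %63s", d, c) == 2 &&
            (strcmp(d, "ALL") == 0 || strcmp(d, daemon) == 0) && client_matches(c, a))
            return 1;
        p = nl ? nl + 1 : p + len;
    }
    return 0;
}

/* Decision order of hosts_access(5): allow table first, then deny table, else permit. */
int check_hosts_access(const char *allow, const char *deny, const char *daemon, const char *addr)
{
    struct in_addr a;
    if (inet_pton(AF_INET, addr, &a) != 1) return 0;   /* unparsable address: fail closed */
    if (table_matches(allow, daemon, a)) return 1;
    if (table_matches(deny, daemon, a)) return 0;
    return 1;                                         /* no match: tcp_wrappers default permits */
}
```

Note that an unparsable client address is refused here, whereas the tcp_wrappers default for an unmatched entry is to permit; the fail-closed choice is this example's, not tcp_wrappers'.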

[1] tcp_wrappers: ftp://ftp.porcupine.org/pub/security/index.html
[2] tcp_wrappers license: ftp://ftp.porcupine.org/pub/security/tcp_wrappers_license
[3] Asterisk SIP permit-deny-mask: http://www.voip-info.org/wiki/index.php?page=Asterisk+sip+permit-deny-mask
[4] DenyHosts: http://denyhosts.sourceforge.net/

Comments, suggestions, or ideas are welcomed!

Best Regards,
Joseph Benden

http://www.ThrallingPenguin.com/




