[asterisk-dev] Asterisk Network Security Idea (using tcp_wrappers)

Michiel van Baak michiel at vanbaak.info
Sun Mar 29 06:08:56 CDT 2009


On 22:01, Sat 28 Mar 09, Joseph Benden wrote:
> Hello all,
>
> There has been recent discussion regarding a needed network security  
> infrastructure for Asterisk. After some thought, I have come up with a  
> proposal for such an infrastructure. I would like the input of the  
> community on this idea and, if acceptable, I would be willing to start  
> the implementation.
>
> I propose an idea based around an old concept that many existing network 
> daemons use, tcp_wrappers[1]. First things first, after private 
> discussion, it has been found that the license[2] of tcp_wrappers is 
> compatible with the dual-license nature of Asterisk.
>
> Contrary to its name, TCP wrappers may be used for either TCP or UDP  
> connections and are mostly centered around filtering at the host or  
> subnet network address level. This concept mirrors the existing ACL  
> infrastructure in place within the SIP module[3] of Asterisk  
> (permit,deny). The benefit in using TCP Wrappers is centralized  
> management of ACLs across network daemons and the use of existing tools 
> that can utilize them, such as DenyHosts[4]. DenyHosts has the  
> capability of monitoring the syslog, using regular expressions, and  
> acting by the modification of /etc/hosts.deny, to stop attacks on a  
> system. DenyHosts supports many operating systems and would be of  
> benefit in our community, as attacks against SSH and other services  
> would instantly block access to Asterisk.
>
> To implement TCP Wrappers, two functional changes to Asterisk would need 
> to be implemented. The first is a centralized syslog function that logs 
> invalid usage of Asterisk, such as from the SIP and IAX channels, the 
> Manager API, the HTTP server, the Skinny channel, etc. The second is a 
> function that these internal Asterisk services use to determine if an 
> incoming connection is authorized to communicate with Asterisk. These two 
> functional changes permit tools to monitor Asterisk via syslog and allow 
> the usage of /etc/hosts.allow and /etc/hosts.deny via the TCP Wrappers 
> library.

You can already make asterisk log to syslog. Have a look at logger.conf.

>
> For the first function, a possible method signature could be:
>
> void ast_log_invalid(const char *module, const char *reason, const char 
> *ipaddr, const char *for)
>
> For the second function, a possible method signature could be:
>
> int ast_permitted(const char *name, const char *addr, const char *for)
> int ast_permitted_sin(const struct sockaddr_in *sin, const char *for)
>
> The above function would use the passed information to call the function 
> hosts_ctl() of TCP Wrappers.
>
> [1] tcp_wrappers: ftp://ftp.porcupine.org/pub/security/index.html
> [2] tcp_wrappers license: ftp://ftp.porcupine.org/pub/security/tcp_wrappers_license
> [3] Asterisk SIP permit-deny-mask: http://www.voip-info.org/wiki/index.php?page=Asterisk+sip+permit-deny-mask
> [4] DenyHosts: http://denyhosts.sourceforge.net/
>
> Comments, suggestions, or ideas are welcomed!
>
> Best Regards,
> Joseph Benden


-- 

Michiel van Baak
michiel at vanbaak.eu
http://michiel.vanbaak.eu
GnuPG key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x71C946BD

"Why is it drug addicts and computer aficionados are both called users?"
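An added example to make the proposed check concrete (it is not code from Asterisk, tcp_wrappers or Joseph's post): a self-contained C emulation of the hosts.allow/hosts.deny decision that libwrap's hosts_ctl() makes, wrapped in functions shaped like the proposed ast_permitted_sin() and ast_log_invalid(). The two tables are constructed sample data standing in for /etc/hosts.allow and /etc/hosts.deny, hosts_ctl_emulated() and permitted_from_text() are hypothetical helper names, and the "for" parameter from the post is renamed "service" because "for" is a C keyword. Real code would include <tcpd.h>, link libwrap (-lwrap) and call hosts_ctl(), which likewise returns zero when access is refused.

```c
/* Added example (not Asterisk or tcp_wrappers code): emulates the hosts.allow /
 * hosts.deny decision libwrap's hosts_ctl() makes, with no libwrap or files needed. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Constructed sample tables in tcp_wrappers syntax, daemon_list : client_list;
 * a deployment would read /etc/hosts.allow and /etc/hosts.deny instead. */
static const char *hosts_allow[] = {
    "asterisk : 192.168.1.",          /* trailing dot: network prefix */
    "asterisk : 10.0.0.0/255.0.0.0",  /* net/mask form */
    "sshd : ALL",
    NULL
};
static const char *hosts_deny[] = {
    "asterisk : 203.0.113.7",         /* e.g. a host DenyHosts has added */
    "ALL : ALL",                      /* everything else is refused */
    NULL
};

/* One client pattern against a dotted-quad address: ALL, exact host, "a.b.c."
 * prefix, or "net/mask". EXCEPT lists and hostnames are deliberately left out. */
static int client_matches(const char *pattern, const char *addr)
{
    if (strcmp(pattern, "ALL") == 0) return 1;
    const char *slash = strchr(pattern, '/');
    if (slash) {
        char net[INET_ADDRSTRLEN];
        size_t n = (size_t)(slash - pattern);
        if (n >= sizeof net) return 0;
        memcpy(net, pattern, n);
        net[n] = '\0';
        struct in_addr a, m, c;   /* all network byte order, so a plain mask compare works */
        if (inet_pton(AF_INET, net, &a) != 1 || inet_pton(AF_INET, slash + 1, &m) != 1
            || inet_pton(AF_INET, addr, &c) != 1) return 0;
        return (c.s_addr & m.s_addr) == (a.s_addr & m.s_addr);
    }
    size_t len = strlen(pattern);
    if (len > 0 && pattern[len - 1] == '.') return strncmp(pattern, addr, len) == 0;
    return strcmp(pattern, addr) == 0;
}

/* Any line of a table matching this daemon and address? (first daemon name only) */
static int table_matches(const char **table, const char *daemon, const char *addr)
{
    for (int i = 0; table[i]; i++) {
        char line[256];
        strncpy(line, table[i], sizeof line - 1);
        line[sizeof line - 1] = '\0';
        char *colon = strchr(line, ':');
        if (!colon) continue;
        *colon = '\0';
        char *d = strtok(line, " \t");
        if (!d || (strcmp(d, "ALL") != 0 && strcmp(d, daemon) != 0)) continue;
        for (char *tok = strtok(colon + 1, ", \t"); tok; tok = strtok(NULL, ", \t"))
            if (client_matches(tok, addr)) return 1;
    }
    return 0;
}

/* Same decision order as hosts_ctl(): a hosts.allow match wins, then a
 * hosts.deny match refuses, and an address listed in neither is allowed. */
int hosts_ctl_emulated(const char *daemon, const char *addr)
{
    if (table_matches(hosts_allow, daemon, addr)) return 1;
    if (table_matches(hosts_deny, daemon, addr)) return 0;
    return 1;
}

/* Shaped like the proposed logging hook: one syslog-style line a DenyHosts regex
 * could match. The post's "for" parameter is renamed "service" (C keyword). */
void ast_log_invalid(const char *module, const char *reason, const char *ipaddr, const char *service)
{
    fprintf(stderr, "asterisk[%s]: %s from %s for %s\n", module, reason, ipaddr, service);
}

/* Shaped like the proposed ast_permitted_sin(): 1 if the peer may talk to
 * Asterisk, otherwise log the refusal and return 0. */
int ast_permitted_sin(const struct sockaddr_in *sin, const char *service)
{
    char addr[INET_ADDRSTRLEN];
    if (!inet_ntop(AF_INET, &sin->sin_addr, addr, sizeof addr)) return 0;
    if (hosts_ctl_emulated("asterisk", addr)) return 1;
    ast_log_invalid("core", "connection refused by hosts.deny", addr, service);
    return 0;
}

/* Hypothetical helper: build the sockaddr_in from dotted-quad text and check it. */
int permitted_from_text(const char *addr_text, const char *service)
{
    struct sockaddr_in sin;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    if (inet_pton(AF_INET, addr_text, &sin.sin_addr) != 1) return 0;
    return ast_permitted_sin(&sin, service);
}
```

Two points worth noticing when exercising it: the lookup order means a hosts.allow line for the daemon wins even after a tool like DenyHosts has written the same address into hosts.deny, so an overly broad allow line silently defeats the automated blocking; and the trailing-dot prefix form "192.168.1." does not match 192.168.10.5, while it would happily match nothing useful for a /20, so the net/mask form is the one to reach for unless the subnet falls on an octet boundary.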