[asterisk-dev] Asterisk Network Security Idea (using tcp_wrappers)

Steve Edwards asterisk.org at sedwards.com
Sun Mar 29 13:12:42 CDT 2009


> On Mar 28, 2009, at 7:01 PM, Joseph Benden wrote:
>>
>> For the first function, a possible method signature could be:
>>
>> void ast_log_invalid(const char *module, const char *reason, const char 
>> *ipaddr, const char *for)
>>
>> For the second function, a possible method signature could be:
>>
>> int ast_permitted(const char *name, const char *addr, const char *for)
>> int ast_permitted_sin(const struct sockaddr_in *sin, const char *for)
>>
>> The above function would use the passed information to call the 
>> function hosts_ctl() of TCP Wrappers.
>>
>> [1] tcp_wrappers: ftp://ftp.porcupine.org/pub/security/index.html
>> [2] tcp_wrappers license: ftp://ftp.porcupine.org/pub/security/tcp_wrappers_license
>> [3] Asterisk SIP permit-deny-mask: http://www.voip-info.org/wiki/index.php?page=Asterisk+sip+permit-deny-mask
>> [4] DenyHosts: http://denyhosts.sourceforge.net/

On Sun, 29 Mar 2009, John Todd wrote:

>   I'm on the fence when thinking about if this logic and action should 
> be contained within Asterisk or simply be an included script in the 
> third-party apps directory.

I think Asterisk should "publish" the failure, but what happens after that 
would be outside the scope of an "open source PBX, telephony engine, and 
telephony applications toolkit."

The tcp wrappers, hosts.deny kind of approach seems too "single server" to 
me. Repeatedly parsing log files seems hackish (non-elegant) and not 
real-time enough.

If Asterisk logged failures, the existing logging facility can send to 
syslog.

Syslogd (rsyslogd, syslogd-tng, etc.) can forward from each server to a 
central server.

The central server can funnel all of the failures to a pipe.

A daemon can read the pipe and make decisions appropriate for the site.

The daemon could interrogate denyhosts.net to share and be informed about 
widespread attacks.

Some sort of "DUNDIish" facility would allow all of the servers to 
distribute the "acceptability" of the connection.

Making it all easy enough for mass adoption could be the biggest 
challenge.

Thanks in advance,
------------------------------------------------------------------------
Steve Edwards      sedwards at sedwards.com      Voice: +1-760-468-3867 PST
Newline                                             Fax: +1-760-731-3000
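The pipeline Steve sketches above (Asterisk logs the failure, syslog forwards it to a central box, a daemon reads the funnelled lines and decides) can be shown as a small stand-alone consumer. The following is an added example, not code from this thread or from Asterisk: it reads syslog-forwarded lines from a pipe or stdin, picks out chan_sip registration-failure NOTICEs, keeps a per-source sliding window across all reporting PBX hosts, and emits a hosts.deny-style line once a source crosses a threshold. The "Registration from '...' failed for '<ip>' - <reason>" wording is what chan_sip's register_verify logs in Asterisk 1.4/1.6; the hostnames, addresses, timestamps, threshold, window, the log year and the choice of a hosts.deny line as the site action are all assumptions or constructed sample data.

```python
import re
import sys
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed line shape: syslog prefix, then the chan_sip register_verify NOTICE.
# Host names, process ids and addresses in the samples below are constructed.
FAILURE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) asterisk\[\d+\]: "
    r"NOTICE\[\d+\]: chan_sip\.c:\d+ [^:]+: "
    r"Registration from '(?P<user>[^']*)' failed for '(?P<ip>[\d.]+)(?::\d+)?' - (?P<reason>.*)$"
)


class FailureTracker:
    """Sliding-window counter of registration failures per source address,
    aggregated over every PBX host that forwarded a line (the 'central server')."""

    def __init__(self, threshold=5, window_seconds=60, year=2009):
        self.threshold = threshold
        self.window = timedelta(seconds=window_seconds)
        self.year = year                    # syslog timestamps carry no year; assumed
        self._events = defaultdict(deque)   # ip -> timestamps still inside the window
        self._hosts = defaultdict(set)      # ip -> PBX hosts that reported it
        self.denied = {}                    # ip -> (count, hosts) when it crossed the threshold

    def parse(self, line):
        """Return a dict for a failure line, or None for anything else (normal traffic)."""
        m = FAILURE_RE.match(line.rstrip("\n"))
        if not m:
            return None
        ts = datetime.strptime(f"{self.year} {m['ts']}", "%Y %b %d %H:%M:%S")
        return {"ts": ts, "host": m["host"], "ip": m["ip"], "reason": m["reason"]}

    def feed(self, line):
        """Account for one line; return the source IP if it was just decided against."""
        ev = self.parse(line)
        if ev is None:
            return None
        ip = ev["ip"]
        q = self._events[ip]
        q.append(ev["ts"])
        # Lines are assumed to arrive in time order; with several forwarding hosts
        # a real daemon would tolerate small reorderings (e.g. sort a short buffer).
        while q and ev["ts"] - q[0] > self.window:
            q.popleft()
        self._hosts[ip].add(ev["host"])
        if len(q) >= self.threshold and ip not in self.denied:
            self.denied[ip] = (len(q), sorted(self._hosts[ip]))
            return ip
        return None

    def pending(self, ip):
        """Failures currently inside the window for a source that is not yet denied."""
        return len(self._events[ip])


def format_deny(ip):
    """One possible site action: a hosts.deny entry (assumed choice, not prescribed)."""
    return f"ALL: {ip}"


def process_stream(stream, threshold=5, window_seconds=60):
    """Read forwarded syslog lines from a pipe and return the deny lines produced."""
    tracker = FailureTracker(threshold=threshold, window_seconds=window_seconds)
    decisions = []
    for line in stream:
        ip = tracker.feed(line)
        if ip is not None:
            decisions.append(format_deny(ip))
    return decisions


# Constructed sample: two PBX hosts forwarding to one central syslog, one noisy source.
SAMPLE_LINES = [
    "Mar 29 13:12:40 pbx1 asterisk[1234]: NOTICE[1234]: chan_sip.c:19384 register_verify: Registration from '\"100\" <sip:100@pbx1>' failed for '192.0.2.10' - Wrong password",
    "Mar 29 13:12:41 pbx2 asterisk[2345]: NOTICE[2345]: chan_sip.c:19384 register_verify: Registration from '\"100\" <sip:100@pbx2>' failed for '192.0.2.10' - Wrong password",
    "Mar 29 13:12:43 pbx1 asterisk[1234]: NOTICE[1234]: chan_sip.c:19384 register_verify: Registration from '\"205\" <sip:205@pbx1>' failed for '198.51.100.7' - Wrong password",
    "Mar 29 13:12:45 pbx1 asterisk[1234]: NOTICE[1234]: chan_sip.c:19384 register_verify: Registration from '\"101\" <sip:101@pbx1>' failed for '192.0.2.10' - No matching peer found",
    "Mar 29 13:12:50 pbx2 asterisk[2345]: NOTICE[2345]: chan_sip.c:19384 register_verify: Registration from '\"102\" <sip:102@pbx2>' failed for '192.0.2.10' - Wrong password",
    "Mar 29 13:12:52 pbx1 asterisk[1234]: VERBOSE[1234]: -- Registered SIP '101' at 192.0.2.20 port 5060",
    "Mar 29 13:12:55 pbx1 asterisk[1234]: NOTICE[1234]: chan_sip.c:19384 register_verify: Registration from '\"103\" <sip:103@pbx1>' failed for '192.0.2.10' - Wrong password",
    "Mar 29 13:14:10 pbx2 asterisk[2345]: NOTICE[2345]: chan_sip.c:19384 register_verify: Registration from '\"205\" <sip:205@pbx2>' failed for '198.51.100.7' - Wrong password",
]

if __name__ == "__main__":
    # Run on the embedded sample, or pipe real forwarded lines in with: ... | python3 this.py -
    source = sys.stdin if len(sys.argv) > 1 and sys.argv[1] == "-" else SAMPLE_LINES
    for deny_line in process_stream(source):
        print(deny_line)
```

The per-source window is keyed only on the address, so five failures spread over two PBX hosts still add up to one decision, which is the cross-server aggregation the central syslog buys you; the second source above never reaches the threshold because its two failures are 87 seconds apart and the first has aged out of the 60-second window by the time the second arrives.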


