[asterisk-dev] Asterisk Network Security Idea (using tcp_wrappers)

Tzafrir Cohen tzafrir.cohen at xorcom.com
Mon Mar 30 03:44:52 CDT 2009 

On Mon, Mar 30, 2009 at 12:44:25AM +0200, Michiel van Baak wrote:
> On 14:31, Sun 29 Mar 09, Steve Edwards wrote:
> > On Sun, 29 Mar 2009, Joseph Benden wrote:
> > 
> > > I also don't think that we can accept the blame for system admins who
> > > have not properly learned who to take care of their machines. If they
> > > are broken into because they left Rsh exposed; is it really our fault?
> > > If they leave SIP wide open with no password and default context can
> > > place international calls; is it our fault?
> > 
> > I disagree here.
> > 
> > If some of the recent posts to this list are any indication, Asterisk is 
> > being deployed by people who have no effing clue.
> 
> Did you even look at the default set of configs Digium ships with
> asterisk ?
> The only thing it allows is IAX2 connections to a demo server at digium.
> No way to setup calls using your landline or ITSP.

The "default configuration" is actually sample configuration. The sample
dialplan is actually useless for most uses. In most places people are
advised to do one of the following two:

1. Use an existing PBX such as FreePBX
2. Write a dialplan from scratch.

Asterisk is a good PBX toolkit. Not a good PBX (at least not out of the
box).

> 
> No sip/iax peers/users with passwords or whatever. Only the stuff needed
> to get the demo working.

But most people use SIP and/or IAX. So they will enable it. And then
what? 


BTW: Asterisk seems to default to shipping with a bunch of unneeded (by
most people) protocols listening by default.

I would say that there's no reason for mgcp, dundi, skinny (and even
h323) to be enabled by defualt. 

OTOH, the manager interface is normally useful. In the default Debian
configuration I changed it to default to be enabled but listen only on
localhost. This prevents the most common user error of accidentally
exposing it to the world (The manager interface, as it is today, should
normally not be exposed to the outside world. Doing it implies a
potential security hole in many cases)


One thing, though: Asterisk already has a mechanism to allow and deny
connections on a per-IP address basis. From my limited experince it is
hardly used. So is there really a point in adding a second mechanism
that duplicates this functionality?

-- 
               Tzafrir Cohen
icq#16849755              jabber:tzafrir.cohen at xorcom.com
+972-50-7952406           mailto:tzafrir.cohen at xorcom.com
http://www.xorcom.com  iax:guest at local.xorcom.com/tzafrir

More information about the asterisk-dev mailing list