<html><body><div>Hello all,</div><div><br></div><div>There has been recent discussion regarding a needed network security infrastructure for Asterisk. After some thought, I have come up with a proposal for such an infrastructure. I would like the input of the community on this idea and, if acceptable, I would be willing to start the implementation.</div><div><br></div><div>I propose an idea based around an old concept that many existing network daemons use, tcp_wrappers[1]. First things first: after private discussion, it has been found that the license[2] of tcp_wrappers is compatible with the dual-license nature of Asterisk.</div><div><br></div><div>Contrary to its name, TCP Wrappers may be used for either TCP or UDP connections and are mostly centered on filtering at the host or subnet network address level. This concept mirrors the existing ACL infrastructure in place within the SIP module[3] of Asterisk (permit, deny). The benefit in using TCP Wrappers is centralized management of ACLs across network daemons and the use of existing tools that can utilize them, such as DenyHosts[4]. DenyHosts can monitor the syslog using regular expressions and act by modifying /etc/hosts.deny to stop attacks on a system. DenyHosts supports many operating systems and would be of benefit in our community, as attacks against SSH and other services would instantly block access to Asterisk.</div><div><br></div><div>To implement TCP Wrappers, two functional changes to Asterisk would need to be made. The first is a centralized syslog function that logs invalid usage of Asterisk, such as from the SIP and IAX channels, the Manager API, the HTTP server, the Skinny channel, etc. The second is a function that these internal Asterisk services use to determine whether an incoming connection is authorized to communicate with Asterisk. These two functional changes permit tools to monitor Asterisk via syslog and allow the use of /etc/hosts.allow and /etc/hosts.deny via the TCP Wrappers library.</div><div><br></div><div>For the first function, a possible method signature could be:</div><div><br></div><div><code>void ast_log_invalid(const char *module, const char *reason, const char *ipaddr, const char *service)</code></div><div><br></div><div>For the second function, a possible method signature could be:</div><div><br></div><div><code>int ast_permitted(const char *name, const char *addr, const char *service)</code></div><div><code>int ast_permitted_sin(const struct sockaddr_in *sin, const char *service)</code></div><div><br></div><div>The above functions would use the passed information to call the hosts_ctl() function of TCP Wrappers.</div><div><br></div><div>[1] tcp_wrappers: <a href="ftp://ftp.porcupine.org/pub/security/index.html">ftp://ftp.porcupine.org/pub/security/index.html</a></div><div>[2] tcp_wrappers license: <a href="ftp://ftp.porcupine.org/pub/security/tcp_wrappers_license">ftp://ftp.porcupine.org/pub/security/tcp_wrappers_license</a></div><div>[3] Asterisk SIP permit-deny-mask: <a href="http://www.voip-info.org/wiki/index.php?page=Asterisk+sip+permit-deny-mask">http://www.voip-info.org/wiki/index.php?page=Asterisk+sip+permit-deny-mask</a></div><div>[4] DenyHosts: <a href="http://denyhosts.sourceforge.net/">http://denyhosts.sourceforge.net/</a></div><div><br></div><div>Comments, suggestions, or ideas are welcomed!</div><div><br></div><div>Best Regards,</div><div>Joseph Benden</div><div><a href="http://www.ThrallingPenguin.com/">http://www.ThrallingPenguin.com/</a></div></body></html>
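As an added illustration of the two functions the proposal sketches (this is not code from the original post, from Asterisk or from tcp_wrappers), the C below reimplements the hosts_access(5) decision order that libwrap's hosts_ctl() applies, reading constructed in-memory copies of hosts.allow and hosts.deny so it builds against libc alone, and gives the proposed ast_permitted_sin() and ast_log_invalid() plausible bodies on top of it. The names tw_client_match, tw_list_match, tw_table_match, tw_hosts_ctl, ast_permitted_sin_example, ast_log_invalid_example and the SAMPLE_* tables, the "module: reason from ip for service" log format, and the example addresses are all assumptions made here; hostname patterns, EXCEPT lists and the option field of a rule are deliberately left out.

```c
#define _POSIX_C_SOURCE 200809L          /* strtok_r, inet_pton, syslog */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Constructed stand-ins for /etc/hosts.allow and /etc/hosts.deny (not from any real
   host); the deny table is the one a DenyHosts-style tool would append to. */
static const char SAMPLE_ALLOW[] =
    "# hosts.allow: trunk peer and management LAN\n"
    "sip, iax2 : 192.0.2.10\n"
    "manager : 10.0.\n";
static const char SAMPLE_DENY[] =
    "# hosts.deny: a subnet banned by DenyHosts, plus a manager lockdown\n"
    "ALL : 203.0.113.0/255.255.255.0\n"
    "manager : ALL\n";

/* One hosts_access(5) client pattern against a dotted-quad address: ALL, an exact
   address, "net/mask" or a trailing-dot prefix such as "10.0." (hostnames omitted). */
static int tw_client_match(const char *pat, const char *addr)
{
    struct in_addr a, net, mask;
    char buf[64], *slash;
    size_t n = strlen(pat);
    if (inet_pton(AF_INET, addr, &a) != 1 || n == 0 || n >= sizeof buf)
        return 0;                                   /* IPv4 only in this sketch */
    if (strcmp(pat, "ALL") == 0) return 1;
    if (pat[n - 1] == '.')                          /* "10.0." matches 10.0.x.y */
        return strncmp(pat, addr, n) == 0;
    memcpy(buf, pat, n + 1);
    if ((slash = strchr(buf, '/')) != NULL) {       /* "203.0.113.0/255.255.255.0" */
        *slash = '\0';
        if (inet_pton(AF_INET, buf, &net) != 1 || inet_pton(AF_INET, slash + 1, &mask) != 1)
            return 0;
        return (a.s_addr & mask.s_addr) == (net.s_addr & mask.s_addr);
    }
    return strcmp(pat, addr) == 0;
}

static int tw_daemon_match(const char *pat, const char *daemon)
{
    return strcmp(pat, "ALL") == 0 || strcmp(pat, daemon) == 0;
}

/* True if any token of a space/comma separated list satisfies fn (list is modified). */
static int tw_list_match(char *list, const char *val, int (*fn)(const char *, const char *))
{
    char *save, *tok;
    for (tok = strtok_r(list, " ,\t", &save); tok; tok = strtok_r(NULL, " ,\t", &save))
        if (fn(tok, val)) return 1;
    return 0;
}

/* Scan one table of "daemon_list : client_list [: option]" lines for a match. */
static int tw_table_match(const char *table, const char *daemon, const char *addr)
{
    char copy[1024], *save, *line, *clients, *opt;
    if (strlen(table) >= sizeof copy)
        return 0;                                   /* sketch limit; real files are read in full */
    strcpy(copy, table);
    for (line = strtok_r(copy, "\n", &save); line; line = strtok_r(NULL, "\n", &save)) {
        while (*line == ' ' || *line == '\t')
            line++;
        if (*line == '#' || (clients = strchr(line, ':')) == NULL)
            continue;                               /* comment or malformed line */
        *clients++ = '\0';
        if ((opt = strchr(clients, ':')) != NULL)
            *opt = '\0';                            /* the option field is ignored here */
        if (tw_list_match(line, daemon, tw_daemon_match) && tw_list_match(clients, addr, tw_client_match))
            return 1;
    }
    return 0;
}

/* Decision order of libwrap's hosts_ctl(): a hosts.allow match grants, then a hosts.deny
   match refuses, and no match at all grants.  Returns 1 if permitted, 0 if refused. */
int tw_hosts_ctl(const char *allow, const char *deny, const char *daemon, const char *addr)
{
    if (tw_table_match(allow, daemon, addr)) return 1;
    return tw_table_match(deny, daemon, addr) ? 0 : 1;
}

/* Shape of the proposed ast_permitted_sin(): peer sockaddr_in plus service name.  A real
   build would pass these to libwrap's hosts_ctl() in place of tw_hosts_ctl(). */
int ast_permitted_sin_example(const struct sockaddr_in *sin, const char *service)
{
    char addr[INET_ADDRSTRLEN];
    if (inet_ntop(AF_INET, &sin->sin_addr, addr, sizeof addr) == NULL)
        return 0;                                   /* fail closed on an unprintable address */
    return tw_hosts_ctl(SAMPLE_ALLOW, SAMPLE_DENY, service, addr);
}

/* Shape of the proposed ast_log_invalid(): one fixed-format syslog line that a DenyHosts
   regex can key on; the text is also left in out and its length is returned. */
int ast_log_invalid_example(char *out, size_t outlen, const char *module,
                            const char *reason, const char *ipaddr, const char *service)
{
    int n = snprintf(out, outlen, "%s: %s from %s for %s", module, reason, ipaddr, service);
    syslog(LOG_AUTH | LOG_NOTICE, "%s", out);
    return n;
}
```

With the sample tables, a SIP peer at 192.0.2.10 is permitted by hosts.allow, anything in 203.0.113.0/24 is refused by the DenyHosts-style line in hosts.deny, an unlisted address such as 198.51.100.5 falls through to the default grant, and "manager" is reachable only from 10.0.x.y. The default-grant tail is the part to keep in mind when wiring this into Asterisk: a host that is in neither file is allowed, so a deliberate "ALL : ALL" in hosts.deny is needed to get a default-deny posture, and the syslog line format must stay stable or the regular expressions DenyHosts matches against will silently stop firing.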