[Asterisk-Users] Internet Dial-in security questions

Martin Pycko martinp at digium.com
Fri Apr 25 07:40:29 MST 2003


Just block all the TCP ports to this asterisk box on the firewall
(you can block incoming and outgoing unless you want to do cvs update;
then leave cvs open). Do the same on the asterisk box's own firewall.
Let UDP traffic in and out on ports 1024-65535 only to the asterisk box.
Remove all unnecessary services on the asterisk box. Make sure your
manager.conf doesn't give too much access.

Martin

On Fri, 25 Apr 2003, Stefano Finetti wrote:

>
> ----- Original Message -----
> From: "Skuse, Phil" <Phil.Skuse at vicorp.com>
> To: <asterisk-users at lists.digium.com>
> Sent: Friday, April 25, 2003 12:29 PM
> Subject: [Asterisk-Users] Internet Dial-in security questions
>
>
> >
> > sip:<number>@asterisk-server.mycompany.com
> >
> > should connect just fine (except currently it will be blocked by the
> > firewall). Our firewall knows nothing about SIP, so presumably I have to
> > open port 5060 and all UDP high ports (in and out)?
> >
> > What are the security implications of doing this? Do I need to secure the
> > asterisk server in the same way that I would for other publicly accessible
> > servers? (grsecurity + closing all non-essential ports + removing all suid
> > programs and unnecessary daemons)
> >
> > Presumably I also need to setup proper contexts so that internet callers
> > cannot access the PSTN or voicemail? Anybody have an example of this?
>
> You can override problems about the security in this way:
>
> You must open those ports only to the clients you want to let use the system.
>
> In other words, give 'em the possibility to REGISTER on your * SIP server.
> Place them in a different context, a "Bunker" context in which they can
> *ONLY* make the calls you want to let 'em do. No outgoing, no voicemail
> includes.
>
> Assuming you're using ipchains or iptables for firewalling under linux, you
> should verify that the 5060 port and the udp ports are open only from
> specified sources. This has a problem inside: if your clients have dynamic
> ip addresses, you can't put them in the source field of the firewall.
> So, to avoid (or better, to bypass) the problem, make sure you use a good
> authentication system for the sip clients.
>
> >
> > Are there any particular security risks that I need to defend against?
> >
> > Would it be better to put a secured asterisk server outside the firewall and
> > connect it to the internal one with IAX? Does this require less ports open
> > on the firewall?
>
> Basically, you can save some ports, but there's the other side of the medal:
> the "external" asterisk box will be attackable (unless you put a firewall
> on, and then you again have the same problem with the ports), and if someone
> takes control of your * box, he can then call anywhere using your lines
> passing over IAX.
>
>
> These are just my 2 cents, hoping to help you.
>
> --
> Stefano
>
> _______________________________________________
> Asterisk-Users mailing list
> Asterisk-Users at lists.digium.com
> http://lists.digium.com/mailman/listinfo/asterisk-users
>
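Phil's question about contexts and Stefano's "Bunker" context, and Martin's point about manager.conf, as an added configuration example that is not from the thread or from the Asterisk project. The section names (`[bunker]`, `[remoteuser]`), the extension numbers and the `change-me` placeholder are assumptions; the option names are the ones found in Asterisk's sample sip.conf, extensions.conf and manager.conf, so check them against the samples shipped with the version in use.

```ini
; ---- sip.conf: every internet SIP peer lands in the bunker, never in internal contexts
[general]
port = 5060
bindaddr = 0.0.0.0
context = bunker            ; default for anything not matched to a peer below (assumed name)

[remoteuser]                ; one entry per internet caller (assumed name)
type = friend
host = dynamic              ; they REGISTER, so the firewall cannot pin a source address
secret = change-me          ; placeholder: this secret is what stands in for the source filter
context = bunker            ; no way out of this context except the extensions listed in it

; ---- extensions.conf: the bunker contains only what internet callers may dial
[bunker]
; No "include =>" lines: no internal context, no PSTN trunk, no voicemail app is reachable.
exten => 100,1,Dial(SIP/reception,20)   ; assumed internal peer
exten => 100,2,Congestion
exten => _1XX,1,Dial(SIP/${EXTEN},20)   ; internal SIP phones 100-199 only (assumption)
exten => _1XX,2,Congestion

; ---- manager.conf: Martin's "doesn't give too much access"
[general]
enabled = no                ; leave the manager interface off unless something needs it
port = 5038
bindaddr = 127.0.0.1        ; if enabled, listen on loopback only, never on the internet side
```

What keeps PSTN and voicemail out of reach here is the absence of `include =>` in `[bunker]`: an internet caller can only match the patterns written in that section, and `Congestion` rather than a fall-through ends any call the patterns do not cover.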
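The firewall side of Stefano's suggestion (open 5060 and the RTP range only from named sources, nothing else to the box) and Martin's "block all TCP" rule, as an added example that is not part of the thread. It is a small POSIX shell script that generates the iptables rules; by default it only prints them (dry run), set IPT=iptables to apply. The addresses (192.0.2.10 for the Asterisk box, 203.0.113.10 and 198.51.100.7 as allowed callers) are RFC 5737 documentation addresses chosen for illustration, and the 10000:20000 RTP range is an assumption that should match what rtp.conf is configured to use.

```shell
#!/bin/sh
# Added example, not from the original thread: emit iptables rules that admit
# SIP signalling (UDP 5060) and RTP media only from a list of trusted source
# hosts and drop everything else aimed at the Asterisk box.
# All addresses below are RFC 5737 documentation addresses (constructed data).

ASTERISK_IP=${ASTERISK_IP:-192.0.2.10}   # the Asterisk box (assumed address)
RTP_RANGE=${RTP_RANGE:-10000:20000}      # must match the range in rtp.conf (assumption)
# Dry run by default: "echo iptables" prints each command instead of running it.
# Run with IPT=iptables (as root) to actually load the rules.
IPT=${IPT:-"echo iptables"}

# sip_rules <src> [<src> ...]
# One ACCEPT pair (5060 + RTP range) per trusted source, then default deny
# for anything else (TCP or UDP) addressed to the Asterisk box.
sip_rules() {
    # Replies to flows the box itself started (DNS, NTP, outbound SIP) may return.
    $IPT -A INPUT -d "$ASTERISK_IP" -m state --state ESTABLISHED,RELATED -j ACCEPT

    for src in "$@"; do
        $IPT -A INPUT -p udp -s "$src" -d "$ASTERISK_IP" --dport 5060 -j ACCEPT
        $IPT -A INPUT -p udp -s "$src" -d "$ASTERISK_IP" --dport "$RTP_RANGE" -j ACCEPT
    done

    # Martin's rule: no TCP to the box at all (add a cvs exception here if needed).
    $IPT -A INPUT -p tcp -d "$ASTERISK_IP" -j DROP
    # Anything else UDP from an unlisted source: log it, then drop it.
    $IPT -A INPUT -p udp -d "$ASTERISK_IP" -j LOG --log-prefix "asterisk-deny: "
    $IPT -A INPUT -p udp -d "$ASTERISK_IP" -j DROP
}

# Usage: ./sip-rules.sh 203.0.113.10 198.51.100.7
if [ $# -gt 0 ]; then
    sip_rules "$@"
fi
```

The dynamic-address caveat from the thread still applies: a caller whose address is not in the list never reaches Asterisk, so for roaming users the source filter has to be dropped and the SIP secret carries the load.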