[Asterisk-Users] Plugging Asterisk Security Holes....

andrewg at felinemenace.org andrewg at felinemenace.org
Wed Mar 24 07:32:13 MST 2004


On Wed, Mar 24, 2004 at 07:09:43AM -0700, Jason Becker wrote:
> andrewg at felinemenace.org wrote:
> 
> >>Another topic of interest is securing the box itself. Does a firewall
> >>(hardware outside of the box or a linux based firewall) suffice the need?
> >
> >Depends what you are protecting against. If you want to assume some
> >services are exploitable, you could try to break some of the exploits by
> >firewalling off all ports not used, and prevent all outgoing connections
> >from your box except for ports you use on that box. If you use netfilter,
> >you can create rules that apply to user-ids as well, so you could allow
> >asterisk more privileges.
> >
> Nessus (http://www.nessus.org/) is a great vulnerability assessment tool 
> one can use to determine if services are exploitable.
> 

How, pray tell, does it tell you that services are vulnerable when the
information about the security hole isn't public knowledge? (Unless, of
course, you take Microsoft's stance, where security issues don't exist
until they patch them, which of course is a flawed example, because they
could secure people's machines by not releasing patches.)

The approach I was talking about was mitigating and perhaps breaking
used exploit code by enforcing "application behaviour" (for lack of a better
term for the moment).

Also, relying on a (single) tool to tell you if you are vulnerable to
something will lead you into a false sense of security.

> Cheers

Thanks,
Andrew Griffiths
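A ruleset sketch for the netfilter approach described in the quoted paragraph above: default-deny on both INPUT and OUTPUT, only the ports the box actually uses opened, and the owner match so that only the uid asterisk runs as may originate SIP/RTP traffic. This is an added example, not code from the original thread; the user name, SIP port 5060, the RTP range 10000:20000 and SSH on 22 are assumptions, and the rules are emitted rather than applied so they can be reviewed before use.

```shell
#!/bin/sh
# Emit an iptables ruleset (added example, not from the original message).
# $1 = system user asterisk runs as, $2 = SIP port, $3 = RTP range (lo:hi).
# All three values are assumptions for illustration; adjust to the real box.
gen_rules() {
    user="$1"; sip="$2"; rtp="$3"
    cat <<EOF
# default deny in every direction; anything not listed below is dropped
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# loopback and replies to connections this box already accepted/started
iptables -A INPUT  -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# inbound: only the services this box actually offers (assumed ports)
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p udp --dport $sip -j ACCEPT
iptables -A INPUT -p udp --dport $rtp -j ACCEPT
# outbound: DNS for everyone, SIP/RTP only when the socket belongs to $user.
# The owner match works on locally generated packets, i.e. the OUTPUT chain,
# so a shell spawned by a compromised service running as another uid cannot
# open new connections; the attempt is logged and falls through to DROP.
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -m owner --uid-owner $user -p udp --dport $sip -j ACCEPT
iptables -A OUTPUT -m owner --uid-owner $user -p udp --dport $rtp -j ACCEPT
iptables -A OUTPUT -j LOG --log-prefix "egress-denied: "
EOF
}

# Apply the generated rules (requires root and a netfilter-enabled kernel).
apply_rules() {
    gen_rules "$@" | sh
}

# Usage: review first, then apply.
#   gen_rules asterisk 5060 10000:20000
#   apply_rules asterisk 5060 10000:20000
```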


