[Asterisk-Users] Can bad person with SIPp attack Asterisk ?

Patrick asterisk at puzzled.xs4all.nl
Thu Oct 28 13:52:35 MST 2004


On Wed, 2004-10-27 at 23:54, Kevin Walsh wrote:
> Robert Rozman [rozman at fri.uni-lj.si] wrote:
> > Sorry, maybe a dumb question. But could a person with bad intent attack
> > an Asterisk PBX with the SIPp tool?
> > 
> I don't know what the SIPp tool is, but there are bound to be hidden
> security bugs in the Asterisk code, just waiting for someone to exploit.
> To mitigate this, you must not run Asterisk as root: create a specific
> Asterisk user and group ID, and run Asterisk using that.
> 
> Basic security precautions should be taken with all public-facing
> services - not just Asterisk.

Absolutely. Some things that come to mind: configure your firewall to
only accept SIP, IAX2 etc. connections from/to the IP addresses of the remote
servers you interact with. IIRC in iptables there is also something
called rate limiting to stop a DoS from eating all your resources. You
can also configure allow/deny IP addresses in *.

I am sure there are more ways to enhance security and would welcome
further input from the community. Perhaps the info from this thread
could then be the start of the Asterisk Security Howto document.

About running * non-root. Any information on how to go about this? How
exactly would you configure this? What about zaptel & libpri? Apache
setup for e.g. * & vmail or astcc interaction, CDR registration (file or
DB), etc.

Regards,
Patrick
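As an added example (not part of the original message or of the Asterisk project), here is how the firewall side of Patrick's suggestions can be put into one reviewable script: SIP and IAX2 are only accepted from a fixed list of remote servers, SIP signalling from those servers is rate-limited with the iptables `limit` module so a flood cannot exhaust the PBX, and everything else aimed at the VoIP ports is dropped. The peer addresses, port range and rate figures are constructed placeholders and assumptions; set `IPT=echo` (or run with `dry-run`) to print the rules instead of applying them.

```shell
#!/bin/sh
# Added example for the asterisk-users thread on securing Asterisk.
# Not from the original post. Peers, RTP range and rates below are
# constructed placeholders: adjust them to your own PBX and trunks.
# Usage:  sh voip-fw.sh dry-run   (print rules)   |   sh voip-fw.sh apply  (as root)

IPT=${IPT:-iptables}        # set IPT=echo for a dry run

# Constructed sample peers: the only remote servers this PBX should talk to.
SIP_PEERS="198.51.100.10 198.51.100.11"
IAX_PEERS="203.0.113.5"

SIP_PORT=5060               # SIP signalling (UDP)
IAX_PORT=4569               # IAX2 signalling + media (UDP)
RTP_RANGE=10000:20000       # RTP media; must match rtp.conf on the PBX

# Token-bucket limit for SIP signalling per peer: sustained rate and burst.
# Size these to the trunk's real call rate; too low and setups get dropped.
SIG_RATE=50/s
SIG_BURST=100

build_rules() {
    # Dedicated chain so the rest of the host firewall stays untouched.
    # On a dry run the -N simply prints; on a real run an existing chain is flushed.
    $IPT -N VOIP 2>/dev/null || $IPT -F VOIP

    # Steer all traffic for the VoIP ports into the chain.
    $IPT -A INPUT -p udp --dport "$SIP_PORT" -j VOIP
    $IPT -A INPUT -p udp --dport "$IAX_PORT" -j VOIP
    $IPT -A INPUT -p udp --dport "$RTP_RANGE" -j VOIP

    for peer in $SIP_PEERS; do
        # Known SIP peer: accept signalling, but only within the token bucket.
        # Packets above the limit fall through to the final DROP.
        $IPT -A VOIP -p udp --dport "$SIP_PORT" -s "$peer" \
            -m limit --limit "$SIG_RATE" --limit-burst "$SIG_BURST" -j ACCEPT
        # Media from the same peer is not rate-limited: one call is ~50 pps.
        $IPT -A VOIP -p udp --dport "$RTP_RANGE" -s "$peer" -j ACCEPT
    done

    for peer in $IAX_PEERS; do
        # IAX2 carries audio on the same port as signalling, so a tight
        # per-packet limit would clip calls; restrict by source only.
        $IPT -A VOIP -p udp --dport "$IAX_PORT" -s "$peer" -j ACCEPT
    done

    # Unknown source, or a known peer over its limit: drop.
    $IPT -A VOIP -j DROP
}

case "${1-}" in
    apply)   build_rules ;;
    dry-run) (IPT=echo; build_rules) ;;
esac
```

The same idea applies one layer up in Asterisk itself: the per-peer `deny=` and `permit=` entries in sip.conf and iax.conf (typically `deny=0.0.0.0/0.0.0.0` followed by a `permit=` for the trunk's address) reject registrations and calls from addresses that slip past the firewall, so a mistake in one layer is still caught by the other.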


