[Asterisk-Users] Security audit scripts

Remco Barende asterisk at barendse.to
Sun Jan 16 03:39:38 MST 2005


On Fri, 14 Jan 2005, Rich Adamson wrote:

>>> Are there security concerns with the * application software?
>>> I know there are with the Linux installation.
>>
>> :-)
>>
>> You should always be concerned with security.  Not to say that Asterisk
>> has any security problems (it is audited regularly).
>>
>> If you are administering network boxes you should really read up on
>> network security.
>>
>> That said, most of your security concerns are going to come from
>> applications which are running by default on your distro.
>>
>> You should really go through every application running on your box and
>> decide a) whether you need it and b) what settings you really need.
>
> This has sort of been discussed before on the list, but I'd suggest
> there is a much larger security issue running asterisk resulting
> from the implementor not understanding "contexts". I'm not talking
> about problems with the code, but rather experience level.
>
> Those with a fair amount of * experience know/understand the use of
> default contexts, however the list has seen many many posts where
> the implementor is having trouble making things work as expected
> and a fair number of those have something to do with the proper
> use of contexts.
>
> As with any I/T system, layered security is important including the
> underlying OS, apps (including *), the network itself, etc. However,
> there are many systems residing directly on the Internet and none
> of us have any issues when the systems are properly secured.


That is my major concern too. The * config files (as we all know) are not
the easiest to read, and when the setup becomes more complicated it's
difficult to know for sure if you haven't left any loopholes open (for
example a caller on hold that can dial outside etc.).

Would be nice if there was a script that you could feed an access point to
the asterisk server in question (be it SIP or IAX login) and that would
just start to try and do anything and report the result. At the same time
I realise that this would be a great tool for script kiddies too, but I
guess they will not be hindered by the lack of such a script anyway.
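
A static, config-side take on the audit idea discussed in this thread, as an added example that is not part of the original message or of Asterisk: it parses an extensions.conf, follows `include =>` chains from an entry context, and lists every Dial() to a trunk that becomes reachable. The sample dialplan, the entry context name and the "Zap/" trunk prefix are constructed assumptions.

```python
import re

# Constructed sample extensions.conf (not from the thread).
SAMPLE = """\
[default]            ; assumed landing context for unauthenticated callers
include => internal
exten => s,1,Answer()
[internal]
include => outbound
exten => _1XX,1,Dial(SIP/${EXTEN})
[outbound]
exten => _9.,1,Dial(Zap/g1/${EXTEN:1})
[parkinglot]
exten => 700,1,Park()
"""

SECTION = re.compile(r"^\[([^\]]+)\]")
INCLUDE = re.compile(r"^include\s*=>\s*([^\s|,]+)")
DIAL = re.compile(r"^exten\s*=>\s*([^,]+),[^,]+,\s*Dial\(([^,|)]+)", re.I)

def parse_dialplan(text):
    """Map each context to its included contexts and its Dial() targets."""
    plan, cur = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # ';' starts a comment
        if m := SECTION.match(line):
            cur = plan.setdefault(m.group(1), {"includes": [], "dials": []})
        elif cur is None:
            continue
        elif m := INCLUDE.match(line):
            cur["includes"].append(m.group(1))
        elif m := DIAL.match(line):
            cur["dials"].append((m.group(1).strip(), m.group(2)))
    return plan

def audit(text, entry, trunk_prefixes):
    """Return trunk Dial() targets reachable from `entry` through includes.
    Goto() jumps and macros are not followed (a limit of this sketch)."""
    plan, findings, seen = parse_dialplan(text), [], set()
    stack = [(entry, [entry])]
    while stack:
        ctx, path = stack.pop()
        if ctx in seen or ctx not in plan:
            continue
        seen.add(ctx)
        for exten, target in plan[ctx]["dials"]:
            if target.startswith(trunk_prefixes):   # tuple of trunk prefixes
                findings.append((" -> ".join(path), exten, target))
        stack.extend((inc, path + [inc]) for inc in plan[ctx]["includes"])
    return findings
```

Calling `audit(SAMPLE, "default", ("Zap/",))` reports the include path that exposes the `_9.` outbound pattern to the entry context; an empty list means no trunk Dial() is reachable through includes alone.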



