[Asterisk-Users] asterisk security

Rich Adamson radamson at routers.com
Wed Jun 15 07:07:57 MST 2005


> I would like to have some advice about security, securing asterisk server
> 
> Already :
> 
> - configured asterisk to run as non-root user (http://www.voip-info.org/tiki-index.php?page=Asterisk+non-root)
> 
> - fw config (http://www.voip-info.org/tiki-index.php?page=Asterisk+firewall+rules)
> 
> Would like to know what are the things I have to be careful with
> 
> - prevent anyone to use my asterisk srv to call anywhere in the world, some alert to put in place ?
> 
> - prevent to listen my conversation, or other one using my asterisk srv
> 
> - other advice ???
> 

Next thing I'd suggest is to use an external sip phone (or * system)
to try to access your asterisk system without the appropriate userid
and password entries (or use entries that don't match your current
asterisk definitions).  Same with iax if you're allowing that.

Seems there are a fair number of people that think they understand
asterisk, its use of contexts, etc, but really don't.

If I were going to try and hack your asterisk system from a remote
location, what would I try to do? Place calls through your system
without you knowing it (among other things).

Using port scanners (like nessus, nmap, etc) will only tell you what
tcp/udp ports are open, but will not give you a clue whether your
sip, iax, or other I/O channels are defined in a reasonably secure
way.
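
A configuration-side check for the point above that a port scan cannot show how channels and contexts are defined. This is an added example, not part of the original post: it reads constructed sip.conf and extensions.conf text and reports which unauthenticated or password-less entries land in a context that can reach an outbound trunk. The peer names, dial patterns and the trunk name `SIP/provider` are assumptions.

```python
# Constructed sample configs; peer names, patterns and the trunk "SIP/provider" are hypothetical.
SIP_CONF = """
[general]
context=default        ; guests land here (allowguest defaults to yes)
[1001]
secret=constructed-example
[1002]
context=internal       ; no secret set
"""
EXTENSIONS_CONF = """
[default]
exten => _1XX,1,Dial(SIP/${EXTEN})
[internal]
include => default
include => outbound
[outbound]
exten => _9.,1,Dial(SIP/provider/${EXTEN:1})
"""

def parse(text):  # -> {section: [(key, value), ...]}
    sections, cur = {}, None
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()           # drop ; comments
        if line.startswith("[") and "]" in line:
            cur = sections.setdefault(line[1:line.index("]")], [])
        elif cur is not None and "=" in line:
            key, val = line.split("=", 1)
            cur.append((key.strip(), val.lstrip(">").strip()))
    return sections

def reachable(plan, start):  # contexts reachable by following include => lines
    seen, todo = set(), [start]
    while todo:
        ctx = todo.pop()
        if ctx not in seen and ctx in plan:
            seen.add(ctx)
            todo += [v for k, v in plan[ctx] if k == "include"]
    return seen

def audit(sip_text, ext_text, trunk="SIP/provider"):  # trunk name is hypothetical
    sip, plan = parse(sip_text), parse(ext_text)
    gen = dict(sip.pop("general", []))
    base = gen.get("context", "default")
    entry = {"<guest>": base} if gen.get("allowguest", "yes").lower() != "no" else {}
    for name, kv in sip.items():                       # entries with no password set
        if not {"secret", "md5secret"} & {k for k, _ in kv}:
            entry[name] = dict(kv).get("context", base)
    return sorted((w, e, c) for w, e in entry.items() for c in reachable(plan, e)
                  if any(k == "exten" and trunk in v for k, v in plan[c]))
```

Each tuple returned by `audit()` is (who, context they land in, context that dials the trunk). An entry without a secret may still be matched by source address, so treat the output as a review list rather than proof of exposure.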




