[asterisk-users] How do you harden an Asterisk install?

shadowym shadowym at hotmail.com
Thu Jul 13 19:13:38 MST 2006


Thanks for the suggestions but I specifically asked for options OTHER than a
second server.  Your suggestions about disabling unneeded services are good
though.  I already do that.  I am hoping someone has some suggestions that
are not as obvious that I have perhaps not thought of.

> -----Original Message-----
> From: Warren (mailing lists) [mailto:warren-lists at icruise.com] 
> Sent: Thursday, July 13, 2006 12:36 PM
> To: Asterisk Users Mailing List - Non-Commercial Discussion
> Subject: Re: [asterisk-users] How do you harden an Asterisk install?
> 
> shadowym wrote:
> >
> > I remember reading a small write up somewhere.  I think it was on the
> > Asterisk Wiki.  I can't find it anymore.  It's probably a bit dated by
> > now but some of it would still be relevant.
> >
> > Can anyone recommend a good guide or even some of their own suggestions?
> >
> > For clarity, what I mean by hardening is to make an Asterisk Server or
> > network appliance or embedded server or whatever you want to call it,
> > as fail safe, stable, and reliable as possible.  Just like an
> > expensive traditional PBX.  This is for a small business application
> > of 50 extensions or less.  It can't be too crazy like redundant
> > servers or anything like that.  I am looking for ideas like RAID 1,
> > redundant power supply, cron job to reboot every night (yuck!),
> > disable caching(?), Astlinux on embedded with CF, yada yada!
> >
> > Any way to set up automatic failover to a second Network Card with same
> > IP if primary network card fails?  That is one point of failure I
> > haven't found a way around yet.  Failure of the managed switch is
> > another one I get a bit paranoid about.  Switches generally don't fail
> > but I'd like to have some sort of fail safe plan.
> 
> 
> You are talking about 2 things:
> (1) How to harden a Linux box
> (2) How to do failover.
>
> For (1), be sure telnet, ftp and any other service you do not
> need is off.  Move standard services to non-standard ports,
> especially web and ssh.  Do not run a name server on the box.
> 
> For (2): You need to have a secondary box that runs a mirror 
> copy of Asterisk and mysql and pretty much has everything 
> else configured the same.  mysql should be replicated to the 
> second box.  You then run a program on the second box that 
> pings the first box.  If the first box fails the second takes 
> over the first box's IP and runs with it.  There are 
> heartbeat programs that can help out with this.
> 
> W
> 
> 
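The service checks listed under (1) in the quoted reply, written as a listener audit; this is an added example, not part of the thread. It assumes the input is `ss -H -tuln` output, the function names are hypothetical, and the sample socket list is constructed.

```shell
#!/bin/sh
# Added example: flag listeners that the quoted reply says to turn off or move.
# Expected input columns (ss -H -tuln):
#   Netid State Recv-Q Send-Q Local-Address:Port Peer-Address:Port

audit_listeners() {
    awk '
    {
        n = split($5, part, ":")   # port is whatever follows the last colon
        port = part[n]
        proto = $1
        if (port == 23)
            why = "telnet: turn off"
        else if (port == 21)
            why = "ftp: turn off"
        else if (port == 53)
            why = "name server: do not run on this box"
        else if (proto == "tcp" && port == 22)
            why = "ssh on standard port: move"
        else if (proto == "tcp" && (port == 80 || port == 443))
            why = "web on standard port: move"
        else
            next                   # anything else (SIP, IAX2, MySQL...) is not judged here
        printf "%s/%s %s\n", proto, port, why
    }'
}

# Constructed sample: a small Asterisk box with a few leftovers still listening.
sample_listeners() {
    cat <<'EOF'
udp   UNCONN 0      0            0.0.0.0:5060       0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:4569       0.0.0.0:*
udp   UNCONN 0      0          127.0.0.1:53         0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      5            0.0.0.0:23         0.0.0.0:*
tcp   LISTEN 0      80         127.0.0.1:3306       0.0.0.0:*
tcp   LISTEN 0      511             [::]:8443          [::]:*
EOF
}

# On a live host, replace the sample with:  ss -H -tuln | audit_listeners
sample_listeners | audit_listeners
```

An empty result means none of the services named in the reply are listening on their standard ports; it says nothing about what else is exposed.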


