[asterisk-users] How do you harden an Asterisk install?

Tzafrir Cohen tzafrir.cohen at xorcom.com
Fri Jul 14 01:12:13 MST 2006


On Thu, Jul 13, 2006 at 11:53:19PM -0500, Rich Adamson wrote:
> shadowym wrote:
> >Thanks for the suggestions but I specifically asked for options OTHER than
> >a second server.  Your suggestions about disabling un-needed services are
> >good though.  I already do that.  I am hoping someone has some suggestions
> >that are not as obvious that I have perhaps not thought of.
> 
> From a linux command line, run "netstat -a" or "netstat -an" and 

  netstat -lnut

or (less nice for formatting, requires root, but gives more data)

  netstat -lnutp

-l: only listening ports. Why bother with existing connections?
-n: numbers instead of names
-u: udp, -t: tcp: because you don't want to see all the unix-domain
                  sockets. Alternatively: --ip
-p: will tell you which process listens on the port

> identify every tcp & udp port that has a state of listen. You'll 
> probably find several that you were not aware of. Research what the 
> ports are used for and disable as needed. If you don't / can't disable 
> the function using the port, then use a firewall or router access list 
> to block internet folks from accessing the machine on those ports. Or, 
> download and run nmap to identify open ports remotely.
> 
> Download and run nessus (security scanner) against your server.

There are many old versions of Nessus floating around. An old scanner's
OK is not that good.

> 
> Review your asterisk config files and make sure you understand exactly 
> what default contexts are implemented, and address those as needed.

Don't provide access through protocols that are not required from other
hosts. Specifically the manager interface.

> Subscribe to any of several security lists that track linux distro 
> vulnerabilities and patch your distro as needed. One such advisory 
> service is available at http://secunia.com/advisories .
> 

Even more important: base yourself on a distribution that fixes the
security problems for you. You will never have the resources to track,
test and apply all of those fixes, unless you're a full-time-job
security consultant.

-- 
Tzafrir Cohen         sip:tzafrir at local.xorcom.com
icq#16849755          iax:tzafrir at local.xorcom.com
+972-50-7952406          jabber:tzafrir at jabber.org
tzafrir.cohen at xorcom.com     http://www.xorcom.com
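
The listening-port review described in the message above, as an added example that is not part of the original post: a shell function that reads `netstat -lnut` output and reports listeners reachable from other hosts that are not on an allowlist. The allowlist contents and the sample output are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original post. Flags listeners in
# `netstat -lnut` output that other hosts can reach and nobody planned for.

# Assumption: the proto/port pairs this host is meant to expose.
# 5060/udp is SIP, 4569/udp is IAX2, 22/tcp is SSH. Adjust per site.
ALLOWED="udp/5060 udp/4569 tcp/22"

# Reads `netstat -lnut` (or -lnutp) output on stdin and prints
# "proto/port local-address" for each unexpected, non-loopback listener.
unexpected_listeners() {
    awk -v allowed="$ALLOWED" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 ~ /^(tcp|udp)6?$/ {
        if ($1 ~ /^tcp/ && $6 != "LISTEN") next    # UDP rows have no state column
        laddr = $4
        port = laddr; sub(/.*:/, "", port)          # text after the last colon
        addr = substr(laddr, 1, length(laddr) - length(port) - 1)
        if (addr ~ /^127\./ || addr == "::1") next  # loopback: not reachable remotely
        proto = $1; sub(/6$/, "", proto)            # tcp6 -> tcp, udp6 -> udp
        key = proto "/" port
        if (!(key in ok)) print key, laddr
    }'
}

# Constructed sample output (not captured from a real host). 5038/tcp is the
# default port of the Asterisk manager interface the message warns about.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:5038            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN
udp        0      0 0.0.0.0:5060            0.0.0.0:*
udp        0      0 0.0.0.0:4569            0.0.0.0:*
udp        0      0 0.0.0.0:69              0.0.0.0:*
EOF
}

# On a live host: netstat -lnut | unexpected_listeners
sample_netstat | unexpected_listeners
```

Each line it prints is a port to research and then disable, rebind to loopback, or block at the firewall, as the thread suggests.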


