[asterisk-users] aSTERISK / Vicidial systems over 4MB fiber

Steve Totaro stotaro at totarotechnologies.com
Thu Jun 12 06:12:33 CDT 2008


Then I would think IPtables should work just fine for you.  You have
local access to the * box?  Even a simple NAT should probably work OK
with a little config tweaking.

Have a look here http://swik.net/iptables+sip

Thanks,
Steve

On Thu, Jun 12, 2008 at 7:03 AM, Mark Adams
<admin at infinity-marketing.com> wrote:
> Thanks for the response.
>
> I have a Tellabs 8813 switch provided by Time Warner. No, I currently do
> not have access to the switch. I am in the process of converting from
> analog-based dialers using Dialogic hardware to Asterisk/VICIdial systems.
>
> I am strictly placing SIP calls to my termination provider. I do not use the
> Linux box for anything else. This fiber connection is dedicated to SIP G.729
> calls entirely.
>
> Yes the fiber terminates directly to the switch.
>
> There are 6 analog-to-VoIP gateways (AudioCodes and Mediatrix) and 1
> Asterisk server. The gateways and the Asterisk server are connected to the
> Tellabs switch; security was never an issue because for the last 2 years we
> only connected analog-to-VoIP gateways to the open fiber connection.
>
> Now we want to get out of the Dialogic junk and replace those systems with
> Asterisk servers. Security has become troublesome while testing the first
> 50-80 channel server we have.
>
> Our Asterisk server has Fedora 8, X Windows, and Asterisk 1.4, I believe.
>
>
> Mark
>
> -----Original Message-----
> From: asterisk-users-bounces at lists.digium.com
> [mailto:asterisk-users-bounces at lists.digium.com] On Behalf Of Steve Totaro
> Sent: Thursday, June 12, 2008 6:40 AM
> To: Asterisk Users Mailing List - Non-Commercial Discussion
> Subject: Re: [asterisk-users] aSTERISK / Vicidial systems over 4MB fiber
>
> What services do you need exposed to the internet and on what machines?
>
> Does the fiber just terminate into your "switch" then?  What type of
> switch?  Can you get access to the switch?  If so you can probably
> create access control lists.
>
> You could put your own router in front to act as a firewall and/or NAT
> and add your own ACLs.
>
> As already suggested, turn off all unused services.  Do not use some
> all in one rolled up ISO such as Trixbox.  Change your ssh port.
>
> If at all possible, use OpenVPN (or whatever VPN) to connect all the
> machines together, as well as trusted clients then block all traffic
> in your ACLs (or firewall) except VPN, NTP, DNS, HTTP, and whatever I
> am missing.
>
> BTW I am no security expert.  I had a box compromised exactly as you
> described but the IRC junk was pegging the CPU, not Asterisk.
>
> Thanks,
> Steve
>
> On Thu, Jun 12, 2008 at 4:23 AM, Mark Adams
> <admin at infinity-marketing.com> wrote:
>> I appreciate the responses thus far, but I am looking to find out what type
>> of security I should implement for the future. Being new to Linux, not to
>> mention Asterisk, I didn't realize that someone could brute force into the
>> box and upload crap. With that in mind it seems that I would want to get a
>> hardware firewall such as a HotBrick or a SonicWall firewall.
>>
>> My situation seems unique because I am not using a router even at this
>> point. I was given a sheet of IP addresses and was told just to provision my
>> devices with the given IPs and they would handle the rest. My devices are
>> hooked directly to their switch in my location.
>>
>> This hasn't been an issue up until now because I only had analog (Mediatrix
>> and AudioCodes 24-port gateways x 4) connected to the switch. Now I am going
>> to a software-based dialer (i.e. Asterisk/VICIdial) and have run into these
>> problems.
>>
>> Thanks again,
>>
>> Mark
>>
>>
>>
>> -----Original Message-----
>> From: asterisk-users-bounces at lists.digium.com
>> [mailto:asterisk-users-bounces at lists.digium.com] On Behalf Of Steve Edwards
>> Sent: Wednesday, June 11, 2008 11:25 PM
>> To: Asterisk Users Mailing List - Non-Commercial Discussion
>> Subject: Re: [asterisk-users] aSTERISK / Vicidial systems over 4MB fiber
>>
>> On Wed, 11 Jun 2008, Mark Adams wrote:
>>
>>> (I know there are security issues, as there have been additional users
>>> created on my server and IRC junk was put in the home folder)
>>
>> If the box has been compromised, the only recourse is to erase the drives
>> and start over. You can't trust anything on the box.
>>
>> Off the top of my head, this is how I would approach the problem.
>>
>> 1) Identify how the box was compromised. (A client box was recently (last
>> 30 days) hacked. It was an old AAH installed by the client. The hacker
>> used the default password on the admin account to exploit a buffer
>> overflow in crond to gain root.)
>>
>> 2) Save any essential data -- and only the data, no executables.
>>
>> 3) Take the box off the Internet.
>>
>> 4) Boot DBAN and let it do its thing.
>>
>> 5) Install a minimal OS from CD/DVD.
>>
>> 6) Clean up after the install -- turn off services, delete users, delete
>> packages, add packages, etc.
>>
>> 7) Bring up to current patch level from your private repository.
>>
>> 8) Expose the box to the Internet.
>>
>> 9) Cross your fingers and actively monitor the box.
>>
>> Thanks in advance,
>> ------------------------------------------------------------------------
>> Steve Edwards      sedwards at sedwards.com      Voice: +1-760-468-3867 PST
>> Newline                                             Fax: +1-760-731-3000
>>
>> _______________________________________________
>> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
>>
>> asterisk-users mailing list
>> To UNSUBSCRIBE or update options visit:
>>   http://lists.digium.com/mailman/listinfo/asterisk-users
>>
>>
>
>

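The thread's advice boils down to one ruleset: default-deny on the Asterisk box, SIP and RTP only from the termination provider, and management only from a trusted host or VPN endpoint. The script below is an added example for this thread, not something posted by Steve Totaro, Mark Adams or Steve Edwards. The provider network (198.51.100.0/24), the management host (203.0.113.10) and the RTP range 10000-20000 (the Asterisk 1.4 rtp.conf default) are placeholders that must be replaced with the real values; the function emits the commands with `IPT=echo` so the ruleset can be reviewed before it is applied with `IPT=iptables` as root.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): default-deny iptables
# ruleset for a dedicated Asterisk/VICIdial trunk box that only places SIP
# calls to a single termination provider.
#
# IPT=echo (the default) previews the commands without touching the kernel
# tables; run as root with IPT=iptables to apply them.
IPT="${IPT:-echo}"

# Emit the INPUT ruleset.
#   $1 = termination provider address or CIDR (SIP signalling and RTP media)
#   $2 = trusted management host or VPN endpoint (SSH and the VICIdial web UI)
# Both values are placeholders in the examples below and must be replaced.
build_rules() {
    provider="$1"
    admin="$2"

    # Start clean: drop everything inbound unless a rule below allows it.
    $IPT -F INPUT
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Loopback and replies to connections the box itself opened.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # SIP signalling and RTP media only from the termination provider.
    # The RTP range must match rtpstart/rtpend in rtp.conf; 10000-20000 is
    # the Asterisk 1.4 default (assumption).
    $IPT -A INPUT -p udp -s "$provider" --dport 5060 -j ACCEPT
    $IPT -A INPUT -p udp -s "$provider" --dport 10000:20000 -j ACCEPT

    # Management only from the trusted host: SSH and the VICIdial web UI.
    # Restricting the source address stops the brute forcing the thread
    # describes even if the service stays on its standard port.
    $IPT -A INPUT -p tcp -s "$admin" --dport 22 -j ACCEPT
    $IPT -A INPUT -p tcp -s "$admin" --dport 80 -j ACCEPT

    # Log (rate-limited) whatever falls through so scans and login attempts
    # show up in syslog before the policy drops them.
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPT-DROP: "
}

# Usage: IPT=echo ./asterisk-fw.sh 198.51.100.0/24 203.0.113.10   (preview)
#        IPT=iptables ./asterisk-fw.sh 198.51.100.0/24 203.0.113.10   (apply)
if [ "$#" -eq 2 ]; then
    build_rules "$1" "$2"
fi
```

If the provider's media servers sit in a different network from its SIP proxy, add a second provider argument for the RTP rule rather than widening the first one; and if the six analog gateways on the same switch must also reach the box, give them their own source-restricted rules instead of opening SIP to the whole segment.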