[asterisk-users] Security Logging

--[ UxBoD ]-- uxbod at splatnix.net
Thu Feb 11 06:01:24 CST 2010


----- "Tzafrir Cohen" <tzafrir.cohen at xorcom.com> wrote:

> On Wed, Feb 10, 2010 at 09:53:46PM -0600, Lyle Giese wrote:
> > Warren Selby wrote:
> > > On Tue, Feb 9, 2010 at 5:54 PM, Lyle Giese <lyle at lcrcomputer.net
> > > <mailto:lyle at lcrcomputer.net>> wrote:
> > >
> > >     Here's a start for you, just run from cron once a day:
> > >
> > >     Lyle
> > >
> > >
> > > So basically, nothing built into asterisk that already provides
> > > security logging mechanisms?  Maybe I'm using the wrong term; in
> > > Windows, I think it would be called Security Auditing, successful /
> > > unsuccessful login attempts that get recorded in the Windows Event
> > > Viewer in the security log.  These login attempts (whether successful
> > > or not) are recorded, and you get the IP address of the workstation
> > > attempting the login, the username used, and whether or not it was
> > > successful.  A log dedicated just to security auditing (or a new
> > > option in /etc/logger.conf that adds this functionality (say, messages
> > > => notice,warning,error,verbose,security) seems like it would be a
> > > nice addition to asterisk.
> > >
> > > I've already got tools that can monitor log files and create bans
> > > based on failed login attempts...but I don't always seem to see login
> > > failures in the asterisk messages log.
> > >
> > > I recall from Astricon 2009, Russel and Kevin (I think) commenting on
> > > security features in asterisk and not sure how much to include (i.e.
> > > automatically banning people based on failed login attempts being a
> > > process asterisk controls or just simply logs so that another tool can
> > > do the banning, etc).  I just don't remember if there was any followup
> > > to those discussions.
> 
> > I think that is the problem.  Nobody can agree on how it should be
> > implemented.  So just log the events and the user/admin find and use a
> > log analyzer or build your own tools for those that want/need such.
> 
> What do you want to log, exactly?
> 
> I believe, though, that SELinux, err Security Event Logging,
> (res/res_security_log.c , in trunk/1.8) is basically what you're
> after.
> 

Why not use http://www.ossec.net, which has Asterisk rules built in?

-- 
Thanks, Phil
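The thread turns on two things: that Asterisk's security-event logging (res_security_log.c) emits one line per authentication event with the peer address and account, and that an external tool is expected to read those lines and decide about bans. The script below is an added illustration of that second half, not code from Asterisk, OSSEC or anyone in the thread. It assumes the key="value" layout that res_security_log.c writes after the SECURITY channel prefix; the sample lines, process ids, addresses and session ids are constructed for the example, and the set of event names counted as failures should be checked against what your own Asterisk version emits.

```python
"""Summarise failed authentication events from an Asterisk security log.

Added example for the asterisk-users "Security Logging" thread; not code
from Asterisk or from any poster. Assumes the key="value" line format of
res_security_log.c. Sample log lines are constructed, not captured.
"""
import re
from collections import Counter
from typing import Dict, Iterable, Optional

# Constructed sample lines in the assumed res_security_log.c format.
# One successful SIP auth, several failures from one peer, one failure
# from another, and an ordinary NOTICE line that must be ignored.
SAMPLE_LOG = """\
[Feb 11 06:01:24] SECURITY[2231] res_security_log.c: SecurityEvent="SuccessfulAuth",EventTV="1265889684-123456",Severity="Informational",Service="SIP",EventVersion="1",AccountID="1001",SessionID="0x7f3b1c0",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/192.0.2.50/5060"
[Feb 11 06:01:30] SECURITY[2231] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="1265889690-654321",Severity="Error",Service="SIP",EventVersion="1",AccountID="1001",SessionID="0x7f3b1d0",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/198.51.100.7/5060"
[Feb 11 06:01:31] SECURITY[2231] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="1265889691-654322",Severity="Error",Service="SIP",EventVersion="1",AccountID="1001",SessionID="0x7f3b1e0",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/198.51.100.7/5060"
[Feb 11 06:01:32] SECURITY[2231] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="1265889692-654323",Severity="Error",Service="SIP",EventVersion="1",AccountID="1001",SessionID="0x7f3b1f0",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/198.51.100.7/5060"
[Feb 11 06:01:33] SECURITY[2231] res_security_log.c: SecurityEvent="InvalidAccountID",EventTV="1265889693-654324",Severity="Error",Service="SIP",EventVersion="1",AccountID="admin",SessionID="0x7f3b200",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/198.51.100.7/5060"
[Feb 11 06:01:40] SECURITY[2231] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="1265889700-111111",Severity="Error",Service="SIP",EventVersion="1",AccountID="1002",SessionID="0x7f3b210",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/203.0.113.9/5060"
[Feb 11 06:02:00] NOTICE[2231] chan_sip.c: Registration from '"1002"<sip:1002@192.0.2.10>' failed for '203.0.113.9' - Wrong password
"""

# Event names treated as a failed login attempt. These follow the names used
# by Asterisk's security-event framework; confirm them against your version.
FAILURE_EVENTS = {"InvalidPassword", "InvalidAccountID",
                  "ChallengeResponseFailed", "FailedACL"}

SECURITY_LINE = re.compile(r'\bSECURITY\[\d+\].*?SecurityEvent="')
KV_PAIR = re.compile(r'(\w+)="([^"]*)"')


def parse_security_event(line: str) -> Optional[Dict[str, str]]:
    """Return the key/value fields of a security-event line, or None for
    any other log line (NOTICE, WARNING, verbose output, ...)."""
    if not SECURITY_LINE.search(line):
        return None
    fields = dict(KV_PAIR.findall(line))
    return fields if "SecurityEvent" in fields else None


def remote_ip(event: Dict[str, str]) -> Optional[str]:
    """Extract the peer address from RemoteAddress="IPV4/UDP/addr/port"."""
    parts = event.get("RemoteAddress", "").split("/")
    return parts[2] if len(parts) == 4 else None


def count_failures(lines: Iterable[str]) -> Counter:
    """Count failed-auth events per remote IP; non-security lines and
    successful authentications are skipped."""
    failures: Counter = Counter()
    for line in lines:
        event = parse_security_event(line)
        if event is None or event["SecurityEvent"] not in FAILURE_EVENTS:
            continue
        ip = remote_ip(event)
        if ip:
            failures[ip] += 1
    return failures


def offenders(lines: Iterable[str], threshold: int) -> Dict[str, int]:
    """Peers whose failure count reaches the threshold, with their counts.
    This is the list a ban tool (or an analyst) would act on."""
    return {ip: n for ip, n in count_failures(lines).items() if n >= threshold}


if __name__ == "__main__":
    # Run over the constructed sample; in practice feed it the security log.
    for ip, n in sorted(offenders(SAMPLE_LOG.splitlines(), 3).items()):
        print(f"{ip}: {n} failed attempts")
```

The parser keys on the SECURITY channel and the SecurityEvent field rather than on chan_sip's free-text NOTICE messages, which is the point Tzafrir is making: the structured log gives a stable set of fields (event type, account, remote address) that a ban tool or log analyzer can match without regexes tuned to each channel driver's wording. The success event is parsed but not counted, so the same pass can also feed an audit of who logged in from where.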