[asterisk-users] How to secure Configuration files

ABBAS SHAKEEL shakeel.abbas.qau at gmail.com
Wed Jul 7 03:46:20 CDT 2010


Thanks Hans,
This is a good idea if I place the configuration files in a database and
the database somewhere else...

Now finally, according to community feedback...

I will use AGI at max and obfuscate the Java code. Place the remaining
configuration in the database.

Hans, I think this will be a good trade-off.



On Wed, Jul 7, 2010 at 2:08 PM, Hans Witvliet <hwit at a-domani.nl> wrote:

> On Wed, 2010-07-07 at 12:12 +0600, ABBAS SHAKEEL wrote:
> > Thanks to Gordon and Paul for kind help.
> >
> >
> > Actually we have a limitation to place the Asterisk server in client
> > premises; if the server is in their premises then this means they have
> > full control over it.
> >
> > Hard disk encryption seems a good option but no automated boot is a big
> > issue :(
> >
> > Is there something possible like that?
> >
> > On Tue, Jul 6, 2010 at 5:21 PM, Gordon Henderson <gordon+asterisk at drogon.net> wrote:
> >
> >         On Tue, 6 Jul 2010, ABBAS SHAKEEL wrote:
> >
> >         > Hello Community,
> >         >
> >         > I have a question. I have been working with Asterisk and
> >         > developed some successful applications. I am facing an issue
> >         > of security, i.e. we deploy servers to the client end. Now I
> >         > don't want the client to see my configuration files (of course
> >         > copy and distribute or replicate the logic without
> >         > permission).
> >         >
> >         > Now the configuration files are stored in /etc/asterisk/*
> >         > (of course we can specify a different location but at the end
> >         > we specify this in a configuration file).
> >         >
> >         > Is there a way that the configuration files get encrypted or
> >         > something else so that someone who has system access cannot
> >         > copy the configuration files' data or look into those files?
> >
> >         The simple answer is that you can't prevent anyone copying it
> >         if they have physical access.
> >
> >         All you can do is make it hard.
> >
> >         If you wanted to encrypt them, you'd need to alter Asterisk.
> >
> >         You could use something like TrueCrypt, or another whole disk
> >         encryption technology, but that'll require someone typing in a
> >         password at boot time, making unattended reboots impossible.
> >
> >         Another way which I have seen is to do away with the dialplan
> >         entirely and do it all in a single big compiled AGI C program.
> >         (Ok, you have minimal dialplan to pump everything into it,
> >         but...) and don't distribute the source to the C program...
> >
> >         You need to work out just what it's worth to you if someone
> >         does copy it. Realistically, what's your target audience? Are
> >         your clients the sort of people likely to copy and sell it on?
> >         For most businesses, I'd guess not.
> >
> >         Gordon
>
> Before you embark on this way....
> Any disk encryption is of no use as long as it remains decrypted while
> the server is running...
> It only protects you against snooping eyes in case your hardware is
> stolen (most likely: laptops, usb-media)
>
> If you want to be 100% sure against unauthorized access to your data, you
> might want to use two factor authentication. But the fact that you have
> to use a smartcard/token AND a passphrase implies that you can not
> restart your machine/asterisk without being physically there.
> [I mean, you might be creating your own denial of service]
>
> If you just want to protect your asterisk-machine against prying eyes, I
> would suggest to put all of your config (sip, iax, dialplan) into a
> database (on another machine of course) and use an encrypted connection
> (636, ldaps) to access it. It will protect you against data theft if your
> machine is stolen, but that person might still be able to access the
> asterisk console _before he nicks the system_ and do a "sip show peers"
> and obtain your info in that way....
>
> So you better consider what you want to protect, against who, and at
> what acceptable costs....
>
> Security is a tricky business. It's easy to spend vast amounts of time
> and money and not get any additional security ;-)
>
> hw



-- 
Best Regards
Shakeel Abbas
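
The approach Gordon describes in the quoted text (a minimal dialplan that hands every call to a compiled AGI program) is sketched below as an added example; it is not code from anyone in this thread. The routing rules, the peer name `trunk`, the program name `router` and the dialplan stub in the comment are constructed assumptions.

```c
/* Added example: routing logic in a compiled AGI program, not extensions.conf.
 * Assumed dialplan stub:  exten => _X.,1,AGI(router)                         */
#include <stdio.h>
#include <string.h>

/* If line is "key: value", copy value into out and return 1; else return 0. */
static int agi_header_value(const char *line, const char *key,
                            char *out, size_t n)
{
    size_t klen = strlen(key);
    if (n == 0 || strncmp(line, key, klen) != 0 || line[klen] != ':')
        return 0;
    line += klen + 1;
    while (*line == ' ')
        line++;
    size_t len = strcspn(line, "\r\n");
    if (len >= n)
        return 0;                /* refuse to truncate a dialled number */
    memcpy(out, line, len);
    out[len] = '\0';
    return 1;
}

/* Constructed routing rules. Returns 0 = rejected, 1 = internal, 2 = trunk. */
static int build_command(const char *ext, char *cmd, size_t n)
{
    /* Only digits may reach the Dial string; anything else is rejected. */
    if (*ext == '\0' || strspn(ext, "0123456789") != strlen(ext))
        return snprintf(cmd, n, "EXEC Playback invalid") < (int)n ? 0 : -1;
    if (strlen(ext) == 3)        /* three digits: internal extension */
        return snprintf(cmd, n, "EXEC Dial SIP/%s,20", ext) < (int)n ? 1 : -1;
    return snprintf(cmd, n, "EXEC Dial SIP/trunk/%s,60", ext) < (int)n ? 2 : -1;
}

int main(void)
{
    char line[512], ext[64] = "", cmd[128];

    /* Asterisk sends agi_* headers on stdin, terminated by an empty line. */
    while (fgets(line, sizeof line, stdin) && line[0] != '\n')
        agi_header_value(line, "agi_extension", ext, sizeof ext);

    if (build_command(ext, cmd, sizeof cmd) < 0)
        return 1;
    printf("%s\n", cmd);         /* AGI commands are written to stdout */
    fflush(stdout);
    if (!fgets(line, sizeof line, stdin))   /* reply, e.g. "200 result=0" */
        return 1;
    return 0;
}
```

As Gordon notes, this only makes copying harder: the binary and any literal strings in it are still on a machine the client controls.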