[asterisk-users] How to secure Configuration files

Faisal Hanif faisal at vopium.com
Wed Jul 7 03:50:49 CDT 2010 

  Hi,

As per my finding you can have two possible solutions to mentioned problem,

1st is to use realtime curl for all configuration. In this case asterisk 
will hit your configured URLs to read all configuration. You can run 
web-server on same or any machine and can use any CGI of Perl, PHP, C, 
JAVA or any other web language to response the URL. You will have full 
power of a programming language and you can do what you want just need 
coding.

2nd option is by enabling execincludes=yes in asterisk.conf you can use 
#exec in any of asterisk conf file to call any external application and 
asterisk will use configuration returned by that external application 
and will treat it same as in static file. Here you again have full power 
of programming language in you hand.

Regards,

Faisal Hanif

On 7/7/2010 1:08 PM, Hans Witvliet wrote:
> On Wed, 2010-07-07 at 12:12 +0600, ABBAS SHAKEEL wrote:
>> Thanks to Gordon and Paul for kind help.
>>
>>
>> Actually we have a limitation to place the Asterisk server in client
>> premises if the server is in there premises then this means they have
>> full control over it.
>>
>>
>> harddisk encryption seems a good option but no automated boot is big
>> issue :(
>>
>>
>> Is there some thing possible like that ?
>>
>>
>>
>>
>>
>>
>>
>> On Tue, Jul 6, 2010 at 5:21 PM, Gordon Henderson<gordon
>> +asterisk at drogon.net>  wrote:
>>
>>          On Tue, 6 Jul 2010, ABBAS SHAKEEL wrote:
>>
>>          >  Hello Community,
>>          >
>>          >  I have a question , I have been working with asterisk and
>>          developed some
>>          >  successful applications. I am facing an issue of security
>>          i.e.  We deploy
>>          >  servers to client end. Now i dont want the client to see my
>>          configuration
>>          >  files (Of course copy and distribute or replicate the logic
>>          with out
>>          >  permission).
>>          >
>>          >  Now the configuration files are stored in /etc/asterisk/*
>>           (Of course we can
>>          >  specify a different location but at end we specify this in a
>>          configuration
>>          >  file).
>>          >
>>          >  Is there a way that the configuration files get encrypted or
>>          some thing else
>>          >  so that some one who have system access can not copy the
>>          configuration files
>>          >  data or look into that files.
>>
>>
>>          The simple answer is that you can't prevent anyone copying it
>>          if they have
>>          physical access.
>>
>>          All you can do is make it hard.
>>
>>          If you wanted to encrypt them, you'd need to alter asterisk.
>>
>>          You could use something like trucrypt, or another whole disk
>>          encryption
>>          technology, but that'll require someone typing in a password
>>          at boot time
>>          making unattended reboots impossible.
>>
>>          Another way which I have seen is to do away with the dialplan
>>          entirely and
>>          do it all in a single big compiled AGI C program. (Ok, you
>>          have minimal
>>          dialplan to pump everything into it, but...) and don't
>>          distribute the
>>          source to the C program...
>>
>>          You need to work out just what it's worth to you if someone
>>          does copy it.
>>          Realistically, what's your target audience? Are your clients
>>          the sort of
>>          people likely to copy and and sell it on? For most businesses,
>>          I'd guess
>>          not.
>>
>>          Gordon
> Before you embark on this way....
> Any disk encryption is of no use as long as it remains de-crypted while
> the server is running...
> It only protects you against snooping eyes incaes your hardware is
> stolen (most likely: laptops, usb-media)
>
> If you want to be 100% sure against unautorized access to your data, you
> might want to use two factor authentication. But the fact that you have
> to use a smartcard/token AND a passphrase implies that you can not
> restart your machine/asterisk without being physically there.
> [I mean, you might be creating your own denial of service]
>
> If you just want to protect your asterisk-machine against prying eyes, i
> would suggest to put all of your config (sip, iax, dialplan) into a
> database (on a other machine ofcourse) and use an encrypted connection
> (636, ldaps) to access it. It will protect to against data-theft if your
> machine is stolen, But that person might still be able to access the
> asterisk console _before he nicks the system_  and do a "sip show peers"
> and obtain your info in that way....
>
> So you better consider what you want to protect, against who, and at
> what acceptable costs....
>
> Security is a tricky business. It's easy to spend vast amount of time
> and money and not getting any additional security ;-)
>
> hw
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.digium.com/pipermail/asterisk-users/attachments/20100707/d8659ade/attachment.htm

More information about the asterisk-users mailing list