[asterisk-users] How do you harden an Asterisk install?
Rich Adamson
radamson at routers.com
Fri Jul 14 05:05:06 MST 2006
Tzafrir Cohen wrote:
> On Thu, Jul 13, 2006 at 11:53:19PM -0500, Rich Adamson wrote:
>> shadowym wrote:
>>> Thanks for the suggestions but I specifically asked for options OTHER than
>>> a second server. Your suggestions about disabling un-needed services are
>>> good though. I already do that. I am hoping someone has some suggestions that
>>> are not as obvious that I have perhaps not thought of.
>> From a linux command line, run "netstat -a" or "netstat -an" and
>
> netstat -lnut
>
> or (less nice for formatting, requires root, but gives more data)
>
> netstat -lnutp
>
> -l: only listening ports. Why bother with existing connections?
> -n: numbers instead of names
> -u: udp, -t: tcp: because you don't want to see all the unix-domain
> sockets. Alternatively: --ip
> -p: will tell you which process listens on the port
>
>> identify every tcp & udp port that has a state of listen. You'll
>> probably find several that you were not aware of. Research what the
>> ports are used for and disable as needed. If you don't / can't disable
>> the function using the port, then use a firewall or router access list
>> to block internet folks from accessing the machine on those ports. Or,
>> download and run nmap to identify open ports remotely.
>>
>> Download and run nessus (security scanner) against your server.
>
> There are many old versions of Nessus floating around. An old scanner's
> OK is not that good.
>
>> Review your asterisk config files and make sure you understand exactly
>> what default contexts are implemented, and address those as needed.
>
> Don't provide access through protocols that are not required from other
> hosts. Specifically the manager interface.
>
>> Subscribe to any of several security lists that track linux distro
>> vulnerabilities and patch your distro as needed. One such advisory
>> service is available at http://secunia.com/advisories .
>>
>
> Even more important: base yourself on a distribution that fixes the
> security problems for you. You will never have the resources to track,
> test and apply all of those fixes, unless you're a full-time-job
> security consultant.
>
Oh, and I forgot in my post to comment on disabling those modules that
are not actually needed in your specific implementation. Review the
"show modules" output and "noload" those not needed in modules.conf.
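The listening-port audit discussed in this thread, as an added example that is not part of any poster's message: it filters `netstat -lnut` output down to listeners that are reachable from other hosts and are not on an allowlist of intended services. The helper names, the allowlist policy and the sample output are assumptions made up for illustration; 5060/udp, 4569/udp and 5038/tcp are the Asterisk defaults for SIP, IAX2 and the manager interface.

```shell
#!/bin/sh
# Constructed sample of `netstat -lnut` output (not taken from a real host).
sample_netstat() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:5038            0.0.0.0:*               LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN
udp        0      0 0.0.0.0:5060            0.0.0.0:*
udp        0      0 0.0.0.0:4569            0.0.0.0:*
udp        0      0 0.0.0.0:69              0.0.0.0:*
EOF
}

# exposed_listeners ALLOWLIST  (hypothetical helper; reads netstat output on stdin)
# ALLOWLIST is a space-separated list of proto/port pairs that are meant to be
# reachable from other hosts. Prints "proto/port bind-address" for every
# listener that is not loopback-only and not on the allowlist.
exposed_listeners() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 ~ /^(tcp|udp)6?$/ {
            proto = $1; sub(/6$/, "", proto)      # treat tcp6/udp6 like tcp/udp
            addr = $4                              # Local Address column
            port = addr; sub(/.*:/, "", port)      # text after the last colon
            host = substr(addr, 1, length(addr) - length(port) - 1)
            if (host ~ /^127\./ || host == "::1") next   # loopback-only
            key = proto "/" port
            if (!(key in ok)) print key, host
        }'
}

# Assumed policy: SSH plus SIP (udp/5060) and IAX2 (udp/4569) are intended.
# On a live host: netstat -lnut | exposed_listeners "tcp/22 udp/5060 udp/4569"
sample_netstat | exposed_listeners "tcp/22 udp/5060 udp/4569"
```

Each line it prints is a service to disable, rebind to loopback, or block at the firewall; in the sample that includes the manager interface listening on all addresses.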