Trixter wrote:
> because the data gets out of date fast enough, and people may be
> watching an older version.
[snip]
> Security is not a one size fits all thing, it's got to be a thing that
> is integrated into the particular set up that exists, and it's something
> that has to be maintained, it's not a set it and forget it thing. Look
> at history, a "secure" system 6 months ago is hardly considered secure
> today in general, and new technologies and threats are coming out all
> the time to change the balance which has to be kept on top of.
I disagree. Security fundamentals -- shut everything off, then open where
necessary, then secure the things that are open and keep them up to date --
haven't changed in years. In fact, every server in the world should follow
four simple yet vital steps to secure itself.

Using a firewall (iptables, pf) to block everything at the OS/kernel level,
other than what needs to be open, is and should be the first step.

SSH is a necessity for most, so turn on key-based authentication only; lose
the password auth.

Fail2ban is a Python script, which, while fine, isn't C. sshguard already
does repeated-failure-of-authentication blocking using your existing
firewall. It works very well for ssh and can be easily adapted to monitor
any log file and block IPs with too many failed auth attempts, as well as
secure your SSH connection.

http://sshguard.sourceforge.net/

These four things:

 * Firewall (iptables/netfilter, pf, ipfw, tcpd); block everything, open as
   necessary
 * Brute Force or Repeated Failure blocking (any IP-based service)
 * Secure, key-based ONLY remote access (ssh)
 * 12+ character alphanumeric random passwords for ANYTHING not able to be
   locked down by IP

are not only Standard Operating Procedure for the security-minded system
administrator, but would easily prevent most of the fraud mentioned in this
thread. Nothing is 100%, but this sure as hell is 99%. Keeping your OS,
Asterisk, ssh and sshguard software up to date is the other 0.99%.

Those four things have not changed in the security world in YEARS.

Of course, if someone is sniffing your SIP packets, you are still hosed.
Then you just need to figure out how to put some daily dollar spend limits
on your customers.

ASIDE, sort of related. Most people who are NAT'ed are in the US. It
probably wouldn't be a ton of effort to get an IP to location DB (maxmind?)
and restrict auths to a certain geographic IP block.
Sure, this might cause some issues if the DB is wrong or a new IP block isn't
in the DB, but if you are getting hacked regularly, it's another level.

Beckman
---------------------------------------------------------------------------
Peter Beckman                                                  Internet Guy
beck...@angryox.com                                 http://www.angryox.com/
---------------------------------------------------------------------------

asterisk-biz mailing list
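The four steps in Beckman's post, written out as one POSIX shell script. This is an added example, not Beckman's code and not part of sshguard or fail2ban: it emits a default-deny iptables ruleset for review rather than applying it, counts OpenSSH "Failed password ... from <ip>" lines per source address and turns offenders into DROP rules (the same idea sshguard implements as a daemon), rewrites an sshd_config so only public-key authentication is accepted, and generates 12+ character alphanumeric passwords. Assumptions: a Linux host with iptables and conntrack, the stock OpenSSH log format, an sshd_config path passed in by the caller, and the sample log lines below, which are constructed and not from any real system.

```shell
#!/bin/sh
# Added example for the four steps in the post above (not the author's or
# sshguard's code). Assumes Linux/iptables and stock OpenSSH log lines.
set -eu

# Step 1: default-deny firewall. Prints the iptables commands instead of
# running them so the ruleset can be reviewed first.
# $1 = SSH port, $2 = optional space-separated "proto:port" list to open,
# e.g. "udp:5060" for SIP signalling.
firewall_rules() {
    ssh_port="$1"; extra="${2:-}"
    printf '%s\n' \
        'iptables -F INPUT' \
        'iptables -P INPUT DROP' \
        'iptables -P FORWARD DROP' \
        'iptables -P OUTPUT ACCEPT' \
        'iptables -A INPUT -i lo -j ACCEPT' \
        'iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
        'iptables -A INPUT -m conntrack --ctstate INVALID -j DROP' \
        "iptables -A INPUT -p tcp --dport $ssh_port -m conntrack --ctstate NEW -j ACCEPT"
    for svc in $extra; do
        proto=${svc%%:*}; port=${svc#*:}
        printf 'iptables -A INPUT -p %s --dport %s -j ACCEPT\n' "$proto" "$port"
    done
}

# Step 2: repeated-failure blocking. Reads an auth log on stdin, counts
# "Failed password" lines per source IP and prints every IP whose count is
# at or above the threshold ($1), sorted, one per line.
failed_auth_offenders() {
    awk -v threshold="$1" '
        /sshd\[[0-9]+\]: Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i+1)]++
        }
        END { for (ip in fails) if (fails[ip] >= threshold) print ip }' | sort
}

# Turns the offender list on stdin into DROP rules inserted at the top of
# INPUT, so they take effect before the ACCEPT rules above.
block_commands() {
    while IFS= read -r ip; do
        printf 'iptables -I INPUT 1 -s %s -j DROP\n' "$ip"
    done
}

# Step 3: key-based SSH only. Rewrites the sshd_config at $1: every existing
# (possibly commented-out) line for the settings below is removed and the
# hardened values appended, so a later "PasswordAuthentication yes" cannot
# override them. ChallengeResponseAuthentication is the older name for
# KbdInteractiveAuthentication; setting both covers old and new OpenSSH.
harden_sshd_config() {
    cfg="$1"
    sed -e '/^[[:space:]]*#*[[:space:]]*PasswordAuthentication[[:space:]]/d' \
        -e '/^[[:space:]]*#*[[:space:]]*ChallengeResponseAuthentication[[:space:]]/d' \
        -e '/^[[:space:]]*#*[[:space:]]*KbdInteractiveAuthentication[[:space:]]/d' \
        -e '/^[[:space:]]*#*[[:space:]]*PubkeyAuthentication[[:space:]]/d' \
        "$cfg" > "$cfg.tmp"
    printf '%s\n' 'PasswordAuthentication no' \
        'ChallengeResponseAuthentication no' \
        'KbdInteractiveAuthentication no' \
        'PubkeyAuthentication yes' >> "$cfg.tmp"
    mv "$cfg.tmp" "$cfg"
    grep -q '^PasswordAuthentication no$' "$cfg" &&
        grep -q '^PubkeyAuthentication yes$' "$cfg"
}

# Step 4: random alphanumeric password for anything that cannot be locked
# down by IP (SIP peers, AMI users). $1 = length; refuses anything under 12.
random_password() {
    len="${1:-16}"
    [ "$len" -ge 12 ] || { echo "refusing password length < 12" >&2; return 1; }
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "$len"
    echo
}

# Constructed sample auth log (not from a real system): one address fails
# three times, another has a single failure after a successful key login.
SAMPLE_AUTH_LOG='Jan 12 03:14:07 pbx sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Jan 12 03:14:09 pbx sshd[2233]: Failed password for root from 203.0.113.7 port 51236 ssh2
Jan 12 03:14:12 pbx sshd[2235]: Failed password for root from 203.0.113.7 port 51240 ssh2
Jan 12 03:15:01 pbx sshd[2240]: Accepted publickey for beckman from 198.51.100.20 port 40022 ssh2
Jan 12 03:16:44 pbx sshd[2251]: Failed password for root from 198.51.100.20 port 40030 ssh2'

# Usage: sh harden.sh demo   (prints the ruleset, the block rules for the
# sample log with threshold 3, and one 16-character password)
if [ "${1:-}" = "demo" ]; then
    firewall_rules 22 "udp:5060"
    printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_auth_offenders 3 | block_commands
    random_password 16
fi
```

With threshold 3 only 203.0.113.7 is blocked; the single failure from 198.51.100.20 stays below it, which is the knob that keeps a fat-fingered legitimate login from locking out a real user. In production the same counting runs continuously over the live log (what sshguard does) and the blocks expire, whereas this script takes one snapshot.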