Re: [Astlinux-users] Securing Astlinux 0.6.1

Darrick Hartman Sat, 22 Nov 2008 08:13:54 -0800

Mart

You can configure many of the settings for Openvpn through later versions of 
the gui. I believe you still need to do the openssl key generation on the 
command line.


If you have two static endpoints the racoon ipsec implementation may be better, 
especially for traffic shaping. 

One more note. Some Snom phones support openvpn. 

Darrick

On Sat, 22 Nov 2008 04:59:19 -0600, Martin Rogers wrote:
> Niksa
> 
> could you please advise which model of router you have got working with
> OpenVPN. Also can you confirm that you are running the VPN on the PBX
> rather itself than in front of it (e.g. rather than on its own router in
> box-to-box vpn mode).
> 
> Out of interest, if you are running it on the PBX did you use the
> astlinux web tool to configure this ?
> 
> Thanks
> Mart
> 
> Niksa Baldun wrote:
> > Martin,
> > > you are unlikely to find OpenVP> > > Niksa Baldun
> > > > > Martin Rogers wrote:
> >> Darrick,
> >>
> >> interesting point about the VPN. I have to have three classes of port
> >> opened up for my AstLinux to work on the internet. A VPN solution would
> >> certainly simplify things in this respect.
> >>
> >> However, in reality, how ubiquitous is VPN support on VOIP phones. I use
> >> three types of phone (two PolyCom models and a Snom model) and none of
> >> them seem to offer any VPN client support.
> >>
> >> The other point is that steam encryption is going to slow down
> >> transmission of the media stream (to some extent anyway).  I have
> >> experienced some bad degradation running a couple of phones with
> >> Asterisk through a PIX hardware VPN over a residential ADSL line.
> >> Stuttery MOH is not nice.
> >>
> >> How practical is the VPN suggestion, does anyone actually use this.
> >> What steps are others taking to secure AstLinux/Asterisk on public
> >> networks. It would be useful if we could get a list of ideas together.
> >>
> >> My very short and inadequate list so far is as follows:
> >>
> >> -Limit the number of ports available
> >> -Use UnionFS and change the root password
> >> -Use hashed secrets
> >> -Disable allowguest if using SIP
> >>
> >>
> >> Thoughts anyon> >> Thanks,
> >> Mart
> >>
> >>
> >>
> >> Darrick Hartman wrote:
> >>   >>> David,
> >>>
> >>> You could use openvpn to secure the connection.  MAC address >>> 
> >>> restrictions are pretty weak and easy to spoof.
> >>>
> >>> Darrick
> >>>
> >>> David Kerr wrote:
> >>>     >>>> I would like to permit a softphone on my laptop to connect to my 
> >>> >>>> astlinux box from anywhere in the world. This would mean keeping 
> >>> port >>>> 5060 open, which is a potential security risk?  Is there a way 
> >>> to >>>> restrict access by mac address? so that my softphone on *my* 
> >>> laptop ca >>>> connect, but no one else's can (even if they know the 
> >>> extension/passwod.
> >>>>
> >>>> Thanks.
> >>>> David
> >>>>
> >>>> On Mon, Nov 10, 2008 at 2:40 PM, Daniel Aeberli <[EMAIL PROTECTED]> >>>> 
> >>>> wrote:
> >>>>
> >>>>     Hi Darrick,
> >>>>
> >>>>     You right, I had miss-configured my Firewall: I open the voip port 
> >>>> when
> >>>>     I initially was try to my Asterisk trunk working. As I now know, te
> >>>>     trunk goes through a tunnel so I closed them just after my last pot 
> >>>> and
> >>>>     everything still works (no duh).
> >>>>
> >>>>     I still need to dig into my config (Firewall and Asterisk), I'm sue I
> >>>>     have other doors wide open why I tried to get things working.
> >>>>
> >>>> >>>>
> >>>>     Daniel
> >>>>
> >>>>
> >>>>
> >>>>     Darrick Hartman a écrit :
> >>>>      > Daniel,
> >>>>      >
> >>>>      > Not necessarily.  It sounds like you have the firewall 
> >>>> misconfiured.
> >>>>      > What ports are you opening?  You should really only have your sh
> >>>>     port
> >>>>      > and vpn port open.  All others should be closed.  How are these
> >>>>     people
> >>>>      > getting in?
> >>>>      >
> >>>>      > Darrick
> >>>>      >
> >>>>      > Daniel Aeberli wrote:
> >>>>      >
> >>>>      >> Sorry, just realised this is more an Astersik general question
> >>>>     than a
> >>>>      >> ASTLinux one ... of to search other forums...
> >>>>      >>
> >>>>      >> Daniel Aeberli a écrit :
> >>>>      >>
> >>>>      >>> Well after the brute force attack ssh login attempts, last
> >>>>     month, I have
> >>>>      >>> an undesirable outsider that successfully made calls from my
> >>>>     ASTlinux
> >>>>      >>> box. I locked out the brute force, by disabling WAN requests,
> >>>>     turning of
> >>>>      >>> WAN ping response and turning off ssh access,  but obviously y
> >>>>     box is
> >>>>      >>> not secure.
> >>>>      >>>
> >>>>      >>> I'm not savvy enough to know how to secure by AstLinux box fr> 
> >>>> >>>>     outside
> >>>>      >>> callers (hackers). I only use AstLinux to call my parents
> >>>>     AstLinux box
> >>>>      >>> via a VPN trunk over our ADSL lines. All my local calls go via
> >>>>     ISDN line
> >>>>      >>> (since I have to have it for the ADSL link and local call are
> >>>>     free).
> >>>>      >>>
> >>>>      >>> Could someone tell me how to lock outside calls (internet /
> >>>>     ADSL) from
> >>>>      >>> using my ISDN lines?
> >>>>      >>>
> >>>>      >>> Thanks
> >>>>      >>>
> >>>>      >>> Daniel
> >>>>      >>>
> >>>>      >>>
> >>>>     
> >>>> ------------------------------------------------------------------------
> >>>>      >>> This SF.Net email is sponsored by the Moblin Your Move
> >>>>     Developer's challenge
> >>>>      >>> Build the coolest Linux based applications with Moblin SDK &
> >>>>     win great prizes
> >>>>      >>> Grand prize is a trip for two to an Open Source event anywhere
> >>>>     in the world
> >>>>      >>> http://moblin-contest.org/redirect.php?banner_id0&url=/
> >>>>     <http://moblin-contest.org/redirect.php?banner_id0&url=/>
> >>>>      >>> _______________________________________________
> >>>>      >>> Astlinux-users mailing list
> >>>>      >>> [EMAIL PROTECTED]> >>>>     
> >>>> <mailto:Astlinux-users@lists.sourceforge.net>
> >>>>      >>> https://lists.sourceforge.net/lists/listinfo/astlinux-users
> >>>>      >>>
> >>>>      >>> Donations to support AstLinux are graciously accepted via
> >>>>     PayPal to [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>.
> >>>>      >>>
> >>>>      >>>
> >>>>      >>
> >>>>     
> >>>> ------------------------------------------------------------------------
> >>>>      >> This SF.Net email is sponsored by the Moblin Your Move
> >>>>     Developer's challenge
> >>>>      >> Build the coolest Linux based applications with Moblin SDK & wn
> >>>>     great prizes
> >>>>      >> Grand prize is a trip for two to an Open Source event anywhere
> >>>>     in the world
> >>>>      >> http://moblin-contest.org/redirect.php?banner_id0&url=/
> >>>>     <http://moblin-contest.org/redirect.php?banner_id0&url=/>
> >>>>      >> _______________________________________________
> >>>>      >> Astlinux-users mailing list
> >>>>      >> Astlinux-users@lists.sourceforge.net
> >>>>     <mailto:Astlinux-users@lists.sourceforge.net>
> >>>>      >> https://lists.sourceforge.net/lists/listinfo/astlinux-users
> >>>>      >>
> >>>>      >> Donations to support AstLinux are graciously accepted via PayPl
> >>>>     to paypa> >>>>      >>
> >>>>      >
> >>>>      >
> >>>>      >
> >>>>     
> >>>> ------------------------------------------------------------------------
> >>>>      > This SF.Net email is sponsored by the Moblin Your Move
> >>>>     Developer's challenge
> >>>>      > Build the coolest Linux based applications with Moblin SDK & win
> >>>>     great prizes
> >>>>      > Grand prize is a trip for two to an Open Source event anywhere n
> >>>>     the world
> >>>>      > http://moblin-contest.org/redirect.php?banner_id0&url=/
> >>>>     <http://moblin-contest.org/redirect.php?banner_id0&url=/>
> >>>>      > _______________________________________________
> >>>>      > Astlinux-users mailing list
> >>>>      > Astlinux-users@lists.sourceforge.net
> >>>>     <mailto:Astlinux-users@lists.sourceforge.net>
> >>>>      > https://lists.sourceforge.net/lists/listinfo/astlinux-users
> >>>>      >
> >>>>      > Donations to support AstLinux are graciously accepted via PayPal
> >>>>     to [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>.
> >>>>      >
> >>>>
> >>>>
> >>>>     
> >>>> ------------------------------------------------------------------------
> >>>>     This SF.Net email is sponsored by the Moblin Your Move Developer's
> >>>>     challenge
> >>>>     Build the coolest Linux> >>>>     great prizes
> >>>>     Grand prize is a trip for two to an Open Source event anywhere in
> >>>>     the world
> >>>>     http://moblin-contest.org/redirect.php?banner_id0&url=/
> >>>>     <http://moblin-contest.org/redirect.php?banner_id0&url=/>
> >>>>     _______________________________________________
> >>>>     Astlinux-users mailing list
> >>>>     Astlinux-users@lists.sourceforge.net
> >>>>     <mailto:Astlinux-users@lists.sourceforge.net>
> >>>>     https://lists.sourceforge.net/lists/listinfo/astlinux-users
> >>>>
> >>>>     Donations to support AstLinux are graciously accepted via PayPal to
> >>>>     [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>.
> >>>>
> >>>>
> >>>>
> >>>> -----------------------------------------------------------------------
> >>>>
> >>>> ------------------------------------------------------------------------
> >>>> This SF.Net email is sponsored by the Moblin Your Move Developer's 
> >>>> chalenge
> >>>> Build the coolest Linux based applications with Moblin SDK & win 
> >>>> greatprizes
> >>>> Grand prize is a trip for two to an Open Source event anywhere in the 
> >>>> orld
> >>>> http://moblin-contest.org/redirect.php?banner_id0&url=/
> >>>>
> >>>>
> >>>> -----------------------------------------------------------------------
> >>>>
> >>>> _______________________________________________
> >>>> Astlinux-users mailing list
> >>>> Astlinux-users@lists.sourceforge.net
> >>>> https://lists.sourceforge.net/lists/listinfo/astlinux-users
> >>>>
> >>>> Donations to support AstLinux are graciously accepted via PayPal to 
> >>>> [EMAIL PROTECTED]
> >>>>       >>> 
> >>>> ------------------------------------------------------------------------
> >>> This SF.Net email is sponsored by the Moblin Your Move Developer's 
> >>> chalenge
> >>> Build the coolest Linux based applications with Moblin SDK & win great 
> >>> rizes
> >>> Grand prize is a trip for two to an Open Source event anywhere in the wrld
> >>> http://moblin-contest.org/redirect.php?banner_id0&url=/
> >>> _______________________________________________
> >>> Astlinux-users mailing list
> >>> Astlinux-users@lists.sourceforge.net
> >>> https://lists.sourceforge.net/lists/listinfo/astlinux-users
> >>>
> >>> Donations to support AstLinux are graciously accepted via PayPal to 
> >>> [EMAIL PROTECTED]
> >>>
> >>>     >>
> >> -------------------------------------------------------------------------
> >> This SF.Net email is sponsored by the Moblin Your Move Developer's challnge
> >> Build the coolest Linux based applications with Moblin SDK & win great 
> >> pizes
> >> Grand pri> >> http://moblin-contest.org/redirect.php?banner_id0&url=/
> >> _______________________________________________
> >> Astlinux-users mailing list
> >> Astlinux-users@lists.sourceforge.net
> >> https://lists.sourceforge.net/lists/listinfo/astlinux-users
> >>
> >> Donations to support AstLinux are graciously accepted via PayPal to [EMAIL 
> >> PROTECTED]
> >>
> >>
> >>   > > > 
> >> ------------------------------------------------------------------------
> > > -------------------------------------------------------------------------
> > This SF.Net email is sponsored by the Moblin Your Move Developer's challege
> > Build the coolest Linux based applications with Moblin SDK & win great przes
> > Grand prize is a trip for two to an Open Source event anywhere in the word
> > http://moblin-contest.org/redirect.php?banner_id0&url=/
> > > > ------------------------------------------------------------------------
> > > _______________________________________________
> > Astlinux-users mailing list
> > Astlinux-users@lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/astlinux-users
> > > Donations to support AstLinux are graciously accepted via PayPal to 
> > > [EMAIL PROTECTED]
> 
> -------------------------------------------------------------------------
> Th> Build the coolest Linux based applications with Moblin SDK & win great 
> prizs
> Grand prize is a trip for two to an Open Source event anywhere in the world
> http://moblin-contest.org/redirect.php?banner_id0&url=/
> _______________________________________________
> Astlinux-users mailing list
> Astlinux-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/astlinux-users
> 
> Donations to support AstLinux are graciously accepted via PayPal to [EMAIL 
> PROTECTED]

--
Darrick Hartman
DJH Solutions, LLC
http://www.djhsolutions.com
920.901.3113 M
920.547.4535 O


-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/
_______________________________________________
Astlinux-users mailing list
Astlinux-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/astlinux-users

Donations to support AstLinux are graciously accepted via PayPal to [EMAIL 
PROTECTED]

Re: [Astlinux-users] Securing Astlinux 0.6.1

Reply via email to