Re: [asterisk-users] Binding to 0.0.0.0 a security risk?
On 02/08/2012 04:29 AM, Tony Mountifield wrote:
> In article <4f324279.70...@message-id.plonk.de>, Jakob Hirsch wrote:
>> Raj Mathur (राज माथुर), 2012-02-08 03:27:
>>> Packets not going out on the same interface as the one they were
>>> received on is a general IP issue, not just for connectionless
>>
>> Right, this was an inaccuracy. It should say "Asterisk does not reply with the IP address with which packets were received". Asterisk (as most applications) does not care about network interfaces, it just handles IP addresses.
>>
>>> protocols. The same behaviour can be seen with TCP too. Unless you
>>> mangle with iptables or something, all information about the received
>>
>> A TCP connection is defined by the tuple (source host&port, destination host&port), so if you write to a TCP socket, the kernel knows which source address it has to use (and also which destination address, so the application doesn't need to know that at all).
>>
>> As there's no such relation in UDP, the application has to provide the destination address. The kernel then decides which source address to use, as long as the application did not bind() to a specific address.
>
> This is why some UDP servers such as for DNS and NTP create a separate socket bound specifically to each local IP address. Then by sending a response via the same socket as the request was received on, it can be reasonably sure that the response will go out on the right interface.
>
> Maybe Asterisk does or could do the same. I haven't checked.

Well, 'Asterisk' is very broad, because really you are talking about each Asterisk module that can bind to sockets... and there are many of them.

In the case of chan_iax2, multiple bindings are possible, and manual configuration could be done to individually bind to each address you want to provide services on (even if some of those addresses are configured on the same interface). Responses will be sent over the same socket the request was received on.

In the case of chan_sip, only one UDP binding is possible (and one TCP/TLS binding). The code *could* be improved to handle multiple bindings, but it would be a large and invasive effort to do so. I've had thoughts in the past about this, and it would even be possible to make this automatic (for systems where virtual hosting is being done), and have sockets automatically bound to new IP addresses that are discovered at run time... but that would still require that chan_sip be improved to properly handle fully multi-threaded operation for all of its data structures and operations.

Alternatively, Olle Johansson has some patches that allow multiple instances of chan_sip to be loaded simultaneously; this could also be used to provide the sort of 'multiple binding' being talked about here.

--
Kevin P. Fleming
Digium, Inc. | Director of Software Technologies
Jabber: kflem...@digium.com | SIP: kpflem...@digium.com | Skype: kpfleming
445 Jan Davis Drive NW - Huntsville, AL 35806 - USA
Check us out at www.digium.com & www.asterisk.org

--
Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
http://www.asterisk.org/hello

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [asterisk-users] Binding to 0.0.0.0 a security risk?
In article <4f324279.70...@message-id.plonk.de>, Jakob Hirsch wrote:
> Raj Mathur (राज माथुर), 2012-02-08 03:27:
>> Packets not going out on the same interface as the one they were
>> received on is a general IP issue, not just for connectionless
>
> Right, this was an inaccuracy. It should say "Asterisk does not reply with the IP address with which packets were received". Asterisk (as most applications) does not care about network interfaces, it just handles IP addresses.
>
>> protocols. The same behaviour can be seen with TCP too. Unless you
>> mangle with iptables or something, all information about the received
>
> A TCP connection is defined by the tuple (source host&port, destination host&port), so if you write to a TCP socket, the kernel knows which source address it has to use (and also which destination address, so the application doesn't need to know that at all).
>
> As there's no such relation in UDP, the application has to provide the destination address. The kernel then decides which source address to use, as long as the application did not bind() to a specific address.

This is why some UDP servers such as for DNS and NTP create a separate socket bound specifically to each local IP address. Then by sending a response via the same socket as the request was received on, it can be reasonably sure that the response will go out on the right interface.

Maybe Asterisk does or could do the same. I haven't checked.

Cheers
Tony
--
Tony Mountifield
Work: t...@softins.co.uk - http://www.softins.co.uk
Play: t...@mountifield.org - http://tony.mountifield.org
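The mechanics Jakob and Tony describe above (a UDP reply's source address is left to the kernel unless the application bound a specific address; DNS and NTP servers avoid that by binding one socket per local address and replying through the receiving socket) and the approach FreeRADIUS's "--with-udpfromto" switch enables elsewhere in this thread can all be reproduced on one Linux host, because Linux treats the whole 127.0.0.0/8 as local. The following is an added example written for this page, not Asterisk or FreeRADIUS code. The responder, the client probe, the mode names, the use of 127.0.0.2 as a second local address, and the fallback value 8 for IP_PKTINFO (the Linux constant, used only when the Python socket module does not export it) are this example's own assumptions.

```python
"""Added example: how a UDP responder's reply source address gets chosen.

Three strategies, probed on loopback (Linux treats all of 127.0.0.0/8 as local):
  "wildcard" - bind 0.0.0.0 and answer with sendto(): the kernel picks the
               source address from its route to the client, which need not be
               the address the request was sent to.
  "per-addr" - one socket per local address, answer through the socket the
               request arrived on (the DNS/NTP-server approach).
  "pktinfo"  - one 0.0.0.0 socket, read the request's destination address from
               the IP_PKTINFO control message and stamp it onto the reply
               (the udpfromto technique).
"""
import socket
import struct
import sys
import threading

# socket.IP_PKTINFO is not exported by every Python build; 8 is the Linux value.
IP_PKTINFO = getattr(socket, "IP_PKTINFO", 8)
PKTINFO_FMT = "I4s4s"  # struct in_pktinfo: ipi_ifindex, ipi_spec_dst, ipi_addr
PKTINFO_LEN = struct.calcsize(PKTINFO_FMT)


def pktinfo_supported() -> bool:
    """The IP_PKTINFO handling below is Linux-specific."""
    return sys.platform.startswith("linux")


def can_bind(addr: str) -> bool:
    """True if a UDP socket can be bound to addr on this host."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        try:
            s.bind((addr, 0))
            return True
        except OSError:
            return False


def _serve_sendto(sock: socket.socket) -> None:
    """Answer one datagram through the socket it arrived on. The kernel picks
    the reply's source address unless this socket was bound to a specific one."""
    try:
        data, peer = sock.recvfrom(2048)
        sock.sendto(b"reply:" + data, peer)
    except OSError:  # timed out or closed while idle: this socket saw no request
        pass


def _serve_pktinfo(sock: socket.socket) -> None:
    """Answer one datagram, forcing the reply's source to the request's destination."""
    try:
        data, ancdata, _flags, peer = sock.recvmsg(2048, socket.CMSG_SPACE(PKTINFO_LEN))
        for level, ctype, cdata in ancdata:
            if level == socket.IPPROTO_IP and ctype == IP_PKTINFO:
                _ifindex, _spec_dst, dst_addr = struct.unpack(PKTINFO_FMT, cdata[:PKTINFO_LEN])
                # On send, ipi_spec_dst is the source address the kernel must use.
                cmsg = struct.pack(PKTINFO_FMT, 0, dst_addr, b"\0" * 4)
                sock.sendmsg([b"reply:" + data], [(socket.IPPROTO_IP, IP_PKTINFO, cmsg)], 0, peer)
                return
        sock.sendto(b"reply:" + data, peer)  # no control message: fall back to kernel choice
    except OSError:
        pass


def reply_source(mode: str, bind_addrs, dst_addr: str,
                 client_addr: str = "127.0.0.1", timeout: float = 2.0) -> str:
    """Start a throwaway responder in `mode` bound to bind_addrs, send one request
    from client_addr to dst_addr, and return the source IP the client sees on the reply."""
    socks, port = [], 0
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        for addr in bind_addrs:
            s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
            s.settimeout(timeout)
            if mode == "pktinfo":
                s.setsockopt(socket.IPPROTO_IP, IP_PKTINFO, 1)  # deliver the destination address
            s.bind((addr, port))
            port = s.getsockname()[1]  # all responder sockets share the first port the kernel picked
            socks.append(s)
        handler = _serve_pktinfo if mode == "pktinfo" else _serve_sendto
        for s in socks:
            threading.Thread(target=handler, args=(s,), daemon=True).start()
        client.settimeout(timeout)
        client.bind((client_addr, 0))
        client.sendto(b"ping", (dst_addr, port))
        _data, (src_ip, _src_port) = client.recvfrom(2048)
        return src_ip
    finally:
        client.close()
        for s in socks:
            s.close()


if __name__ == "__main__":
    print("per-addr 127.0.0.1 ->", reply_source("per-addr", ["127.0.0.1"], "127.0.0.1"))
    if can_bind("127.0.0.2"):
        print("wildcard 127.0.0.2 ->", reply_source("wildcard", ["0.0.0.0"], "127.0.0.2"))
        print("per-addr 127.0.0.2 ->", reply_source("per-addr", ["127.0.0.1", "127.0.0.2"], "127.0.0.2"))
        if pktinfo_supported():
            print("pktinfo  127.0.0.2 ->", reply_source("pktinfo", ["0.0.0.0"], "127.0.0.2"))
```

Sending the request to 127.0.0.2 from a client at 127.0.0.1 is the loopback equivalent of a request arriving on eth1 while the default route points at eth0: the wildcard responder answers from 127.0.0.1, the per-address and pktinfo responders answer from 127.0.0.2. The same probe, pointed at a real service, is a quick way to confirm the address a responder actually answers from before relying on it in a firewall policy.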
Re: [asterisk-users] Binding to 0.0.0.0 a security risk?
Raj Mathur (राज माथुर), 2012-02-08 03:27:
> Packets not going out on the same interface as the one they were
> received on is a general IP issue, not just for connectionless

Right, this was an inaccuracy. It should say "Asterisk does not reply with the IP address with which packets were received". Asterisk (as most applications) does not care about network interfaces, it just handles IP addresses.

> protocols. The same behaviour can be seen with TCP too. Unless you
> mangle with iptables or something, all information about the received

A TCP connection is defined by the tuple (source host&port, destination host&port), so if you write to a TCP socket, the kernel knows which source address it has to use (and also which destination address, so the application doesn't need to know that at all).

As there's no such relation in UDP, the application has to provide the destination address. The kernel then decides which source address to use, as long as the application did not bind() to a specific address.
Re: [asterisk-users] Binding to 0.0.0.0 a security risk?
On Tuesday 07 Feb 2012, Jakob Hirsch wrote:
> Steve Edwards, 2012-02-06 01:43:
>> Unfortunately, (IIRC) Asterisk does not reply to the same interface
>> packets are received from which limits the usefulness of multiple
>> interfaces.
>
> Right, that's what I also observed. We had to take special measures to handle this. The problem lies in the nature of connectionless protocols as UDP. We also use freeradius, which does it right by itself (but still needs a compile time switch "--with-udpfromto" for it).

Packets not going out on the same interface as the one they were received on is a general IP issue, not just for connectionless protocols. The same behaviour can be seen with TCP too. Unless you mangle with iptables or something, all information about the received interface has been stripped from the packet by the time it reaches the IP layer.

Regards,

-- Raj
--
Raj Mathur || r...@kandalaya.org || GPG:
http://otheronepercent.blogspot.com || http://kandalaya.org || CC68
It is the mind that moves || http://schizoid.in || D17F
Re: [asterisk-users] Binding to 0.0.0.0 a security risk?
On 07/02/12 05:29, Gordon Messmer wrote:
> On 02/06/2012 03:27 PM, Josh wrote:
>>> Why do you see binding to 0.0.0.0 to be a security risk?
>>
>> Purely because a response from Asterisk can be received as a result of a connection on *any* interface on the system/machine. If I have Asterisk confined to, say, 2 interfaces - eth0 (10.1.1.1) and eth1 (10.2.1.1) then a request over a third/subsequent interface cannot be served - it is not normally possible.
>>
>> When Asterisk binds to 0.0.0.0 that is not the case and request over a third/subsequent interface *can* be served by Asterisk (provided the routing is setup properly, that is).
>
> All of that is true, but none of it appears to be a security concern, specifically.

If you are connecting to the public internet, then it is much more important to think about

a) do you really expose your Asterisk directly, or hide it behind a SIP router such as Kamailio?

b) should you be using TLS (which is connection oriented and secured with certificates) rather than UDP? Everyone who connects with a cert has been screened in some way by a CA.

c) if using TLS (or even just TCP), why not have the extra security of a port-forwarding from a firewall to the Asterisk TLS port? Then no other ports or addresses on the Asterisk box are exposed.
Re: [asterisk-users] Binding to 0.0.0.0 a security risk?
On 07-02-12 18:41, Josh wrote:
> [snip]
>
> Thanks, another mystery solved then - Asterisk does rely on the Linux/Unix routing, in which case I would definitely need to take care of the SNAT/DNAT and proper routing/forwarding of packets between interfaces using core Linux/Unix tools. Am I correct in thinking that?

Yes.

Regards,
Patrick
Re: [asterisk-users] Binding to 0.0.0.0 a security risk?
> All of that is true, but none of it appears to be a security concern, specifically.

For you, maybe, but from where I am sitting, I don't want to rely solely on netfilter/iptables to protect me when I could physically restrict Asterisk from binding to that interface (and answering such requests) - that will serve me well in the event netfilter/iptables is somehow compromised (see my previous post).

> It's possible for an application to bind a socket to a specific interface, but very few do. Generally speaking, server applications bind a socket to an address. The kernel decides what interface that packets are sent on. Normally that will be the interface that has the lowest cost default route, not necessarily the one on which a connection was initiated. That is why I noted previously that you have to use connection tracking, packet mangling, and ip rules for multi-homed hosts.
>
> If you've never verified that your packets are being routed out the interface you expect (probably with tcpdump), perhaps you should.

Yeah, that was already clarified by another poster - I assumed (wrongly, as it turned out) that Asterisk, somehow, could "automagically" take care of directing sip/voip packets between interfaces and also take care of all the other related issues. As I understand it now, I will have to reconfigure this myself by using the standard Linux/Unix tools (ip & iptables mostly).

Thanks for the clarification yet again!
Re: [asterisk-users] Binding to 0.0.0.0 a security risk?
> As far as I know, Asterisk would use the default Linux/Unix routing algorithms to send packets out, in which case yes: responses may not go out on the same interface packets were received on. E.g. if you receive packets with non-LAN IP addresses on eth0, while your default route is set to eth1, in the absence of custom routing Linux will send the responses over eth1.

Thanks, another mystery solved then - Asterisk does rely on the Linux/Unix routing, in which case I would definitely need to take care of the SNAT/DNAT and proper routing/forwarding of packets between interfaces using core Linux/Unix tools. Am I correct in thinking that?
Re: [asterisk-users] Binding to 0.0.0.0 a security risk?
Steve Edwards, 2012-02-06 01:43:
> Unfortunately, (IIRC) Asterisk does not reply to the same interface
> packets are received from which limits the usefulness of multiple
> interfaces.

Right, that's what I also observed. We had to take special measures to handle this. The problem lies in the nature of connectionless protocols as UDP. We also use freeradius, which does it right by itself (but still needs a compile time switch "--with-udpfromto" for it).
Re: [asterisk-users] Binding to 0.0.0.0 a security risk?
On 02/06/2012 03:27 PM, Josh wrote:
>> Why do you see binding to 0.0.0.0 to be a security risk?
>
> Purely because a response from Asterisk can be received as a result of a connection on *any* interface on the system/machine. If I have Asterisk confined to, say, 2 interfaces - eth0 (10.1.1.1) and eth1 (10.2.1.1) then a request over a third/subsequent interface cannot be served - it is not normally possible.
>
> When Asterisk binds to 0.0.0.0 that is not the case and request over a third/subsequent interface *can* be served by Asterisk (provided the routing is setup properly, that is).

All of that is true, but none of it appears to be a security concern, specifically.

>> If you have 3 or more interfaces (or you need to just bind to some subset), you should have the skills to configure 'iptables.'
>
> I do, but that is not the point - do you rely on microsoft for the security of your own desktop system (if you have one running windows that is) or do you take it into your own hands and make sure it is properly implemented? I don't know about you, but I am firmly in the latter category.

As am I, but that has nothing to do with socket binding. The simile doesn't even make sense.

>> Unfortunately, (IIRC) Asterisk does not reply to the same interface packets are received from which limits the usefulness of multiple interfaces.
>
> What do you mean by that? If a request is received over eth1 are you saying that Asterisk does not respond over the same interface?!

It's possible for an application to bind a socket to a specific interface, but very few do. Generally speaking, server applications bind a socket to an address. The kernel decides what interface that packets are sent on. Normally that will be the interface that has the lowest cost default route, not necessarily the one on which a connection was initiated. That is why I noted previously that you have to use connection tracking, packet mangling, and ip rules for multi-homed hosts.

If you've never verified that your packets are being routed out the interface you expect (probably with tcpdump), perhaps you should.
Re: [asterisk-users] Binding to 0.0.0.0 a security risk?
On Tuesday 07 Feb 2012, Josh wrote:
> [snip]
>> Unfortunately, (IIRC) Asterisk does not reply to the same interface
>> packets are received from which limits the usefulness of multiple
>> interfaces.
>
> What do you mean by that? If a request is received over eth1 are you saying that Asterisk does not respond over the same interface?!

As far as I know, Asterisk would use the default Linux/Unix routing algorithms to send packets out, in which case yes: responses may not go out on the same interface packets were received on. E.g. if you receive packets with non-LAN IP addresses on eth0, while your default route is set to eth1, in the absence of custom routing Linux will send the responses over eth1.

There are ways to overcome this for specific situations, but no general method that I'm aware of (though I'm happy to be corrected).

Regards,

-- Raj
--
Raj Mathur || r...@kandalaya.org || GPG:
http://otheronepercent.blogspot.com || http://kandalaya.org || CC68
It is the mind that moves || http://schizoid.in || D17F
Re: [asterisk-users] Binding to 0.0.0.0 a security risk?
> While usually thread hijacking is not something that should be done, in this case thank you for hijacking it as the OP on his original topic was way off topic.

Why is that - I think I posted legitimate questions/queries with regards to the installation, configuration and running of Asterisk - how is that "off-topic"?

> Asterisk can quite nicely deal with NAT provided you set it up right. That said the answer to your question is it doable? yes it is. Next time do lots of hands on and you'll see for yourself. The reason I see this as off topic is because it was mainly routing questions you had which is linux and not asterisk.

I disagree - my original questions were with regards to installing, setting up and using Asterisk in a multi-interface environment (NAT, as well as restricting Asterisk to which interface it needs to bind to is part of that process as far as I know). My questions are not how to do general NAT - I am perfectly capable of implementing that, having over 18 years experience with that sort of thing, thank you. My questions were more on how/whether Asterisk deals (or whether it is capable of dealing) with NAT and all the other issues I raised in my initial post.

One last thing though - drop the attitude - if you are not willing/capable of contributing anything to this thread just move along - there is nothing to see here.

> Everyone knows? Not me. From Steve's post I understand that neither does he know. Do you mind explaining this?

See my previous post.
Re: [asterisk-users] Binding to 0.0.0.0 a security risk?
> Why do you see binding to 0.0.0.0 to be a security risk?

Purely because a response from Asterisk can be received as a result of a connection on *any* interface on the system/machine. If I have Asterisk confined to, say, 2 interfaces - eth0 (10.1.1.1) and eth1 (10.2.1.1) then a request over a third/subsequent interface cannot be served - it is not normally possible.

When Asterisk binds to 0.0.0.0 that is not the case and request over a third/subsequent interface *can* be served by Asterisk (provided the routing is setup properly, that is).

> If you only have 1 interface, what's the difference?

I don't, as is evident from my initial post.

> If you have 2 interfaces, just bind to one or the other.

I don't - see above.

> If you have 3 or more interfaces (or you need to just bind to some subset), you should have the skills to configure 'iptables.'

I do, but that is not the point - do you rely on microsoft for the security of your own desktop system (if you have one running windows that is) or do you take it into your own hands and make sure it is properly implemented? I don't know about you, but I am firmly in the latter category.

> Unfortunately, (IIRC) Asterisk does not reply to the same interface packets are received from which limits the usefulness of multiple interfaces.

What do you mean by that? If a request is received over eth1 are you saying that Asterisk does not respond over the same interface?!
Re: [asterisk-users] Binding to 0.0.0.0 a security risk?
While usually thread hijacking is not something that should be done, in this case thank you for hijacking it as the OP on his original topic was way off topic.

First for the OP's original question. Everything with IP routing up to layer 4 is handled by Linux not by Asterisk. However, SIP might have some signaling and/or headers that include an IP address on something higher than layer 3 which is where Asterisk comes in play. Asterisk can quite nicely deal with NAT provided you set it up right. That said the answer to your question is it doable? yes it is. Next time do lots of hands on and you'll see for yourself. The reason I see this as off topic is because it was mainly routing questions you had which is Linux and not Asterisk.

On Sun, Feb 5, 2012 at 7:43 PM, Steve Edwards wrote:
> On Sun, 5 Feb 2012, Josh wrote:
>
>> I am a bit baffled though - Asterisk has existed for quite a while now and
>> I am not sure why this wasn't implemented sooner - everyone knows that using
>> 0.0.0.0 is a security risk.

Everyone knows? Not me. From Steve's post I understand that neither does he know. Do you mind explaining this?

>
> Why do you see binding to 0.0.0.0 to be a security risk?
>
> If you only have 1 interface, what's the difference?
>
> If you have 2 interfaces, just bind to one or the other.
>
> If you have 3 or more interfaces (or you need to just bind to some subset),
> you should have the skills to configure 'iptables.'
>
> Unfortunately, (IIRC) Asterisk does not reply to the same interface packets
> are received from which limits the usefulness of multiple interfaces.
[asterisk-users] Binding to 0.0.0.0 a security risk?
On Sun, 5 Feb 2012, Josh wrote:

> I am a bit baffled though - Asterisk has existed for quite a while now and I am not sure why this wasn't implemented sooner - everyone knows that using 0.0.0.0 is a security risk.

Why do you see binding to 0.0.0.0 to be a security risk?

If you only have 1 interface, what's the difference?

If you have 2 interfaces, just bind to one or the other.

If you have 3 or more interfaces (or you need to just bind to some subset), you should have the skills to configure 'iptables.'

Unfortunately, (IIRC) Asterisk does not reply to the same interface packets are received from which limits the usefulness of multiple interfaces.

--
Thanks in advance,
-
Steve Edwards | sedwa...@sedwards.com | Voice: +1-760-468-3867 PST
Newline | Fax: +1-760-731-3000