RE: [asterisk-users] How do you harden an Asterisk install?
-----Original Message-----
From: Jean-Michel Hiver [mailto:[EMAIL PROTECTED]
Sent: Friday, July 14, 2006 10:52 PM
To: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: Re: [asterisk-users] How do you harden an Asterisk install?

> shadowym wrote:
>> I remember reading a small write up somewhere. I think it was on the Asterisk Wiki. [-snip-] Can anyone recommend a good guide or even some of their own suggestions.
>
> Maybe use a solid-state fanless computer, with no moving parts? It means a low power consumption CPU (probably Via), a good thermal design, and a solid state disk (flash disk or CF + Adapter).
>
> Cheers,
> Jean-Michel.

I have given that serious thought for smaller installations. Astlinux on an Itx using CF apparently works very very well! My testing of Astlinux on 586 using CF has gone quite well. Can't use FreePBX or most other GUIs though, but it's a good compromise.

___
--Bandwidth and Colocation provided by Easynews.com --
asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [asterisk-users] How do you harden an Asterisk install?
On Thu, Jul 13, 2006 at 11:53:19PM -0500, Rich Adamson wrote:
> shadowym wrote:
>> Thanks for the suggestions but I specifically asked for options OTHER than a second server. [-snip-]
>
> From a linux command line, run netstat -a or netstat -an and

netstat -lnut

or (less nice for formatting, requires root, but gives more data)

netstat -lnutp

-l: only listening ports. Why bother with existing connections?
-n: numbers instead of names
-u: udp, -t: tcp: because you don't want to see all the unix-domain sockets. Alternatively: --ip
-p: will tell you which process listens on the port

> identify every tcp udp port that has a state of listen. You'll probably find several that you were not aware of. Research what the ports are used for and disable as needed. If you don't / can't disable the function using the port, then use a firewall or router access list to block internet folks from accessing the machine on those ports.
>
> Or, download and run nmap to identify open ports remotely. Download and run nessus (security scanner) against your server.

There are many old versions of Nessus floating around. An old scanner's OK is not that good.

> Review your asterisk config files and make sure you understand exactly what default contexts are implemented, and address those as needed.

Don't provide access through protocols that are not required from other hosts. Specifically the manager interface.

> Subscribe to any of several security lists that track linux distro vulnerabilities and patch your distro as needed. One such advisory service is available at http://secunia.com/advisories .

Even more important: base yourself on a distribution that fixes the security problems for you. You will never have the resources to track, test and apply all of those fixes, unless you're a full-time-job security consultant.

-- 
Tzafrir Cohen
sip:[EMAIL PROTECTED]  icq#16849755  iax:[EMAIL PROTECTED]
+972-50-7952406  jabber:[EMAIL PROTECTED]
[EMAIL PROTECTED]  http://www.xorcom.com
Re: [asterisk-users] How do you harden an Asterisk install?
Tzafrir Cohen wrote:
> On Thu, Jul 13, 2006 at 11:53:19PM -0500, Rich Adamson wrote:
[-snip-]
> Even more important: base yourself on a distribution that fixes the security problems for you. You will never have the resources to track, test and apply all of those fixes, unless you're a full-time-job security consultant.

Oh, and I forgot in my post to comment on disabling those modules that are not actually needed in your specific implementation. Review the "show modules" output and noload those not needed in modules.conf.
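Tzafrir's netstat -lnutp recipe and Rich's follow-up about noload answer the same question from two ends: which listeners are reachable from the network, and for each one, whether the fix is a noload line in modules.conf, stopping a daemon, or a firewall rule. The script below is an added example, not code from either poster. The netstat output it parses is constructed to look like an Asterisk 1.2 box on a 2006 distro, the WANTED set is an assumed site policy (SIP, IAX2 and ssh only), and ASTERISK_PORTS lists the default ports of the named Asterisk modules.

```python
"""Audit the listening sockets of an Asterisk box from `netstat -lnutp` output.

Added example (not from the thread). The netstat output below is constructed;
the WANTED set is an assumption about what this site intends to expose.
"""
from typing import Dict, List, Set, Tuple

# Default listeners of Asterisk modules, keyed by (proto, port).
ASTERISK_PORTS: Dict[Tuple[str, int], str] = {
    ("udp", 5060): "chan_sip.so",
    ("udp", 4569): "chan_iax2.so",
    ("tcp", 5038): "manager interface (manager.conf: enabled=yes)",
    ("tcp", 2000): "chan_skinny.so",
    ("udp", 2727): "chan_mgcp.so",
    ("tcp", 1720): "chan_h323.so",
}

# Assumed policy for this example: SIP, IAX2 and ssh only.
WANTED: Set[Tuple[str, int]] = {("udp", 5060), ("udp", 4569), ("tcp", 22)}

# Constructed sample, not a capture from a real machine.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      901/mysqld
tcp        0      0 0.0.0.0:5038            0.0.0.0:*               LISTEN      1203/asterisk
tcp        0      0 0.0.0.0:2000            0.0.0.0:*               LISTEN      1203/asterisk
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      777/vsftpd
tcp6       0      0 :::22                   :::*                    LISTEN      812/sshd
udp        0      0 0.0.0.0:5060            0.0.0.0:*                           1203/asterisk
udp        0      0 0.0.0.0:4569            0.0.0.0:*                           1203/asterisk
udp        0      0 0.0.0.0:2727            0.0.0.0:*                           1203/asterisk
udp        0      0 0.0.0.0:111             0.0.0.0:*                           650/portmap
"""


def parse_netstat(text: str) -> List[dict]:
    """Return one dict per socket line. UDP lines carry no State column, so
    the local address is read from the left and the program from the right
    (it is "-" when netstat was run without root)."""
    sockets = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 4 or not f[0].startswith(("tcp", "udp")):
            continue
        proto = f[0][:3]                      # tcp6 -> tcp, udp6 -> udp
        addr, _, port = f[3].rpartition(":")  # handles ":::22" as well
        prog = f[-1].split("/", 1)[1] if "/" in f[-1] else "-"
        sockets.append({"proto": proto, "addr": addr, "port": int(port), "prog": prog})
    return sockets


def audit(text: str, wanted: Set[Tuple[str, int]] = WANTED) -> List[dict]:
    """Flag every socket reachable from the network that policy does not want,
    and say whether the fix is a noload line or a firewall rule."""
    findings = []
    for s in parse_netstat(text):
        key = (s["proto"], s["port"])
        if s["addr"].startswith(("127.", "::1")) or key in wanted:
            continue                          # loopback-only, or intended
        f = dict(s, module=None)
        if s["prog"] == "asterisk" and key in ASTERISK_PORTS:
            f["module"] = ASTERISK_PORTS[key]
            f["advice"] = "opened by " + f["module"] + ": noload it in modules.conf if unused"
        elif s["prog"] == "asterisk":
            f["advice"] = "asterisk listener on an unexpected port: check the conf files"
        else:
            f["advice"] = "not in policy: stop the service, or block it at the firewall"
        findings.append(f)
    return findings


def firewall_rules(findings: List[dict]) -> List[str]:
    """iptables lines for the flagged ports, for services you cannot stop."""
    seen, rules = set(), []
    for f in findings:
        key = (f["proto"], f["port"])
        if key not in seen:
            seen.add(key)
            rules.append(f"iptables -A INPUT -p {f['proto']} --dport {f['port']} -j DROP")
    return rules


if __name__ == "__main__":
    for f in audit(SAMPLE_NETSTAT):
        print(f"{f['proto']}/{f['port']} ({f['prog']}): {f['advice']}")
    print("\n".join(firewall_rules(audit(SAMPLE_NETSTAT))))
```

On the sample it flags the manager port, chan_skinny (2000/tcp) and chan_mgcp (2727/udp) as candidates for `noload => chan_skinny.so` style lines, and ftp and portmap as daemons to stop or firewall; the loopback-only mysqld is left alone. Run `netstat -lnutp | python3 audit.py` style on a real box only after editing WANTED to match what that site actually serves.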
Re: [asterisk-users] How do you harden an Asterisk install?
Sorry - I misread it.

Have you ever had a network card fail in a way that did not lock up every network-bound job on the system? I would think that it would be unlikely that you could recover from that easily.

Yes, redundant drives with RAID-1 are good. If those drives are hot-swappable and the RAID is hardware-based, it is even better. Having a dual-processor setup is also good - I know many servers that have had a CPU die and still worked OK with only 1. Redundant power supplies are good, but only if they are hooked up to separate UPSs.

W

shadowym wrote:
> Thanks for the suggestions but I specifically asked for options OTHER than a second server. Your suggestions about disabling un-needed services are good though. I already do that. I am hoping someone has some suggestions that are not as obvious that I have perhaps not thought of.
Re: [asterisk-users] How do you harden an Asterisk install?
Rich Adamson wrote:
[-snip-]
> Then, back up your config files on something else and wait for your server to be compromised. ;)

For cases where you expect something to be compromised, and potentially overwritten, perhaps by an automated script, a trick that I have found worth using is to move all of the writable files to somewhere (should be /var) and put all of the read-only files under a single directory structure. Then take that structure and make an iso file system out of it with mkisofs. Now remove that filesystem and just leave an empty copy of the root directory. From then on, mount the iso file read only onto the root directory using the loopback device onto the directory in question on boot before the service starts to run.

W
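The trick W describes above, worked through as an added example (not code from his post): split the tree into a writable part and a read-only part, image the read-only part with mkisofs, and produce the mount line. It assumes the service tree is laid out like /opt/asterisk with the subdirectories named in WRITABLE_SUBDIRS, that the writable pieces go to /var/asterisk-rw, and that genisoimage or mkisofs is on the PATH; those paths are placeholders. Mounting needs root, so the mount command is returned rather than executed, and is_readonly() is the check to run afterwards.

```python
"""Package the static part of an Asterisk tree as a read-only ISO, keeping the
writable parts under /var, as W describes above.

Added example, not code from the thread. Assumed layout: the service lives in
a tree like /opt/asterisk with the subdirectories named in WRITABLE_SUBDIRS,
the writable pieces move to /var/asterisk-rw, and mkisofs or genisoimage is
on the PATH. Mounting needs root, so the mount command is returned, not run.
"""
import errno
import os
import shutil
import subprocess
import tempfile
from typing import Dict, List, Optional, Tuple

# Subtrees Asterisk writes at run time: voicemail and CDR spool, logs, the
# pid/control socket, and the astdb Berkeley DB. Everything else can be read-only.
WRITABLE_SUBDIRS = ["spool", "log", "run", "lib/astdb"]


def split_tree(staging: str, writable_root: str,
               writable: List[str] = WRITABLE_SUBDIRS) -> List[Tuple[str, str]]:
    """Move each writable path out of `staging` into `writable_root` and leave
    an absolute symlink behind, so the ISO keeps the original layout.
    Idempotent: paths that are already symlinks are skipped."""
    moved = []
    for rel in writable:
        src, dst = os.path.join(staging, rel), os.path.join(writable_root, rel)
        if os.path.islink(src):
            continue
        os.makedirs(os.path.dirname(src), exist_ok=True)
        os.makedirs(os.path.dirname(dst), exist_ok=True)
        if os.path.exists(src):
            shutil.move(src, dst)
        else:
            os.makedirs(dst, exist_ok=True)   # Asterisk expects the dir to exist
        os.symlink(dst, src)
        moved.append((src, dst))
    return moved


def build_iso(staging: str, iso_path: str) -> Optional[str]:
    """Build a Rock Ridge image (-R keeps symlinks, owners and modes).
    Returns None when neither genisoimage nor mkisofs is installed."""
    tool = shutil.which("genisoimage") or shutil.which("mkisofs")
    if tool is None:
        return None
    subprocess.run([tool, "-quiet", "-R", "-o", iso_path, staging], check=True)
    return iso_path


def mount_lines(iso_path: str, mountpoint: str) -> Dict[str, str]:
    """One-off mount command, and the fstab entry that remounts the image
    read-only at boot before the asterisk init script starts."""
    return {
        "mount": f"mount -t iso9660 -o loop,ro {iso_path} {mountpoint}",
        "fstab": f"{iso_path} {mountpoint} iso9660 loop,ro 0 0",
    }


def is_readonly(mountpoint: str) -> bool:
    """Run as root after mounting: a write must fail with EROFS, otherwise the
    mount did not take and the tree is still editable."""
    probe = os.path.join(mountpoint, ".rw-probe")
    try:
        open(probe, "w").close()
    except OSError as e:
        return e.errno == errno.EROFS
    os.unlink(probe)
    return False


def demo() -> dict:
    """Constructed stand-in tree: one config file, one voicemail, one log."""
    work = tempfile.mkdtemp(prefix="ast-ro-")
    staging, rw = os.path.join(work, "asterisk"), os.path.join(work, "asterisk-rw")
    mailbox = "spool/voicemail/default/100/INBOX/msg0000.txt"
    for rel, body in [("etc/sip.conf", "[general]\n"), (mailbox, "x"), ("log/messages", "")]:
        path = os.path.join(staging, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    moved = split_tree(staging, rw)
    iso = build_iso(staging, os.path.join(work, "asterisk-ro.iso"))
    return {
        "moved": [os.path.relpath(s, staging) for s, _ in moved],
        "spool_is_link": os.path.islink(os.path.join(staging, "spool")),
        "mailbox_moved": os.path.isfile(os.path.join(rw, mailbox)),
        "conf_stays": os.path.isfile(os.path.join(staging, "etc/sip.conf")),
        "iso": iso,
        "mount": mount_lines(iso or "/var/asterisk-ro.iso", "/opt/asterisk"),
    }


if __name__ == "__main__":
    print(demo())
```

Two caveats the post leaves implicit: the image has to be rebuilt and remounted after every configuration change (which is the point, since an attacker who gets a shell cannot edit dialplans or peer definitions either), and the symlinked writable directories are exactly the places to keep watching, because a read-only root does nothing for voicemail, CDRs or the astdb.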
Re: [asterisk-users] How do you harden an Asterisk install?
shadowym wrote:
> I remember reading a small write up somewhere. I think it was on the Asterisk Wiki. I can't find it anymore. It's probably a bit dated by now but some of it would still be relevant. Can anyone recommend a good guide or even some of their own suggestions.

Maybe use a solid-state fanless computer, with no moving parts? It means a low power consumption CPU (probably Via), a good thermal design, and a solid state disk (flash disk or CF + Adapter).

Cheers,
Jean-Michel.
Re: [asterisk-users] How do you harden an Asterisk install?
For the NIC setup you can bond 2 cards together for redundancy. Take a look here for some more info on bonding.

http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/ref-guide/s1-networkscripts-interfaces.html#S2-NETWORKSCRIPTS-INTERFACES-CHAN

On 7/13/06, shadowym [EMAIL PROTECTED] wrote:
> I remember reading a small write up somewhere. I think it was on the Asterisk Wiki. I can't find it anymore. It's probably a bit dated by now but some of it would still be relevant. Can anyone recommend a good guide or even some of their own suggestions.
>
> For clarity, what I mean by hardening is to make an Asterisk Server or network appliance or embedded server or whatever you want to call it, as fail safe, stable, and reliable as possible. Just like an expensive traditional PBX. This is for a small business application of 50 extensions or less. It can't be too crazy like redundant servers or anything like that. I am looking for ideas like RAID 1, redundant power supply, cron job to reboot every night (yuck!), disable caching(?), Astlinux on embedded with CF, yada yada!
>
> Anyway to set up automatic failover to a second Network Card with same IP if primary network card fails? That is one point of failure I haven't found a way around yet. Failure of the managed switch is another one I get a bit paranoid about. Switches generally don't fail but I'd like to have some sort of fail safe plan.

-- 
Tom Vile
Baldwin Technology Solutions, Inc
Consulting - Web Design - VoIP Telephony
www.baldwintechsolutions.com
Phone: 518-631-2855 x205
Fax: 518-631-2856
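For the specific case shadowym asks about (one IP that survives a NIC failure, with no second server), the bonding mode to use is active-backup. The fragment below is an added example in the RHEL 4 style of the document Tom links, not part of his post; the interface names and addresses are placeholders.

```text
# /etc/modprobe.conf  (RHEL 4: driver options live here, addressing in ifcfg-*)
alias bond0 bonding
options bond0 mode=active-backup miimon=100 primary=eth0

# /etc/sysconfig/network-scripts/ifcfg-bond0
DEVICE=bond0
BOOTPROTO=none
ONBOOT=yes
IPADDR=192.168.1.10
NETMASK=255.255.255.0
GATEWAY=192.168.1.1

# /etc/sysconfig/network-scripts/ifcfg-eth0   (ifcfg-eth1 is the same with DEVICE=eth1)
DEVICE=eth0
BOOTPROTO=none
ONBOOT=yes
MASTER=bond0
SLAVE=yes
```

`miimon=100` polls link state every 100 ms and `primary=eth0` makes the bond fall back to the first card once its link returns. Active-backup needs nothing configured on the switch side, unlike 802.3ad, which also means the two slaves can be plugged into two different switches on the same VLAN; that covers the managed-switch failure shadowym mentions as well, since the bond announces the new active slave with gratuitous ARP on failover. After bringing it up, `cat /proc/net/bonding/bond0` shows the "Currently Active Slave" and a per-slave link status; pull the cable on the active one and check that the line changes and that an existing SIP registration does not drop.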
Re: [asterisk-users] How do you harden an Asterisk install?
shadowym wrote:
> I remember reading a small write up somewhere. I think it was on the Asterisk Wiki. [-snip-]
>
> For clarity, what I mean by hardening is to make an Asterisk Server or network appliance or embedded server or whatever you want to call it, as fail safe, stable, and reliable as possible. Just like an expensive traditional PBX. This is for a small business application of 50 extensions or less. It can't be too crazy like redundant servers or anything like that. I am looking for ideas like RAID 1, redundant power supply, cron job to reboot every night (yuck!), disable caching(?), Astlinux on embedded with CF, yada yada!
>
> Anyway to set up automatic failover to a second Network Card with same IP if primary network card fails? That is one point of failure I haven't found a way around yet. Failure of the managed switch is another one I get a bit paranoid about. Switches generally don't fail but I'd like to have some sort of fail safe plan.

You are talking about 2 things:
(1) How to harden a linux box
(2) How to do failover.

For (1), be sure telnet, ftp and any other service you do not need is off. Move standard services to non-standard ports, especially web and ssh. Do not run a name server on the box.

For (2): You need to have a secondary box that runs a mirror copy of Asterisk and mysql and pretty much has everything else configured the same. mysql should be replicated to the second box. You then run a program on the second box that pings the first box. If the first box fails the second takes over the first box's IP and runs with it. There are heartbeat programs that can help out with this.

W
RE: [asterisk-users] How do you harden an Asterisk install?
Thanks for the suggestions but I specifically asked for options OTHER than a second server. Your suggestions about disabling un-needed services are good though. I already do that. I am hoping someone has some suggestions that are not as obvious that I have perhaps not thought of.

-----Original Message-----
From: Warren (mailing lists) [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 13, 2006 12:36 PM
To: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: Re: [asterisk-users] How do you harden an Asterisk install?

> shadowym wrote:
>> I remember reading a small write up somewhere. I think it was on the Asterisk Wiki. [-snip-]
>
> You are talking about 2 things:
> (1) How to harden a linux box
> (2) How to do failover.
> [-snip-]
>
> W
Re: [asterisk-users] How do you harden an Asterisk install?
shadowym wrote:
> Thanks for the suggestions but I specifically asked for options OTHER than a second server. Your suggestions about disabling un-needed services are good though. I already do that. I am hoping someone has some suggestions that are not as obvious that I have perhaps not thought of.

From a linux command line, run netstat -a or netstat -an and identify every tcp udp port that has a state of listen. You'll probably find several that you were not aware of. Research what the ports are used for and disable as needed. If you don't / can't disable the function using the port, then use a firewall or router access list to block internet folks from accessing the machine on those ports.

Or, download and run nmap to identify open ports remotely. Download and run nessus (security scanner) against your server.

Review your asterisk config files and make sure you understand exactly what default contexts are implemented, and address those as needed. iax2 and sip access to the server match certain parameters defined in each context, looking for a match that might include username, secret, IP address, etc. Understand the matching logic and make sure each defined context is used the way it is supposed to be used. (There are likely a fairly large number of asterisk boxes with contexts defined where the implementor thought it was being used, but a different context is actually being used.)

Implement the deny and permit statements where it makes sense to do so, limiting access to a specific IP address or network.

Use lengthy secrets in your sip and iax definitions as it's not all that hard to write code that will repeatedly guess them. (For example, there are apps that can be downloaded to guess account passwords in Microsoft domains. One such app that I tested a while back guessed a user's five-character password in less than five seconds. Changing his password to eight characters required an hour to guess it, and changing the password to eight characters with special symbols required over 24 hours.)

You might also read the sample conf files and look for a parameter that addresses how many incorrect secrets asterisk can see before it slows its responses, essentially minimizing the impact of password guessing apps.

Subscribe to any of several security lists that track linux distro vulnerabilities and patch your distro as needed. One such advisory service is available at http://secunia.com/advisories .

Use "asterisk security" with google and you'll see several references to white papers, wiki pages, etc, for additional items.

Then, back up your config files on something else and wait for your server to be compromised. ;)

R.
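Rich's three config-level points (know which context each entry really lands in, add deny/permit, use long secrets) can be checked mechanically before the box goes on the wire. The script below is an added example, not Rich's code: it parses Asterisk's ini dialect including `[x](!)` templates, then reports, per sip.conf or iax.conf entry, the context it inherits when none is set, missing deny/permit, and secrets under a minimum length. The sample config is constructed, and the 12-character minimum, the peer names and the provider hostname are assumptions.

```python
"""Audit sip.conf / iax.conf entries for the points Rich raises: which context
each entry really lands in, missing deny/permit, and short secrets.

Added example; not from the thread. The config below is constructed; the entry
names, the 12-character minimum and the provider hostname are assumptions.
"""
import re
from typing import Dict, List

MIN_SECRET = 12

# Constructed sample, not a real site's file.
SAMPLE_SIP_CONF = """\
[general]
context=from-trunk        ; where calls from entries without a context land
bindport=5060

[phones](!)               ; template shared by the handsets
type=friend
host=dynamic
context=internal

[100](phones)
secret=1234

[101](phones)
secret=Rt7!vq29KlmP04x
deny=0.0.0.0/0.0.0.0
permit=192.168.1.0/255.255.255.0

[trunk-provider]
type=peer
host=sip.provider.example
"""

HEADER = re.compile(r"^\[([^\]]+)\](?:\((.*)\))?\s*$")


def parse_conf(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Parse Asterisk's ini dialect: `;` comments, `key=value` or
    `key => value`, repeated keys kept in order, `[x](!)` templates and
    `[y](x)` inheritance. Each section maps key -> list of values."""
    sections: Dict[str, Dict[str, List[str]]] = {}
    templates: Dict[str, Dict[str, List[str]]] = {}
    cur = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        m = HEADER.match(line)
        if m:
            name, opts = m.group(1), [o.strip() for o in (m.group(2) or "").split(",")]
            cur = {}
            for parent in [o for o in opts if o and o != "!"]:
                for k, v in templates.get(parent, {}).items():
                    cur[k] = list(v)          # inherit template values first
            (templates if "!" in opts else sections)[name] = cur
            continue
        if cur is None:
            continue
        key, _, val = line.partition("=")
        cur.setdefault(key.strip(), []).append(val.lstrip(">").strip())
    return sections


def audit_peers(text: str, min_secret: int = MIN_SECRET) -> Dict[str, List[str]]:
    """Return {entry: [findings]} for every section carrying a type= line."""
    conf = parse_conf(text)
    general_ctx = conf.get("general", {}).get("context", ["default"])[0]
    out: Dict[str, List[str]] = {}
    for name, s in conf.items():
        if name == "general" or "type" not in s:
            continue
        notes = []
        if "context" not in s:
            notes.append(f"no context: inbound calls land in [{general_ctx}] from [general]")
        secret = s.get("secret", [None])[0]
        acl = "permit" in s or "deny" in s
        if secret is None and "md5secret" not in s:
            notes.append("no secret: matched by source address only"
                         + ("" if acl else "; add deny/permit"))
        elif secret is not None and len(secret) < min_secret:
            notes.append(f"secret is {len(secret)} chars, below {min_secret}: easy to guess")
        if s.get("host", [""])[0] == "dynamic" and not acl:
            notes.append("host=dynamic without deny/permit: registration accepted from any address")
        if notes:
            out[name] = notes
    return out


if __name__ == "__main__":
    for name, notes in audit_peers(SAMPLE_SIP_CONF).items():
        print(f"[{name}]")
        for n in notes:
            print("  -", n)
```

On the sample, [101] passes, [100] is flagged for its four-character secret and for registering from anywhere, and [trunk-provider] shows the point about contexts: it never names one, so its calls arrive in [from-trunk] purely because [general] says so, and since it carries no secret it is matched on source address alone, which is exactly where a deny/permit pair belongs.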