Asterisk Stability & Security Protect your investment

Click here to load reader

  • date post

    26-Dec-2015
  • Category

    Documents

  • view

    215
  • download

    0

Embed Size (px)

Transcript of Asterisk Stability & Security Protect your investment

  • Slide 1
  • Asterisk Stability & Security Protect your investment
  • Slide 2
  • Introduction What if the server goes down ? What if someone hacks into your 8 e1 asterisk server and makes calls to inmarsat ? Inmarsat : 5 euro / min. In 24 hours, on 8 e1s 1728000 euro In 24 hours, on 8 e1s 1728000 euro
  • Slide 3
  • Overview Asterisk Performance Update Asterisk Stability Asterisk Security Asterisk Monitoring
  • Slide 4
  • Asterisk Performance Update Updates since Astricon 2004: - Smaller memory footprint - Smaller memory footprint - Less file descriptors used - Less file descriptors used - Memory leaks found / removed - Memory leaks found / removed - Less RTP ports opened - Less RTP ports opened - Codec optimizations (especially Speex) - Codec optimizations (especially Speex) - Hardware echo canceller - Hardware echo canceller - FastAGI - FastAGI - Realtime - Realtime - Remote MOH - Remote MOH - ds3000 / te411p - ds3000 / te411p - Channel walk optimization - Channel walk optimization
  • Slide 5
  • Slide 6
  • Astertest Testlab
  • Slide 7
  • Astertest Cables
  • Slide 8
  • Overview Asterisk Performance Update Asterisk Stability Asterisk server monitoring Asterisk Security
  • Slide 9
  • Asterisk Stability Hardware reliability Software stability
  • Slide 10
  • Asterisk Stability Hardware Reliability What is the cost of having no PBX service for your company ? What if you are an ISP and your customers cant dial out ?
  • Slide 11
  • Slide 12
  • Slide 13
  • Asterisk Stability Hardware Reliability What if you experience: - power outage ? - a broken HD ? - a broken Zaptel card ? - a broken server ? - no Internet connectivity ?
  • Slide 14
  • Asterisk Stability Hardware Reliability Power outage: Traditional phones are self powered. Solution: use a UPS to power the (PoE) phones, the switches, PBX, modem, router, If you have a low power PBX, the phone system could run for hours on a small UPS. Dont use Ethernet over power for mission critical phone lines.
  • Slide 15
  • Asterisk Stability Hardware Reliability A broken HD ? Use raid > 0 SCSI has a bigger mean time to failure. Flashdisks, realtime, netboot, live CDs.
  • Slide 16
  • Slide 17
  • Asterisk Stability Hardware Reliability A broken Zaptel card or a broken server ? Make sure you have a replacement, (maybe even hot standby) with all the modules you need, jumpers already set,
  • Slide 18
  • Asterisk Stability Hardware Reliability No Internet connectivity ? Spare router / modem / switch ? Failover Internet connection ? Failover to / from PSTN ?
  • Slide 19
  • Label all cables!!
  • Slide 20
  • Asterisk Stability / Quality Updates Software related since Astricon 04 Real CVS-stable / CVS-head (Thanks Russell!) Major cleanups / code audits. New h323 channel coming (chan_ooh323) Packet Loss Concealment IAX2 / SIP jitter buffer (mantis 3854) A lot of libpri, chan_sip, chan_h323 changes for better compatibility / stability. DUNDi (easier load balancing with round robin DNS) OSP Kernel 2.6.11.x
  • Slide 21
  • Changes in hardware reliability New Zaptel hardware (te411p, te4xxp, TDM, IAXy2, ). New drivers with a lot of bug fixes and optimizations. End of life for x100p and Tormenta cards. Hardware echo cancellers -> lower CPU load -> more calls it can handle before asterisk turns unstable.
  • Slide 22
  • * reliability / stability recommendations Use decent but not exotic hardware Put Zaptel on a different PCI-bus than Nics and video cards. Read tutorials on interrupts, APIC and other common problems. Load test your setup Design a failover system Noload unused modules Use recent firmware Zaptel cards
  • Slide 23
  • * reliability / stability recommendations Use a stable Asterisk version. Take a common OS -> Linux. Test software upgrades in a test lab. Stay away from experimental Asterisk modules -> h323, skinny. Dont patch production Asterisk servers. Keep your old Asterisk binaries after an upgrade for easy restore of known working versions.
  • Slide 24
  • Overview Asterisk Performance Update Asterisk Stability Asterisk server monitoring Asterisk Security
  • Slide 25
  • Asterisk server monitoring NAGIOS http://karlsbakk.net/asterisk/ http://karlsbakk.net/asterisk/ http://megaglobal.net/docs/asterisk/html/as teriskmonitor.html http://megaglobal.net/docs/asterisk/html/as teriskmonitor.html http://megaglobal.net/docs/asterisk/html/as teriskmonitor.html Argus: http://argus.tcp4me.com/ http://argus.tcp4me.com/ SNMP: http://www.faino.it/en/asterisk.html http://www.faino.it/en/asterisk.html
  • Slide 26
  • Overview Asterisk Performance Update Asterisk Stability Asterisk server monitoring Asterisk Security
  • Slide 27
  • Asterisk Security Asterisk Configuration stupidity Asterisk hardening Privacy protection
  • Slide 28
  • Asterisk Configuration Stupidity Dial plan security SIP.conf IAX2.conf Manager.conf Billing problems
  • Slide 29
  • Dial plan security - Extension hopping - CallerID based protections - _. - Demo context - User access to the dial plan - Be careful with the default context - Limit simultaneous calls
  • Slide 30
  • Extension hopping User can reach ANY extension in the current context: [internal] exten => intro,1,Background(question); exten => 1,spanish,Goto(Spanish) exten => 2,english,Goto(English) exten => _XX.,1,Dial(ZAP/g1/${EXTEN});
  • Slide 31
  • CallerID based protection exten => _X.,1,GotoIf($[${CALLERIDNUM}=32134?3); exten => _X.,2,Hangup(); exten => _X.,3,Dial(${EXTEN}); When not explicitly defined for each user/channel in zapata.conf, sip.conf, iax.conf, the user can choose his own CallerID!
  • Slide 32
  • Inappropriate use of _. _. Would match EVERYTHING! (also fax, hang up, invalid, timeout,.) Example: exten => _.,1,Playback(blah); exten => _.,2,Hangup; Causing a FAST LOOP. (changed in CVS-head)
  • Slide 33
  • demo context Not a real security risk But Someone might play with your system and use up your bandwidth, make prank calls to Digium, make Mark Spencer very unhappy and cause him to introduce you to a very big shotgun
  • Slide 34
  • Slide 35
  • User access to the dialplan - AMP and other GUIs might allow the ISPs user to change a dial plan in his own context. E.g.: hosted PBXs - Goto / GotoIf / dial(Local/) -> context hopping. - System -> could do anything
  • Slide 36
  • Default context Example: [default] Include outgoing; Include internal; OH OH OH, guest calls will go to the default context!!!!!
  • Slide 37
  • Context usage: A call has two legs, the used context is the context defined for that user/channel in the config file for that protocol. E.g: - Zap to sip call: context set in zapata.conf is used - SIP to IAX2 call: context in sip.conf is used context in sip.conf is used
  • Slide 38
  • Context usage: In sip.conf, zapata.conf, iax2.conf A default context is defined, if there is no specific context setting for this channel or user, than the default context is used!
  • Slide 39
  • Limit simultaneous calls Sometimes you dont want a user to make multiple simultaneous calls. E.g.: prepay / calling cards Solution: setgroup, checkgroup (dont trust incominglimit.) exten => s,1,SetGroup(${CALLERIDNUM}) exten => s,2,CheckGroup(1) Only good if the CallerID cannot be spoofed !!!! Consider using accountcode for this.
  • Slide 40
  • Sip.conf Default context Bindport, bindhost, bindip [username] vs username= Permit, deny, mask Insecure=yes, very, no User vs peer vs friend Allowguest Autocreatepeer Pedantic Ospauth Realm Md5secret User authentication logic Username= vs [username]
  • Slide 41
  • Bindport, bindhost,bindip If you only use sip for internal calls, dont put bindip=0.0.0.0 but limit it to the internal IP. Changing the bindport to a non 5060 port might save you from portscan sweeps for this port.
  • Slide 42
  • Permit, deny, mask Disallow everything, then allow per user the allowed hosts or ranges. (Multiple are allowed.)
  • Slide 43
  • SIP.conf insecure option Insecure = No: the default, always ask for authentication Yes: To match a peer based by IP address only and not peer. Insecure=very ; allows registered hosts to call without re-authenticating, by ip address Insecure=port; we dont care if the portnumber is different than when they registered Insecure=invite; every invite is accepted.
  • Slide 44
  • User vs Peer vs Friend in SIP USER: never registers only makes calls PEER: can register + can make calls. [user1]type=user[user1]type=peer Is allowed and the same as type=friend if the other parameters are identical!!!
  • Slide 45
  • Allowguest= True: unauthenticated users will arrive in the default context as defined in sip.