Asterisk Stability & Security: Protect your investment.

Transcript of the slides "Asterisk Stability & Security: Protect your investment".

Page 1:

Asterisk Stability & Security

Protect your investment

Page 2:

Introduction

What if the server goes down? What if someone hacks into your 8 E1 Asterisk server and makes calls to Inmarsat?

Inmarsat: 5 euro / min.

In 24 hours, on 8 E1s: 1728000 euro.

Page 3:

Overview

- Asterisk Performance Update
- Asterisk Stability
- Asterisk Security
- Asterisk Monitoring

Page 4:

Asterisk Performance Update

Updates since Astricon 2004:

- Smaller memory footprint
- Fewer file descriptors used
- Memory leaks found / removed
- Fewer RTP ports opened
- Codec optimizations (especially Speex)
- Hardware echo canceller
- FastAGI
- Realtime
- Remote MOH
- ds3000 / te411p
- Channel walk optimization

Page 5:
Page 6:

Astertest Testlab

Page 7:

Astertest Cables

Page 8:

Overview

- Asterisk Performance Update
- Asterisk Stability
- Asterisk server monitoring
- Asterisk Security

Page 9:

Asterisk Stability

Hardware reliability

Software stability

Page 10:

Asterisk Stability – Hardware Reliability

What is the cost of having no PBX service for your company?

What if you are an ISP and your customers can't dial out?

Page 11:
Page 12:
Page 13:

Asterisk Stability – Hardware Reliability

What if you experience:

- a power outage?
- a broken HD?
- a broken Zaptel card?
- a broken server?
- no Internet connectivity?

Page 14:

Asterisk Stability – Hardware Reliability

Power outage:

Traditional phones are self powered.

Solution: use a UPS to power the (PoE) phones, the switches, PBX, modem, router, …

If you have a low power PBX, the phone system could run for hours on a small UPS.

Don't use Ethernet over power for mission critical phone lines.

Page 15:

Asterisk Stability – Hardware Reliability

A broken HD?

Use RAID > 0.

SCSI has a longer mean time to failure.

Flashdisks, realtime, netboot, live CDs.

Page 16:
Page 17:

Asterisk Stability – Hardware Reliability

A broken Zaptel card or a broken server?

Make sure you have a replacement (maybe even hot standby) with all the modules you need, jumpers already set, …

Page 18:

Asterisk Stability – Hardware Reliability

No Internet connectivity?

Spare router / modem / switch?

Failover Internet connection?

Failover to / from PSTN?

Page 19:

Label all cables!!

Page 20:

Asterisk Stability / Quality Updates – software related, since Astricon '04

- Real CVS-stable / CVS-head (Thanks Russell!)
- Major cleanups / code audits.
- New H.323 channel coming (chan_ooh323)
- Packet Loss Concealment
- IAX2 / SIP jitter buffer (Mantis 3854)
- A lot of libpri, chan_sip, chan_h323 changes for better compatibility / stability.
- DUNDi (easier load balancing with round robin DNS)
- OSP
- Kernel 2.6.11.x

Page 21:

Changes in hardware reliability

New Zaptel hardware (te411p, te4xxp, TDM, IAXy2, …).

New drivers with a lot of bug fixes and optimizations.

End of life for x100p and Tormenta cards.

Hardware echo cancellers -> lower CPU load -> more calls it can handle before Asterisk turns unstable.

Page 22:

* reliability / stability recommendations

- Use decent but not exotic hardware.
- Put Zaptel on a different PCI bus than NICs and video cards.
- Read tutorials on interrupts, APIC and other common problems.
- Load test your setup.
- Design a failover system.
- Noload unused modules.
- Use Zaptel cards with recent firmware.

Page 23:

* reliability / stability recommendations

- Use a stable Asterisk version.
- Take a common OS -> Linux.
- Test software upgrades in a test lab.
- Stay away from experimental Asterisk modules -> h323, skinny.
- Don't patch production Asterisk servers.
- Keep your old Asterisk binaries after an upgrade for easy restore of known working versions.

Page 24:

Overview

- Asterisk Performance Update
- Asterisk Stability
- Asterisk server monitoring
- Asterisk Security

Page 25:

Asterisk server monitoring

NAGIOS: http://karlsbakk.net/asterisk/

http://megaglobal.net/docs/asterisk/html/asteriskmonitor.html

Argus: http://argus.tcp4me.com/

SNMP: http://www.faino.it/en/asterisk.html

Page 26:

Overview

- Asterisk Performance Update
- Asterisk Stability
- Asterisk server monitoring
- Asterisk Security

Page 27:

Asterisk Security

- Asterisk Configuration stupidity
- Asterisk hardening
- Privacy protection

Page 28:

Asterisk Configuration Stupidity

- Dial plan security
- sip.conf
- iax2.conf
- manager.conf
- Billing problems

Page 29:

Dial plan security

- Extension hopping
- CallerID based protections
- _.
- Demo context
- User access to the dial plan
- Be careful with the default context
- Limit simultaneous calls

Page 30:

Extension hopping

User can reach ANY extension in the current context:

[internal]
exten => intro,1,Background(question)
exten => 1,spanish,Goto(Spanish)
exten => 2,english,Goto(English)
exten => _XX.,1,Dial(ZAP/g1/${EXTEN})

The caller in this menu is only expected to press 1 or 2, but the _XX. pattern lives in the same context, so any two-or-more digit number dialed during the menu goes straight out over ZAP/g1.

Page 31:

CallerID based protection

exten => _X.,1,GotoIf($["${CALLERIDNUM}"="32134"]?3)
exten => _X.,2,Hangup()
exten => _X.,3,Dial(${EXTEN})

When not explicitly defined for each user/channel in zapata.conf, sip.conf, iax.conf, the user can choose his own CallerID!

Page 32:

Inappropriate use of _.

_. would match EVERYTHING! (also fax, hang up, invalid, timeout, …)

Example:
exten => _.,1,Playback(blah)
exten => _.,2,Hangup
Causing a FAST LOOP.

(changed in CVS-head)

Page 33:

Demo context

Not a real security risk. But… someone might play with your system and use up your bandwidth, make prank calls to Digium, make Mark Spencer very unhappy and cause him to introduce you to a very big shotgun…

Page 34:
Page 35:

User access to the dialplan

- AMP and other GUIs might allow the ISP's user to change a dial plan in his own context. E.g.: hosted PBXs.
- Goto / GotoIf / Dial(Local/…) -> context hopping.
- System -> could do anything.

Page 36:

Default context

Example:

[default]
include => outgoing
include => internal

OH OH OH, guest calls will go to the default context!!!!!

Page 37:

Context usage:

A call has two legs; the context used is the context defined for that user/channel in the config file for that protocol.

E.g.:

- Zap to SIP call: the context set in zapata.conf is used
- SIP to IAX2 call: the context in sip.conf is used

Page 38:

Context usage:

In sip.conf, zapata.conf, iax2.conf… a default context is defined; if there is no specific context setting for this channel or user, then the default context is used!

Page 39:

Limit simultaneous calls

Sometimes you don't want a user to make multiple simultaneous calls.

E.g.: prepay / calling cards

Solution: SetGroup, CheckGroup (don't trust incominglimit.)

exten => s,1,SetGroup(${CALLERIDNUM})
exten => s,2,CheckGroup(1)

Only good if the CallerID cannot be spoofed!!!! Consider using accountcode for this.

Page 40:

sip.conf

- Default context
- Bindport, bindhost, bindip
- [username] vs username=
- Permit, deny, mask
- Insecure=yes, very, no
- User vs peer vs friend
- Allowguest
- Autocreatepeer
- Pedantic
- Ospauth
- Realm
- Md5secret
- User authentication logic
- Username= vs [username]

Page 41:

Bindport, bindhost, bindip

If you only use SIP for internal calls, don't put bindip=0.0.0.0 but limit it to the internal IP.

Changing the bindport to a non-5060 port might save you from portscan sweeps for this port.

Page 42:

Permit, deny, mask

Disallow everything, then allow per user the allowed hosts or ranges. (Multiple are allowed.)

Page 43:

sip.conf – insecure option

insecure = …

- no: the default, always ask for authentication.
- yes: match a peer by IP address only, not by port.
- very: allows registered hosts to call without re-authenticating, by IP address.
- port: we don't care if the port number is different than when they registered.
- invite: every INVITE is accepted.

Page 44:

User vs Peer vs Friend in SIP

USER: never registers, only makes calls.
PEER: can register + can make calls.

[user1]
type=user
[user1]
type=peer

Is allowed, and is the same as type=friend if the other parameters are identical!!!

Page 45:

allowguest=…

- true: unauthenticated users will arrive in the default context as defined in sip.conf.
- false: unauthenticated users will get a permission denied error message.
- osp: to allow guest access for VoIP traffic coming from an OSP server.

Page 46:

autocreatepeer

The autocreatepeer option allows, if set to yes, any SIP UA to register with your Asterisk PBX as a peer. This peer's settings will be based on global options. The peer's name will be based on the user part of the Contact: header field's URL.

This is of course a very high security risk if you haven't got control of access to your server.

© Olle

Page 47:

Pedantic

Defaults to pedantic=no. If enabled, this might allow a denial of service by sending a lot of INVITEs, causing a lot of (slow) DNS lookups.

Page 48:

Realm

realm=Asterisk ; Realm for digest authentication
; Defaults to "Asterisk"
; Realms MUST be globally unique according to RFC 3261
; Set this to your host name or domain name

Page 49:

How is authentication done?

chan_sip.c: /* Whoever came up with the authentication section of SIP can suck my %*!#$ for not putting an example in the spec of just what it is you're doing a hash on. */

Page 50:

How is authentication done?

Look at the From header in the SIP message for the username:

-> browse sip.conf for a type=user with that username.
   If found -> check the md5.
   If not found:
   -> browse sip.conf for a type=peer with that username
   -> browse sip.conf for a (registered) IP where the request is coming from
      if insecure=very: no more checks are done.
      if insecure=port: accepted if they are willing to authenticate, even if they are calling from a different port than they registered with (used for NAT not using the same port number every time).
      otherwise: check the md5 + allow/deny.

If no peer is found: do we allow guest access (allowguest=true)? Yes? OK, send it to the default context; if not, reject.

Page 51:

Secret vs md5secret

With SIP all passwords are MD5 hashed (digest authentication) when sending the packets, but are stored in plaintext in sip.conf:

[user]
secret=blabla

Page 52:

Secret vs md5secret

echo -n "<user>:<realm>:<secret>" | md5sum

E.g.:

echo -n "user:asterisk:blabla" | md5sum
e1b588233e4bc8645cc0da24d8cb848d

[user]
md5secret=e1b588233e4bc8645cc0da24d8cb848d
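The digest computation behind the two slides above ("How is authentication done?" and "Secret vs md5secret"), as an added example that is not part of the original slides: the md5secret value is RFC 2617's HA1, and the server can verify a challenge response from that stored value alone, without ever holding the plaintext secret. Realm, nonce, URI and credentials are constructed for illustration.

```python
"""Added example, not from the slides: the digest computation behind the
md5secret slide's `echo -n "<user>:<realm>:<secret>" | md5sum`, plus a
server-side check that works from the stored md5secret alone. Realm, nonce,
URI and credentials below are constructed for illustration."""
import hashlib
import hmac
from typing import Dict


def md5_hex(text: str) -> str:
    """MD5 over the UTF-8 bytes of text, as lowercase hex (RFC 2617 digest)."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def md5secret(user: str, realm: str, secret: str) -> str:
    """Same value as: echo -n "user:realm:secret" | md5sum
    In RFC 2617 terms this is HA1. sip.conf's md5secret= stores exactly this,
    so the plaintext secret never has to appear in the config file."""
    return md5_hex(f"{user}:{realm}:{secret}")


def digest_response(ha1: str, method: str, uri: str, nonce: str) -> str:
    """response = MD5(HA1 ":" nonce ":" MD5(method ":" uri)), no-qop form.
    Only HA1 is needed: whoever holds an md5secret can answer challenges for
    that user in that realm, so /etc/asterisk still needs tight permissions."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def phone_response(user: str, realm: str, secret: str,
                   method: str, uri: str, nonce: str) -> str:
    """What a SIP UA computes when challenged; it has the plaintext secret
    and takes realm and nonce from the WWW-Authenticate header."""
    return digest_response(md5secret(user, realm, secret), method, uri, nonce)


class SipAuthStore:
    """Minimal stand-in for the sip.conf lookup: one HA1 per [username]."""

    def __init__(self, realm: str) -> None:
        self.realm = realm
        self._ha1: Dict[str, str] = {}

    def add_secret(self, user: str, secret: str) -> None:
        # secret=<plaintext> entry: Asterisk derives HA1 itself at check time.
        self._ha1[user] = md5secret(user, self.realm, secret)

    def add_md5secret(self, user: str, ha1: str) -> None:
        # md5secret=<hex> entry: already HA1, valid only for the realm it
        # was generated with, so changing realm= invalidates every md5secret.
        self._ha1[user] = ha1

    def verify(self, user: str, method: str, uri: str,
               nonce: str, response: str) -> bool:
        ha1 = self._ha1.get(user)
        if ha1 is None:
            return False
        expected = digest_response(ha1, method, uri, nonce)
        return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    store = SipAuthStore("asterisk")
    store.add_md5secret("user", md5secret("user", "asterisk", "blabla"))
    nonce = "0123456789abcdef"  # constructed; Asterisk sends a fresh one per challenge
    uri = "sip:pbx.example.net"
    resp = phone_response("user", "asterisk", "blabla", "REGISTER", uri, nonce)
    print(store.verify("user", "REGISTER", uri, nonce, resp))  # True
```

Because HA1 mixes in the realm, an md5secret generated for realm "asterisk" stops working the moment realm= is changed to the host name the slide recommends; regenerate every md5secret when you change it.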

Page 53:

username= vs [username]

[username] is for authenticating a client connecting to Asterisk.

username=… is to have your Asterisk server authenticate to another SIP server.

Page 54:

iax.conf

- auth=plaintext,md5,rsa
- User authentication logic
- Default context
- [username] vs username=
- Permit, deny, mask
- Bindport, bindhost, bindip
- User vs peer vs friend

Page 55:

iax.conf - auth

- plaintext: passwords are sent in plaintext
- md5: the password is sent as an MD5 hash
- rsa: use public key / private key – uses AES.

Page 56:

User vs Peer vs Friend

USER: can only accept calls
PEER: can only make calls
FRIEND: can do both

[user1]
type=user
[user1]
type=peer

Is allowed!!!

Page 57:

How is authentication done?

In IAX2 (CVS-head!!)

Pseudocode:

Is a username supplied?
-> yes -> matched against iax.conf users, starting bottom to top. User found?
   -> yes: is the IP in the allowed / disallowed list?
      yes -> does the password match?
         yes -> does the requested context match a context=… line?
-> no -> is a password given?
   -> yes: Asterisk will look bottom to top for a user with this password;
      -> if the context matches, or there is no context specified, and the host is in the allowed lists (allow / deny), then the call is accepted.
   -> no: Asterisk will look bottom to top for a user without password;
      -> if the context matches, or there is no context specified, and the host is in the allowed lists (allow / deny), then the call is accepted.

Page 58:

[Flowchart of the IAX2 authentication logic from the previous slide: username supplied? -> user found? -> IP allowed? -> password match? -> context OK? -> call accepted / refused. Without a username: password given? -> user found with this password? -> IP allowed? -> context OK? -> call accepted / refused. Otherwise: user found with empty password? -> IP allowed? -> context OK? -> call accepted / refused.]

Page 59:

Add a last entry in iax.conf with no password to force nosecret access into a specific context.

If you use realtime, don't have any user without a password and without permit/deny.
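The IAX2 matching pseudocode from slide 57 and the two recommendations above, as an added example that is not part of the original slides: a small model of the bottom-to-top lookup, used to show why a password-less last entry catches unauthenticated callers and why a password-less entry without permit/deny is open to every host. Entry names, secrets and addresses are constructed.

```python
"""Added example, not from the slides: a model of the IAX2 caller-matching
pseudocode above, used to check an iax.conf-style user list for the two
pitfalls the slides name (bottom-to-top matching and password-less users
without permit/deny). Names, secrets and addresses are constructed."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class IaxUser:
    """One [section] of iax.conf, kept in file order. secret=None: no password."""
    name: str
    secret: Optional[str]
    context: str
    # permit=/deny= lines in file order. Asterisk evaluates them as an access
    # list where the last matching rule wins; no rules means every host passes.
    acl: List[Tuple[str, str]] = field(default_factory=list)

    def host_allowed(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        allowed = True
        for kind, net in self.acl:
            if addr in ipaddress.ip_network(net, strict=False):
                allowed = kind == "permit"
        return allowed

    def context_ok(self, requested: Optional[str]) -> bool:
        # Slide: "the context matches, or there is no context specified"
        return requested is None or requested == self.context


@dataclass
class IaxRequest:
    """The fields of an incoming IAX2 NEW that the matching logic looks at."""
    ip: str
    username: Optional[str] = None
    secret: Optional[str] = None
    context: Optional[str] = None


def authenticate(users: List[IaxUser], req: IaxRequest):
    """Return (accepted, matched entry or None, context or refusal reason).
    Entries are searched from the bottom of the file up, as the slide says.
    The md5/rsa challenge is abstracted to a plain secret comparison."""
    bottom_up = list(reversed(users))
    if req.username is not None:
        for u in bottom_up:
            if u.name != req.username:
                continue
            if not u.host_allowed(req.ip):
                return False, u.name, "ip not allowed"
            if u.secret != req.secret:
                return False, u.name, "password mismatch"
            if not u.context_ok(req.context):
                return False, u.name, "context mismatch"
            return True, u.name, u.context
        return False, None, "no such user"
    if req.secret is not None:
        for u in bottom_up:
            if (u.secret == req.secret and u.context_ok(req.context)
                    and u.host_allowed(req.ip)):
                return True, u.name, u.context
        return False, None, "no user with this password"
    for u in bottom_up:
        if u.secret is None and u.context_ok(req.context) and u.host_allowed(req.ip):
            return True, u.name, u.context
    return False, None, "no password-less entry matches"


def open_entries(users: List[IaxUser]) -> List[str]:
    """Audit check from the realtime slide: an entry with neither a password
    nor any permit/deny line accepts a call from any host on the Internet."""
    return [u.name for u in users if u.secret is None and not u.acl]


# Constructed iax.conf: deny everything, then permit per entry, as the slides advise.
LAN_ONLY = [("deny", "0.0.0.0/0.0.0.0"), ("permit", "10.0.0.0/255.0.0.0")]
TRUNK_ONLY = [("deny", "0.0.0.0/0.0.0.0"), ("permit", "192.0.2.5/255.255.255.255")]
USERS = [
    IaxUser("alice", "s3cret", "internal", LAN_ONLY),
    IaxUser("trunk", "trunkpw", "from-trunk", TRUNK_ONLY),
    # Last entry, no password: unauthenticated LAN callers land here, not elsewhere.
    IaxUser("guest", None, "guest-only", LAN_ONLY),
]

if __name__ == "__main__":
    print(authenticate(USERS, IaxRequest("10.0.0.7", "alice", "s3cret")))
    print(authenticate(USERS, IaxRequest("10.0.0.9")))
    print(authenticate(USERS, IaxRequest("198.51.100.1")))
    print(open_entries(USERS + [IaxUser("rt-open", None, "outgoing")]))
```

Running open_entries() over a dump of your realtime table is the quick way to find the entry the last slide warns about before it accepts a call from anywhere.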

Page 60:

manager.conf

[general]
enabled = yes
port = 5038
bindaddr = 0.0.0.0

[zoa]
secret = blabla
deny=0.0.0.0/0.0.0.0
permit=221.17.246.77/255.255.255.0
permit=127.0.0.1/255.255.255.0
read = system,call,log,verbose,command,agent,user
write = system,call,log,verbose,command,agent,user

Page 61:

manager.conf

No encryption is used; even the password is sent in plaintext.

- Don't enable it on a public IP.
- Use http://www.stunnel.org/
- Watch out with management programs with a direct interface to the manager.
- Limit the privileges per user (especially system!!!).

Page 62:

Asterisk Security

- Asterisk Configuration stupidity
- Asterisk hardening
- Privacy protection

Page 63:

Asterisk Hardening

- Asterisk as non-root user
- Asterisk in CHROOT
- Asterisk in a JAIL
- Asterisk with limited read / write permissions
- ZAPTEL kernel modules
- Asterisk firewalling / shaping / NAT
- tty9
- Linux hardening
- Remote logging
- Tripwire
- Limit running system processes

Page 64:

Asterisk as non-root user

adduser --system --home /var/lib/asterisk --no-create-home asterisk
chown -R asterisk:asterisk /var/lib/asterisk
chown -R asterisk:asterisk /var/log/asterisk
chown -R asterisk:asterisk /var/run/asterisk
chown -R asterisk:asterisk /var/spool/asterisk
chown -R asterisk:asterisk /dev/zap
chown -R root:asterisk /etc/asterisk

chmod -R u=rwX,g=rX,o= /var/lib/asterisk
chmod -R u=rwX,g=rX,o= /var/log/asterisk
chmod -R u=rwX,g=rX,o= /var/run/asterisk
chmod -R u=rwX,g=rX,o= /var/spool/asterisk
chmod -R u=rwX,g=rX,o= /dev/zap
chmod -R u=rwX,g=rX,o= /etc/asterisk
chown asterisk /dev/tty9

su asterisk -c /usr/sbin/safe_asterisk
or
asterisk -U asterisk -G asterisk

Page 65:

Asterisk with limited read / write permissions

Asterisk has no write permissions for its config files and is running as non-root?

In the unlikely event of someone breaking in through Asterisk, your dial plan is still vulnerable through the CLI or the manager.

Page 66:

Asterisk in chroot

Changes the root directory visible to Asterisk to e.g. /foo/bar.

Pretty useless if Asterisk is running as root and perl or gcc is available.

Page 67:

Asterisk in a jail

Changes the root directory visible to Asterisk.

Limits the commands / programs any user in this jail can execute to a list you specify.

Expansion of chroot.

Page 68:

Zaptel kernel modules

Zaptel is module only; it cannot be built into the kernel.

Hackers like to hide in a module: they can backdoor a module, compile it, load it in memory and remove all traces on the disk.

You could have the kernel check an MD5 for the Zaptel modules.

I think Matt Frederickson compiled them into the kernel before.

Page 69: Asterisk Stability & Security Protect your investment.

Firewalling / shaping / NATFirewalling / shaping / NAT

Block everything except the ports you Block everything except the ports you really want. (5060, 4569, …)really want. (5060, 4569, …)

RTP ports are a big pain (see rtp.conf): the media does not use one fixed port but a UDP port picked at call time from the rtpstart–rtpend range, so the firewall has to open that whole range.

Side note: you might want to check that your ISP is not blocking anything in the range defined in rtp.conf.
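As an added example (not from the talk), the script below reads rtpstart/rtpend from rtp.conf and emits a default-deny iptables rule set that opens only SIP, IAX2 and the RTP range, so the range is maintained in one place. It only prints the rules; nothing is applied. The management network address, the assumption that SSH is the only admin service, and the constructed sample rtp.conf are mine, not the slides'. Note what is deliberately left closed: the manager port (5038), which the earlier slide calls out as a way into the dial plan.

```shell
#!/bin/sh
# Added example, not from the talk: derive a default-deny iptables rule set
# from rtp.conf. Management network and rule layout are assumptions.

# rtp_range FILE: print "rtpstart rtpend" from rtp.conf. The fallbacks are
# Asterisk's own defaults (5000 and 31000) for a key that is missing.
rtp_range() {
    start=$(sed -n 's/^[[:space:]]*rtpstart[[:space:]]*=[[:space:]]*\([0-9]*\).*/\1/p' "$1" | head -n 1)
    end=$(sed -n 's/^[[:space:]]*rtpend[[:space:]]*=[[:space:]]*\([0-9]*\).*/\1/p' "$1" | head -n 1)
    echo "${start:-5000} ${end:-31000}"
}

# gen_rules FILE: print iptables commands to stdout for review; returns 1 and
# prints nothing when the RTP range in FILE is inverted or empty.
gen_rules() {
    file=$1
    set -- $(rtp_range "$file")
    rtpstart=$1
    rtpend=$2
    if [ "$rtpstart" -ge "$rtpend" ]; then
        echo "bad RTP range $rtpstart-$rtpend in $file" >&2
        return 1
    fi
    cat <<EOF
# default deny; only return traffic for what we started
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# SIP and IAX2 signalling
iptables -A INPUT -p udp --dport 5060 -j ACCEPT
iptables -A INPUT -p udp --dport 4569 -j ACCEPT
# RTP media, range taken from $file
iptables -A INPUT -p udp --dport $rtpstart:$rtpend -j ACCEPT
# admin access only from the management network (assumed address)
iptables -A INPUT -p tcp -s 192.0.2.0/24 --dport 22 -j ACCEPT
# manager (5038) and the CLI stay closed to the outside: not listed here
EOF
}

# Constructed sample rtp.conf for the demonstration.
conf=$(mktemp)
cat > "$conf" <<'EOF'
; constructed sample rtp.conf
[general]
rtpstart=10000
rtpend=20000
EOF
gen_rules "$conf"
rm -f "$conf"
```

Review the printed rules, then run them on the box; if you shape or NAT on the same machine, the RTP range is also what the NAT has to forward.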

Page 70:

Limit access to tty9

safe_asterisk opens a console on tty9.

This does not require a password and will provide a root shell to anyone passing by (by using !command on the CLI).

Remove the offending line, or don't use safe_asterisk.

Page 71:

Linux Hardening

GRsec (2.6.x)

Openwall (2.4.x)

Remove all unneeded things.

Page 72:

Remote logging

Remote syslog

Put Asterisk log files (and other log files) on a remote server.

Page 73:

Tripwire

Make hashes of all the important files on the server and check them for changes you didn't make.
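The Tripwire slide and the earlier "check a hash of the Zaptel modules" idea are the same technique, so one added example covers both. It is not Tripwire and not from the talk: it snapshots SHA-256 hashes of every file under the directories you name (the Asterisk binary, /etc/asterisk, the Zaptel modules) and later reports what changed, appeared or vanished. The directories, the constructed sample tree and the simulated intrusion are assumptions for the demonstration. Keep the real baseline off the machine or on read-only media; an intruder who can edit the dial plan can edit a baseline stored next to it.

```shell
#!/bin/sh
# Added example, not from the talk: a minimal Tripwire-style integrity check.
# Watched paths are assumptions; paths containing whitespace are not handled.

# hash_tool: sha256sum on Linux, shasum on BSD/macOS; both print "hash  path".
hash_tool() {
    if command -v sha256sum >/dev/null 2>&1; then echo sha256sum; else echo "shasum -a 256"; fi
}

# snapshot OUT DIR...: hash every regular file under DIR... into OUT.
snapshot() {
    out=$1; shift
    tool=$(hash_tool)
    find "$@" -type f -print | sort | while IFS= read -r f; do $tool "$f"; done > "$out"
}

# verify BASELINE DIR...: print CHANGED/NEW/MISSING lines, nothing when clean.
verify() {
    base=$1; shift
    cur=$(mktemp)
    snapshot "$cur" "$@"
    awk 'FILENAME == ARGV[1] { old[$2] = $1; next }
         { seen[$2] = 1;
           if (!($2 in old)) print "NEW " $2;
           else if (old[$2] != $1) print "CHANGED " $2 }
         END { for (p in old) if (!(p in seen)) print "MISSING " p }' "$base" "$cur" | sort
    rm -f "$cur"
}

# make_demo_tree: constructed stand-in for a server (binary, dial plan, module).
make_demo_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/usr/sbin" "$t/etc/asterisk" "$t/lib/modules/zaptel"
    echo "fake asterisk binary" > "$t/usr/sbin/asterisk"
    printf '[default]\nexten => 100,1,Dial(SIP/100)\n' > "$t/etc/asterisk/extensions.conf"
    echo "fake zaptel module" > "$t/lib/modules/zaptel/zaptel.ko"
    echo "$t"
}

t=$(make_demo_tree)
snapshot "$t/baseline.sha256" "$t/usr" "$t/etc" "$t/lib"
# Simulated intrusion: a dial-anything rule appended to the dial plan, a rogue
# module dropped beside the Zaptel ones, the real binary replaced by nothing.
printf 'exten => _X.,1,Dial(Zap/g1/${EXTEN})\n' >> "$t/etc/asterisk/extensions.conf"
echo "backdoored module" > "$t/lib/modules/zaptel/rootkit.ko"
rm "$t/usr/sbin/asterisk"
verify "$t/baseline.sha256" "$t/usr" "$t/etc" "$t/lib"
rm -rf "$t"
```

Run `snapshot` once after installation and `verify` from cron, mailing any output to somewhere the intruder does not control; the remote syslog slide applies to these reports as much as to the Asterisk logs.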

Page 74:

Limit server processes

An Asterisk server should be only:

- OS + ASTERISK.

- No database

- No APACHE

- No PHP

(If you really need those and don't have enough servers, don't put them on a public IP, and firewall them!)

Page 75:

Asterisk Security

Asterisk configuration stupidity

Asterisk hardening

Privacy protection

Page 76:

Asterisk privacy

Encryption

Monitoring

CallerID spoofing

CallingPRES

Page 77:

Call Encryption - SIP

SRTP -> method to encrypt voice packets.

TLS -> method to encrypt signaling packets.

Both are not yet supported by Asterisk. Bounty on voip-info.org.

Page 78:

Call Encryption – IAX2

30/12/2004 2:07

Modified Files: chan_iax2.c iax2-parser.c iax2-parser.h iax2.h
Log Message: Minor IAX2 fixes, add incomplete-but-very-basically-functional IAX2 encryption.

It would support any type of encryption you like. -> Doesn't work yet.

Page 79:

Call Encryption – General solution

Send your packets through a VPN or tunnel.

Use only UDP tunnels to avoid delays: a TCP tunnel retransmits every lost packet, and the audio waits behind the retransmission, which adds latency and jitter.

Known to work: IPsec, VTun, OpenVPN.

Page 80:

Call Encryption – Tunnel solution

Advantage: CPU-expensive encryption can happen on a dedicated machine.

Disadvantage: doesn't work on hardphones or ATAs without adding an extra server in front of them.

Page 81:

Monitoring

ZapBarge

ChanSpy

Monitor