Asterisk security with kingasterisk
Upcoming SlideShare
Loading in...5
×
 

Asterisk security with kingasterisk

on

  • 605 views

asterisk security basic tranning by kingasterisk

asterisk security basic tranning by kingasterisk

Statistics

Views

Total Views
605
Views on SlideShare
605
Embed Views
0

Actions

Likes
2
Downloads
37
Comments
0

0 Embeds 0

No embeds

Accessibility

Categories

Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

Asterisk security with kingasterisk Asterisk security with kingasterisk Presentation Transcript

  • Asterisk Stability & SecurityAsterisk Stability & Security with kingasteriskwith kingasterisk Protect your investmentProtect your investment www.kingasterisk.comwww.kingasterisk.com Skype : kingasteriskSkype : kingasterisk
  • IntroductionIntroduction  What if the server goes down ?What if the server goes down ?  What if someone hacks into your 8 e1What if someone hacks into your 8 e1 asterisk server and makes calls toasterisk server and makes calls to inmarsat ?inmarsat ?  Inmarsat : 5 euro / min.Inmarsat : 5 euro / min. In 24 hours, on 8 e1sIn 24 hours, on 8 e1s  1728000 euro1728000 euro
  • OverviewOverview  Asterisk Performance UpdateAsterisk Performance Update  Asterisk StabilityAsterisk Stability  Asterisk SecurityAsterisk Security  Asterisk MonitoringAsterisk Monitoring
  • Asterisk Performance UpdateAsterisk Performance Update  Updates since Astricon 2004:Updates since Astricon 2004: - Smaller memory footprint- Smaller memory footprint - Less file descriptors used- Less file descriptors used - Memory leaks found / removed- Memory leaks found / removed - Less RTP ports opened- Less RTP ports opened - Codec optimizations (especially Speex)- Codec optimizations (especially Speex) - Hardware echo canceller- Hardware echo canceller - FastAGI- FastAGI - Realtime- Realtime - Remote MOH- Remote MOH - ds3000 / te411p- ds3000 / te411p - Channel walk optimization- Channel walk optimization
  • Astertest TestlabAstertest Testlab
  • Astertest CablesAstertest Cables
  • OverviewOverview  Asterisk Performance UpdateAsterisk Performance Update  Asterisk StabilityAsterisk Stability  Asterisk server monitoringAsterisk server monitoring  Asterisk SecurityAsterisk Security
  • Asterisk StabilityAsterisk Stability  Hardware reliabilityHardware reliability  Software stabilitySoftware stability
  • Asterisk Stability – Hardware ReliabilityAsterisk Stability – Hardware Reliability  What is the cost of having no PBX serviceWhat is the cost of having no PBX service for your company ?for your company ?  What if you are an ISP and yourWhat if you are an ISP and your customers can’t dial out ?customers can’t dial out ?
  • Asterisk Stability – Hardware ReliabilityAsterisk Stability – Hardware Reliability  What if you experience:What if you experience: - power outage ?- power outage ? - a broken HD ?- a broken HD ? - a broken Zaptel card ?- a broken Zaptel card ? - a broken server ?- a broken server ? - no Internet connectivity ?- no Internet connectivity ?
  • Asterisk Stability – Hardware ReliabilityAsterisk Stability – Hardware Reliability  Power outage:Power outage:  Traditional phones are self powered.Traditional phones are self powered. Solution: use a UPS to power the (PoE) phones,Solution: use a UPS to power the (PoE) phones, the switches, PBX, modem, router,…the switches, PBX, modem, router,…  If you have a low power PBX, the phoneIf you have a low power PBX, the phone system could run for hours on a small UPS.system could run for hours on a small UPS.  Don’t use Ethernet over power for missionDon’t use Ethernet over power for mission critical phone lines.critical phone lines.
  • Asterisk Stability – Hardware ReliabilityAsterisk Stability – Hardware Reliability  A broken HD ?A broken HD ?  Use raid > 0Use raid > 0  SCSI has a bigger mean time to failure.SCSI has a bigger mean time to failure.  Flashdisks, realtime, netboot, live CD’s.Flashdisks, realtime, netboot, live CD’s.
  • Asterisk Stability – Hardware ReliabilityAsterisk Stability – Hardware Reliability  A broken Zaptel card or a broken server ?A broken Zaptel card or a broken server ?  Make sure you have a replacement,Make sure you have a replacement, (maybe even hot standby) with all the(maybe even hot standby) with all the modules you need, jumpers already set,…modules you need, jumpers already set,…
  • Asterisk Stability – Hardware ReliabilityAsterisk Stability – Hardware Reliability  No Internet connectivity ?No Internet connectivity ?  Spare router / modem / switch ?Spare router / modem / switch ?  Failover Internet connection ?Failover Internet connection ?  Failover to / from PSTN ?Failover to / from PSTN ?
  • Label all cables!!Label all cables!!
  • Asterisk Stability / Quality UpdatesAsterisk Stability / Quality Updates Software related since Astricon ‘04Software related since Astricon ‘04  Real CVS-stable / CVS-head (Thanks Russell!)Real CVS-stable / CVS-head (Thanks Russell!)  Major cleanups / code audits.Major cleanups / code audits.  New h323 channel coming (chan_ooh323)New h323 channel coming (chan_ooh323)  Packet Loss ConcealmentPacket Loss Concealment  IAX2 / SIP jitter buffer (mantis 3854)IAX2 / SIP jitter buffer (mantis 3854)  A lot of libpri, chan_sip, chan_h323 changes forA lot of libpri, chan_sip, chan_h323 changes for better compatibility / stability.better compatibility / stability.  DUNDi (easier load balancing with round robinDUNDi (easier load balancing with round robin DNS)DNS)  OSPOSP  Kernel 2.6.11.xKernel 2.6.11.x
  • Changes in hardware reliabilityChanges in hardware reliability  New Zaptel hardware (te411p, te4xxp,New Zaptel hardware (te411p, te4xxp, TDM, IAXy2, …).TDM, IAXy2, …).  New drivers with a lot of bug fixes andNew drivers with a lot of bug fixes and optimizations.optimizations.  End of life for x100p and Tormenta cards.End of life for x100p and Tormenta cards.  Hardware echo cancellers -> lower CPUHardware echo cancellers -> lower CPU load -> more calls it can handle beforeload -> more calls it can handle before asterisk turns unstable.asterisk turns unstable.
  • * reliability / stability recommendations* reliability / stability recommendations  Use decent but not exotic hardwareUse decent but not exotic hardware  Put Zaptel on a different PCI-bus than Nics andPut Zaptel on a different PCI-bus than Nics and video cards.video cards.  Read tutorials on interrupts, APIC and otherRead tutorials on interrupts, APIC and other common problems.common problems.  Load test your setupLoad test your setup  Design a failover systemDesign a failover system  Noload unused modulesNoload unused modules  Use recent firmware Zaptel cardsUse recent firmware Zaptel cards
  • * reliability / stability recommendations* reliability / stability recommendations  Use a stable Asterisk version.Use a stable Asterisk version.  Take a common OS -> Linux.Take a common OS -> Linux.  Test software upgrades in a test lab.Test software upgrades in a test lab.  Stay away from experimental AsteriskStay away from experimental Asterisk modules -> h323, skinny.modules -> h323, skinny.  Don’t patch production Asterisk servers.Don’t patch production Asterisk servers.  Keep your old Asterisk binaries after anKeep your old Asterisk binaries after an upgrade for easy restore of known workingupgrade for easy restore of known working versions.versions.
  • OverviewOverview  Asterisk Performance UpdateAsterisk Performance Update  Asterisk StabilityAsterisk Stability  Asterisk server monitoringAsterisk server monitoring  Asterisk SecurityAsterisk Security
  • Asterisk server monitoringAsterisk server monitoring  NAGIOSNAGIOS   http://karlsbakk.net/asterisk/http://karlsbakk.net/asterisk/   http://megaglobal.net/docs/asterisk/html/asterihttp://megaglobal.net/docs/asterisk/html/asteri  Argus:Argus: http://argus.tcp4me.com/http://argus.tcp4me.com/  SNMP:SNMP: http://www.faino.it/en/asterisk.htmlhttp://www.faino.it/en/asterisk.html
  • OverviewOverview  Asterisk Performance UpdateAsterisk Performance Update  Asterisk StabilityAsterisk Stability  Asterisk server monitoringAsterisk server monitoring  Asterisk SecurityAsterisk Security
  • Asterisk SecurityAsterisk Security  Asterisk Configuration stupidityAsterisk Configuration stupidity  Asterisk hardeningAsterisk hardening  Privacy protectionPrivacy protection
  • Asterisk Configuration StupidityAsterisk Configuration Stupidity  Dial plan securityDial plan security  SIP.confSIP.conf  IAX2.confIAX2.conf  Manager.confManager.conf  Billing problemsBilling problems
  • Dial plan securityDial plan security  - Extension hopping- Extension hopping  - CallerID based protections- CallerID based protections  - _.- _.  - Demo context- Demo context  - User access to the dial plan- User access to the dial plan  - Be careful with the default context- Be careful with the default context  - Limit simultaneous calls- Limit simultaneous calls
  • Extension hoppingExtension hopping  User can reach ANY extension in the currentUser can reach ANY extension in the current context:context: [internal][internal] exten => intro,1,Background(question);exten => intro,1,Background(question); exten => 1,spanish,Goto(Spanish)exten => 1,spanish,Goto(Spanish) exten => 2,english,Goto(English)exten => 2,english,Goto(English) exten => _XX.,1,Dial(ZAP/g1/${EXTEN});exten => _XX.,1,Dial(ZAP/g1/${EXTEN});
  • CallerID based protectionCallerID based protection exten => _X.,1,GotoIf($[“$exten => _X.,1,GotoIf($[“$ {CALLERIDNUM}”=“32134”?3);{CALLERIDNUM}”=“32134”?3); exten => _X.,2,Hangup();exten => _X.,2,Hangup(); exten => _X.,3,Dial(${EXTEN});exten => _X.,3,Dial(${EXTEN});  When not explicitly defined for eachWhen not explicitly defined for each user/channel in zapata.conf, sip.conf, iax.conf,user/channel in zapata.conf, sip.conf, iax.conf, the user can choose his own CallerID!the user can choose his own CallerID!
  • Inappropriate use of _.Inappropriate use of _.  _. Would match EVERYTHING!_. Would match EVERYTHING! (also fax, hang up, invalid, timeout,….)(also fax, hang up, invalid, timeout,….) Example:Example: exten => _.,1,Playback(blah);exten => _.,1,Playback(blah); exten => _.,2,Hangup;exten => _.,2,Hangup;  Causing a FAST LOOP.Causing a FAST LOOP. (changed in CVS-head)(changed in CVS-head)
  • demo contextdemo context  Not a real security riskNot a real security risk  But… Someone might play with yourBut… Someone might play with your system and use up your bandwidth, makesystem and use up your bandwidth, make prank calls to Digium, make Mark Spencerprank calls to Digium, make Mark Spencer very unhappy and cause him to introducevery unhappy and cause him to introduce you to a very big shotgun…you to a very big shotgun…
  • User access to the dialplanUser access to the dialplan  - AMP and other GUI’s might allow the- AMP and other GUI’s might allow the ISP’s user to change a dial plan in his ownISP’s user to change a dial plan in his own context. E.g.: hosted PBX’scontext. E.g.: hosted PBX’s  - Goto / GotoIf / dial(Local/…) -> context- Goto / GotoIf / dial(Local/…) -> context hopping.hopping.  - System -> could do anything- System -> could do anything
  • Default contextDefault context  Example:Example: [default][default] Include outgoing;Include outgoing; Include internal;Include internal; OH OH OH, guest calls will go to the defaultOH OH OH, guest calls will go to the default context!!!!!context!!!!!
  • Context usage:Context usage:  A call has two legs, the used context is theA call has two legs, the used context is the context defined for that user/channel in thecontext defined for that user/channel in the config file for that protocol.config file for that protocol. E.g:E.g: - Zap to sip call:Zap to sip call: context set in zapata.conf is usedcontext set in zapata.conf is used - SIP to IAX2 call:SIP to IAX2 call: context in sip.conf is usedcontext in sip.conf is used
  • Context usage:Context usage:  In sip.conf, zapata.conf, iax2.conf…In sip.conf, zapata.conf, iax2.conf… A default context is defined, if there is noA default context is defined, if there is no specific context setting for this channel orspecific context setting for this channel or user, than the default context is used!user, than the default context is used!
  • Limit simultaneous callsLimit simultaneous calls  Sometimes you don’t want a user to make multipleSometimes you don’t want a user to make multiple simultaneous calls.simultaneous calls.  E.g.: prepay / calling cardsE.g.: prepay / calling cards Solution: setgroup, checkgroup (don’t trust incominglimit.)Solution: setgroup, checkgroup (don’t trust incominglimit.) exten => s,1,SetGroup(${CALLERIDNUM})exten => s,1,SetGroup(${CALLERIDNUM}) exten => s,2,CheckGroup(1)exten => s,2,CheckGroup(1) Only good if the CallerID cannot be spoofed !!!!Only good if the CallerID cannot be spoofed !!!! Consider using accountcode for this.Consider using accountcode for this.
  • Sip.confSip.conf  Default contextDefault context  Bindport, bindhost, bindipBindport, bindhost, bindip  [username] vs username=[username] vs username=  Permit, deny, maskPermit, deny, mask  Insecure=yes, very, noInsecure=yes, very, no  User vs peer vs friendUser vs peer vs friend  AllowguestAllowguest  AutocreatepeerAutocreatepeer  PedanticPedantic  Ospauth  Realm  Md5secretMd5secret  User authentication logicUser authentication logic  Username= vs [username]Username= vs [username]
  • Bindport, bindhost,bindipBindport, bindhost,bindip  If you only use sip for internal calls, don’tIf you only use sip for internal calls, don’t put bindip=0.0.0.0 but limit it to the internalput bindip=0.0.0.0 but limit it to the internal IP.IP.  Changing the bindport to a non 5060 portChanging the bindport to a non 5060 port might save you from portscan sweeps formight save you from portscan sweeps for this port.this port.
  • Permit, deny, maskPermit, deny, mask  Disallow everything, then allow per userDisallow everything, then allow per user the allowed hosts or ranges.the allowed hosts or ranges. (Multiple are allowed.)(Multiple are allowed.)
  • SIP.conf – insecure optionSIP.conf – insecure option Insecure = …Insecure = …  No: the default, always ask for authenticationNo: the default, always ask for authentication  Yes: To match a peer based by IP address onlyYes: To match a peer based by IP address only and not peer.and not peer.  Insecure=very ; allows registered hosts to callInsecure=very ; allows registered hosts to call without re-authenticating, by ip addresswithout re-authenticating, by ip address  Insecure=port; we don’t care if the portnumber isInsecure=port; we don’t care if the portnumber is different than when they registereddifferent than when they registered  Insecure=invite; every invite is accepted.Insecure=invite; every invite is accepted.
  • User vs Peer vs Friend in SIPUser vs Peer vs Friend in SIP  USER: never registers only makes callsUSER: never registers only makes calls  PEER: can register + can make calls.PEER: can register + can make calls. [user1][user1] type=usertype=user [user1][user1] type=peertype=peer Is allowed and the same as type=friend if the otherIs allowed and the same as type=friend if the other parameters are identical!!!parameters are identical!!!
  • AllowguestAllowguest=…=…  True: unauthenticated users will arrive inTrue: unauthenticated users will arrive in the default context as defined in sip.confthe default context as defined in sip.conf  False: unauthenticated users will get aFalse: unauthenticated users will get a permission denied error message.permission denied error message.  OSP: to allow guest access for voip trafficOSP: to allow guest access for voip traffic coming from an OSP server.coming from an OSP server.
  • autocreatepeerautocreatepeer  The autocreatepeer option allows, if set to Yes,The autocreatepeer option allows, if set to Yes, any SIP UA to register with your Asterisk PBX asany SIP UA to register with your Asterisk PBX as a peer. This peer's settings will be based ona peer. This peer's settings will be based on global options. The peer's name will be basedglobal options. The peer's name will be based on the user part of the Contact: header field'son the user part of the Contact: header field's URL.URL. This is of course a very high security risk if youThis is of course a very high security risk if you haven't got control of access to your server.haven't got control of access to your server.  © Olle© Olle
  • PedanticPedantic  Defaults to pedantic=noDefaults to pedantic=no  If enabled, this might allow a denial ofIf enabled, this might allow a denial of service by sending a lot of invites, causingservice by sending a lot of invites, causing a lot of (slow) DNS lookups.a lot of (slow) DNS lookups.
  • RealmRealm Realm=Asterisk; Realm for digest authentication ; Defaults to “Asterisk" ; Realms MUST be globally unique according to RFC 3261 ; Set this to your host name or domain name
  • How is authentication done?How is authentication done?  chan_sip.c: /* Whoever came up with thechan_sip.c: /* Whoever came up with the authentication section of SIP can suck myauthentication section of SIP can suck my %*!#$ for not putting an example in the%*!#$ for not putting an example in the spec of just what it is you're doing a hashspec of just what it is you're doing a hash on. */on. */
  • How is authentication done?How is authentication done?  Look at FROM header in SIP message for the username:Look at FROM header in SIP message for the username: -> browse sip.conf for a type=user with that username-> browse sip.conf for a type=user with that username If found -> check the md5If found -> check the md5 If not found,If not found, -> browse sip.conf for a type=peer with that username-> browse sip.conf for a type=peer with that username -> browse sip.conf for an (registered) IP where the request is coming from-> browse sip.conf for an (registered) IP where the request is coming from if insecure=very, no more checks are doneif insecure=very, no more checks are done if insecure=port, if they are willing to authenticate, even if they are callingif insecure=port, if they are willing to authenticate, even if they are calling from a different port than they registered with. (used for NAT not using thefrom a different port than they registered with. (used for NAT not using the same port number every time).same port number every time). otherwise, check the md5 + allow/deny.otherwise, check the md5 + allow/deny.  If no peer found ? do we allow guest access (allowguest=true ?)If no peer found ? do we allow guest access (allowguest=true ?)  Yes? OK, allow send it to the default context, if not reject.Yes? OK, allow send it to the default context, if not reject.
  • Secret vs md5secretSecret vs md5secret  With SIP all passwords are md5 encryptedWith SIP all passwords are md5 encrypted when sending the packets, but are storedwhen sending the packets, but are stored in plaintext in sip.confin plaintext in sip.conf  [user][user]  Secret=blablaSecret=blabla
  • Secret vs md5secretSecret vs md5secret  echo - n "<user>:<realm>:<secret>" | md5sumecho - n "<user>:<realm>:<secret>" | md5sum  E.g.:E.g.: echo -n "user:asterisk:blabla" | md5sumecho -n "user:asterisk:blabla" | md5sum e1b588233e4bc8645cc0da24d8cb848de1b588233e4bc8645cc0da24d8cb848d [user][user] md5secret=e1b588233e4bc8645cc0da24d8cb848dmd5secret=e1b588233e4bc8645cc0da24d8cb848d
  • Username= vs [username]Username= vs [username]  [username] is for authentication a client[username] is for authentication a client connecting to asterisk.connecting to asterisk. Username=… is to have your asteriskUsername=… is to have your asterisk server authenticate to another SIP server.server authenticate to another SIP server.
  • Iax.confIax.conf  auth=plaintext,md5,rsaauth=plaintext,md5,rsa  User authentication logicUser authentication logic  Default contextDefault context  [username] vs username=[username] vs username=  Permit, deny, maskPermit, deny, mask  Bindport, bindhost, bindipBindport, bindhost, bindip  User vs peer vs friendUser vs peer vs friend
  • iax.conf - authiax.conf - auth  Plaintext: passes are sent in plaintextPlaintext: passes are sent in plaintext  Md5: encrypt the password with md5Md5: encrypt the password with md5  RSA: use public key / private key – usesRSA: use public key / private key – uses AES.AES.
  • User vs Peer vs friendUser vs Peer vs friend  USER: can only accept callsUSER: can only accept calls  PEER: can only make callsPEER: can only make calls  FRIEND: can do bothFRIEND: can do both [user1][user1] type=usertype=user [user1][user1] type=peertype=peer Is allowed!!!Is allowed!!!
  • How is authentication done?How is authentication done?  In iax2: (cvs-head!!)In iax2: (cvs-head!!) Pseudocode:Pseudocode: Is username supplied ?Is username supplied ? -> yes -> matched against iax.conf users starting bottom to top.-> yes -> matched against iax.conf users starting bottom to top. user found ?user found ? -> yes : is IP in allowed / disallowed list ?-> yes : is IP in allowed / disallowed list ? yes –> does password match ?yes –> does password match ? yes -> does requested context match a context=… line?yes -> does requested context match a context=… line? -> no -> is a password given ?-> no -> is a password given ? -> yes : Asterisk will look bottom to top for a user with this password,-> yes : Asterisk will look bottom to top for a user with this password, -> if the context matches, or there is no context specified, and the-> if the context matches, or there is no context specified, and the host is in the allowed lists (allow / deny) then the call is accepted.host is in the allowed lists (allow / deny) then the call is accepted. -> no: Asterisk will look bottom to top for a user without password.-> no: Asterisk will look bottom to top for a user without password. -> if the context matches, or there is no context specified, and the-> if the context matches, or there is no context specified, and the host is in the allowed lists (allow / deny) then the call is accepted.host is in the allowed lists (allow / deny) then the call is accepted.
  •  Add a last entry in iax.conf with noAdd a last entry in iax.conf with no password to force nosecret access into apassword to force nosecret access into a specific context.specific context.  If you use realtime, don’t have any userIf you use realtime, don’t have any user without a password and withoutwithout a password and without permit/deny.permit/deny.
  • Manager.confManager.conf [general][general] enabled = yesenabled = yes port = 5038port = 5038 bindaddr = 0.0.0.0bindaddr = 0.0.0.0 [zoa][zoa] secret = blablasecret = blabla deny=0.0.0.0/0.0.0.deny=0.0.0.0/0.0.0. permit=221.17.246.77/255.255.255.0permit=221.17.246.77/255.255.255.0 permit=127.0.0.1/255.255.255.0permit=127.0.0.1/255.255.255.0 read = system,call,log,verbose,command,agent,userread = system,call,log,verbose,command,agent,user write = system,call,log,verbose,command,agent,userwrite = system,call,log,verbose,command,agent,user
  • Manager.confManager.conf  No encryption is used, even the passwordNo encryption is used, even the password is sent in plaintext.is sent in plaintext.  Don’t enable it on a public IP.Don’t enable it on a public IP.  UseUse http://www.stunnel.org/http://www.stunnel.org/  Watch out with management programsWatch out with management programs with direct interface to the manager.with direct interface to the manager.  Limit the privileges per user (especially theLimit the privileges per user (especially the system!!!).system!!!).
  • Asterisk SecurityAsterisk Security  Asterisk Configuration stupidityAsterisk Configuration stupidity  Asterisk hardeningAsterisk hardening  Privacy protectionPrivacy protection
  • Asterisk HardeningAsterisk Hardening  Asterisk as non-root userAsterisk as non-root user  Asterisk in CHROOTAsterisk in CHROOT  Asterisk in a JAILAsterisk in a JAIL  Asterisk with limited read / write permissionsAsterisk with limited read / write permissions  ZAPTEL kernel modulesZAPTEL kernel modules  Asterisk firewalling / shaping / NATAsterisk firewalling / shaping / NAT  Tty9Tty9  Linux hardeningLinux hardening  Remote loggingRemote logging  TripwireTripwire  Limit running system processesLimit running system processes
  • Asterisk as non root userAsterisk as non root user adduser --system --home /var/lib/asterisk --no-create-home Asteriskadduser --system --home /var/lib/asterisk --no-create-home Asterisk chown -r asterisk:asterisk /var/lib/asteriskchown -r asterisk:asterisk /var/lib/asterisk chown -r asterisk:asterisk /var/log/asteriskchown -r asterisk:asterisk /var/log/asterisk chown -r asterisk:asterisk /var/run/asteriskchown -r asterisk:asterisk /var/run/asterisk chown -r asterisk:asterisk /var/spool/asteriskchown -r asterisk:asterisk /var/spool/asterisk chown -r asterisk:asterisk /dev/zapchown -r asterisk:asterisk /dev/zap chown -r root:asterisk /etc/asteriskchown -r root:asterisk /etc/asterisk chmod -r u=rwX,g=rX,o= /var/lib/asteriskchmod -r u=rwX,g=rX,o= /var/lib/asterisk chmod -r u=rwX,g=rX,o= /var/log/asteriskchmod -r u=rwX,g=rX,o= /var/log/asterisk chmod -r u=rwX,g=rX,o= /var/run/asteriskchmod -r u=rwX,g=rX,o= /var/run/asterisk chmod -r u=rwX,g=rX,o= /var/spool/asteriskchmod -r u=rwX,g=rX,o= /var/spool/asterisk chmod -r u=rwX,g=rX,o= /dev/zapchmod -r u=rwX,g=rX,o= /dev/zap chmod -r u=rwX,g=rX,o= /etc/asteriskchmod -r u=rwX,g=rX,o= /etc/asterisk chown asterisk /dev/tty9chown asterisk /dev/tty9 su asterisk -c /usr/sbin/safe_asterisksu asterisk -c /usr/sbin/safe_asterisk oror Asterisk -U asterisk -G asteriskAsterisk -U asterisk -G asterisk
  •  Asterisk has no write permissions for itsAsterisk has no write permissions for its config files and is running as non root ?config files and is running as non root ?  In the unlikely event of someone breakingIn the unlikely event of someone breaking in through Asterisk, your dial plan is stillin through Asterisk, your dial plan is still vulnerable through the CLI or thevulnerable through the CLI or the manager.manager. Asterisk with limited read / write permissionsAsterisk with limited read / write permissions
  • Asterisk in chrootAsterisk in chroot  Changes the root directory visible toChanges the root directory visible to asterisk to e.g. /foo/barasterisk to e.g. /foo/bar  Pretty useless if asterisk is running as rootPretty useless if asterisk is running as root and perl or gcc is available.and perl or gcc is available.
  • Asterisk in a jailAsterisk in a jail  Changes the rootChanges the root directory visible todirectory visible to Asterisk.Asterisk.  Limits theLimits the commands /commands / programs any user inprograms any user in this jail can execute tothis jail can execute to a list you specify.a list you specify.  Expansion of chroot.Expansion of chroot.
  • Zaptel kernel modulesZaptel kernel modules  Zaptel is module only, cannot be put into theZaptel is module only, cannot be put into the kernel.kernel.  Hackers like to hide in a module, they canHackers like to hide in a module, they can backdoor a module, compile it, load it in memorybackdoor a module, compile it, load it in memory and remove all traces on the disk.and remove all traces on the disk.  You could have the kernel check an md5 for theYou could have the kernel check an md5 for the Zaptel modules.Zaptel modules.  I think Matt Frederickson compiled them in theI think Matt Frederickson compiled them in the kernel before.kernel before.
  • Firewalling / shaping / NATFirewalling / shaping / NAT  Block everything except the ports youBlock everything except the ports you really want. (5060, 4569, …)really want. (5060, 4569, …)  RTP ports are a big pita (see rtp.conf)RTP ports are a big pita (see rtp.conf) Sidenote: you might want to check your ISPSidenote: you might want to check your ISP is not blocking anything in the rangeis not blocking anything in the range defined in RTP.confdefined in RTP.conf
  • Limit access to tty9Limit access to tty9  safe_asterisk opens a console on tty9.safe_asterisk opens a console on tty9. This does not require a password and willThis does not require a password and will provide a root shell to anyone passing by.provide a root shell to anyone passing by. (by using !command on the CLI).(by using !command on the CLI).  Remove the offending line, or don’t useRemove the offending line, or don’t use safe_asterisksafe_asterisk
  • Linux HardeningLinux Hardening  GRsec (2.6.x)GRsec (2.6.x)  Openwall (2.4.x)Openwall (2.4.x)  Remove all unneeded things.Remove all unneeded things.
  • Remote loggingRemote logging  Remote syslogRemote syslog  Put Asterisk log files (and other log files onPut Asterisk log files (and other log files on a remote server).a remote server).
  • TripwireTripwire  Make hashes of all the important files onMake hashes of all the important files on the server and check them for changesthe server and check them for changes you didn’t do.you didn’t do.
  • Limit server processesLimit server processes  An Asterisk server should be only:An Asterisk server should be only: - OS + ASTERISK.OS + ASTERISK. - No databaseNo database - No APACHENo APACHE - No PHPNo PHP (If you really need those, and don’t have enough(If you really need those, and don’t have enough servers, don’t put them on a public IP andservers, don’t put them on a public IP and firewall them!!!!)firewall them!!!!)
  • Asterisk SecurityAsterisk Security  Asterisk Configuration stupidityAsterisk Configuration stupidity  Asterisk hardeningAsterisk hardening  Privacy protectionPrivacy protection
  • Asterisk privacyAsterisk privacy  EncryptionEncryption  MonitoringMonitoring  CallerID spoofingCallerID spoofing  CallingPRESCallingPRES
  • Call Encryption - SIPCall Encryption - SIP  SRTP -> method to encrypt voice packets.SRTP -> method to encrypt voice packets.  TLS -> method to encrypt signalingTLS -> method to encrypt signaling packets.packets. Both are not yet supported by asterisk.Both are not yet supported by asterisk. Bounty on voip-info.org.Bounty on voip-info.org.
  • Call Encryption – IAX2Call Encryption – IAX2  30/12/2004 2:0730/12/2004 2:07 Modified Files: chan_iax2.c iax2-parser.cModified Files: chan_iax2.c iax2-parser.c iax2-parser.h iax2.h Log Message: Minoriax2-parser.h iax2.h Log Message: Minor IAX2 fixes, add incomplete-but-very-IAX2 fixes, add incomplete-but-very- basically-functional IAX2 encryption.basically-functional IAX2 encryption. It would support any type of encryption youIt would support any type of encryption you like. -> Doesn’t work yet.like. -> Doesn’t work yet.
  • Call Encryption – GeneralCall Encryption – General solutionsolution  Send you packets through a VPN orSend you packets through a VPN or tunnel.tunnel.  Use only UDP tunnels to avoid delays.Use only UDP tunnels to avoid delays. Known to work:Known to work: IPSEC, VTUN, OPENVPN.IPSEC, VTUN, OPENVPN.
  • Call Encryption – Tunnel solutionCall Encryption – Tunnel solution Advantage, CPU expensive encryptionAdvantage, CPU expensive encryption can happen on dedicated machine.can happen on dedicated machine.  Disadvantage: doesn’t work onDisadvantage: doesn’t work on hardphones or ATA’s without adding anhardphones or ATA’s without adding an extra server in front of them.extra server in front of them.
  • MonitoringMonitoring  ZapBargeZapBarge  ChanSpyChanSpy  MonitorMonitor Thank you Very Much......!!!Thank you Very Much......!!! For More InformationFor More Information www.kingasterisk.comwww.kingasterisk.com