> On Sat, 2009-02-07 at 21:54 -0500, Alex Balashov wrote:
>> Agreed strongly.
>>
>> 1) For one, it sounds like you allowed remote root logins directly via
>> SSH via password. Many people seem to do this for convenience. This is
>> VERY BAD and should NEVER, EVER be allowed under any circumstances.
>> Only password access to user accounts should be permitted 100% of the time.
>>
>> 2) Secondly, SSH should really not be open to the public at all. With
>> some hosts, that just can't be helped (public access boxes). For a PBX,
>> there is absolutely no reason why SSH should be open to anyone but you.
>>
>> My SSH on all servers is firewalled to everyone in the world and I can
>> only get in through an OpenVPN management VPN. If for some reason that
>> fails or I am on a host that doesn't have a client, there are a few IPs
>> that are allowed in as a back door. That's it.
>
> Having the ssh server at the default port and accepting password
> authentication is a security problem waiting to happen.
> Looking at firewall logs you can see that the ssh port is scanned
> routinely and brute force attacks happen all the time.
> If you need to have ssh access open, move it to another port, disable
> password auth and use only publickey auth.
> Also, as I see more and more companies implementing a strict "no incoming
> ports open" policy (which is good), an option is to have a reverse ssh
> tunnel.
> http://skoroneos.blogspot.com/2009/01/doing-reverse-ssh-tunnel-embedded-way.html
>
> I have implemented this in our embedded asterisk distro and now it works
> with the dialplan also, i.e. you trigger the connection from inside by
> dialing a number.
There are other ways too, including port knocking. For SIP brute-force attacks, I use fail2ban to monitor the logs and firewall any attacks, in addition to having strong passwords and long SIP user IDs.

_______________________________________________
--Bandwidth and Colocation Provided by http://www.api-digital.com--
asterisk-biz mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-biz
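The two hardening points in this exchange, turned into checks a PBX admin can run. This is an added example and not code from either poster: audit_sshd reads an sshd_config and flags the settings the quoted reply warns about (direct root login, password authentication, the default port), and sip_bruteforce does the counting that the fail2ban setup in the last message relies on, tallying failed SIP registrations per source address from Asterisk chan_sip log lines and printing the iptables rule that would follow. The OpenSSH directive names and the chan_sip NOTICE format are real; the sample configs, the log lines, the 2222 port, the AllowUsers name and the failure threshold are constructed for this example.

```shell
#!/bin/sh
# Added example for this thread; it is not code from either poster. It turns the
# two points above into checks: audit_sshd flags the sshd_config settings the
# quoted reply warns about (root login, password auth, default port), and
# sip_bruteforce does what the fail2ban setup in the last message does: count
# failed SIP registrations per source address from Asterisk log lines. The
# OpenSSH directive names are real; the sample config and log lines below are
# constructed for this example, and the threshold and ports are assumptions.

# First effective value of an sshd_config keyword. OpenSSH uses the first
# occurrence of a keyword, keywords are case-insensitive, and anything under a
# Match block only applies conditionally, so reading stops there.
sshd_get() {  # usage: sshd_get "<config text>" Keyword
    printf '%s\n' "$1" | awk -v k="$2" '
        tolower($1) == "match"    { exit }
        tolower($1) == tolower(k) { print $2; exit }'
}

audit_sshd() {  # usage: audit_sshd "<config text>"  -> one finding per line
    root=$(sshd_get "$1" PermitRootLogin)
    pass=$(sshd_get "$1" PasswordAuthentication)
    pubkey=$(sshd_get "$1" PubkeyAuthentication)
    port=$(sshd_get "$1" Port)
    # Assumption: an absent directive takes the permissive default (yes, 22).
    # OpenSSH 7.0 and later default PermitRootLogin to prohibit-password.
    [ "${root:-yes}" = "yes" ]   && echo "PermitRootLogin yes: root can log in directly over SSH"
    [ "${pass:-yes}" = "yes" ]   && echo "PasswordAuthentication yes: open to password guessing"
    [ "${pubkey:-yes}" = "no" ]  && echo "PubkeyAuthentication no: keys cannot replace passwords"
    [ "${port:-22}" = "22" ]     && echo "Port 22: default port, hit by every routine scan"
    return 0
}

weak_sshd_config() {  # constructed: the setup the original poster seems to have had
    cat <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
EOF
}

hardened_sshd_config() {  # constructed: what the quoted reply recommends
    cat <<'EOF'
Port 2222
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
AllowUsers admin
EOF
}

# chan_sip logs every failed REGISTER with the source address; newer Asterisk
# releases append ":port" to it, so both shapes are accepted.
sip_bruteforce() {  # usage: sip_bruteforce THRESHOLD < asterisk-log  -> "IP COUNT" lines
    grep -E "Registration from .* failed for '[0-9.]+(:[0-9]+)?'" \
      | sed -E "s/.*failed for '([0-9.]+)(:[0-9]+)?'.*/\1/" \
      | sort | uniq -c \
      | awk -v t="${1:-5}" '$1 >= t { print $2, $1 }'
}

# The firewall step fail2ban would take next, printed rather than executed.
block_rules() {  # usage: sip_bruteforce N < log | block_rules
    awk '{ printf "iptables -I INPUT -s %s -p udp --dport 5060 -j DROP  # %s failures\n", $1, $2 }'
}

sample_asterisk_log() {  # constructed log lines in the chan_sip NOTICE format
    cat <<'EOF'
[Feb  7 21:54:01] NOTICE[2381] chan_sip.c: Registration from '"1000" <sip:1000@192.0.2.10>' failed for '203.0.113.7' - Wrong password
[Feb  7 21:54:01] NOTICE[2381] chan_sip.c: Registration from '"1001" <sip:1001@192.0.2.10>' failed for '203.0.113.7' - No matching peer found
[Feb  7 21:54:02] NOTICE[2381] chan_sip.c: Registration from '"admin" <sip:admin@192.0.2.10>' failed for '203.0.113.7' - Username/auth name mismatch
[Feb  7 21:54:02] NOTICE[2381] chan_sip.c: Registration from '"1002" <sip:1002@192.0.2.10>' failed for '203.0.113.7' - Wrong password
[Feb  7 21:54:03] NOTICE[2381] chan_sip.c: Registration from '"1003" <sip:1003@192.0.2.10>' failed for '203.0.113.7' - Wrong password
[Feb  7 21:54:03] NOTICE[2381] chan_sip.c: Registration from '"1004" <sip:1004@192.0.2.10>' failed for '203.0.113.7' - No matching peer found
[Feb  7 21:55:10] NOTICE[2381] chan_sip.c: Registration from '"1000" <sip:1000@192.0.2.10>' failed for '198.51.100.9' - Wrong password
[Feb  7 21:55:12] NOTICE[2381] chan_sip.c: Registration from '"1000" <sip:1000@192.0.2.10>' failed for '198.51.100.9:5060' - Wrong password
[Feb  7 21:55:30] VERBOSE[2381] chan_sip.c:     -- Registered SIP '1000' at 198.51.100.9:5060
EOF
}

# Stand-alone demo: audit both configs, then run the log through the detector.
echo "== weak sshd_config ==";     audit_sshd "$(weak_sshd_config)"
echo "== hardened sshd_config =="; audit_sshd "$(hardened_sshd_config)"
echo "== SIP sources with 5 or more failed registrations =="
sample_asterisk_log | sip_bruteforce 5 | block_rules
```

The audit follows OpenSSH's own rule that the first occurrence of a keyword wins, so a `PasswordAuthentication no` placed after a `Match` block, or after an earlier `yes`, does not count as hardened; on the SIP side the detector keys on the source address and not the registering extension, because the guessing host rotates usernames while its address stays constant, which is also why long, non-sequential SIP user IDs raise the attacker's cost.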
