Tzafrir Cohen wrote:
On Thu, Jul 13, 2006 at 11:53:19PM -0500, Rich Adamson wrote:
shadowym wrote:
Thanks for the suggestions but I specifically asked for options OTHER than a
second server. Your suggestions about disabling un-needed services are good
though. I already do that. I am hoping someone has some suggestions that
are not as obvious that I have perhaps not thought of.
From a linux command line, run "netstat -a" or "netstat -an" and
netstat -lnut
or (less nice for formatting, requires root, but gives more data)
netstat -lnutp
-l: only listening ports. Why bother with existing connections?
-n: numbers instead of names
-u: udp, -t: tcp: because you don't want to see all the unix-domain
sockets. Alternatively: --ip
-p: will tell you which process listens on the port
identify every tcp & udp port that has a state of listen. You'll
probably find several that you were not aware of. Research what the
ports are used for and disable as needed. If you don't / can't disable
the function using the port, then use a firewall or router access list
to block internet folks from accessing the machine on those ports. Or,
download and run nmap to identify open ports remotely.
Download and run nessus (security scanner) against your server.
There are many old versions of Nessus floating around. An old scanner's
OK is not that good.
Review your asterisk config files and make sure you understand exactly
what default contexts are implemented, and address those as needed.
Don't provide access through protocols that are not required from other
hosts. Specifically the manager interface.
Subscribe to any of several security lists that track linux distro
vulnerabilities and patch your distro as needed. One such advisory
service is available at http://secunia.com/advisories .
Even more important: base yourself on a distribution that fixes the
security problems for you. You will never have the resources to track,
test and apply all of those fixes, unless you're a full-time-job
security consultant.
Oh, and I forgot in my post to comment on disabling those modules that
are not actually needed in your specific implementation. Review the
"show modules" output and "noload" those not needed in modules.conf.
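As an added example, not code from the thread or from the Asterisk project, here is a POSIX shell script that does the two audit steps described above against constructed sample data: it parses `netstat -lnutp` output into a list of ports reachable from other hosts together with the owning program, and it turns a `show modules` listing into `noload =>` lines for modules.conf for every module outside a required-module list. The netstat text, the `show modules` text, the PIDs and the REQUIRED_MODULES list are all constructed assumptions; on a real box you would feed in the live command output instead.

```shell
#!/bin/sh
# Added example, not part of the original thread. All sample data below is
# constructed so the script runs offline; column layout mimics `netstat -lnutp`.

# Constructed sample of `netstat -lnutp` output (PID/Program column needs root).
NETSTAT_SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 0.0.0.0:5038            0.0.0.0:*               LISTEN      1204/asterisk
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      901/master
udp        0      0 0.0.0.0:5060            0.0.0.0:*                           1204/asterisk
udp        0      0 0.0.0.0:4569            0.0.0.0:*                           1204/asterisk
udp        0      0 0.0.0.0:111             0.0.0.0:*                           655/portmap'

# Constructed, approximate sample of the Asterisk CLI "show modules" listing.
SHOW_MODULES_SAMPLE='Module                         Description                              Use Count
chan_sip.so                    Session Initiation Protocol (SIP)        0
chan_iax2.so                   Inter Asterisk eXchange (Ver 2)          0
chan_skinny.so                 Skinny Client Control Protocol (Skinny)  0
chan_mgcp.so                   Media Gateway Control Protocol (MGCP)    0
pbx_config.so                  Text Extension Configuration             0
app_dial.so                    Dialing Application                      0
6 modules loaded'

# Assumed allowlist: the modules this particular box actually needs.
REQUIRED_MODULES='chan_sip.so chan_iax2.so pbx_config.so app_dial.so'

# One line per listening socket: "proto/port bind-address program".
# Header lines are skipped; the program is "-" when netstat ran without -p.
listening_ports() {
    printf '%s\n' "$NETSTAT_SAMPLE" | awk '
        $1 ~ /^(tcp|udp)6?$/ {
            addr = $4; port = $4
            sub(/:[0-9]+$/, "", addr)   # strip ":port" to leave the bind address
            sub(/.*:/, "", port)        # keep only the digits after the last colon
            prog = "-"
            if ($NF ~ /\//) { prog = $NF; sub(/^[0-9]+\//, "", prog) }
            print $1 "/" port, addr, prog
        }' | sort
}

# Only sockets bound to a wildcard address, i.e. reachable from other hosts.
# Loopback-only services (127.0.0.1, ::1) are the ones you need not firewall.
exposed_ports() {
    listening_ports | awk '$2 == "0.0.0.0" || $2 == "::" { print $1, $3 }'
}

# Emit a modules.conf "noload =>" line for every loaded module not in the allowlist.
noload_lines() {
    printf '%s\n' "$SHOW_MODULES_SAMPLE" | awk -v req="$REQUIRED_MODULES" '
        BEGIN { n = split(req, r, " "); for (i = 1; i <= n; i++) keep[r[i]] = 1 }
        $1 ~ /\.so$/ && !($1 in keep) { print "noload => " $1 }'
}

echo "== listening ports reachable from other hosts =="
exposed_ports
echo "== suggested modules.conf entries =="
noload_lines
```

To run it against a live system, replace the two sample variables with `$(netstat -lnutp)` (as root) and `$(asterisk -rx 'show modules')`, then review the exposed-port list against what the box is actually meant to serve; anything left over is a candidate for disabling or for a firewall rule, and the `noload` lines can be pasted into modules.conf after checking that nothing in the dialplan depends on those modules.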
asterisk-users mailing list
http://lists.digium.com/mailman/listinfo/asterisk-users