On Wed, 2004-01-07 at 06:59, Rich Adamson wrote:
> > On Tue, 2004-01-06 at 21:08, Jonathan Moore wrote:
> > > These are good issues, but I am even thinking of something simpler and more
> > > common than crises. Such as this scenario.
> > >
> > > I need to update my Asterisk server that runs all my phones in order to install a
> > > kernel update that fixes a security bug. This is something I would consider
> > > happening on a regular basis with a VoIP-enabled system, whereas the traditional
> > > system might sit in a closet for 10 years never being touched. Let's say I don't
> > > want to stay at work until 2 am to reload the system when no one is there. How
> > > would you configure an * system(s) so that you could take a system offline
> > > during working hours without taking out all or parts of the system?
> >
> > Since the current kernel bug release is for a local exploit, you only
> > have to worry about it if you have local users on that machine. If
> > security was that high on your priority list and you have users logging
> > into your PBX machine, you might need to revisit your security
> > procedures.
>
> Not intending to be disrespectful of _any_ on the list (or digress too
> much from the original 911 topic), but given the number of * systems that
> have been deployed (and exposed) that still have default values & assumptions
> within their configurations, security at the OS level should be the least
> of one's concerns. In other words, of all the implementations that exist,
> how many can truly state they have analyzed/tested their systems to
> ensure exploits of open iax & sip connections have been properly addressed?

All I can say is that on any of the production machines I have, I have
gone through and removed all channel drivers for channels I don't use,
therefore removing SIP, MGCP, H323, and skinny from even opening outside
ports. This was done as an afterthought back when the potential SIP
exploit was uncovered.

Interestingly enough, when I nmap my primary 2 Asterisk boxes I don't
even see the IAX ports. Need to think about getting nmap patched for the
VoIP ports. Anyways, I only have ssh, smtp (outgoing only), auth, and
postgres showing up. I do know the IAX and IAX2 are there, but they are
tied to fixed addresses for endpoints.

When I test, I have machines that can run Asterisk for the temporary
times I want to test with more opened up. They also are on predefined IP
addresses that are strictly defined in the primary machines.

That is how I am approaching my security for now.

-- 
Steven Critchfield <[EMAIL PROTECTED]>

_______________________________________________
Asterisk-Users mailing list
[EMAIL PROTECTED]
http://lists.digium.com/mailman/listinfo/asterisk-users
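
Added example, not part of the original post or of Asterisk itself: a small audit of the two hardening steps described in the reply above (unused channel drivers not loaded, IAX entries tied to fixed addresses). It assumes the usual modules.conf and iax.conf syntax; the function names and both sample configs are constructed for illustration.

```python
# Channel driver modules for the protocols the post says are unused.
UNUSED = ("chan_sip.so", "chan_mgcp.so", "chan_h323.so", "chan_skinny.so")

def _entries(text):
    """Yield (section, key, value) from Asterisk-style config text."""
    section = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # ';' starts a comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif "=" in line:
            key, val = line.split("=", 1)            # handles '=' and '=>'
            yield section, key.strip().lower(), val.lstrip(">").strip()

def enabled_unused_drivers(modules_conf):
    """Unused channel drivers that modules.conf would still load."""
    opts = [(k, v) for _, k, v in _entries(modules_conf)]
    autoload = ("autoload", "yes") in opts           # simplification: only 'yes'
    return sorted(d for d in UNUSED if ("noload", d) not in opts
                  and (autoload or ("load", d) in opts))

def unpinned_iax_entries(iax_conf):
    """iax.conf sections with neither a fixed host nor a permit ACL."""
    sections = {}
    for sec, key, val in _entries(iax_conf):
        sections.setdefault(sec, {})[key] = val
    return sorted(s for s, o in sections.items() if s != "general"
                  and o.get("host", "dynamic") == "dynamic" and "permit" not in o)

SAMPLE_MODULES = """\
[modules]
autoload=yes
noload => chan_sip.so      ; not used here
noload => chan_mgcp.so
noload => chan_h323.so
; chan_skinny.so has no noload line, so autoload still pulls it in
"""

SAMPLE_IAX = """\
[general]
bindport=4569
[branch-office]
type=friend
host=192.0.2.10            ; fixed endpoint address
[test-box]
type=friend
host=dynamic               ; would accept the peer from any address
"""

if __name__ == "__main__":
    print("still loaded:", enabled_unused_drivers(SAMPLE_MODULES))
    print("not pinned:  ", unpinned_iax_entries(SAMPLE_IAX))
```
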
