Re: [Asterisk-Users] asterisk security

[Rich Adamson]

> I would like to have some advices about security, securing asterisk server
> 
> Already :
> 
> -          configured asterisk to run as non-root user 
(http://www.voip-info.org/tiki-index.php?page=Asterisk+non-root)
> 
> -          fw config 
> (http://www.voip-info.org/tiki-index.php?page=Asterisk+firewall+rules)
> 
>  
> 
> Would like to know what are the things I have to be carefull with
> 
> -          prevent anyone to use my asterisk srv to call anywhere in the 
> world, some alert to 
put in place ?
> 
> -          prevent to listen my conversation, or other one using my asterisk 
> srv
> 
> -          other advices ???
> 

Next thing I'd suggest is to use an external sip phone (or * system)
to try to access your asterisk system without the appropriate userid
and password entries (or use entries that don't match your current
asterisk definitions.  Same with iax if you're allowing that.

Seems there are a fair number of people that think they understand
asterisk, its use of contexts, etc, but really don't.

If I were going to try and hack your asterisk system from a remote
location, what would I try to do? Place calls through your system
without you knowing it (amoung other things). 

Using port scanners (like nessus, nmap, etc) will only tell you what
tcp/udp ports are open, but will not give you a clue whether your
sip, iax, or other I/O channels are defined in a reasonably secure
way.


_______________________________________________
Asterisk-Users mailing list
Asterisk-Users@lists.digium.com
http://lists.digium.com/mailman/listinfo/asterisk-users
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users