Re: [asterisk-users] (Newbie)How to reduce security risks in opening IAX Sip Ports
On Tue, May 20, 2008 at 10:41:28AM +0200, Shaun Wingrin wrote:

> Please direct me to any useful links to help secure my asterisk server
> once these ports are opened.

http://search.yahoo.com/search?p=secure+asterisk+server
http://www.google.com/search?q=secure+asterisk+server

Now, do some basic reading and provide us the relevant information so we
can give you a more informed answer.

First and foremost: what are the threats? In what environment (LAN/WAN)
does it run? How much control do you have over the network? What do you
actually need it to do? What extra services must be run on the same box
besides Asterisk? What Linux(?) distribution do you use? (read its
relevant documentation as well).

-- 
Tzafrir Cohen
icq#16849755              jabber:[EMAIL PROTECTED]
+972-50-7952406           mailto:[EMAIL PROTECTED]
http://www.xorcom.com     iax:[EMAIL PROTECTED]/tzafrir

___
-- Bandwidth and Colocation Provided by http://www.api-digital.com --

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [asterisk-users] (Newbie)How to reduce security risks in opening IAX Sip Ports
One way to make the system more secure would be by not opening these
ports statically in Linux iptables. I have not tested this, but Linux
iptables have shipped with ip_nat_sip and ip_conntrack_sip modules since
kernel version 2.6.18. With these modules, Linux iptables will act as a
SIP-aware NAT that opens the ports dynamically depending on what's
exchanged in the signaling.

-- 
Raj Jain

On Tue, May 20, 2008 at 4:41 AM, Shaun Wingrin [EMAIL PROTECTED] wrote:

> Please direct me to any useful links to help secure my asterisk server
> once these ports are opened.
>
> Thanks
> Shaun
Re: [asterisk-users] (Newbie)How to reduce security risks in opening IAX Sip Ports
On Tue, May 20, 2008 at 06:46:49AM -0400, Raj Jain wrote:

> One way to make the system more secure would be by not opening these
> ports statically in Linux iptables. I have not tested this, but Linux
> iptables have shipped with ip_nat_sip and ip_conntrack_sip modules since
> kernel version 2.6.18. With these modules, Linux iptables will act as a
> SIP-aware NAT that opens the ports dynamically depending on what's
> exchanged in the signaling.

Err... and if you want to allow someone to connect to UDP port 5060 of
your box, what iptables trick should you use?

-- 
Tzafrir Cohen
icq#16849755              jabber:[EMAIL PROTECTED]
+972-50-7952406           mailto:[EMAIL PROTECTED]
http://www.xorcom.com     iax:[EMAIL PROTECTED]/tzafrir
Re: [asterisk-users] (Newbie)How to reduce security risks in opening IAX Sip Ports
On Tue, May 20, 2008 at 7:11 AM, Tzafrir Cohen [EMAIL PROTECTED] wrote:

> On Tue, May 20, 2008 at 06:46:49AM -0400, Raj Jain wrote:
>
> > One way to make the system more secure would be by not opening these
> > ports statically in Linux iptables. I have not tested this, but Linux
> > iptables have shipped with ip_nat_sip and ip_conntrack_sip modules
> > since kernel version 2.6.18. With these modules, Linux iptables will
> > act as a SIP-aware NAT that opens the ports dynamically depending on
> > what's exchanged in the signaling.
>
> Err... and if you want to allow someone to connect to UDP port 5060 of
> your box, what iptables trick should you use?

My comment was about RTP/RTCP ports (I should have been clearer). SIP
signaling ports will have to be opened statically. Although, for added
security you could open the port as symmetric if you know the ip/port of
someone that wants to connect to you as opposed to opening it in a
full-cone way.

Also, I'm curious as to what experience others have had with ip_nat_sip
and ip_conntrack_sip modules. Do they really work?

-- 
Raj Jain
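The two ideas raised in this thread, opening UDP 5060 only to known peers rather than to everyone, and letting the kernel's SIP connection-tracking helper admit the RTP/RTCP flows it learns from the signaling instead of a static port range, can be written down as an iptables ruleset. The script below is an added example and is not code from the thread or from the Asterisk project; it only emits the commands as text so they can be reviewed before being applied as root. The peer address 203.0.113.10 is a constructed placeholder, and nf_conntrack_sip / nf_nat_sip are the current names of the ip_conntrack_sip / ip_nat_sip modules the thread mentions. The audit function at the end flags any rule that accepts SIP from an unrestricted source, which is the "full-cone" variant Raj contrasts with the source-restricted one.

```shell
#!/bin/sh
# Added example (not from the thread): generate and audit iptables rules for
# an Asterisk box exposed to the Internet.  Nothing here is executed against
# the firewall; the rules are printed for inspection.

PEERS="203.0.113.10"   # constructed placeholder: addresses of trusted SIP peers/trunks
SIP_PORT=5060

# Weak variant: "full-cone" style, any source may reach SIP signaling.
weak_rules() {
    echo "iptables -A INPUT -p udp --dport $SIP_PORT -j ACCEPT"
}

# Hardened variant: accept SIP only from the listed peers and drop the rest.
# RTP/RTCP is not opened statically; the SIP helper tracks the SDP exchange
# and the RELATED rule admits only the media flows it learned.  The raw-table
# CT rule assigns the helper explicitly, which newer kernels require.
hardened_rules() {
    echo "modprobe nf_conntrack_sip"
    echo "modprobe nf_nat_sip"
    for p in $PEERS; do
        echo "iptables -t raw -A PREROUTING -p udp -s $p --dport $SIP_PORT -j CT --helper sip"
        echo "iptables -A INPUT -p udp -s $p --dport $SIP_PORT -j ACCEPT"
    done
    echo "iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
    echo "iptables -A INPUT -p udp --dport $SIP_PORT -j DROP"
}

# Audit: read rule lines on stdin and report any rule that accepts SIP
# signaling without a -s source restriction.  Returns 1 if one is found.
audit_rules() {
    status=0
    while read -r line; do
        case "$line" in
            *"--dport $SIP_PORT -j ACCEPT"*)
                case "$line" in
                    *" -s "*) ;;
                    *) echo "unrestricted SIP accept: $line"; status=1 ;;
                esac ;;
        esac
    done
    return $status
}

# Usage when run directly: print the hardened ruleset and audit both variants.
if [ "${0##*/}" = "sip-firewall.sh" ]; then
    hardened_rules
    echo "--- audit of weak ruleset ---"
    weak_rules | audit_rules
    echo "--- audit of hardened ruleset ---"
    hardened_rules | audit_rules && echo "no unrestricted SIP accept found"
fi
```

The ordering matters: the per-peer ACCEPT rules and the RELATED,ESTABLISHED rule must precede the final DROP, and the raw-table CT rule must see the SIP packets before connection tracking does, which is why it sits in PREROUTING. Restricting 5060 to known peers does not help when arbitrary endpoints must register from unknown addresses; in that case the port has to stay open and the remaining controls (strong credentials, fail2ban-style rate limiting, `alwaysauthreject`) carry the load.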