Re: [asterisk-users] Is this doable?

2012-02-13 Thread Gordon Messmer

On 02/08/2012 09:28 AM, Josh wrote:

If one has internal networks, accessible via, say eth1 and tun0, and
implements Asterisk to act as the internal/private PBX (without exposing
it to the outside world), then having been forced to use 0.0.0.0 will,
of course, expose Asterisk to any other - undesirable - interfaces,
including those pointing to the outside world.


OK.  We can agree on that, but you haven't been clear that you're trying 
to keep Asterisk in a private network, and not make it publicly 
available.  Had you simply said that you didn't want to bind to any 
interfaces that had routable addresses, you'd have made a lot more 
sense.  Instead, you've objected to binding to a third or subsequent 
interface.


I still think the idea that binding to 0.0.0.0 is a security risk is 
silly.  Making an application available to the public when it doesn't 
need to be is, certainly.  Making a service publicly available or not is 
a policy decision; binding to specific interfaces is a mechanism that 
can be used to implement that policy.  Policy is where you manage 
security risks.  Mechanisms aren't to blame for good or bad policy.


--
_
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
  http://www.asterisk.org/hello

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
  http://lists.digium.com/mailman/listinfo/asterisk-users


Re: [asterisk-users] Is this doable?

2012-02-08 Thread Josh



http://www.asterisk.org/astdocs/node66.html

Thanks, never knew that!

Yes, I understand that it's not what you want, but that doesn't make 
it a security concern.  If Asterisk is publicly available on one 
interface, making it available on another interface doesn't make you 
less secure.
You lost me. What I want/don't want is largely irrelevant. The issue is, 
as you rightly pointed out, whether it is considered more secure or less 
secure when Asterisk binds to 0.0.0.0 as opposed to using a specific set 
of interfaces, selected at startup.


If one has internal networks, accessible via, say eth1 and tun0, and 
implements Asterisk to act as the internal/private PBX (without exposing 
it to the outside world), then having been forced to use 0.0.0.0 will, 
of course, expose Asterisk to any other - undesirable - interfaces, 
including those pointing to the outside world.


By having the option to specify which interfaces Asterisk should use to 
bind to (via multiple {udp,tcp}bind statements or by any other means) 
Asterisk is *not* exposed to any undesirable interfaces and thus, the 
risk is not there. I thought I had made that clear by now; obviously I 
haven't, it seems.


It's fine if you want to take that step, but please drop the everyone 
knows this is a security risk thing.  You appear to be alone in that 
opinion, and unable to explain why you think it's a security risk. 
Moreover, you're speaking for others without warrant or welcome.
If you can't see why binding to 0.0.0.0 carries greater risk than 
restricting which interfaces Asterisk may use, then you are truly blind 
and beyond help, I am afraid.





Re: [asterisk-users] Is this doable?

2012-02-08 Thread C F
On Wednesday, February 8, 2012, Josh mojo1...@privatedemail.net wrote:

 http://www.asterisk.org/astdocs/node66.html

 Thanks, never knew that!

 Yes, I understand that it's not what you want, but that doesn't make it
a security concern.  If Asterisk is publicly available on one interface,
making it available on another interface doesn't make you less secure.

 You lost me. What I want/don't want is largely irrelevant. The issue is,
as you rightly pointed out, whether it is considered more secure or less
secure when Asterisk binds to 0.0.0.0 as opposed to using a specific set of
interfaces, selected at startup.

I don't get this. Didn't EVERYONE know it's insecure?


 If one has internal networks, accessible via, say eth1 and tun0, and
implements Asterisk to act as the internal/private PBX (without exposing it
to the outside world), then having been forced to use 0.0.0.0 will, of
course, expose Asterisk to any other - undesirable - interfaces, including
those pointing to the outside world.

 By having the option to specify which interfaces Asterisk should use to
bind to (via multiple {udp,tcp}bind statements or by any other means)
Asterisk is *not* exposed to any undesirable interfaces and thus, the risk
is not there. I thought I had made that clear by now; obviously I haven't,
it seems.

 It's fine if you want to take that step, but please drop the everyone
knows this is a security risk thing.  You appear to be alone in that
opinion, and unable to explain why you think it's a security risk.
Moreover, you're speaking for others without warrant or welcome.

 If you can't see why binding to 0.0.0.0 carries greater risk than
restricting which interfaces Asterisk may use, then you are truly blind and
beyond help, I am afraid.



Re: [asterisk-users] Is this doable?

2012-02-08 Thread Josh



I don't get this. Didn't EVERYONE know it's insecure?

Can you read?




Re: [asterisk-users] Is this doable?

2012-02-08 Thread C F
On Wednesday, February 8, 2012, Josh mojo1...@privatedemail.net wrote:

 I don't get this. Didn't EVERYONE know it's insecure?

 Can you read?

Can everyone?




Re: [asterisk-users] Is this doable?

2012-02-07 Thread Josh



It is indeed. This is already implemented in Asterisk I take it then? If
so, brilliant news!
More or less.  I don't know if it's easy to trigger for specific 
caller ID values, or for none.  You might need to do a little 
customization, but something mostly like what you describe is present.
I am glad to see this! Which modules/functions present this 
functionality - do you know? I am almost certainly going to customise 
this as the screening of calls will be done using my own custom-defined 
criteria and the response options will also have to be 
customised/enhanced as well (how much really depends on what is 
currently implemented in Asterisk).


Is there some kind of attack that you believe is possible on one 
interface that isn't on the other?  I can't conceive of any way that 
making your service available on additional addresses increases your 
vulnerability.
Of course it does - by making Asterisk service available on, say eth2 
(by binding on 0.0.0.0 that is automatically enabled, i.e. Asterisk can 
receive packets coming from that interface). This is not what I want.


If I could restrict Asterisk to bind only on the eth0 and eth1 for 
example, packets coming from that interface (eth2) won't affect Asterisk 
at all and they will either be dropped or rejected as nothing would 
listen on that address/port.


I know that you may say netfilter/iptables is there to protect you, 
but the system will be more secure if Asterisk doesn't have the (physical) 
ability to answer requests coming from undesired interfaces - 
regardless of whether I have a fully-functional netfilter/iptables in 
place (even if it is compromised), rather than having Asterisk 
potentially answering such requests (by binding to 0.0.0.0) even if 
netfilter/iptables are functioning.


In other words, having physically restricted Asterisk from answering 
requests coming from undesired interfaces (short of directly 
forwarding/routing packets from/to that interface) is better than 
allowing it to do so and relying solely on netfilter/iptables for protection.




Re: [asterisk-users] Is this doable?

2012-02-07 Thread Gordon Messmer

On 02/07/2012 09:43 AM, Josh wrote:

More or less. I don't know if it's easy to trigger for specific caller
ID values, or for none. You might need to do a little customization,
but something mostly like what you describe is present.

I am glad to see this! Which modules/functions present this
functionality - do you know?


http://www.asterisk.org/astdocs/node66.html


Is there some kind of attack that you believe is possible on one
interface that isn't on the other? I can't conceive of any way that
making your service available on additional addresses increases your
vulnerability.

Of course it does - by making Asterisk service available on, say eth2
(by binding on 0.0.0.0 that is automatically enabled, i.e. Asterisk can
receive packets coming from that interface). This is not what I want.


Yes, I understand that it's not what you want, but that doesn't make it 
a security concern.  If Asterisk is publicly available on one interface, 
making it available on another interface doesn't make you less secure.


It's fine if you want to take that step, but please drop the everyone 
knows this is a security risk thing.  You appear to be alone in that 
opinion, and unable to explain why you think it's a security risk. 
Moreover, you're speaking for others without warrant or welcome.



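The screening workflow from the original question, written as a dialplan. This is an added example, not code from the linked astdocs page or from Asterisk's own privacy feature; it is built on Dial's U() option, which runs a Gosub on the called leg before the two legs are bridged and then acts on GOSUB_RESULT. Assumed and not from the thread: the peer name SIP/20 and mailbox 20@default, the AstDB families screenlist and blacklist (filled from the CLI with "database put screenlist <number> 1"), the prompts under custom/, and /tmp as the recording directory. The outbound _0[0-9]. rule and the provider peer name provider1 come from the original post.

```ini
; extensions.conf (Asterisk 1.8/10 syntax). Added example; names marked "assumed" are not from the thread.

[internal]
; phones on eth1 and tun0 (their sip.conf entries use context=internal, assumed)
exten => 20,1,Dial(SIP/20,30)
 same => n,Voicemail(20@default,u)
 same => n,Hangup()
exten => _0[0-9].,1,Dial(SIP/${EXTEN}@provider1,60)     ; external numbers go out via the first provider account
 same => n,Hangup()

[from-provider]
; inbound calls from the external VoIP account (provider peer uses context=from-provider)
exten => s,1,NoOp(Inbound call from "${CALLERID(num)}")
 same => n,Set(CALLERNUM=${CALLERID(num)})
 ; no caller ID: always screen
 same => n,GotoIf($["${CALLERNUM}" = ""]?screen)
 ; previously blacklisted: play the message and hang up
 same => n,GotoIf(${DB_EXISTS(blacklist/${CALLERNUM})}?blacklist,1)
 ; listed for screening (assumed AstDB family "screenlist")
 same => n,GotoIf(${DB_EXISTS(screenlist/${CALLERNUM})}?screen)
 ; everyone else rings 20 directly
 same => n,Dial(SIP/20,30)
 same => n,Voicemail(20@default,u)
 same => n,Hangup()
 ; --- screened path ---
 same => n(screen),Answer()
 same => n,Set(SCREENFILE=/tmp/screen-${UNIQUEID})          ; assumed writable directory
 same => n,Playback(custom/state-reason)                      ; assumed prompt: "state the reason for your call after the tone, press # to finish"
 same => n,Record(${SCREENFILE}.wav,3,10)                     ; stop after 3 s of silence, after 10 s, or when the caller presses '#'
 same => n,Playback(pls-wait-connect-call)
 ; ring 20; before bridging, run [screen] on 20's leg with the recording name as ARG1;
 ; [screen] sets GOSUB_RESULT to decide what happens to the caller
 same => n,Dial(SIP/20,30,U(screen^${SCREENFILE}))
 same => n,Voicemail(20@default,u)                            ; 20 did not answer in time
 same => n,Hangup()

; outcomes the caller leg is sent to via GOSUB_RESULT=GOTO:...
exten => reject,1,Playback(custom/not-available)             ; assumed prompt
 same => n,Hangup()
exten => voicemail,1,Voicemail(20@default,u)
 same => n,Hangup()
exten => blacklist,1,Set(DB(blacklist/${CALLERID(num)})=1)   ; remember the number for next time
 same => n,Playback(custom/number-blacklisted)               ; assumed prompt
 same => n,Hangup()

[screen]
; runs on extension 20's leg before the bridge; ARG1 = recording name without extension
exten => s,1,Playback(${ARG1})
 same => n,Read(CHOICE,custom/screen-menu,1,,2,10)           ; assumed prompt: "1 accept, 0 reject, 2 voicemail, 9 blacklist"; 1 digit, 2 attempts, 10 s
 same => n,GotoIf($["${CHOICE}" = "1"]?accept)
 same => n,GotoIf($["${CHOICE}" = "0"]?reject)
 same => n,GotoIf($["${CHOICE}" = "2"]?vm)
 same => n,GotoIf($["${CHOICE}" = "9"]?bl)
 ; no or invalid choice: treat like voicemail
 same => n,Set(GOSUB_RESULT=GOTO:from-provider^voicemail^1)
 same => n,Return()
 same => n(accept),Return()                                  ; GOSUB_RESULT left unset: Dial bridges the two legs
 same => n(reject),Set(GOSUB_RESULT=GOTO:from-provider^reject^1)
 same => n,Return()
 same => n(vm),Set(GOSUB_RESULT=GOTO:from-provider^voicemail^1)
 same => n,Return()
 same => n(bl),Set(GOSUB_RESULT=GOTO:from-provider^blacklist^1)
 same => n,Return()
```

When GOSUB_RESULT is a GOTO:, Dial hangs up 20's leg and continues the caller's channel at the named extension, which is how the reject, voicemail and blacklist outcomes reach the caller without any variable having to cross from the called leg to the calling leg.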

Re: [asterisk-users] Is this doable?

2012-02-06 Thread Josh


Your description sounds almost entirely like the existing call 
screening, so I'm pretty sure you'll be able to accomplish it.  Start 
with call screening, and modify that to suit your needs.
It is indeed. This is already implemented in Asterisk I take it then? If 
so, brilliant news!


I'd encourage you not to give callers much information.  If you tell 
callers that their number is blacklisted, or that the recipient is not 
available (and not offer them voicemail), they're likely to call back 
and provide different or no information.  It'll be more effective to 
let them leave voicemail and then delete and ignore it.  Just a 
suggestion.

A good one, thanks for that - will take it on board.

IP routing alone isn't actually sufficient (typically) to use multiple 
interfaces.  Under Linux, you have to set up multiple routing tables, 
track connections, mangle reply packets (mark), and use 'ip rule' to 
select the proper routing table for the packet.  If you haven't 
verified that replies go out the right interface, you should look.  If 
you have, then ignore me. :)
This is already done and works, though from my (admittedly limited) 
understanding of the SIP protocol I know that internal IP address 
information is included in the actual packet. I know that I could use 
sip helpers (kernel modules), but just wanted to know whether I should 
rely on Asterisk to do this or whether I should do it via netfilter 
alone (in which case why are all the nat-related options present in 
Asterisk?).


No... binding to 0.0.0.0 isn't a security risk.  Typically 
applications bind to a specific address so that a single host can have 
multiple addresses, and an application or multiple applications can 
bind to specific addresses to implement virtual hosting.
I disagree. Binding to 0.0.0.0 allows connections to be made from all 
interfaces (provided the routing allows it, of course) - see my previous 
post as I do not wish to repeat myself here. I do not wish to solely 
rely on iptables/netfilter/other means if I can constrain Asterisk to 
the interfaces it is supposed to be using.




Re: [asterisk-users] Is this doable?

2012-02-06 Thread Gordon Messmer

On 02/06/2012 03:29 PM, Josh wrote:

Your description sounds almost entirely like the existing call
screening, so I'm pretty sure you'll be able to accomplish it. Start
with call screening, and modify that to suit your needs.

It is indeed. This is already implemented in Asterisk I take it then? If
so, brilliant news!


More or less.  I don't know if it's easy to trigger for specific caller 
ID values, or for none.  You might need to do a little customization, 
but something mostly like what you describe is present.



No... binding to 0.0.0.0 isn't a security risk. Typically applications
bind to a specific address so that a single host can have multiple
addresses, and an application or multiple applications can bind to
specific addresses to implement virtual hosting.

I disagree. Binding to 0.0.0.0 allows connections to be made from all
interfaces (provided the routing allows it, of course) - see my previous
post as I do not wish to repeat myself here. I do not wish to solely
rely on iptables/netfilter/other means if I can constrain Asterisk to
the interfaces it is supposed to be using.


Is there some kind of attack that you believe is possible on one 
interface that isn't on the other?  I can't conceive of any way that 
making your service available on additional addresses increases your 
vulnerability.




Re: [asterisk-users] Is this doable?

2012-02-03 Thread Steve Edwards

On Thu, 2 Feb 2012, Josh wrote:

Great subject, BTW. It'll make everyone's contribution so much easier for 
'the next guy' to search for.


Just feeling snarky on a Friday afternoon :)

--
Thanks in advance,
-
Steve Edwards   sedwa...@sedwards.com  Voice: +1-760-468-3867 PST
Newline  Fax: +1-760-731-3000



Re: [asterisk-users] Is this doable?

2012-02-02 Thread Josh



What's asterick?
  

I blame my spell checker! :-P

Do you have anything to offer in terms of help or advice on the 
issues/questions I posted?




Re: [asterisk-users] Is this doable?

2012-02-02 Thread Aurimas Skirgaila
I think you might want to split your questions first.


this might work from local ISP network, but in my experience it might
depend on provider.

1. You can't have multiple externip, but it's not necessary to run two
Asterisk instances, because you can set routes to different destinations
via particular interfaces.





On Thu, Feb 2, 2012 at 2:48 AM, Josh mojo1...@privatedemail.net wrote:

 I am trying to configure Asterick, having the following system setup on
 the Asterick server:

 * eth0 faces the external Internet interface, *but* it does not have IP
 address (it has a private one given to it by my ISP's DHCP server);
 * eth1 faces my internal network (say 10.1.1.0/24);
 * tun0 serves all mobile smartphones and connects to the internal
 network (it has a different ip range, say 10.1.2.0/24) - they are all
 connected via the Internet using OpenVPN;

 I would like to configure Asterick for internal calls between ourselves
 (eth1-tun0) and I think I have no problem with configuring this part.
 I would also like to use one external VOIP provider to which Asterick
 registers on startup. I think I know how to do that and use the
 register option in sip.conf, though I am not sure for the rest of the
 NAT-related entries (see below).

 The purpose of registering this external account is so that both the
 smart phones (tun0) and the internal net (eth1) users could use this
 account to make external calls (starting with 0, i.e _0[0-9].
 pattern in extensions.conf). Obviously, I need these calls to be routed
 properly via the external VOIP account. In addition to that, I would
 also need to receive calls from that external account to a nominated
 internal one (say on extension 20).

 Is this achievable?

 If so, I am not completely clear on whether I need to explicitly specify
 my public IP address (via externip/externhost) or whether Asterick is
 able to find it without this option? If not, then my plan is to use
 external program to find it and then use a script in Asterick to set it
 up as an environment variable. Would that work? That external IP address
 is going to change, but only in rare circumstances and in such cases I
 have to restart a lot of stuff (including Asterick) on that server (this
 is usually triggered by a monitoring program), so it won't be a problem
 once it is set up initially. I am also not sure whether to specify
 nat=yes or just have nat=route only - any ideas?

 Is there a comprehensive list of all the options available in sip.conf
 and what they do, because I was unable to find such a list?

 If the above is doable, I would also like to add the following 2 features:

 1. Secondary external VOIP account, though I have no idea how to specify
 its port in register (it uses port 5065 instead of the standard 5060).
 That account would need to be used on a separate interface (eth2) with a
 different public IP address. Would it be possible to use
 externip/externhost inside that external account section to specify it?
 If this is not possible, then I am thinking of running a separate
 instance of Asterick with the second VOIP account/public IP address set
 up - would that work?

 2. I would like to be able to configure the following work flow: for a
 specific set of (external) calling numbers (including where no Caller ID
 is available):
 a) these callers to be prompted to specify the reason for their call;
 b) their response to be temporarily recorded/stored (a short message
 of, say no more than 10 seconds long or when they press '#' for that
 recording to stop);
 c) Asterick then rings the nominated number for external VOIP calls
 (extension 20) and play that recorded message back;
 d) then asks for one of four possible outcomes:
 - accept this call (pressing, say 1) in which case the call is connected
 as normal;
 - reject it with a message that that number/person is unavailable
 (say, by pressing 0);
 - ask the caller to leave a message by transferring them to a voicemail
 (say by pressing 2); or
 - end the initial call completely with a message that the caller/number
 has been blacklisted (say, by pressing the 9 key);

 Could this be achieved?

 One final question about binding: in order to be able to use both tun0
 and eth1 interfaces so that Asterick serves the calls from both eth1 and
 tun0, do I have to use bind 0.0.0.0? Is there an alternative, like
 specifying bind 10.1.1.1 for eth1 and then bind 10.1.2.1 for the
 tun0 interface - is this possible?

 Many thanks in advance!






-- 
Best regards,
Aurimas Skirgaila

Re: [asterisk-users] Is this doable?

2012-02-02 Thread Josh



I think you might want to split your questions first.
I thought that instead of creating a dozen different threads (and 
clogging the ML in the process) it would be better to put everything 
into one place - just pick the issue (or issues) you could address and 
leave (i.e. delete) the rest out.


1. You can't have multiple externip, but it's not necessary to run two 
Asterisk instances, because you can set routes to different 
destinations via particular interfaces.
I have no problems with the routing - that is already done. I am not 
certain how Asterisk handles a stream running across multiple interfaces 
and how the packet NAT is done. I am also aware that SIP packets embed 
the IP address in it so not sure how this is handled either.




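A worked sip.conf for the setup described in the original question, added here as an example; it is not from the original posts or from Asterisk's sample configuration. The host names, account names, secrets, the public address 203.0.113.10 and the name pbx.example.net are assumed. It shows how chan_sip deals with the addresses SIP embeds in Via, Contact and the SDP (localnet plus externip/externhost), how to register at a provider on port 5065, and why the binding question has no clean answer in chan_sip: udpbindaddr takes one address, so you either bind 0.0.0.0 and restrict peers with permit/deny (and the packet filter), or bind one address and lose the other interface. externip/externhost is a [general] setting, which is Aurimas's point: a second provider that must see a different public address needs a second instance.

```ini
; sip.conf (chan_sip, Asterisk 1.8/10 syntax). Added example; every host, user and secret is assumed.
[general]
context=from-unknown          ; assumed: a context containing only Hangup(), for anything not matched to a peer
allowguest=no                 ; never accept unauthenticated calls
alwaysauthreject=yes          ; same answer for bad user and bad password, so usernames cannot be enumerated
; chan_sip takes exactly one UDP bind address. 0.0.0.0 listens on eth0, eth1
; and tun0 alike; a single address such as 10.1.1.1 would exclude tun0 as
; well. Pick one and restrict the peers below (and the packet filter).
udpbindaddr=0.0.0.0
bindport=5060
tcpenable=no
; Address rewriting: localnet lists the subnets in which Asterisk's own
; address is reachable as-is. For any other destination Asterisk writes
; externip (or the resolved externhost) into Via, Contact and the SDP c= line.
localnet=10.1.1.0/255.255.255.0
localnet=10.1.2.0/255.255.255.0
externhost=pbx.example.net    ; assumed DNS name tracking the (rarely changing) public address
externrefresh=120             ; re-resolve it every 120 s; with a fixed address use externip=203.0.113.10 instead
nat=yes                       ; force rport and symmetric RTP (force_rport,comedia in Asterisk 11+)

; --- registrations at the providers ---------------------------------------
; register => user[:secret[:authuser]]@host[:port][/extension]
register => acct1:s3cret@sip.provider1.example/20
register => acct2:s3cret@sip.provider2.example:5065/20   ; non-standard port goes after the host

[provider1]
type=peer
host=sip.provider1.example
defaultuser=acct1
fromuser=acct1
secret=s3cret
insecure=invite               ; provider does not authenticate its INVITEs to us
context=from-provider         ; inbound calls enter the screening dialplan
qualify=yes

[provider2]
type=peer
host=sip.provider2.example
port=5065
defaultuser=acct2
fromuser=acct2
secret=s3cret
insecure=invite
context=from-provider
qualify=yes

; --- internal phones: the template limits them to eth1 and tun0 ----------
[internal](!)
type=friend
host=dynamic
context=internal
deny=0.0.0.0/0.0.0.0          ; deny everything, then permit the two internal subnets
permit=10.1.1.0/255.255.255.0 ; eth1
permit=10.1.2.0/255.255.255.0 ; tun0
qualify=yes
disallow=all
allow=ulaw
allow=alaw

[20](internal)
secret=another-s3cret
```

With this, a REGISTER for 20 arriving on eth0 is refused by the ACL even though the socket is bound to 0.0.0.0, and the provider peers only match traffic from their configured hosts; that is the Asterisk-level mechanism for the policy the thread argues about. Check what the kernel actually exposes with `ss -lunp | grep asterisk` (or `netstat -lunp` on older systems), which is what matters regardless of what the configuration file says.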

Re: [asterisk-users] Is this doable?

2012-02-01 Thread C F
What's asterick?

On Wed, Feb 1, 2012 at 7:48 PM, Josh mojo1...@privatedemail.net wrote:
 I am trying to configure Asterick, having the following system setup on
 the Asterick server:

 * eth0 faces the external Internet interface, *but* it does not have IP
 address (it has a private one given to it by my ISP's DHCP server);
 * eth1 faces my internal network (say 10.1.1.0/24);
 * tun0 serves all mobile smartphones and connects to the internal
 network (it has a different ip range, say 10.1.2.0/24) - they are all
 connected via the Internet using OpenVPN;

 I would like to configure Asterick for internal calls between ourselves
 (eth1-tun0) and I think I have no problem with configuring this part.
 I would also like to use one external VOIP provider to which Asterick
 registers on startup. I think I know how to do that and use the
 register option in sip.conf, though I am not sure for the rest of the
 NAT-related entries (see below).

 The purpose of registering this external account is so that both the
 smart phones (tun0) and the internal net (eth1) users could use this
 account to make external calls (starting with 0, i.e _0[0-9].
 pattern in extensions.conf). Obviously, I need these calls to be routed
 properly via the external VOIP account. In addition to that, I would
 also need to receive calls from that external account to a nominated
 internal one (say on extension 20).

 Is this achievable?

 If so, I am not completely clear on whether I need to explicitly specify
 my public IP address (via externip/externhost) or whether Asterick is
 able to find it without this option? If not, then my plan is to use
 external program to find it and then use a script in Asterick to set it
 up as an environment variable. Would that work? That external IP address
 is going to change, but only in rare circumstances and in such cases I
 have to restart a lot of stuff (including Asterick) on that server (this
 is usually triggered by a monitoring program), so it won't be a problem
 once it is set up initially. I am also not sure whether to specify
 nat=yes or just have nat=route only - any ideas?

 Is there a comprehensive list of all the options available in sip.conf
 and what they do, because I was unable to find such a list?

 If the above is doable, I would also like to add the following 2 features:

 1. Secondary external VOIP account, though I have no idea how to specify
 its port in register (it uses port 5065 instead of the standard 5060).
 That account would need to be used on a separate interface (eth2) with a
 different public IP address. Would it be possible to use
 externip/externhost inside that external account section to specify it?
 If this is not possible, then I am thinking of running a separate
 instance of Asterick with the second VOIP account/public IP address set
 up - would that work?

 2. I would like to be able to configure the following work flow: for a
 specific set of (external) calling numbers (including where no Caller ID
 is available):
 a) these callers to be prompted to specify the reason for their call;
 b) their response to be temporarily recorded/stored (a short message
 of, say no more than 10 seconds long or when they press '#' for that
 recording to stop);
 c) Asterick then rings the nominated number for external VOIP calls
 (extension 20) and play that recorded message back;
 d) then asks for one of four possible outcomes:
 - accept this call (pressing, say 1) in which case the call is connected
 as normal;
 - reject it with a message that that number/person is unavailable
 (say, by pressing 0);
 - ask the caller to leave a message by transferring them to a voicemail
 (say by pressing 2); or
 - end the initial call completely with a message that the caller/number
 has been blacklisted (say, by pressing the 9 key);

 Could this be achieved?

 One final question about binding: in order to be able to use both tun0
 and eth1 interfaces so that Asterick serves the calls from both eth1 and
 tun0, do I have to use bind 0.0.0.0? Is there an alternative, like
 specifying bind 10.1.1.1 for eth1 and then bind 10.1.2.1 for the
 tun0 interface - is this possible?

 Many thanks in advance!

