Asterisk Hardening

From FnordWiki

Asterisk (at least v1.8.8.x as packaged by Debian) is quite promiscuous, accepting network connections on all kinds of TCP and UDP sockets bound to a wildcard IP address:

adj@sacredchao:~$ sudo lsof -p 12888 | grep IP
asterisk 12888 asterisk    6u  IPv4            1353742      0t0     TCP localhost:5038 (LISTEN)
asterisk 12888 asterisk   13u  IPv4            1353748      0t0     UDP *:iax 
asterisk 12888 asterisk   14u  IPv4            1353756      0t0     UDP *:sip 
asterisk 12888 asterisk   15u  IPv4            1353757      0t0     UDP *:2727 
asterisk 12888 asterisk   16u  IPv4            1353758      0t0     TCP *:cisco-sccp (LISTEN)
asterisk 12888 asterisk   20u  IPv4            1353763      0t0     UDP *:4520 
asterisk 12888 asterisk   22u  IPv4            1353764      0t0     UDP *:5000 
adj@sacredchao:~$ 

This is a just-installed asterisk 1:1.8.8.2~dfsg-1~0.sacredchao.0. No configuration has been done. At all. Disturbing, what? Anyway, we only care about SIP here in Fnord-land, so we're going to turn all that extra stuff off. Applying this patch to /etc/asterisk/modules.conf has made it considerably less willing to talk:

--- modules.conf.dpkg-dist      2011-04-23 12:48:34.000000000 -0600
+++ modules.conf        2012-02-17 15:56:31.000000000 -0700
@@ -65,6 +65,13 @@
 ;
 noload => res_config_odbc.so
 noload => res_config_pgsql.so
+
+; More stuff that should not be turned on by default:
+noload => chan_iax2.so
+noload => chan_mgcp.so
+noload => chan_skinny.so
+noload => chan_unistim.so
+noload => pbx_dundi.so
 ;
 ; Module names listed in "global" section will have symbols globally
 ; exported to modules loaded after them.
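Review bot: the comment "More stuff that should not be turned on by default" does not say what each noload line is disabling, so a future reader cannot tell which listener in the lsof output goes with which module; spell it out next to each entry, e.g. `; chan_iax2.so - IAX2, UDP *:iax` and `; chan_mgcp.so - MGCP, UDP *:2727`, so that the "after" lsof listing can be checked line by line against this block. Note also that `noload =>` only suppresses a module that autoload would otherwise pick up; it does nothing for a module that is pulled in by an explicit `load =>` line elsewhere in the file, so grep the rest of modules.conf for these five names after applying the patch.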

Stop and re-start asterisk after this edit to have it take effect. Here's the lsof output after this change:

adj@sacredchao:/etc/asterisk$ sudo lsof -p 13487 | grep IP
asterisk 13487 asterisk    6u  IPv4            1354416      0t0     TCP localhost:5038 (LISTEN)
asterisk 13487 asterisk   12u  IPv4            1354423      0t0     UDP *:sip 
adj@sacredchao:/etc/asterisk$

The SIP port is still open to the world. Here's a patch to tighten it a bit:

--- sip.conf.dpkg-dist  2012-02-17 15:28:25.000000000 -0700
+++ sip.conf    2012-02-17 16:03:26.000000000 -0700
@@ -164,7 +164,7 @@
 ; depends on the operating system. On systems using glibc, AAAA records are given
 ; priority.
 
-udpbindaddr=0.0.0.0             ; IP address to bind UDP listen socket to (0.0.0.0 binds to all)
+udpbindaddr=172.16.0.1          ; IP address to bind UDP listen socket to (0.0.0.0 binds to all)
                                 ; Optionally add a port number, 192.168.1.1:5062 (default is port 5060)
 
 ; When a dialog is started with another SIP endpoint, the other endpoint
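Review bot: pinning `udpbindaddr` to a single interface address (172.16.0.1) means chan_sip fails to create its socket if that address is not configured at the moment Asterisk starts, for example when the interface comes up later in the boot sequence; document that dependency in the trailing comment, which still reads as the stock "(0.0.0.0 binds to all)" text and no longer describes the chosen value. The hunk changes only the UDP bind address; if SIP over TCP is ever enabled in this file, the corresponding TCP bind setting needs the same treatment or the wildcard listener comes back.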

Again, restart asterisk when done. New lsof output:

adj@sacredchao:/etc/asterisk$ sudo lsof -p 14621 -n | grep IP
asterisk 14621 asterisk    6u  IPv4            1358149      0t0     TCP 127.0.0.1:5038 (LISTEN)
asterisk 14621 asterisk   12u  IPv4            1358153      0t0     UDP 172.16.0.1:sip 
adj@sacredchao:/etc/asterisk$
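
A small added check (not part of the original wiki page) that scans `lsof` output for sockets bound to every interface, using the before and after listings above as constructed sample input; `check_running` assumes `pgrep`, `lsof` and `sudo` are available.

```shell
#!/bin/sh
# Added example, not from the original page: flag sockets that an lsof listing
# shows bound to a wildcard address ("*:" or "0.0.0.0:"), the exposure the
# modules.conf and sip.conf changes above are meant to remove.
# Sample listings are constructed to match the page's `lsof -p PID | grep IP` format.

BEFORE='asterisk 12888 asterisk    6u  IPv4            1353742      0t0     TCP localhost:5038 (LISTEN)
asterisk 12888 asterisk   13u  IPv4            1353748      0t0     UDP *:iax
asterisk 12888 asterisk   14u  IPv4            1353756      0t0     UDP *:sip
asterisk 12888 asterisk   15u  IPv4            1353757      0t0     UDP *:2727
asterisk 12888 asterisk   16u  IPv4            1353758      0t0     TCP *:cisco-sccp (LISTEN)
asterisk 12888 asterisk   20u  IPv4            1353763      0t0     UDP *:4520
asterisk 12888 asterisk   22u  IPv4            1353764      0t0     UDP *:5000'

AFTER='asterisk 14621 asterisk    6u  IPv4            1358149      0t0     TCP 127.0.0.1:5038 (LISTEN)
asterisk 14621 asterisk   12u  IPv4            1358153      0t0     UDP 172.16.0.1:sip'

# Read lsof lines (COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME) on stdin
# and print "PROTO ADDRESS" for every IPv4/IPv6 socket bound to a wildcard address.
wildcard_sockets() {
    awk '$5 ~ /^IPv[46]$/ && $9 ~ /^(\*|0\.0\.0\.0):/ { print $8, $9 }'
}

# Number of wildcard sockets in a listing passed as $1; 0 means nothing listens on all interfaces.
count_wildcard() {
    printf '%s\n' "$1" | wildcard_sockets | wc -l | tr -d ' '
}

# Live check against the running asterisk (hypothetical helper; needs pgrep, lsof, sudo).
check_running() {
    pid=$(pgrep -o -x asterisk) || { echo "asterisk is not running" >&2; return 1; }
    sudo lsof -n -P -p "$pid" | wildcard_sockets
}

if [ "${1:-}" = "--live" ]; then
    check_running
else
    echo "before hardening: $(count_wildcard "$BEFORE") wildcard socket(s)"
    printf '%s\n' "$BEFORE" | wildcard_sockets
    echo "after hardening:  $(count_wildcard "$AFTER") wildcard socket(s)"
fi
```

Run it with `--live` on the PBX itself to confirm that the only remaining sockets are the ones you deliberately bound to a specific address.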

Here ends the first lesson. Don't listen for network traffic. The Internet is not a nice place.