Adj at 23:07, 17 February 2012

2012-02-17T23:07:58Z

← Older revision		Revision as of 23:07, 17 February 2012
Line 54:		Line 54:
	adj@sacredchao:/etc/asterisk$		adj@sacredchao:/etc/asterisk$

	Here ends the first lesson. Don't listen for network traffic.		Here ends the first lesson. Don't listen for network traffic. The Internet is not a nice place.

Adj: Created page with "Asterisk (at least v1.8.8.x as packaged by Debian), is quite promiscuous, accepting network connections on all kinds of TCP and UDP sockets with a wildcard IP address: adj@sacr…"

2012-02-17T23:07:31Z

Created page with "Asterisk (at least v1.8.8.x as packaged by Debian), is quite promiscuous, accepting network connections on all kinds of TCP and UDP sockets with a wildcard IP address: adj@sacr…"

New page

Asterisk (at least v1.8.8.x as packaged by Debian), is quite promiscuous, accepting network connections on all kinds of TCP and UDP sockets with a wildcard IP address:

adj@sacredchao:~$ sudo lsof -p 12888 | grep IP
asterisk 12888 asterisk 6u IPv4 1353742 0t0 TCP localhost:5038 (LISTEN)
asterisk 12888 asterisk 13u IPv4 1353748 0t0 UDP *:iax
asterisk 12888 asterisk 14u IPv4 1353756 0t0 UDP *:sip
asterisk 12888 asterisk 15u IPv4 1353757 0t0 UDP *:2727
asterisk 12888 asterisk 16u IPv4 1353758 0t0 TCP *:cisco-sccp (LISTEN)
asterisk 12888 asterisk 20u IPv4 1353763 0t0 UDP *:4520
asterisk 12888 asterisk 22u IPv4 1353764 0t0 UDP *:5000
adj@sacredchao:~$

This is a just-installed asterisk 1:1.8.8.2~dfsg-1~0.sacredchao.0. No configuration has been done. At all. Disturbing, what? Anyway, we only care about SIP here in Fnord-land, so we're going to turn all that extra stuff off. Applying this patch to /etc/asterisk/modules.conf has made it considerable less willing to talk:
--- modules.conf.dpkg-dist 2011-04-23 12:48:34.000000000 -0600
+++ modules.conf 2012-02-17 15:56:31.000000000 -0700
@@ -65,6 +65,13 @@
;
noload => res_config_odbc.so
noload => res_config_pgsql.so
+
+; More stuff that should not be turned on by default:
+noload => chan_iax2.so
+noload => chan_mgcp.so
+noload => chan_skinny.so
+noload => chan_unistim.so
+noload => pbx_dundi.so
;
; Module names listed in "global" section will have symbols globally
; exported to modules loaded after them.

Stop and re-start asterisk after this edit to have it take effect. Here's the lsof output after this change:
adj@sacredchao:/etc/asterisk$ sudo lsof -p 13487 | grep IP
asterisk 13487 asterisk 6u IPv4 1354416 0t0 TCP localhost:5038 (LISTEN)
asterisk 13487 asterisk 12u IPv4 1354423 0t0 UDP *:sip
adj@sacredchao:/etc/asterisk$

The SIP port is still open to the world. Here's a patch to tighten it a bit:
--- sip.conf.dpkg-dist 2012-02-17 15:28:25.000000000 -0700
+++ sip.conf 2012-02-17 16:03:26.000000000 -0700
@@ -164,7 +164,7 @@
; depends on the operating system. On systems using glibc, AAAA records are given
; priority.

-udpbindaddr=0.0.0.0 ; IP address to bind UDP listen socket to (0.0.0.0 binds to all)
+udpbindaddr=172.16.0.1 ; IP address to bind UDP listen socket to (0.0.0.0 binds to all)
; Optionally add a port number, 192.168.1.1:5062 (default is port 5060)

; When a dialog is started with another SIP endpoint, the other endpoint

Again, restart asterisk when done. New lsof output:
adj@sacredchao:/etc/asterisk$ sudo lsof -p 14621 -n | grep IP
asterisk 14621 asterisk 6u IPv4 1358149 0t0 TCP 127.0.0.1:5038 (LISTEN)
asterisk 14621 asterisk 12u IPv4 1358153 0t0 UDP 172.16.0.1:sip
adj@sacredchao:/etc/asterisk$

Here ends the first lesson. Don't listen for network traffic.

Asterisk Hardening - Revision history

Adj at 23:07, 17 February 2012

Adj: Created page with "Asterisk (at least v1.8.8.x as packaged by Debian), is quite promiscuous, accepting network connections on all kinds of TCP and UDP sockets with a wildcard IP address: adj@sacr…"