Difference between revisions of "Asterisk Hardening"
Latest revision as of 23:07, 17 February 2012
Asterisk (at least v1.8.8.x as packaged by Debian) is quite promiscuous, accepting network connections on all kinds of TCP and UDP sockets with a wildcard IP address:
adj@sacredchao:~$ sudo lsof -p 12888 | grep IP
asterisk 12888 asterisk 6u IPv4 1353742 0t0 TCP localhost:5038 (LISTEN)
asterisk 12888 asterisk 13u IPv4 1353748 0t0 UDP *:iax
asterisk 12888 asterisk 14u IPv4 1353756 0t0 UDP *:sip
asterisk 12888 asterisk 15u IPv4 1353757 0t0 UDP *:2727
asterisk 12888 asterisk 16u IPv4 1353758 0t0 TCP *:cisco-sccp (LISTEN)
asterisk 12888 asterisk 20u IPv4 1353763 0t0 UDP *:4520
asterisk 12888 asterisk 22u IPv4 1353764 0t0 UDP *:5000
adj@sacredchao:~$
This is a just-installed asterisk 1:1.8.8.2~dfsg-1~0.sacredchao.0. No configuration has been done. At all. Disturbing, what? Anyway, we only care about SIP here in Fnord-land, so we're going to turn all that extra stuff off. Applying this patch to /etc/asterisk/modules.conf has made it considerably less willing to talk:
--- modules.conf.dpkg-dist 2011-04-23 12:48:34.000000000 -0600 +++ modules.conf 2012-02-17 15:56:31.000000000 -0700 @@ -65,6 +65,13 @@ ; noload => res_config_odbc.so noload => res_config_pgsql.so + +; More stuff that should not be turned on by default: +noload => chan_iax2.so +noload => chan_mgcp.so +noload => chan_skinny.so +noload => chan_unistim.so +noload => pbx_dundi.so ; ; Module names listed in "global" section will have symbols globally ; exported to modules loaded after them.
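Review bot: the new noload lines carry no comment saying which wildcard listener each one removes, so a later reader has to rerun lsof to tell; suggest noting it inline on each line, e.g. `+noload => chan_skinny.so ; cisco-sccp listener`, matching the lsof output above. The manager listener on TCP 5038 is not covered by this hunk; it is bound to localhost in the lsof output, so nothing is lost, but it is the one listener left besides SIP and deserves a comment saying it is intentionally kept.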
Stop and re-start asterisk after this edit to have it take effect. Here's the lsof output after this change:
adj@sacredchao:/etc/asterisk$ sudo lsof -p 13487 | grep IP
asterisk 13487 asterisk 6u IPv4 1354416 0t0 TCP localhost:5038 (LISTEN)
asterisk 13487 asterisk 12u IPv4 1354423 0t0 UDP *:sip
adj@sacredchao:/etc/asterisk$
The SIP port is still open to the world. Here's a patch to tighten it a bit:
--- sip.conf.dpkg-dist 2012-02-17 15:28:25.000000000 -0700 +++ sip.conf 2012-02-17 16:03:26.000000000 -0700 @@ -164,7 +164,7 @@ ; depends on the operating system. On systems using glibc, AAAA records are given ; priority. -udpbindaddr=0.0.0.0 ; IP address to bind UDP listen socket to (0.0.0.0 binds to all) +udpbindaddr=172.16.0.1 ; IP address to bind UDP listen socket to (0.0.0.0 binds to all) ; Optionally add a port number, 192.168.1.1:5062 (default is port 5060) ; When a dialog is started with another SIP endpoint, the other endpoint
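Review bot: the trailing comment on the changed udpbindaddr line still reads "(0.0.0.0 binds to all)", which now describes the default rather than the value chosen; suggest saying why 172.16.0.1 was picked, e.g. `+udpbindaddr=172.16.0.1 ; internal interface only (0.0.0.0 would bind to all)`. The hunk leaves the TCP side of sip.conf untouched; the lsof output shows no SIP TCP listener, so that is consistent, but a one-line note that SIP over TCP stays disabled would make the intent explicit.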
Again, restart asterisk when done. New lsof output:
adj@sacredchao:/etc/asterisk$ sudo lsof -p 14621 -n | grep IP
asterisk 14621 asterisk 6u IPv4 1358149 0t0 TCP 127.0.0.1:5038 (LISTEN)
asterisk 14621 asterisk 12u IPv4 1358153 0t0 UDP 172.16.0.1:sip
adj@sacredchao:/etc/asterisk$
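The before/after lsof checks above can be turned into a repeatable audit. The script below is an added example, not part of the original page: it filters lsof output for sockets whose NAME column starts with "*:" (a wildcard bind) and counts them, so the same check can run after every config change or package upgrade. The function names (wildcard_listeners, count_wildcard, audit_pid) are assumptions, and the two embedded samples are constructed from the lsof output shown on this page.

```shell
#!/bin/sh
# Added example (not from the original page): flag asterisk sockets bound to
# the wildcard address, using the same lsof view as the page's before/after runs.

# Print one "<proto> <port-or-service>" line per socket whose NAME column
# (field 9 of lsof -p output) starts with "*:", i.e. is bound to 0.0.0.0/[::].
# Reads lsof output on stdin.
wildcard_listeners() {
    awk '$5 ~ /^IPv[46]$/ && $9 ~ /^\*:/ { split($9, a, ":"); print $8, a[2] }'
}

# Count wildcard-bound sockets in lsof output on stdin (prints a bare integer).
count_wildcard() {
    wildcard_listeners | awk 'END { print NR }'
}

# Live check against a running process; needs the same privileges as the
# page's "sudo lsof" runs.  -n/-P keep addresses and ports numeric.
audit_pid() {
    sudo lsof -p "$1" -n -P | wildcard_listeners
}

# Constructed sample: the lsof lines from the unconfigured install above.
SAMPLE_BEFORE='asterisk 12888 asterisk 6u IPv4 1353742 0t0 TCP localhost:5038 (LISTEN)
asterisk 12888 asterisk 13u IPv4 1353748 0t0 UDP *:iax
asterisk 12888 asterisk 14u IPv4 1353756 0t0 UDP *:sip
asterisk 12888 asterisk 15u IPv4 1353757 0t0 UDP *:2727
asterisk 12888 asterisk 16u IPv4 1353758 0t0 TCP *:cisco-sccp (LISTEN)
asterisk 12888 asterisk 20u IPv4 1353763 0t0 UDP *:4520
asterisk 12888 asterisk 22u IPv4 1353764 0t0 UDP *:5000'

# Constructed sample: the lsof lines after both patches and a restart.
SAMPLE_AFTER='asterisk 14621 asterisk 6u IPv4 1358149 0t0 TCP 127.0.0.1:5038 (LISTEN)
asterisk 14621 asterisk 12u IPv4 1358153 0t0 UDP 172.16.0.1:sip'

# Demo on the embedded samples (the test below asserts on the same values).
echo "wildcard listeners before hardening:"
printf '%s\n' "$SAMPLE_BEFORE" | wildcard_listeners
echo "count before: $(printf '%s\n' "$SAMPLE_BEFORE" | count_wildcard)"
echo "count after:  $(printf '%s\n' "$SAMPLE_AFTER" | count_wildcard)"
```

For a live box, `audit_pid "$(pidof asterisk)"` should print nothing once the hardening is in place; any line it does print is a socket still reachable from every interface and worth a noload or bind-address entry like the ones above.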
Here ends the first lesson. Don't listen for network traffic. The Internet is not a nice place.