Asterisk Hardening

From FnordWiki
Revision as of 23:07, 17 February 2012 by Adj (talk | contribs)

Asterisk (at least v1.8.8.x as packaged by Debian) is quite promiscuous, accepting network connections on all kinds of TCP and UDP sockets bound to the wildcard IP address:

adj@sacredchao:~$ sudo lsof -p 12888 | grep IP
asterisk 12888 asterisk    6u  IPv4            1353742      0t0     TCP localhost:5038 (LISTEN)
asterisk 12888 asterisk   13u  IPv4            1353748      0t0     UDP *:iax 
asterisk 12888 asterisk   14u  IPv4            1353756      0t0     UDP *:sip 
asterisk 12888 asterisk   15u  IPv4            1353757      0t0     UDP *:2727 
asterisk 12888 asterisk   16u  IPv4            1353758      0t0     TCP *:cisco-sccp (LISTEN)
asterisk 12888 asterisk   20u  IPv4            1353763      0t0     UDP *:4520 
asterisk 12888 asterisk   22u  IPv4            1353764      0t0     UDP *:5000 
adj@sacredchao:~$ 

This is a just-installed asterisk 1:1.8.8.2~dfsg-1~0.sacredchao.0. No configuration has been done. At all. Disturbing, what? Anyway, we only care about SIP here in Fnord-land, so we're going to turn all that extra stuff off. Applying this patch to /etc/asterisk/modules.conf has made it considerably less willing to talk:

--- modules.conf.dpkg-dist      2011-04-23 12:48:34.000000000 -0600
+++ modules.conf        2012-02-17 15:56:31.000000000 -0700
@@ -65,6 +65,13 @@
 ;
 noload => res_config_odbc.so
 noload => res_config_pgsql.so
+
+; More stuff that should not be turned on by default:
+noload => chan_iax2.so
+noload => chan_mgcp.so
+noload => chan_skinny.so
+noload => chan_unistim.so
+noload => pbx_dundi.so
 ;
 ; Module names listed in "global" section will have symbols globally
 ; exported to modules loaded after them.
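Review bot: the new comment "More stuff that should not be turned on by default" should say which listener each noload line removes, so the reader can match this hunk to the lsof listing above: chan_iax2 owns the `UDP *:iax` socket, chan_mgcp the `UDP *:2727` one, chan_skinny the `TCP *:cisco-sccp` listener, chan_unistim `UDP *:5000` and pbx_dundi `UDP *:4520`. Nothing in the hunk touches the manager interface on `TCP localhost:5038`, which is why it survives in the post-change listing; it is loopback-only, but a one-line comment saying it is deliberately left alone would save the next editor from wondering whether it was missed.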

Stop and re-start asterisk after this edit to have it take effect. Here's the lsof output after this change:

adj@sacredchao:/etc/asterisk$ sudo lsof -p 13487 | grep IP
asterisk 13487 asterisk    6u  IPv4            1354416      0t0     TCP localhost:5038 (LISTEN)
asterisk 13487 asterisk   12u  IPv4            1354423      0t0     UDP *:sip 
adj@sacredchao:/etc/asterisk$

The SIP port is still open to the world. Here's a patch to tighten it a bit:

--- sip.conf.dpkg-dist  2012-02-17 15:28:25.000000000 -0700
+++ sip.conf    2012-02-17 16:03:26.000000000 -0700
@@ -164,7 +164,7 @@
 ; depends on the operating system. On systems using glibc, AAAA records are given
 ; priority.
 
-udpbindaddr=0.0.0.0             ; IP address to bind UDP listen socket to (0.0.0.0 binds to all)
+udpbindaddr=172.16.0.1          ; IP address to bind UDP listen socket to (0.0.0.0 binds to all)
                                 ; Optionally add a port number, 192.168.1.1:5062 (default is port 5060)
 
 ; When a dialog is started with another SIP endpoint, the other endpoint
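Review bot: the replacement line keeps the sample's trailing comment "(0.0.0.0 binds to all)" verbatim, so the diff never says why 172.16.0.1 was chosen; a short comment that this is the LAN-facing interface address, and that the bind will fail at startup if that address is ever removed from the interface, belongs on the `+` line. The hunk only pins `udpbindaddr`; if `tcpenable` is ever switched on, `tcpbindaddr` needs the same treatment, so it is worth pinning it in the same change rather than leaving a wildcard TCP listener waiting to reappear.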

Again, restart asterisk when done. New lsof output:

adj@sacredchao:/etc/asterisk$ sudo lsof -p 14621 -n | grep IP
asterisk 14621 asterisk    6u  IPv4            1358149      0t0     TCP 127.0.0.1:5038 (LISTEN)
asterisk 14621 asterisk   12u  IPv4            1358153      0t0     UDP 172.16.0.1:sip 
adj@sacredchao:/etc/asterisk$
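Rather than eyeballing the lsof output after every restart, the check can be scripted. The following is an added example, not code from the wiki or from the Asterisk project: it parses lsof-style socket lines, reports anything still bound to the wildcard address, and exits non-zero so it can gate a restart. The sample lines are constructed to mirror the listings above; the live invocation in the comment assumes lsof is installed and the process is named `asterisk`.

```sh
#!/bin/sh
# Constructed sample lines in the layout of `lsof -p <pid> | grep IP` from the
# page (not real captures): the untouched install, then the hardened state.
SAMPLE_BEFORE='asterisk 12888 asterisk    6u  IPv4  1353742  0t0  TCP localhost:5038 (LISTEN)
asterisk 12888 asterisk   13u  IPv4  1353748  0t0  UDP *:iax
asterisk 12888 asterisk   14u  IPv4  1353756  0t0  UDP *:sip
asterisk 12888 asterisk   15u  IPv4  1353757  0t0  UDP *:2727
asterisk 12888 asterisk   16u  IPv4  1353758  0t0  TCP *:cisco-sccp (LISTEN)
asterisk 12888 asterisk   20u  IPv4  1353763  0t0  UDP *:4520
asterisk 12888 asterisk   22u  IPv4  1353764  0t0  UDP *:5000'
SAMPLE_AFTER='asterisk 14621 asterisk    6u  IPv4  1358149  0t0  TCP 127.0.0.1:5038 (LISTEN)
asterisk 14621 asterisk   12u  IPv4  1358153  0t0  UDP 172.16.0.1:sip'

# wildcard_listeners: read lsof lines on stdin and print "PROTO PORT" for every
# socket bound to the wildcard address, i.e. reachable on every interface.
# Field 8 is lsof's NODE column (TCP/UDP) and field 9 its NAME column
# (addr:port); the header line and non-socket lines never match. Accepts the
# "*" form lsof prints (with or without -n) plus "0.0.0.0" and "[::]".
# Always exits 0 so it can feed a command substitution under set -e.
wildcard_listeners() {
    awk '$8 ~ /^(TCP|UDP)$/ && $9 ~ /^(\*|0\.0\.0\.0|\[::\]):/ {
             sub(/.*:/, "", $9); print $8, $9 }'
}

# check_no_wildcard: post-restart gate. Returns 1 and lists the offenders on
# stderr if any wildcard-bound socket remains, 0 if every socket is pinned to
# a specific address. Live use (assumes lsof and a process named asterisk):
#   sudo lsof -n -i -c asterisk | check_no_wildcard
check_no_wildcard() {
    found=$(wildcard_listeners)
    if [ -n "$found" ]; then
        printf 'still bound to the wildcard address:\n%s\n' "$found" >&2
        return 1
    fi
    return 0
}

# Demonstration on the constructed samples: six sockets before, none after.
echo "before hardening:"; printf '%s\n' "$SAMPLE_BEFORE" | wildcard_listeners
echo "after hardening:";  printf '%s\n' "$SAMPLE_AFTER"  | wildcard_listeners
```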

Here ends the first lesson. Don't listen for network traffic. The Internet is not a nice place.