VoIP Mailing List Archives
Mailing list archives for the VoIP community |
voipsw at gmail.com Guest
|
Posted: Tue May 20, 2008 3:41 am Post subject: [asterisk-users] (Newbie)How to reduce security risks in ope |
|
|
Please direct me to any useful links to help secure my asterisk server once
these ports are opened.
Thanks
Shaun |
|
|
|
tzafrir.cohen at xorco... Guest
|
Posted: Tue May 20, 2008 4:03 am Post subject: [asterisk-users] (Newbie)How to reduce security risks in ope |
|
|
On Tue, May 20, 2008 at 10:41:28AM +0200, Shaun Wingrin wrote:
Quote: | Please direct me to any useful links to help secure my asterisk server once
these ports are opened.
|
http://search.yahoo.com/search?p=secure+asterisk+server
http://www.google.com/search?q=secure+asterisk+server
Now, do some basic reading and provide us the relevant information so we
can give you a more informed answer.
First and foremost: what are the threats? In what environment (LAN/WAN)
does it run? How much control do you have over the network?
What do you actually need it to do? What extra services must be run on
the same box besides Asterisk?
What Linux(?) distribution do you use? (read its relevant documentation
as well).
--
Tzafrir Cohen
icq#16849755 jabber:tzafrir.cohen at xorcom.com
+972-50-7952406 mailto:tzafrir.cohen at xorcom.com
http://www.xorcom.com iax:guest at local.xorcom.com/tzafrir |
|
|
|
rj2807 at gmail.com Guest
|
Posted: Tue May 20, 2008 5:46 am Post subject: [asterisk-users] (Newbie)How to reduce security risks in ope |
|
|
One way to make the system more secure would be by not opening these ports
statically in Linux iptables. I have not tested this, but Linux iptables
have shipped with ip_nat_sip and ip_conntrack_sip modules since kernel
version 2.6.18. With these modules, Linux iptables will act as a SIP-aware
NAT that opens the ports dynamically depending on what's exchanged in the
signaling.
--
Raj Jain
On Tue, May 20, 2008 at 4:41 AM, Shaun Wingrin <voipsw at gmail.com> wrote:
|
|
tzafrir.cohen at xorco... Guest
|
Posted: Tue May 20, 2008 6:11 am Post subject: [asterisk-users] (Newbie)How to reduce security risks in ope |
|
|
On Tue, May 20, 2008 at 06:46:49AM -0400, Raj Jain wrote:
Quote: | One way to make the system more secure would be by not opening these ports
statically in Linux iptables. I have not tested this, but Linux iptables
have shipped with ip_nat_sip and ip_conntrack_sip modules since kernel
version 2.6.18. With these modules, Linux iptables will act as a SIP-aware
NAT that opens the ports dynamically depending on what's exchanged in the
signaling.
|
Err... and if you want to allow someone to connect to UDP port 5060 of
your box, what iptables trick should you use?
--
Tzafrir Cohen
icq#16849755 jabber:tzafrir.cohen at xorcom.com
+972-50-7952406 mailto:tzafrir.cohen at xorcom.com
http://www.xorcom.com iax:guest at local.xorcom.com/tzafrir |
|
|
|
rj2807 at gmail.com Guest
|
Posted: Tue May 20, 2008 6:37 am Post subject: [asterisk-users] (Newbie)How to reduce security risks in ope |
|
|
On Tue, May 20, 2008 at 7:11 AM, Tzafrir Cohen <tzafrir.cohen at xorcom.com> wrote:
Quote: |
On Tue, May 20, 2008 at 06:46:49AM -0400, Raj Jain wrote:
Quote: | One way to make the system more secure would be by not opening these ports
statically in Linux iptables. I have not tested this, but Linux iptables
have shipped with ip_nat_sip and ip_conntrack_sip modules since kernel
version 2.6.18. With these modules, Linux iptables will act as a SIP-aware
NAT that opens the ports dynamically depending on what's exchanged in the
signaling.
|
Err... and if you want to allow someone to connect to UDP port 5060 of
your box, what iptables trick should you use?
|
My comment was about RTP/RTCP ports (I should have been clearer). SIP
signaling ports will have to be opened statically. Although, for added
security you could open the port as symmetric if you know the ip/port
of "someone" that wants to connect to you as opposed to opening it in
a full-cone way. Also, I'm curious as to what experience others have
had with ip_nat_sip and ip_conntrack_sip modules. Do they really work?
--
Raj Jain |
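
The arrangement discussed in this thread, as an added example that is not part of any poster's message: SIP signaling on UDP 5060 is opened statically but only to known peer addresses, and RTP/RTCP is admitted only as RELATED traffic created by the SIP conntrack helper. Assumptions not taken from the thread: IPv4 peers matched on source address only, the helper is attached with the `CT` target under the name `sip`, and the peer address used is a constructed documentation value.

```shell
#!/bin/sh
# Added example: print an iptables-restore ruleset for an Asterisk host.
# Assumed: IPv4 peers, SIP on UDP 5060, conntrack helper "sip" available
# (module ip_conntrack_sip on 2.6.18-era kernels, nf_conntrack_sip later).

is_ipv4() {
    case "$1" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

sip_ruleset() {
    # Refuse an empty or malformed peer list rather than emit a ruleset
    # that is wider (or more broken) than intended.
    [ "$#" -gt 0 ] || { echo "usage: sip_ruleset PEER_IP..." >&2; return 2; }
    for peer in "$@"; do
        is_ipv4 "$peer" || { echo "not an IPv4 address: $peer" >&2; return 2; }
    done

    # raw table: attach the SIP helper explicitly. Newer kernels do not
    # assign helpers automatically; older ones did so by port.
    printf '%s\n' '*raw' ':PREROUTING ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]'
    for peer in "$@"; do
        printf '%s\n' "-A PREROUTING -s $peer -p udp --dport 5060 -j CT --helper sip"
        printf '%s\n' "-A OUTPUT -d $peer -p udp --dport 5060 -j CT --helper sip"
    done
    printf '%s\n' 'COMMIT'

    # filter table: default drop, signaling accepted only from known peers.
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    # RTP/RTCP flows negotiated in SDP arrive as RELATED: no static media range.
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    for peer in "$@"; do
        printf '%s\n' "-A INPUT -s $peer -p udp --dport 5060 -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Management access (e.g. SSH from an admin address) is deliberately not
    # included; add it before loading or the default DROP will lock you out.
    printf '%s\n' 'COMMIT'
}

# Constructed sample peer (TEST-NET-3 documentation address).
sip_ruleset 203.0.113.10
```

Pipe the output to `iptables-restore --test` to have it parsed without being committed.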
|