VoIP Mailing List Archives
Mailing list archives for the VoIP community

[asterisk-users] Securing Asterisk and your network


 
jra at baylink.com
Posted: Thu Jun 12, 2008 8:53 am    Post subject: [asterisk-users] Securing Asterisk and your network

On Thu, Jun 12, 2008 at 08:41:18AM -0500, Lyle Giese wrote:
Quote:
Most recent hacks that I have first or second hand knowledge of
came from ssh issues. Most inexperienced admins will expose ssh
without using the 'allowgroups' option in their sshd_config and
will get hacked by someone logging in via ssh using a system
account with no password. The second thing to do with ssh is to
move it to another port to keep the script kiddies from pounding on
it. If there is a weak or missing password, they will find it.

This is true, and I'd forgotten to mention it.

Update your machine regularly, and always take security updates, even
if they cause breakage you have to chase down.

Additionally, you should install a brute-force-attack blocker:

http://www.la-samhna.de/library/brutessh.html

I like the tcp_wrappers version, but whatever suits you.

Quote:
An encrypted USB thumbdrive is also a good storage device for
passwords. I use TrueCrypt and have the executable available
unencrypted on the thumbdrive so I could plug it into almost any
machine and get to the encrypted data.

Though note that all currently extant hardware-secured thumbdrives are
snake oil.

I recommend Bruce Schneier's Password Safe (and not any of the other,
similarly named programs) if you feel the need to store a lot of
authentication credentials. Or get a BlackBerry and use theirs.

Cheers,
-- jra
--
Jay R. Ashworth Baylink jra at baylink.com
Designer The Things I Think RFC 2100
Ashworth & Associates http://baylink.pitas.com '87 e24
St Petersburg FL USA http://photo.imageinc.us +1 727 647 1274

Those who cast the vote decide nothing.
Those who count the vote decide everything.
-- (Joseph Stalin)

tzafrir.cohen at xorco...
Posted: Thu Jun 12, 2008 3:09 pm    Post subject: [asterisk-users] Securing Asterisk and your network

On Thu, Jun 12, 2008 at 09:53:53AM -0400, Jay R. Ashworth wrote:

Quote:
Additionally, you should install a brute-force-attack blocker:

http://www.la-samhna.de/library/brutessh.html

This is effectively another service listening. It is also a method for
an attacker to lock you out of the system.

See, for instance, http://www.ossec.net/en/attacking-loganalysis.html .

--
Tzafrir Cohen
icq#16849755 jabber:tzafrir.cohen at xorcom.com
+972-50-7952406 mailto:tzafrir.cohen at xorcom.com
http://www.xorcom.com iax:guest at local.xorcom.com/tzafrir

jra at baylink.com
Posted: Fri Jun 13, 2008 10:51 am    Post subject: [asterisk-users] Securing Asterisk and your network

On Thu, Jun 12, 2008 at 11:09:43PM +0300, Tzafrir Cohen wrote:
Quote:
Quote:
Additionally, you should install a brute-force-attack blocker:

http://www.la-samhna.de/library/brutessh.html

This is effectively another service listening. It is also a method for
an attacker to lock you out of the system.

See, for instance, http://www.ossec.net/en/attacking-loganalysis.html .

Sure; all in-band methods suffer from the possibility of becoming DoS
vectors. And yes, the fact that sshd doesn't quote that argument as it
drops it into the syslog, making it easier to see bogusness, is a bad
thing. But those log lines wouldn't fool *me*.

And if they fool your log analysis system, then its regexes aren't
written tightly enough.

And, back on point, that particular sshblocker doesn't give a damn what
sshd writes in the syslog.

And, no, it's actually not another service listening.

Cheers,
-- jra
--
Jay R. Ashworth Baylink jra at baylink.com
Designer The Things I Think RFC 2100
Ashworth & Associates http://baylink.pitas.com '87 e24
St Petersburg FL USA http://photo.imageinc.us +1 727 647 1274

Those who cast the vote decide nothing.
Those who count the vote decide everything.
-- (Joseph Stalin)

tzafrir.cohen at xorco...
Posted: Fri Jun 13, 2008 12:43 pm    Post subject: [asterisk-users] Securing Asterisk and your network

On Fri, Jun 13, 2008 at 11:51:35AM -0400, Jay R. Ashworth wrote:
Quote:
On Thu, Jun 12, 2008 at 11:09:43PM +0300, Tzafrir Cohen wrote:
Quote:
Quote:
Additionally, you should install a brute-force-attack blocker:

http://www.la-samhna.de/library/brutessh.html

This is effectively another service listening. It is also a method for
an attacker to lock you out of the system.

See, for instance, http://www.ossec.net/en/attacking-loganalysis.html .

Sure; all in-band methods suffer from the possibility of becoming DoS
vectors. And yes, the fact that sshd doesn't quote that argument as it
drops it into the syslog, making it easier to see bogusness, is a bad
thing. But those log lines wouldn't fool *me*.

And if they fool your log analysis system, then its regexes aren't
written tightly enough.

Apparently, getting the regex right is a bit trickier than people think.

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-4321
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-6302

So getting this regex right is probably a bit tricky.

Quote:

And, back on point, that particular sshblocker doesn't give a damn what
sshd writes in the syslog.

And, no, it's actually not another service listening.

It responds to external output. I can trigger it to run whenever I want.
Pretty close to a "service".

Consider e.g. a spam filter used by a mail server. It might just as well
have such remotely-exploitable security holes, if badly written. And the
attacker does not even need direct access to the system running the spam
filter.

Or Asterisk handling proxied SIP/IAX traffic.

--
Tzafrir Cohen
icq#16849755 jabber:tzafrir.cohen at xorcom.com
+972-50-7952406 mailto:tzafrir.cohen at xorcom.com
http://www.xorcom.com iax:guest at local.xorcom.com/tzafrir

jra at baylink.com
Posted: Fri Jun 13, 2008 1:05 pm    Post subject: [asterisk-users] Securing Asterisk and your network

On Fri, Jun 13, 2008 at 08:43:44PM +0300, Tzafrir Cohen wrote:
Quote:
Quote:
And if they fool your log analysis system, then its regexes aren't
written tightly enough.

Apparently, getting the regex right is a bit trickier than people think.

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-4321
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-6302

So getting this regex right is probably a bit tricky.

That can happen.

Quote:
Quote:
And, back on point, that particular sshblocker doesn't give a damn what
sshd writes in the syslog.

And, no, it's actually not another service listening.

It responds to external output. I can trigger it to run whenever I want.
Pretty close to a "service".

Except that it's invisible to the outside world; it's a side-effect of
sshd, without even its own port.

Quote:
Consider e.g. a spam filter used by a mail server. It might just as well
have such remotely-exploitable security holes, if badly written. And the
attacker does not even need direct access to the system running the spam
filter.

Or Asterisk handling proxied SIP/IAX traffic.

Sure, in general, being very particular about the taintedness of your
data is an important security practice...

Cheers,
-- jra
--
Jay R. Ashworth Baylink jra at baylink.com
Designer The Things I Think RFC 2100
Ashworth & Associates http://baylink.pitas.com '87 e24
St Petersburg FL USA http://photo.imageinc.us +1 727 647 1274

Those who cast the vote decide nothing.
Those who count the vote decide everything.
-- (Joseph Stalin)
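
The regex point argued in the posts above, as an added example that is not part of the original thread or of any blocker named in it: a loose and a tightly anchored pattern run over the same failed-login lines, showing which host a log-driven blocker would ban. The log lines, addresses, host name, patterns and the `hosts_to_block` helper are all constructed for illustration.

```python
import re
from collections import Counter

# Constructed sshd syslog lines (not from the thread). 203.0.113.7 is the real
# client in every line; the user-name field, which sshd logs unquoted, itself
# contains the text "from 192.0.2.10 port 22 ssh2".
REAL, BYSTANDER = "203.0.113.7", "192.0.2.10"
SAMPLE_LOG = [
    f"Jun 13 11:02:0{i} pbx sshd[412{i}]: Failed password for invalid user "
    f"root from {BYSTANDER} port 22 ssh2 from {REAL} port 5113{i} ssh2"
    for i in range(3)
]

# Loose: unanchored, takes the first " from <token>" after the user name.
LOOSE = re.compile(r"Failed password for (?:invalid user )?\S+ from (?P<host>\S+)")

# Tight: must match the whole line. The user field is greedy, so whatever it
# holds, the host is the last "from <IPv4> port <n>" before end of line, which
# is the part sshd appends itself.
TIGHT = re.compile(
    r"\w{3} [ \d]\d \d\d:\d\d:\d\d \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>.*) "
    r"from (?P<host>\d{1,3}(?:\.\d{1,3}){3}) port \d{1,5}(?: ssh2)?"
)

def hosts_to_block(lines, pattern, anchored, threshold=3):
    """Return the set of hosts with at least `threshold` failed logins."""
    counts = Counter()
    for line in lines:
        m = pattern.fullmatch(line) if anchored else pattern.search(line)
        if m:
            counts[m.group("host")] += 1
    return {host for host, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    print("loose:", hosts_to_block(SAMPLE_LOG, LOOSE, anchored=False))
    print("tight:", hosts_to_block(SAMPLE_LOG, TIGHT, anchored=True))
```

The loose pattern bans the address embedded in the user name, while the anchored one attributes all three failures to the connecting client and treats the embedded text as part of the user field.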

All times are GMT - 5 Hours