> The best thing to do is to use a known security model. I'm thinking
> about Linux vs SeLinux which is a security layer over linux. So, why
> don't we have the classic asterisk product and a
> asterisk-security-enhanced module that will, if enabled, analyze and
> block all security holes.
Blocking all KNOWN security holes is one thing. Blocking ALL security
holes is impossible.
Using SeLinux still relies on one knowing which boxes to check and
uncheck, what happens when you check or uncheck a box, and how to
configure it to be secure. Besides, it's overkill if you are running an
Asterisk box.
* Firewall: block everything, allow 5060, 10000-20000, 22
* Anti-brute force tools
* SSH with keys ONLY
* secure, random, long passwords
* keep software and OS up to date
That's it.
(maybe open a few other ports, depending on your config; AGI, Manager,
etc, but those should be IP restricted AND have really good passwords
where applicable).
Beckman
---------------------------------------------------------------------------
Peter Beckman Internet Guy
beckman@angryox.com http://www.angryox.com/
---------------------------------------------------------------------------
_______________________________________________
--Bandwidth and Colocation Provided by http://www.api-digital.com--
asterisk-biz mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-biz
Posts
No comments:
Post a Comment