SlideShare una empresa de Scribd logo

Asterisksecuritykingasterisk 130723131448-phpapp01

Descargar como PPT, PDF
King Astreisk Technologies
King Astreisk Technologies

About Asterisk Information

EducaciónTecnología
1 de 81
Asterisk Stability & Security with kingasterisk Protect your investment www.kingasterisk.com Skype : kingasterisk
Introduction  What if the server goes down ?  What if someone hacks into your 8 e1 asterisk server and makes calls to inmarsat ?  Inmarsat : 5 euro / min. In 24 hours, on 8 e1s  1728000 euro
Overview  Asterisk Performance Update  Asterisk Stability  Asterisk Security  Asterisk Monitoring
Asterisk Performance Update  Updates since Astricon 2004: - Smaller memory footprint - Less file descriptors used - Memory leaks found / removed - Less RTP ports opened - Codec optimizations (especially Speex) - Hardware echo canceller - FastAGI - Realtime - Remote MOH - ds3000 / te411p - Channel walk optimization
Astertest Testlab
Astertest Cables
Overview  Asterisk Performance Update  Asterisk Stability  Asterisk server monitoring  Asterisk Security
Asterisk Stability  Hardware reliability  Software stability
Asterisk Stability – Hardware Reliability  What is the cost of having no PBX service for your company ?  What if you are an ISP and your customers can’t dial out ?
Asterisk Stability – Hardware Reliability  What if you experience: - power outage ? - a broken HD ? - a broken Zaptel card ? - a broken server ? - no Internet connectivity ?
Asterisk Stability – Hardware Reliability  Power outage:  Traditional phones are self powered. Solution: use a UPS to power the (PoE) phones, the switches, PBX, modem, router,…  If you have a low power PBX, the phone system could run for hours on a small UPS.  Don’t use Ethernet over power for mission critical phone lines.
Asterisk Stability – Hardware Reliability  A broken HD ?  Use raid > 0  SCSI has a bigger mean time to failure.  Flashdisks, realtime, netboot, live CD’s.
Asterisk Stability – Hardware Reliability  A broken Zaptel card or a broken server ?  Make sure you have a replacement, (maybe even hot standby) with all the modules you need, jumpers already set,…
Asterisk Stability – Hardware Reliability  No Internet connectivity ?  Spare router / modem / switch ?  Failover Internet connection ?  Failover to / from PSTN ?
Label all cables!!
Asterisk Stability / Quality Updates Software related since Astricon ‘04  Real CVS-stable / CVS-head (Thanks Russell!)  Major cleanups / code audits.  New h323 channel coming (chan_ooh323)  Packet Loss Concealment  IAX2 / SIP jitter buffer (mantis 3854)  A lot of libpri, chan_sip, chan_h323 changes for    better compatibility / stability. DUNDi (easier load balancing with round robin DNS) OSP Kernel 2.6.11.x
Changes in hardware reliability  New Zaptel hardware (te411p, te4xxp, TDM, IAXy2, …).  New drivers with a lot of bug fixes and optimizations.  End of life for x100p and Tormenta cards.  Hardware echo cancellers -> lower CPU load -> more calls it can handle before asterisk turns unstable.
* reliability / stability recommendations  Use decent but not exotic hardware  Put Zaptel on a different PCI-bus than Nics and      video cards. Read tutorials on interrupts, APIC and other common problems. Load test your setup Design a failover system Noload unused modules Use recent firmware Zaptel cards
* reliability / stability recommendations  Use a stable Asterisk version.  Take a common OS -> Linux.  Test software upgrades in a test lab.  Stay away from experimental Asterisk modules -> h323, skinny.  Don’t patch production Asterisk servers.  Keep your old Asterisk binaries after an upgrade for easy restore of known working versions.
Overview  Asterisk Performance Update  Asterisk Stability  Asterisk server monitoring  Asterisk Security
Asterisk server monitoring  NAGIOS   http://karlsbakk.net/asterisk/  http://megaglobal.net/docs/asterisk/html/asteri  Argus: http://argus.tcp4me.com/  SNMP: http://www.faino.it/en/asterisk.html
Overview  Asterisk Performance Update  Asterisk Stability  Asterisk server monitoring  Asterisk Security
Asterisk Security  Asterisk Configuration stupidity  Asterisk hardening  Privacy protection
Asterisk Configuration Stupidity  Dial plan security  SIP.conf  IAX2.conf  Manager.conf  Billing problems
Dial plan security  - Extension hopping  - CallerID based protections  - _.  - Demo context  - User access to the dial plan  - Be careful with the default context  - Limit simultaneous calls
Extension hopping  User can reach ANY extension in the current context: [internal] exten => intro,1,Background(question); exten => 1,spanish,Goto(Spanish) exten => 2,english,Goto(English) exten => _XX.,1,Dial(ZAP/g1/${EXTEN});
CallerID based protection exten => _X.,1,GotoIf($[“$ {CALLERIDNUM}”=“32134”?3); exten => _X.,2,Hangup(); exten => _X.,3,Dial(${EXTEN});  When not explicitly defined for each user/channel in zapata.conf, sip.conf, iax.conf, the user can choose his own CallerID!
Inappropriate use of _.  _. Would match EVERYTHING! (also fax, hang up, invalid, timeout,….) Example: exten => _.,1,Playback(blah); exten => _.,2,Hangup;  Causing a FAST LOOP. (changed in CVS-head)
demo context  Not a real security risk  But… Someone might play with your system and use up your bandwidth, make prank calls to Digium, make Mark Spencer very unhappy and cause him to introduce you to a very big shotgun…
User access to the dialplan  - AMP and other GUI’s might allow the ISP’s user to change a dial plan in his own context. E.g.: hosted PBX’s  - Goto / GotoIf / dial(Local/…) -> context hopping.  - System -> could do anything
Default context  Example: [default] Include outgoing; Include internal; OH OH OH, guest calls will go to the default context!!!!!
Context usage:  A call has two legs, the used context is the context defined for that user/channel in the config file for that protocol. E.g: - Zap to sip call: context set in zapata.conf is used - SIP to IAX2 call: context in sip.conf is used
Context usage:  In sip.conf, zapata.conf, iax2.conf… A default context is defined, if there is no specific context setting for this channel or user, than the default context is used!
Limit simultaneous calls  Sometimes you don’t want a user to make multiple simultaneous calls.  E.g.: prepay / calling cards Solution: setgroup, checkgroup (don’t trust incominglimit.) exten => s,1,SetGroup(${CALLERIDNUM}) exten => s,2,CheckGroup(1) Only good if the CallerID cannot be spoofed !!!! Consider using accountcode for this.
Sip.conf               Default context Bindport, bindhost, bindip [username] vs username= Permit, deny, mask Insecure=yes, very, no User vs peer vs friend Allowguest Autocreatepeer Pedantic Ospauth Realm Md5secret User authentication logic Username= vs [username]
Bindport, bindhost,bindip  If you only use sip for internal calls, don’t put bindip=0.0.0.0 but limit it to the internal IP.  Changing the bindport to a non 5060 port might save you from portscan sweeps for this port.
Permit, deny, mask  Disallow everything, then allow per user the allowed hosts or ranges. (Multiple are allowed.)
SIP.conf – insecure option Insecure = …  No: the default, always ask for authentication  Yes: To match a peer based by IP address only    and not peer. Insecure=very ; allows registered hosts to call without re-authenticating, by ip address Insecure=port; we don’t care if the portnumber is different than when they registered Insecure=invite; every invite is accepted.
User vs Peer vs Friend in SIP  USER: never registers only makes calls  PEER: can register + can make calls. [user1] type=user [user1] type=peer Is allowed and the same as type=friend if the other parameters are identical!!!
Allowguest =…  True: unauthenticated users will arrive in the default context as defined in sip.conf  False: unauthenticated users will get a permission denied error message.  OSP: to allow guest access for voip traffic coming from an OSP server.
autocreatepeer  The autocreatepeer option allows, if set to Yes, any SIP UA to register with your Asterisk PBX as a peer. This peer's settings will be based on global options. The peer's name will be based on the user part of the Contact: header field's URL.  This is of course a very high security risk if you haven't got control of access to your server. © Olle
Pedantic  Defaults to pedantic=no  If enabled, this might allow a denial of service by sending a lot of invites, causing a lot of (slow) DNS lookups.
Realm  Realm=Asterisk; Realm for digest authentication ; Defaults to “Asterisk" ; Realms MUST be globally unique according to RFC 3261 ; Set this to your host name or domain name
How is authentication done?  chan_sip.c: /* Whoever came up with the authentication section of SIP can suck my %*!#$ for not putting an example in the spec of just what it is you're doing a hash on. */
How is authentication done?  Look at FROM header in SIP message for the username: -> browse sip.conf for a type=user with that username If found -> check the md5 If not found, -> browse sip.conf for a type=peer with that username -> browse sip.conf for an (registered) IP where the request is coming from if insecure=very, no more checks are done if insecure=port, if they are willing to authenticate, even if they are calling from a different port than they registered with. (used for NAT not using the same port number every time). otherwise, check the md5 + allow/deny.   If no peer found ? do we allow guest access (allowguest=true ?) Yes? OK, allow send it to the default context, if not reject.
Secret vs md5secret  With SIP all passwords are md5 encrypted when sending the packets, but are stored in plaintext in sip.conf  [user]  Secret=blabla
Secret vs md5secret  echo - n "<user>:<realm>:<secret>" | md5sum  E.g.: echo -n "user:asterisk:blabla" | md5sum e1b588233e4bc8645cc0da24d8cb848d [user] md5secret=e1b588233e4bc8645cc0da24d8cb848d
Username= vs [username]  [username] is for authentication a client connecting to asterisk. Username=… is to have your asterisk server authenticate to another SIP server.
Iax.conf  auth=plaintext,md5,rsa  User authentication logic  Default context  [username] vs username=  Permit, deny, mask  Bindport, bindhost, bindip  User vs peer vs friend
iax.conf - auth  Plaintext: passes are sent in plaintext  Md5: encrypt the password with md5  RSA: use public key / private key – uses AES.
User vs Peer vs friend  USER: can only accept calls  PEER: can only make calls  FRIEND: can do both [user1] type=user [user1] type=peer Is allowed!!!
How is authentication done?  In iax2: (cvs-head!!) Pseudocode: Is username supplied ? -> yes -> matched against iax.conf users starting bottom to top. user found ? -> yes : is IP in allowed / disallowed list ? yes –> does password match ? yes -> does requested context match a context=… line? -> no -> is a password given ? -> yes : Asterisk will look bottom to top for a user with this password, -> if the context matches, or there is no context specified, and the host is in the allowed lists (allow / deny) then the call is accepted. -> no: Asterisk will look bottom to top for a user without password. -> if the context matches, or there is no context specified, and the host is in the allowed lists (allow / deny) then the call is accepted.
 Add a last entry in iax.conf with no password to force nosecret access into a specific context.  If you use realtime, don’t have any user without a password and without permit/deny.
Manager.conf [general] enabled = yes port = 5038 bindaddr = 0.0.0.0 [zoa] secret = blabla deny=0.0.0.0/0.0.0. permit=221.17.246.77/255.255.255.0 permit=127.0.0.1/255.255.255.0 read = system,call,log,verbose,command,agent,user write = system,call,log,verbose,command,agent,user
Manager.conf  No encryption is used, even the password is sent in plaintext.  Don’t enable it on a public IP.  Use http://www.stunnel.org/  Watch out with management programs with direct interface to the manager.  Limit the privileges per user (especially the system!!!).
Asterisk Security  Asterisk Configuration stupidity  Asterisk hardening  Privacy protection
Asterisk Hardening            Asterisk as non-root user Asterisk in CHROOT Asterisk in a JAIL Asterisk with limited read / write permissions ZAPTEL kernel modules Asterisk firewalling / shaping / NAT Tty9 Linux hardening Remote logging Tripwire Limit running system processes
Asterisk as non root user adduser --system --home /var/lib/asterisk --no-create-home Asterisk chown -r asterisk:asterisk /var/lib/asterisk chown -r asterisk:asterisk /var/log/asterisk chown -r asterisk:asterisk /var/run/asterisk chown -r asterisk:asterisk /var/spool/asterisk chown -r asterisk:asterisk /dev/zap chown -r root:asterisk /etc/asterisk chmod -r u=rwX,g=rX,o= /var/lib/asterisk chmod -r u=rwX,g=rX,o= /var/log/asterisk chmod -r u=rwX,g=rX,o= /var/run/asterisk chmod -r u=rwX,g=rX,o= /var/spool/asterisk chmod -r u=rwX,g=rX,o= /dev/zap chmod -r u=rwX,g=rX,o= /etc/asterisk chown asterisk /dev/tty9 su asterisk -c /usr/sbin/safe_asterisk or Asterisk -U asterisk -G asterisk
Asterisk with limited read / write permissions  Asterisk has no write permissions for its config files and is running as non root ?  In the unlikely event of someone breaking in through Asterisk, your dial plan is still vulnerable through the CLI or the manager.
Asterisk in chroot  Changes the root directory visible to asterisk to e.g. /foo/bar  Pretty useless if asterisk is running as root and perl or gcc is available.
Asterisk in a jail  Changes the root   directory visible to Asterisk. Limits the commands / programs any user in this jail can execute to a list you specify. Expansion of chroot.
Zaptel kernel modules  Zaptel is module only, cannot be put into the kernel.  Hackers like to hide in a module, they can backdoor a module, compile it, load it in memory and remove all traces on the disk.  You could have the kernel check an md5 for the  Zaptel modules. I think Matt Frederickson compiled them in the kernel before.
Firewalling / shaping / NAT  Block everything except the ports you really want. (5060, 4569, …)  RTP ports are a big pita (see rtp.conf) Sidenote: you might want to check your ISP is not blocking anything in the range defined in RTP.conf
Limit access to tty9  safe_asterisk opens a console on tty9. This does not require a password and will provide a root shell to anyone passing by. (by using !command on the CLI).  Remove the offending line, or don’t use safe_asterisk
Linux Hardening  GRsec (2.6.x)  Openwall (2.4.x)  Remove all unneeded things.
Remote logging  Remote syslog  Put Asterisk log files (and other log files on a remote server).
Tripwire  Make hashes of all the important files on the server and check them for changes you didn’t do.
Limit server processes  An Asterisk server should be only: - OS + ASTERISK. No database No APACHE No PHP (If you really need those, and don’t have enough servers, don’t put them on a public IP and firewall them!!!!)
Asterisk Security  Asterisk Configuration stupidity  Asterisk hardening  Privacy protection
Asterisk privacy  Encryption  Monitoring  CallerID spoofing  CallingPRES
Call Encryption - SIP  SRTP -> method to encrypt voice packets.  TLS -> method to encrypt signaling packets. Both are not yet supported by asterisk. Bounty on voip-info.org.
Call Encryption – IAX2  30/12/2004 2:07 Modified Files: chan_iax2.c iax2-parser.c iax2-parser.h iax2.h Log Message: Minor IAX2 fixes, add incomplete-but-verybasically-functional IAX2 encryption. It would support any type of encryption you like. -> Doesn’t work yet.
Call Encryption – General solution  Send you packets through a VPN or tunnel.  Use only UDP tunnels to avoid delays. Known to work: IPSEC, VTUN, OPENVPN.
Call Encryption – Tunnel solution Advantage, CPU expensive encryption can happen on dedicated machine.  Disadvantage: doesn’t work on hardphones or ATA’s without adding an extra server in front of them.
Monitoring  ZapBarge  ChanSpy  Monitor Thank you Very Much......!!! For More Information www.kingasterisk.com

Recomendados

Asterisk: dongled !
Asterisk: dongled !Asterisk: dongled !
Asterisk: dongled !Francesco Prior
 
FlexVPNLabHandbook-SAMPLE
FlexVPNLabHandbook-SAMPLEFlexVPNLabHandbook-SAMPLE
FlexVPNLabHandbook-SAMPLETariq Sheikh
 
No More Fraud, Astricon, Las Vegas 2014
No More Fraud, Astricon, Las Vegas 2014No More Fraud, Astricon, Las Vegas 2014
No More Fraud, Astricon, Las Vegas 2014Flavio Eduardo de Andrade Goncalves
 
Number one-issue-voip-today-fraud
Number one-issue-voip-today-fraudNumber one-issue-voip-today-fraud
Number one-issue-voip-today-fraudFlavio Eduardo de Andrade Goncalves
 
us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-La...
us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-La...us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-La...
us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-La...sonjeku1
 
CCNA Security 012- cryptographic systems
CCNA Security 012- cryptographic systemsCCNA Security 012- cryptographic systems
CCNA Security 012- cryptographic systemsAhmed Habib
 
Practical steps to mitigate DDoS attacks
Practical steps to mitigate DDoS attacksPractical steps to mitigate DDoS attacks
Practical steps to mitigate DDoS attacksSecurity Session
 
Securing your Rails application
Securing your Rails applicationSecuring your Rails application
Securing your Rails applicationclucasKrof
 

Recomendados

Asterisk: dongled !
Asterisk: dongled !Asterisk: dongled !
Asterisk: dongled !Francesco Prior
 
FlexVPNLabHandbook-SAMPLE
FlexVPNLabHandbook-SAMPLEFlexVPNLabHandbook-SAMPLE
FlexVPNLabHandbook-SAMPLETariq Sheikh
 
No More Fraud, Astricon, Las Vegas 2014
No More Fraud, Astricon, Las Vegas 2014No More Fraud, Astricon, Las Vegas 2014
No More Fraud, Astricon, Las Vegas 2014Flavio Eduardo de Andrade Goncalves
 
Number one-issue-voip-today-fraud
Number one-issue-voip-today-fraudNumber one-issue-voip-today-fraud
Number one-issue-voip-today-fraudFlavio Eduardo de Andrade Goncalves
 
us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-La...
us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-La...us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-La...
us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-La...sonjeku1
 
CCNA Security 012- cryptographic systems
CCNA Security 012- cryptographic systemsCCNA Security 012- cryptographic systems
CCNA Security 012- cryptographic systemsAhmed Habib
 
Practical steps to mitigate DDoS attacks
Practical steps to mitigate DDoS attacksPractical steps to mitigate DDoS attacks
Practical steps to mitigate DDoS attacksSecurity Session
 
Securing your Rails application
Securing your Rails applicationSecuring your Rails application
Securing your Rails applicationclucasKrof
 
Asterisk: dongled !
Asterisk: dongled !Asterisk: dongled !
Asterisk: dongled !Francesco Prior
 
Let's encrypt
Let's encryptLet's encrypt
Let's encrypt書廷 林
 
Securing Asterisk: A practical approach
Securing Asterisk: A practical approachSecuring Asterisk: A practical approach
Securing Asterisk: A practical approachBangladesh Network Operators Group
 
DEF CON 27 - TRAVIS PALMER - first try dns cache poisoning with ipv4 and ipv6...
DEF CON 27 - TRAVIS PALMER - first try dns cache poisoning with ipv4 and ipv6...DEF CON 27 - TRAVIS PALMER - first try dns cache poisoning with ipv4 and ipv6...
DEF CON 27 - TRAVIS PALMER - first try dns cache poisoning with ipv4 and ipv6...Felipe Prado
 
Firewall arch by Tareq Hanaysha
Firewall arch by Tareq HanayshaFirewall arch by Tareq Hanaysha
Firewall arch by Tareq HanayshaHanaysha
 
Home Automation Benchmarking Report
Home Automation Benchmarking ReportHome Automation Benchmarking Report
Home Automation Benchmarking ReportSynack
 
Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...
Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...
Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...CODE BLUE
 
Eric Vyncke - IPv6 Security Vendor Point of View
Eric Vyncke - IPv6 Security Vendor Point of ViewEric Vyncke - IPv6 Security Vendor Point of View
Eric Vyncke - IPv6 Security Vendor Point of ViewIPv6 Conference
 
300 101 Dumps - Implementing Cisco IP Routing
300 101 Dumps - Implementing Cisco IP Routing300 101 Dumps - Implementing Cisco IP Routing
300 101 Dumps - Implementing Cisco IP RoutingSara Rock
 
All about routers
All about routersAll about routers
All about routersagwanna
 
Spoto updated new
Spoto updated newSpoto updated new
Spoto updated newAmolDhoke3
 
E Snet Authentication Fabric Pilot
E Snet Authentication Fabric PilotE Snet Authentication Fabric Pilot
E Snet Authentication Fabric PilotFNian
 
Solve the colocation conundrum: Performance and density at scale with Kubernetes
Solve the colocation conundrum: Performance and density at scale with KubernetesSolve the colocation conundrum: Performance and density at scale with Kubernetes
Solve the colocation conundrum: Performance and density at scale with KubernetesNiklas Quarfot Nielsen
 
Ccnas v11 ch02_eb
Ccnas v11 ch02_ebCcnas v11 ch02_eb
Ccnas v11 ch02_ebEdgar Benavente
 
Scanning The Intertubes For Voip
Scanning The Intertubes For VoipScanning The Intertubes For Voip
Scanning The Intertubes For VoipSandro Gauci
 
Holland safenet livehack hid usb pineapple_cain_oph_with_video
Holland safenet livehack hid usb pineapple_cain_oph_with_videoHolland safenet livehack hid usb pineapple_cain_oph_with_video
Holland safenet livehack hid usb pineapple_cain_oph_with_videorobbuddingh
 
Mini CTF workshop dump
Mini CTF workshop dumpMini CTF workshop dump
Mini CTF workshop dumpAmmarit Thongthua ,CISSP CISM GXPN CSSLP CCNP
 
Troubleshooting Firewalls (2012 San Diego)
Troubleshooting Firewalls (2012 San Diego)Troubleshooting Firewalls (2012 San Diego)
Troubleshooting Firewalls (2012 San Diego)Cisco Security
 
05 06 ike
05 06 ike05 06 ike
05 06 ikeBabaa Naya
 
Ceh v5 module 18 linux hacking
Ceh v5 module 18 linux hackingCeh v5 module 18 linux hacking
Ceh v5 module 18 linux hackingVi Tính Hoàng Nam
 
Recurso
RecursoRecurso
Recursodocs2010
 
Best Motivational Quotes
Best Motivational QuotesBest Motivational Quotes
Best Motivational QuotesKing Astreisk Technologies
 

Más contenido relacionado

La actualidad más candente

DEF CON 27 - TRAVIS PALMER - first try dns cache poisoning with ipv4 and ipv6...
DEF CON 27 - TRAVIS PALMER - first try dns cache poisoning with ipv4 and ipv6...DEF CON 27 - TRAVIS PALMER - first try dns cache poisoning with ipv4 and ipv6...
DEF CON 27 - TRAVIS PALMER - first try dns cache poisoning with ipv4 and ipv6...Felipe Prado
 
Firewall arch by Tareq Hanaysha
Firewall arch by Tareq HanayshaFirewall arch by Tareq Hanaysha
Firewall arch by Tareq HanayshaHanaysha
 
Home Automation Benchmarking Report
Home Automation Benchmarking ReportHome Automation Benchmarking Report
Home Automation Benchmarking ReportSynack
 
Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...
Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...
Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...CODE BLUE
 
Eric Vyncke - IPv6 Security Vendor Point of View
Eric Vyncke - IPv6 Security Vendor Point of ViewEric Vyncke - IPv6 Security Vendor Point of View
Eric Vyncke - IPv6 Security Vendor Point of ViewIPv6 Conference
 
300 101 Dumps - Implementing Cisco IP Routing
300 101 Dumps - Implementing Cisco IP Routing300 101 Dumps - Implementing Cisco IP Routing
300 101 Dumps - Implementing Cisco IP RoutingSara Rock
 
All about routers
All about routersAll about routers
All about routersagwanna
 
Spoto updated new
Spoto updated newSpoto updated new
Spoto updated newAmolDhoke3
 
E Snet Authentication Fabric Pilot
E Snet Authentication Fabric PilotE Snet Authentication Fabric Pilot
E Snet Authentication Fabric PilotFNian
 
Solve the colocation conundrum: Performance and density at scale with Kubernetes
Solve the colocation conundrum: Performance and density at scale with KubernetesSolve the colocation conundrum: Performance and density at scale with Kubernetes
Solve the colocation conundrum: Performance and density at scale with KubernetesNiklas Quarfot Nielsen
 
Scanning The Intertubes For Voip
Scanning The Intertubes For VoipScanning The Intertubes For Voip
Scanning The Intertubes For VoipSandro Gauci
 
Holland safenet livehack hid usb pineapple_cain_oph_with_video
Holland safenet livehack hid usb pineapple_cain_oph_with_videoHolland safenet livehack hid usb pineapple_cain_oph_with_video
Holland safenet livehack hid usb pineapple_cain_oph_with_videorobbuddingh
 
Troubleshooting Firewalls (2012 San Diego)
Troubleshooting Firewalls (2012 San Diego)Troubleshooting Firewalls (2012 San Diego)
Troubleshooting Firewalls (2012 San Diego)Cisco Security
 

La actualidad más candente (20)

Asterisk: dongled !
Asterisk: dongled !Asterisk: dongled !
Asterisk: dongled !
 
Let's encrypt
Let's encryptLet's encrypt
Let's encrypt
 
Securing Asterisk: A practical approach
Securing Asterisk: A practical approachSecuring Asterisk: A practical approach
Securing Asterisk: A practical approach
 
DEF CON 27 - TRAVIS PALMER - first try dns cache poisoning with ipv4 and ipv6...
DEF CON 27 - TRAVIS PALMER - first try dns cache poisoning with ipv4 and ipv6...DEF CON 27 - TRAVIS PALMER - first try dns cache poisoning with ipv4 and ipv6...
DEF CON 27 - TRAVIS PALMER - first try dns cache poisoning with ipv4 and ipv6...
 
Firewall arch by Tareq Hanaysha
Firewall arch by Tareq HanayshaFirewall arch by Tareq Hanaysha
Firewall arch by Tareq Hanaysha
 
Home Automation Benchmarking Report
Home Automation Benchmarking ReportHome Automation Benchmarking Report
Home Automation Benchmarking Report
 
Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...
Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...
Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...
 
Eric Vyncke - IPv6 Security Vendor Point of View
Eric Vyncke - IPv6 Security Vendor Point of ViewEric Vyncke - IPv6 Security Vendor Point of View
Eric Vyncke - IPv6 Security Vendor Point of View
 
300 101 Dumps - Implementing Cisco IP Routing
300 101 Dumps - Implementing Cisco IP Routing300 101 Dumps - Implementing Cisco IP Routing
300 101 Dumps - Implementing Cisco IP Routing
 
All about routers
All about routersAll about routers
All about routers
 
Spoto updated new
Spoto updated newSpoto updated new
Spoto updated new
 
E Snet Authentication Fabric Pilot
E Snet Authentication Fabric PilotE Snet Authentication Fabric Pilot
E Snet Authentication Fabric Pilot
 
Solve the colocation conundrum: Performance and density at scale with Kubernetes
Solve the colocation conundrum: Performance and density at scale with KubernetesSolve the colocation conundrum: Performance and density at scale with Kubernetes
Solve the colocation conundrum: Performance and density at scale with Kubernetes
 
Ccnas v11 ch02_eb
Ccnas v11 ch02_ebCcnas v11 ch02_eb
Ccnas v11 ch02_eb
 
Scanning The Intertubes For Voip
Scanning The Intertubes For VoipScanning The Intertubes For Voip
Scanning The Intertubes For Voip
 
Holland safenet livehack hid usb pineapple_cain_oph_with_video
Holland safenet livehack hid usb pineapple_cain_oph_with_videoHolland safenet livehack hid usb pineapple_cain_oph_with_video
Holland safenet livehack hid usb pineapple_cain_oph_with_video
 
Mini CTF workshop dump
Mini CTF workshop dumpMini CTF workshop dump
Mini CTF workshop dump
 
Troubleshooting Firewalls (2012 San Diego)
Troubleshooting Firewalls (2012 San Diego)Troubleshooting Firewalls (2012 San Diego)
Troubleshooting Firewalls (2012 San Diego)
 
05 06 ike
05 06 ike05 06 ike
05 06 ike
 
Ceh v5 module 18 linux hacking
Ceh v5 module 18 linux hackingCeh v5 module 18 linux hacking
Ceh v5 module 18 linux hacking
 

Destacado

Stuart Patterson Project Experience
Stuart Patterson Project ExperienceStuart Patterson Project Experience
Stuart Patterson Project ExperienceStuart Patterson
 
公立中高一貫受検ガイド
公立中高一貫受検ガイド公立中高一貫受検ガイド
公立中高一貫受検ガイドtokkatoyosu
 
Tolimosios rytų šalys (kinija)
Tolimosios rytų šalys (kinija)Tolimosios rytų šalys (kinija)
Tolimosios rytų šalys (kinija)Dominykas Rukas
 

Destacado (13)

Recurso
RecursoRecurso
Recurso
 
Best Motivational Quotes
Best Motivational QuotesBest Motivational Quotes
Best Motivational Quotes
 
入塾しおり
入塾しおり入塾しおり
入塾しおり
 
Stuart Patterson Project Experience
Stuart Patterson Project ExperienceStuart Patterson Project Experience
Stuart Patterson Project Experience
 
Vistos
VistosVistos
Vistos
 
What Is IVR ?
What Is IVR ?What Is IVR ?
What Is IVR ?
 
Voiceblast manual
Voiceblast manualVoiceblast manual
Voiceblast manual
 
Asterisk Introduction
Asterisk IntroductionAsterisk Introduction
Asterisk Introduction
 
Voip
VoipVoip
Voip
 
公立中高一貫受検ガイド
公立中高一貫受検ガイド公立中高一貫受検ガイド
公立中高一貫受検ガイド
 
Tolimosios rytų šalys (kinija)
Tolimosios rytų šalys (kinija)Tolimosios rytų šalys (kinija)
Tolimosios rytų šalys (kinija)
 
Asterisk quick start Guide
Asterisk quick start Guide Asterisk quick start Guide
Asterisk quick start Guide
 
IVR presentation
IVR presentationIVR presentation
IVR presentation
 

Similar a Asterisksecuritykingasterisk 130723131448-phpapp01

Asterisk security with kingasterisk
Asterisk security with kingasteriskAsterisk security with kingasterisk
Asterisk security with kingasteriskKing Asterisk
 
Asterisk quick start Guide
Asterisk quick start GuideAsterisk quick start Guide
Asterisk quick start GuideKing Asterisk
 
Astricon 2010: Scaling Asterisk installations
Astricon 2010: Scaling Asterisk installationsAstricon 2010: Scaling Asterisk installations
Astricon 2010: Scaling Asterisk installationsOlle E Johansson
 
Server hardening
Server hardeningServer hardening
Server hardeningTeja Babu
 
Expanding Asterisk with Kamailio
Expanding Asterisk with KamailioExpanding Asterisk with Kamailio
Expanding Asterisk with KamailioFred Posner
 
bh-us-02-murphey-freebsd
bh-us-02-murphey-freebsdbh-us-02-murphey-freebsd
bh-us-02-murphey-freebsdwebuploader
 
Practical steps to mitigate DDoS attacks
Practical steps to mitigate DDoS attacksPractical steps to mitigate DDoS attacks
Practical steps to mitigate DDoS attacksMartin Holovský
 
Asibul Ahsan(063473056)
Asibul Ahsan(063473056)Asibul Ahsan(063473056)
Asibul Ahsan(063473056)mashiur
 
My speech at AstriCon 2007
My speech at AstriCon 2007My speech at AstriCon 2007
My speech at AstriCon 2007stefanocarlini
 
8 steps to protect your cisco router
8 steps to protect your cisco router8 steps to protect your cisco router
8 steps to protect your cisco routerIT Tech
 
Defending Against Attacks With Rails
Defending Against Attacks With RailsDefending Against Attacks With Rails
Defending Against Attacks With RailsTony Amoyal
 
Computer network (4)
Computer network (4)Computer network (4)
Computer network (4)NYversity
 
High Availability in 37 Easy Steps
High Availability in 37 Easy StepsHigh Availability in 37 Easy Steps
High Availability in 37 Easy StepsTim Serong
 
Nagios Conference 2013 - Spenser Reinhardt - Securing Your Nagios Server
Nagios Conference 2013 - Spenser Reinhardt - Securing Your Nagios ServerNagios Conference 2013 - Spenser Reinhardt - Securing Your Nagios Server
Nagios Conference 2013 - Spenser Reinhardt - Securing Your Nagios ServerNagios
 
VoIP Security 101 what you need to know
VoIP Security 101 what you need to knowVoIP Security 101 what you need to know
VoIP Security 101 what you need to knowEric Klein
 

Similar a Asterisksecuritykingasterisk 130723131448-phpapp01 (20)

Asterisk security with kingasterisk
Asterisk security with kingasteriskAsterisk security with kingasterisk
Asterisk security with kingasterisk
 
Asterisk quick start Guide
Asterisk quick start GuideAsterisk quick start Guide
Asterisk quick start Guide
 
Astricon 2010: Scaling Asterisk installations
Astricon 2010: Scaling Asterisk installationsAstricon 2010: Scaling Asterisk installations
Astricon 2010: Scaling Asterisk installations
 
Server hardening
Server hardeningServer hardening
Server hardening
 
Expanding Asterisk with Kamailio
Expanding Asterisk with KamailioExpanding Asterisk with Kamailio
Expanding Asterisk with Kamailio
 
bh-us-02-murphey-freebsd
bh-us-02-murphey-freebsdbh-us-02-murphey-freebsd
bh-us-02-murphey-freebsd
 
Practical steps to mitigate DDoS attacks
Practical steps to mitigate DDoS attacksPractical steps to mitigate DDoS attacks
Practical steps to mitigate DDoS attacks
 
Asibul Ahsan(063473056)
Asibul Ahsan(063473056)Asibul Ahsan(063473056)
Asibul Ahsan(063473056)
 
My speech at AstriCon 2007
My speech at AstriCon 2007My speech at AstriCon 2007
My speech at AstriCon 2007
 
jonny-martin-asterisk.pdf
jonny-martin-asterisk.pdfjonny-martin-asterisk.pdf
jonny-martin-asterisk.pdf
 
Astricon 2007
Astricon 2007Astricon 2007
Astricon 2007
 
8 steps to protect your cisco router
8 steps to protect your cisco router8 steps to protect your cisco router
8 steps to protect your cisco router
 
Defending Against Attacks With Rails
Defending Against Attacks With RailsDefending Against Attacks With Rails
Defending Against Attacks With Rails
 
Computer network (4)
Computer network (4)Computer network (4)
Computer network (4)
 
Ruby voip
Ruby voipRuby voip
Ruby voip
 
High Availability in 37 Easy Steps
High Availability in 37 Easy StepsHigh Availability in 37 Easy Steps
High Availability in 37 Easy Steps
 
Applied VoIP Security
Applied VoIP Security Applied VoIP Security
Applied VoIP Security
 
Nagios Conference 2013 - Spenser Reinhardt - Securing Your Nagios Server
Nagios Conference 2013 - Spenser Reinhardt - Securing Your Nagios ServerNagios Conference 2013 - Spenser Reinhardt - Securing Your Nagios Server
Nagios Conference 2013 - Spenser Reinhardt - Securing Your Nagios Server
 
FreeBSD and Hardening Web Server
FreeBSD and Hardening Web ServerFreeBSD and Hardening Web Server
FreeBSD and Hardening Web Server
 
VoIP Security 101 what you need to know
VoIP Security 101 what you need to knowVoIP Security 101 what you need to know
VoIP Security 101 what you need to know
 

Último

CLASSIFICATION OF ANTI - CANCER DRUGS.pptx
CLASSIFICATION OF ANTI - CANCER DRUGS.pptxCLASSIFICATION OF ANTI - CANCER DRUGS.pptx
CLASSIFICATION OF ANTI - CANCER DRUGS.pptxAnupam32727
 
DIFFERENT BASKETRY IN THE PHILIPPINES PPT.pptx
DIFFERENT BASKETRY IN THE PHILIPPINES PPT.pptxDIFFERENT BASKETRY IN THE PHILIPPINES PPT.pptx
DIFFERENT BASKETRY IN THE PHILIPPINES PPT.pptxMichelleTuguinay1
 
Team Lead Succeed – Helping you and your team achieve high-performance teamwo...
Team Lead Succeed – Helping you and your team achieve high-performance teamwo...Team Lead Succeed – Helping you and your team achieve high-performance teamwo...
Team Lead Succeed – Helping you and your team achieve high-performance teamwo...Association for Project Management
 
Q4-PPT-Music9_Lesson-1-Romantic-Opera.pptx
Q4-PPT-Music9_Lesson-1-Romantic-Opera.pptxQ4-PPT-Music9_Lesson-1-Romantic-Opera.pptx
Q4-PPT-Music9_Lesson-1-Romantic-Opera.pptxlancelewisportillo
 
CHEST Proprioceptive neuromuscular facilitation.pptx
CHEST Proprioceptive neuromuscular facilitation.pptxCHEST Proprioceptive neuromuscular facilitation.pptx
CHEST Proprioceptive neuromuscular facilitation.pptxAneriPatwari
 
ICS2208 Lecture6 Notes for SL spaces.pdf
ICS2208 Lecture6 Notes for SL spaces.pdfICS2208 Lecture6 Notes for SL spaces.pdf
ICS2208 Lecture6 Notes for SL spaces.pdfVanessa Camilleri
 
BIOCHEMISTRY-CARBOHYDRATE METABOLISM CHAPTER 2.pptx
BIOCHEMISTRY-CARBOHYDRATE METABOLISM CHAPTER 2.pptxBIOCHEMISTRY-CARBOHYDRATE METABOLISM CHAPTER 2.pptx
BIOCHEMISTRY-CARBOHYDRATE METABOLISM CHAPTER 2.pptxSayali Powar
 
Sulphonamides, mechanisms and their uses
Sulphonamides, mechanisms and their usesSulphonamides, mechanisms and their uses
Sulphonamides, mechanisms and their usesVijayaLaxmi84
 
Mythology Quiz-4th April 2024, Quiz Club NITW
Mythology Quiz-4th April 2024, Quiz Club NITWMythology Quiz-4th April 2024, Quiz Club NITW
Mythology Quiz-4th April 2024, Quiz Club NITWQuiz Club NITW
 
ESP 4-EDITED.pdfmmcncncncmcmmnmnmncnmncmnnjvnnv
ESP 4-EDITED.pdfmmcncncncmcmmnmnmncnmncmnnjvnnvESP 4-EDITED.pdfmmcncncncmcmmnmnmncnmncmnnjvnnv
ESP 4-EDITED.pdfmmcncncncmcmmnmnmncnmncmnnjvnnvRicaMaeCastro1
 
ARTERIAL BLOOD GAS ANALYSIS........pptx
ARTERIAL BLOOD GAS ANALYSIS........pptxARTERIAL BLOOD GAS ANALYSIS........pptx
ARTERIAL BLOOD GAS ANALYSIS........pptxAneriPatwari
 
Textual Evidence in Reading and Writing of SHS
Textual Evidence in Reading and Writing of SHSTextual Evidence in Reading and Writing of SHS
Textual Evidence in Reading and Writing of SHSMae Pangan
 
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdf
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdfGrade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdf
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdfJemuel Francisco
 
How to Manage Buy 3 Get 1 Free in Odoo 17
How to Manage Buy 3 Get 1 Free in Odoo 17How to Manage Buy 3 Get 1 Free in Odoo 17
How to Manage Buy 3 Get 1 Free in Odoo 17Celine George
 
Decoding the Tweet _ Practical Criticism in the Age of Hashtag.pptx
Decoding the Tweet _ Practical Criticism in the Age of Hashtag.pptxDecoding the Tweet _ Practical Criticism in the Age of Hashtag.pptx
Decoding the Tweet _ Practical Criticism in the Age of Hashtag.pptxDhatriParmar
 
Blowin' in the Wind of Caste_ Bob Dylan's Song as a Catalyst for Social Justi...
Blowin' in the Wind of Caste_ Bob Dylan's Song as a Catalyst for Social Justi...Blowin' in the Wind of Caste_ Bob Dylan's Song as a Catalyst for Social Justi...
Blowin' in the Wind of Caste_ Bob Dylan's Song as a Catalyst for Social Justi...DhatriParmar
 
Narcotic and Non Narcotic Analgesic..pdf
Narcotic and Non Narcotic Analgesic..pdfNarcotic and Non Narcotic Analgesic..pdf
Narcotic and Non Narcotic Analgesic..pdfPrerana Jadhav
 
Oppenheimer Film Discussion for Philosophy and Film
Oppenheimer Film Discussion for Philosophy and FilmOppenheimer Film Discussion for Philosophy and Film
Oppenheimer Film Discussion for Philosophy and FilmStan Meyer
 

Último (20)

CLASSIFICATION OF ANTI - CANCER DRUGS.pptx
CLASSIFICATION OF ANTI - CANCER DRUGS.pptxCLASSIFICATION OF ANTI - CANCER DRUGS.pptx
CLASSIFICATION OF ANTI - CANCER DRUGS.pptx
 
DIFFERENT BASKETRY IN THE PHILIPPINES PPT.pptx
DIFFERENT BASKETRY IN THE PHILIPPINES PPT.pptxDIFFERENT BASKETRY IN THE PHILIPPINES PPT.pptx
DIFFERENT BASKETRY IN THE PHILIPPINES PPT.pptx
 
Team Lead Succeed – Helping you and your team achieve high-performance teamwo...
Team Lead Succeed – Helping you and your team achieve high-performance teamwo...Team Lead Succeed – Helping you and your team achieve high-performance teamwo...
Team Lead Succeed – Helping you and your team achieve high-performance teamwo...
 
Q4-PPT-Music9_Lesson-1-Romantic-Opera.pptx
Q4-PPT-Music9_Lesson-1-Romantic-Opera.pptxQ4-PPT-Music9_Lesson-1-Romantic-Opera.pptx
Q4-PPT-Music9_Lesson-1-Romantic-Opera.pptx
 
CHEST Proprioceptive neuromuscular facilitation.pptx
CHEST Proprioceptive neuromuscular facilitation.pptxCHEST Proprioceptive neuromuscular facilitation.pptx
CHEST Proprioceptive neuromuscular facilitation.pptx
 
ICS2208 Lecture6 Notes for SL spaces.pdf
ICS2208 Lecture6 Notes for SL spaces.pdfICS2208 Lecture6 Notes for SL spaces.pdf
ICS2208 Lecture6 Notes for SL spaces.pdf
 
BIOCHEMISTRY-CARBOHYDRATE METABOLISM CHAPTER 2.pptx
BIOCHEMISTRY-CARBOHYDRATE METABOLISM CHAPTER 2.pptxBIOCHEMISTRY-CARBOHYDRATE METABOLISM CHAPTER 2.pptx
BIOCHEMISTRY-CARBOHYDRATE METABOLISM CHAPTER 2.pptx
 
Paradigm shift in nursing research by RS MEHTA
Paradigm shift in nursing research by RS MEHTAParadigm shift in nursing research by RS MEHTA
Paradigm shift in nursing research by RS MEHTA
 
Sulphonamides, mechanisms and their uses
Sulphonamides, mechanisms and their usesSulphonamides, mechanisms and their uses
Sulphonamides, mechanisms and their uses
 
Mythology Quiz-4th April 2024, Quiz Club NITW
Mythology Quiz-4th April 2024, Quiz Club NITWMythology Quiz-4th April 2024, Quiz Club NITW
Mythology Quiz-4th April 2024, Quiz Club NITW
 
ESP 4-EDITED.pdfmmcncncncmcmmnmnmncnmncmnnjvnnv
ESP 4-EDITED.pdfmmcncncncmcmmnmnmncnmncmnnjvnnvESP 4-EDITED.pdfmmcncncncmcmmnmnmncnmncmnnjvnnv
ESP 4-EDITED.pdfmmcncncncmcmmnmnmncnmncmnnjvnnv
 
Faculty Profile prashantha K EEE dept Sri Sairam college of Engineering
Faculty Profile prashantha K EEE dept Sri Sairam college of EngineeringFaculty Profile prashantha K EEE dept Sri Sairam college of Engineering
Faculty Profile prashantha K EEE dept Sri Sairam college of Engineering
 
ARTERIAL BLOOD GAS ANALYSIS........pptx
ARTERIAL BLOOD GAS ANALYSIS........pptxARTERIAL BLOOD GAS ANALYSIS........pptx
ARTERIAL BLOOD GAS ANALYSIS........pptx
 
Textual Evidence in Reading and Writing of SHS
Textual Evidence in Reading and Writing of SHSTextual Evidence in Reading and Writing of SHS
Textual Evidence in Reading and Writing of SHS
 
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdf
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdfGrade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdf
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdf
 
How to Manage Buy 3 Get 1 Free in Odoo 17
How to Manage Buy 3 Get 1 Free in Odoo 17How to Manage Buy 3 Get 1 Free in Odoo 17
How to Manage Buy 3 Get 1 Free in Odoo 17
 
Decoding the Tweet _ Practical Criticism in the Age of Hashtag.pptx
Decoding the Tweet _ Practical Criticism in the Age of Hashtag.pptxDecoding the Tweet _ Practical Criticism in the Age of Hashtag.pptx
Decoding the Tweet _ Practical Criticism in the Age of Hashtag.pptx
 
Blowin' in the Wind of Caste_ Bob Dylan's Song as a Catalyst for Social Justi...
Blowin' in the Wind of Caste_ Bob Dylan's Song as a Catalyst for Social Justi...Blowin' in the Wind of Caste_ Bob Dylan's Song as a Catalyst for Social Justi...
Blowin' in the Wind of Caste_ Bob Dylan's Song as a Catalyst for Social Justi...
 
Narcotic and Non Narcotic Analgesic..pdf
Narcotic and Non Narcotic Analgesic..pdfNarcotic and Non Narcotic Analgesic..pdf
Narcotic and Non Narcotic Analgesic..pdf
 
Oppenheimer Film Discussion for Philosophy and Film
Oppenheimer Film Discussion for Philosophy and FilmOppenheimer Film Discussion for Philosophy and Film
Oppenheimer Film Discussion for Philosophy and Film
 

Asterisksecuritykingasterisk 130723131448-phpapp01

  • 1. Asterisk Stability & Security with kingasterisk Protect your investment www.kingasterisk.com Skype : kingasterisk
  • 2. Introduction  What if the server goes down ?  What if someone hacks into your 8 e1 asterisk server and makes calls to inmarsat ?  Inmarsat : 5 euro / min. In 24 hours, on 8 e1s  1728000 euro
  • 3. Overview  Asterisk Performance Update  Asterisk Stability  Asterisk Security  Asterisk Monitoring
  • 4. Asterisk Performance Update  Updates since Astricon 2004: - Smaller memory footprint - Less file descriptors used - Memory leaks found / removed - Less RTP ports opened - Codec optimizations (especially Speex) - Hardware echo canceller - FastAGI - Realtime - Remote MOH - ds3000 / te411p - Channel walk optimization
  • 5.
  • 8. Overview  Asterisk Performance Update  Asterisk Stability  Asterisk server monitoring  Asterisk Security
  • 9. Asterisk Stability  Hardware reliability  Software stability
  • 10. Asterisk Stability – Hardware Reliability  What is the cost of having no PBX service for your company ?  What if you are an ISP and your customers can’t dial out ?
  • 11.
  • 12.
  • 13. Asterisk Stability – Hardware Reliability  What if you experience: - power outage ? - a broken HD ? - a broken Zaptel card ? - a broken server ? - no Internet connectivity ?
  • 14. Asterisk Stability – Hardware Reliability  Power outage:  Traditional phones are self powered. Solution: use a UPS to power the (PoE) phones, the switches, PBX, modem, router,…  If you have a low power PBX, the phone system could run for hours on a small UPS.  Don’t use Ethernet over power for mission critical phone lines.
  • 15. Asterisk Stability – Hardware Reliability  A broken HD ?  Use raid > 0  SCSI has a bigger mean time to failure.  Flashdisks, realtime, netboot, live CD’s.
  • 16.
  • 17. Asterisk Stability – Hardware Reliability  A broken Zaptel card or a broken server ?  Make sure you have a replacement, (maybe even hot standby) with all the modules you need, jumpers already set,…
  • 18. Asterisk Stability – Hardware Reliability  No Internet connectivity ?  Spare router / modem / switch ?  Failover Internet connection ?  Failover to / from PSTN ?
  • 20. Asterisk Stability / Quality Updates Software related since Astricon ‘04  Real CVS-stable / CVS-head (Thanks Russell!)  Major cleanups / code audits.  New h323 channel coming (chan_ooh323)  Packet Loss Concealment  IAX2 / SIP jitter buffer (mantis 3854)  A lot of libpri, chan_sip, chan_h323 changes for    better compatibility / stability. DUNDi (easier load balancing with round robin DNS) OSP Kernel 2.6.11.x
  • 21. Changes in hardware reliability  New Zaptel hardware (te411p, te4xxp, TDM, IAXy2, …).  New drivers with a lot of bug fixes and optimizations.  End of life for x100p and Tormenta cards.  Hardware echo cancellers -> lower CPU load -> more calls it can handle before asterisk turns unstable.
  • 22. * reliability / stability recommendations  Use decent but not exotic hardware  Put Zaptel on a different PCI-bus than Nics and      video cards. Read tutorials on interrupts, APIC and other common problems. Load test your setup Design a failover system Noload unused modules Use recent firmware Zaptel cards
  • 23. * reliability / stability recommendations  Use a stable Asterisk version.  Take a common OS -> Linux.  Test software upgrades in a test lab.  Stay away from experimental Asterisk modules -> h323, skinny.  Don’t patch production Asterisk servers.  Keep your old Asterisk binaries after an upgrade for easy restore of known working versions.
  • 24. Overview  Asterisk Performance Update  Asterisk Stability  Asterisk server monitoring  Asterisk Security
  • 25. Asterisk server monitoring  NAGIOS   http://karlsbakk.net/asterisk/  http://megaglobal.net/docs/asterisk/html/asteri  Argus: http://argus.tcp4me.com/  SNMP: http://www.faino.it/en/asterisk.html
  • 26. Overview  Asterisk Performance Update  Asterisk Stability  Asterisk server monitoring  Asterisk Security
  • 27. Asterisk Security  Asterisk Configuration stupidity  Asterisk hardening  Privacy protection
  • 28. Asterisk Configuration Stupidity  Dial plan security  SIP.conf  IAX2.conf  Manager.conf  Billing problems
  • 29. Dial plan security  - Extension hopping  - CallerID based protections  - _.  - Demo context  - User access to the dial plan  - Be careful with the default context  - Limit simultaneous calls
  • 30. Extension hopping  User can reach ANY extension in the current context: [internal] exten => intro,1,Background(question); exten => 1,spanish,Goto(Spanish) exten => 2,english,Goto(English) exten => _XX.,1,Dial(ZAP/g1/${EXTEN});
  • 31. CallerID based protection exten => _X.,1,GotoIf($[“$ {CALLERIDNUM}”=“32134”?3); exten => _X.,2,Hangup(); exten => _X.,3,Dial(${EXTEN});  When not explicitly defined for each user/channel in zapata.conf, sip.conf, iax.conf, the user can choose his own CallerID!
  • 32. Inappropriate use of _.  _. Would match EVERYTHING! (also fax, hang up, invalid, timeout,….) Example: exten => _.,1,Playback(blah); exten => _.,2,Hangup;  Causing a FAST LOOP. (changed in CVS-head)
  • 33. demo context  Not a real security risk  But… Someone might play with your system and use up your bandwidth, make prank calls to Digium, make Mark Spencer very unhappy and cause him to introduce you to a very big shotgun…
  • 34.
  • 35. User access to the dialplan  - AMP and other GUI’s might allow the ISP’s user to change a dial plan in his own context. E.g.: hosted PBX’s  - Goto / GotoIf / dial(Local/…) -> context hopping.  - System -> could do anything
  • 36. Default context  Example: [default] Include outgoing; Include internal; OH OH OH, guest calls will go to the default context!!!!!
  • 37. Context usage:  A call has two legs, the used context is the context defined for that user/channel in the config file for that protocol. E.g: - Zap to sip call: context set in zapata.conf is used - SIP to IAX2 call: context in sip.conf is used
  • 38. Context usage:  In sip.conf, zapata.conf, iax2.conf… A default context is defined, if there is no specific context setting for this channel or user, than the default context is used!
  • 39. Limit simultaneous calls  Sometimes you don’t want a user to make multiple simultaneous calls.  E.g.: prepay / calling cards Solution: setgroup, checkgroup (don’t trust incominglimit.) exten => s,1,SetGroup(${CALLERIDNUM}) exten => s,2,CheckGroup(1) Only good if the CallerID cannot be spoofed !!!! Consider using accountcode for this.
  • 40. Sip.conf               Default context Bindport, bindhost, bindip [username] vs username= Permit, deny, mask Insecure=yes, very, no User vs peer vs friend Allowguest Autocreatepeer Pedantic Ospauth Realm Md5secret User authentication logic Username= vs [username]
  • 41. Bindport, bindhost,bindip  If you only use sip for internal calls, don’t put bindip=0.0.0.0 but limit it to the internal IP.  Changing the bindport to a non 5060 port might save you from portscan sweeps for this port.
  • 42. Permit, deny, mask  Disallow everything, then allow per user the allowed hosts or ranges. (Multiple are allowed.)
  • 43. SIP.conf – insecure option Insecure = …  No: the default, always ask for authentication  Yes: To match a peer based by IP address only    and not peer. Insecure=very ; allows registered hosts to call without re-authenticating, by ip address Insecure=port; we don’t care if the portnumber is different than when they registered Insecure=invite; every invite is accepted.
  • 44. User vs Peer vs Friend in SIP  USER: never registers only makes calls  PEER: can register + can make calls. [user1] type=user [user1] type=peer Is allowed and the same as type=friend if the other parameters are identical!!!
  • 45. Allowguest =…  True: unauthenticated users will arrive in the default context as defined in sip.conf  False: unauthenticated users will get a permission denied error message.  OSP: to allow guest access for voip traffic coming from an OSP server.
  • 46. autocreatepeer  The autocreatepeer option allows, if set to Yes, any SIP UA to register with your Asterisk PBX as a peer. This peer's settings will be based on global options. The peer's name will be based on the user part of the Contact: header field's URL.  This is of course a very high security risk if you haven't got control of access to your server. © Olle
  • 47. Pedantic  Defaults to pedantic=no  If enabled, this might allow a denial of service by sending a lot of invites, causing a lot of (slow) DNS lookups.
  • 48. Realm  Realm=Asterisk; Realm for digest authentication ; Defaults to “Asterisk" ; Realms MUST be globally unique according to RFC 3261 ; Set this to your host name or domain name
  • 49. How is authentication done?  chan_sip.c: /* Whoever came up with the authentication section of SIP can suck my %*!#$ for not putting an example in the spec of just what it is you're doing a hash on. */
  • 50. How is authentication done?  Look at FROM header in SIP message for the username: -> browse sip.conf for a type=user with that username If found -> check the md5 If not found, -> browse sip.conf for a type=peer with that username -> browse sip.conf for an (registered) IP where the request is coming from if insecure=very, no more checks are done if insecure=port, if they are willing to authenticate, even if they are calling from a different port than they registered with. (used for NAT not using the same port number every time). otherwise, check the md5 + allow/deny.   If no peer found ? do we allow guest access (allowguest=true ?) Yes? OK, allow send it to the default context, if not reject.
  • 51. Secret vs md5secret  With SIP all passwords are md5 encrypted when sending the packets, but are stored in plaintext in sip.conf  [user]  Secret=blabla
  • 52. Secret vs md5secret  echo - n "<user>:<realm>:<secret>" | md5sum  E.g.: echo -n "user:asterisk:blabla" | md5sum e1b588233e4bc8645cc0da24d8cb848d [user] md5secret=e1b588233e4bc8645cc0da24d8cb848d
  • 53. Username= vs [username]  [username] is for authentication a client connecting to asterisk. Username=… is to have your asterisk server authenticate to another SIP server.
  • 54. Iax.conf  auth=plaintext,md5,rsa  User authentication logic  Default context  [username] vs username=  Permit, deny, mask  Bindport, bindhost, bindip  User vs peer vs friend
  • 55. iax.conf - auth  Plaintext: passes are sent in plaintext  Md5: encrypt the password with md5  RSA: use public key / private key – uses AES.
  • 56. User vs Peer vs friend  USER: can only accept calls  PEER: can only make calls  FRIEND: can do both [user1] type=user [user1] type=peer Is allowed!!!
  • 57. How is authentication done?  In iax2: (cvs-head!!) Pseudocode: Is username supplied ? -> yes -> matched against iax.conf users starting bottom to top. user found ? -> yes : is IP in allowed / disallowed list ? yes –> does password match ? yes -> does requested context match a context=… line? -> no -> is a password given ? -> yes : Asterisk will look bottom to top for a user with this password, -> if the context matches, or there is no context specified, and the host is in the allowed lists (allow / deny) then the call is accepted. -> no: Asterisk will look bottom to top for a user without password. -> if the context matches, or there is no context specified, and the host is in the allowed lists (allow / deny) then the call is accepted.
  • 58.
  • 59.  Add a last entry in iax.conf with no password to force nosecret access into a specific context.  If you use realtime, don’t have any user without a password and without permit/deny.
  • 60. Manager.conf [general] enabled = yes port = 5038 bindaddr = 0.0.0.0 [zoa] secret = blabla deny=0.0.0.0/0.0.0. permit=221.17.246.77/255.255.255.0 permit=127.0.0.1/255.255.255.0 read = system,call,log,verbose,command,agent,user write = system,call,log,verbose,command,agent,user
  • 61. Manager.conf  No encryption is used, even the password is sent in plaintext.  Don’t enable it on a public IP.  Use http://www.stunnel.org/  Watch out with management programs with direct interface to the manager.  Limit the privileges per user (especially the system!!!).
  • 62. Asterisk Security  Asterisk Configuration stupidity  Asterisk hardening  Privacy protection
  • 63. Asterisk Hardening            Asterisk as non-root user Asterisk in CHROOT Asterisk in a JAIL Asterisk with limited read / write permissions ZAPTEL kernel modules Asterisk firewalling / shaping / NAT Tty9 Linux hardening Remote logging Tripwire Limit running system processes
  • 64. Asterisk as non root user adduser --system --home /var/lib/asterisk --no-create-home Asterisk chown -r asterisk:asterisk /var/lib/asterisk chown -r asterisk:asterisk /var/log/asterisk chown -r asterisk:asterisk /var/run/asterisk chown -r asterisk:asterisk /var/spool/asterisk chown -r asterisk:asterisk /dev/zap chown -r root:asterisk /etc/asterisk chmod -r u=rwX,g=rX,o= /var/lib/asterisk chmod -r u=rwX,g=rX,o= /var/log/asterisk chmod -r u=rwX,g=rX,o= /var/run/asterisk chmod -r u=rwX,g=rX,o= /var/spool/asterisk chmod -r u=rwX,g=rX,o= /dev/zap chmod -r u=rwX,g=rX,o= /etc/asterisk chown asterisk /dev/tty9 su asterisk -c /usr/sbin/safe_asterisk or Asterisk -U asterisk -G asterisk
  • 65. Asterisk with limited read / write permissions  Asterisk has no write permissions for its config files and is running as non root ?  In the unlikely event of someone breaking in through Asterisk, your dial plan is still vulnerable through the CLI or the manager.
  • 66. Asterisk in chroot  Changes the root directory visible to asterisk to e.g. /foo/bar  Pretty useless if asterisk is running as root and perl or gcc is available.
  • 67. Asterisk in a jail  Changes the root   directory visible to Asterisk. Limits the commands / programs any user in this jail can execute to a list you specify. Expansion of chroot.
  • 68. Zaptel kernel modules  Zaptel is module only, cannot be put into the kernel.  Hackers like to hide in a module, they can backdoor a module, compile it, load it in memory and remove all traces on the disk.  You could have the kernel check an md5 for the  Zaptel modules. I think Matt Frederickson compiled them in the kernel before.
  • 69. Firewalling / shaping / NAT  Block everything except the ports you really want. (5060, 4569, …)  RTP ports are a big pita (see rtp.conf) Sidenote: you might want to check your ISP is not blocking anything in the range defined in RTP.conf
  • 70. Limit access to tty9  safe_asterisk opens a console on tty9. This does not require a password and will provide a root shell to anyone passing by. (by using !command on the CLI).  Remove the offending line, or don’t use safe_asterisk
  • 71. Linux Hardening  GRsec (2.6.x)  Openwall (2.4.x)  Remove all unneeded things.
  • 72. Remote logging  Remote syslog  Put Asterisk log files (and other log files on a remote server).
  • 73. Tripwire  Make hashes of all the important files on the server and check them for changes you didn’t do.
  • 74. Limit server processes  An Asterisk server should be only: - OS + ASTERISK. No database No APACHE No PHP (If you really need those, and don’t have enough servers, don’t put them on a public IP and firewall them!!!!)
  • 75. Asterisk Security  Asterisk Configuration stupidity  Asterisk hardening  Privacy protection
  • 76. Asterisk privacy  Encryption  Monitoring  CallerID spoofing  CallingPRES
  • 77. Call Encryption - SIP  SRTP -> method to encrypt voice packets.  TLS -> method to encrypt signaling packets. Both are not yet supported by asterisk. Bounty on voip-info.org.
  • 78. Call Encryption – IAX2  30/12/2004 2:07 Modified Files: chan_iax2.c iax2-parser.c iax2-parser.h iax2.h Log Message: Minor IAX2 fixes, add incomplete-but-verybasically-functional IAX2 encryption. It would support any type of encryption you like. -> Doesn’t work yet.
  • 79. Call Encryption – General solution  Send you packets through a VPN or tunnel.  Use only UDP tunnels to avoid delays. Known to work: IPSEC, VTUN, OPENVPN.
  • 80. Call Encryption – Tunnel solution Advantage, CPU expensive encryption can happen on dedicated machine.  Disadvantage: doesn’t work on hardphones or ATA’s without adding an extra server in front of them.
  • 81. Monitoring  ZapBarge  ChanSpy  Monitor Thank you Very Much......!!! For More Information www.kingasterisk.com