New blog post: Some security tips and tricks


#21

As would I but prioritizing rules in iptables is kinda needed

  • manipulating iptables is privileged
  • The distro contrives such privilege with closed source code
  • Third parties would need to be able to preempt such privilege
  • fail2ban jails and rules are far more capable than the ‘distro’s’ take
  • Sangoma would need to sanction such actions for a thirdparty
  • do all that and I’m in

#22

If really wanting to improve security, I’d like to see the structural changes needed to remove god-hood from the asterisk user.

As it is, under the distro, if the asterisk user is compromised, the attacker can do anything sysadmin allows including disabling the firewall or opening up any desired port.

I’d feel much safer if there were a true system level admin user/group with most tables/settings/fwconsole/sysadmin actions only available to that admin user.

I don’t see much point in tweaking around the fringes of the existing structure as long as every byte of code and every possible setting is writable by the (most likely to be compromised) asterisk user.


#23

+1 @jerrm and who really knows what privileges sysadmin has elevated and for whom and for why ? :wink:

(it’s impossible to independently audit closed source code, you are just left with a big “trust me, I know what I am doing”, which is for me ‘not a good thing’)


(Matthew Fredrickson) closed #24

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.