New blog post: Some security tips and tricks

dicko · September 21, 2020, 6:28pm

As would I but prioritizing rules in iptables is kinda needed

manipulating iptables is privileged
The distro contrives such privilege with closed source code
Third parties would need to be able to preempt such privilege
fail2ban jails and rules are far more capable than the ‘distro’s’ take
Sangoma would need to sanction such actions for a thirdparty
do all that and I’m in

jerrm · September 21, 2020, 8:24pm

If really wanting to improve security, I’d like to see the structural changes needed to remove god-hood from the asterisk user.

As it is, under the distro, if the asterisk user is compromised, the attacker can do anything sysadmin allows including disabling the firewall or opening up any desired port.

I’d feel much safer if there were a true system level admin user/group with most tables/settings/fwconsole/sysadmin actions only available to that admin user.

I don’t see much point in tweaking around the fringes of the existing structure as long as every byte of code and every possible setting is writable by the (most likely to be compromised) asterisk user.

dicko · September 21, 2020, 8:31pm

+1 @jerrm and who really knows what privileges sysadmin has elevated and for whom and for why ?

(it’s impossible to independently audit closed source code, you are just left with a big “trust me, I know what I am doing”, which is for me ‘not a good thing’)

mattf · September 28, 2020, 8:31pm

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.