Hello, when I run asterisk with this command “asterisk -U asterisk -G asterisk” it works when I register on UDP but when I try to register on TLS it does not work (Service Unavalaible error). When I run asterisk with root user, everything works fine. Can anyone help? No log are shown in asterisk CLI or sngrep. I am using Asterisk 16.30
I am using chan_sip not pjsip.
Then register as root user
Using root to run asterisk is not recommended for security
If you are worried about security, don’t run a minor version that has known vulnerabilities, or a major version that will cease to have security fixes in less than three months from now.
Also don’t run a channel driver that is, effectively, unsupported.
Are you starting Asterisk as root and using U and G to drop privileges? If so, that could cause problems.
Are the logs showing a failure?
Does either the user or group have appropriate read and/or execute permissions on the relevant files and directories?
I’m not sure how many attacks actually rely on being able to do things as root, given that one would typically dedicate a machine (possibly virtual) to Asterisk; most attacks are toll fraud ones. Have you made sure that the Asterisk .conf files are NOT owned by asterisk, nor are the directories containing them, which is what you/d likely need to do to secure it against persistence in an code injection attack (e.g. buffer overrun).
I think most suggestions of running non-root are based on a shallow, minimum privilege mantra, without actually fully considering attack methods.
Hi, thank you for your answer. What do you mean by “Have you made sure that the Asterisk .conf files are NOT owned by asterisk, nor are the directories containing them, which is what you/d likely need to do to secure it against persistence in an code injection attack (e.g. buffer overrun).”
Could please explain more?
the security is that asterisk only dont have write access to the files/directory
so if breached they cant change any config files, to make the hole bigger
like the security consept behind K8S, where the container only have 1 application installed
no editor, compiler, packet manager, or other aplications
you got in but the house is empty
added missind dont
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.