mirror of
				https://github.com/asterisk/asterisk.git
				synced 2025-10-25 14:06:27 +00:00 
			
		
		
		
	https://origsvn.digium.com/svn/asterisk/branches/1.4 ........ r58931 | russell | 2007-03-15 17:25:12 -0500 (Thu, 15 Mar 2007) | 13 lines Merge changes from svn/asterisk/team/russell/LaTeX_docs. * Convert most of the doc directory into a single LaTeX formatted document so that we can generate a PDF, HTML, or other formats from this information. * Add a CLI command to dump the application documentation into LaTeX format which will only be included if the configure script is run with --enable-dev-mode. * The PDF turned out to be close to 1 MB, so it is not included. However, you can simply run "make asterisk.pdf" to generate it yourself. We may include it in release tarballs or have automatically generated ones on the web site, but that has yet to be decided. ........ git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@58932 65c4cc65-6c06-0410-ace0-fbb531ad65f3
		
			
				
	
	
		
			77 lines
		
	
	
		
			2.8 KiB
		
	
	
	
		
			TeX
		
	
	
	
	
	
			
		
		
	
	
		
	
	
	
	
	
\subsection{Introduction}

PLEASE READ THE FOLLOWING IMPORTANT SECURITY RELATED INFORMATION.
IMPROPER CONFIGURATION OF ASTERISK COULD ALLOW UNAUTHORIZED USE OF YOUR
FACILITIES, POTENTIALLY INCURRING SUBSTANTIAL CHARGES.

Asterisk security involves both network security (encryption, authentication)
and dialplan security (authorization, that is, who can access services in
your PBX). If you are setting up Asterisk for production use, please make
sure you understand the issues involved.

\subsection{Network Security}

If you install Asterisk and use the "make samples" command to install
a demonstration configuration, Asterisk will open a few ports for accepting
VoIP calls. Check the channel configuration files for the ports and IP addresses.

If you enable the manager interface in manager.conf, please make sure that
you access manager in a safe environment or protect it with SSH or other
VPN solutions.

For all TCP/IP connections in Asterisk, you can set access control lists
(ACLs) that permit or deny network access to Asterisk services. Please check
the "permit" and "deny" configuration options in manager.conf and
the VoIP channel configurations - i.e. sip.conf and iax.conf.

The IAX2 protocol supports strong RSA key authentication as well as
AES encryption of voice and signalling. The SIP channel does not
support encryption in this version of Asterisk.

\subsection{Dialplan Security}

First and foremost remember this:

USE THE EXTENSION CONTEXTS TO ISOLATE OUTGOING OR TOLL SERVICES FROM ANY
INCOMING CONNECTIONS.

Keep in mind that any channel, incoming line, etc.\ that can enter an
extension context is capable of accessing any extension within that
context.

Therefore, you should NOT allow access to outgoing or toll services in
contexts that are accessible (especially without a password) from incoming
channels, be they IAX channels, FX or other trunks, or even untrusted
stations within your network.  In particular, never ever put outgoing toll
services in the "default" context.  To make things easier, you can include
the "default" context within other private contexts by using:

\begin{verbatim}
	include => default
\end{verbatim}

in the appropriate section.  A well designed PBX might look like this:

\begin{verbatim}
[longdistance]
exten => _91NXXNXXXXXX,1,Dial(Zap/g2/${EXTEN:1})
include => local

[local]
exten => _9NXXNXXX,1,Dial(Zap/g2/${EXTEN:1})
include => default

[default]
exten => 6123,1,Dial(Zap/1)
\end{verbatim}

DON'T FORGET TO TAKE THE DEMO CONTEXT OUT OF YOUR DEFAULT CONTEXT.  There
isn't really a security reason; it will just keep people from wanting to
play with your Asterisk setup remotely.

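The rule above (a channel that can enter a context can reach every extension in it and in every context it includes) can be checked mechanically. The following Python sketch is an added example, not part of the Asterisk documentation or code base: it follows the include chain from an entry context and lists the extensions that dial out on a trunk group. The [from-pstn] context in the sample and the use of the Zap/g prefix to recognise outgoing trunk dials are assumptions made for illustration.

```python
import re

# Constructed sample: the layout shown above plus a hypothetical [from-pstn]
# entry context that wrongly includes [local].
SAMPLE = """\
[longdistance]
exten => _91NXXNXXXXXX,1,Dial(Zap/g2/${EXTEN:1})
include => local

[local]
exten => _9NXXNXXX,1,Dial(Zap/g2/${EXTEN:1})
include => default

[default]
exten => 6123,1,Dial(Zap/1)

[from-pstn]
exten => s,1,Answer()
include => local
"""

def parse(text):
    """Return ({context: [(pattern, app)]}, {context: [included contexts]})."""
    extens, includes, ctx = {}, {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # simplified: ';' starts a comment
        if m := re.fullmatch(r"\[([^\]]+)\]", line):
            ctx = m.group(1)
            extens.setdefault(ctx, []); includes.setdefault(ctx, [])
        elif ctx and (m := re.match(r"include\s*=>\s*(\S+)", line)):
            includes[ctx].append(m.group(1))
        elif ctx and (m := re.match(r"exten\s*=>\s*([^,]+),[^,]*,(.*)", line)):
            extens[ctx].append((m.group(1).strip(), m.group(2).strip()))
    return extens, includes

def reachable(entry, includes):
    """Contexts a channel placed in `entry` can reach through include =>."""
    seen, stack = [], [entry]
    while stack:
        c = stack.pop()
        if c not in seen:  # also guards against include loops
            seen.append(c)
            stack.extend(includes.get(c, []))
    return seen

def exposed_trunk_dials(entry, text, trunk="Zap/g"):
    """(context, pattern) pairs reachable from `entry` that dial a trunk group."""
    extens, includes = parse(text)
    return [(c, pat) for c in reachable(entry, includes)
            for pat, app in extens.get(c, []) if app.startswith("Dial(" + trunk)]
```

Run it against each context that a channel configuration assigns to incoming or untrusted peers; any non-empty result means that entry point can place outgoing calls.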
\subsection{Log Security}

Please note that the Asterisk log files, as well as information printed to the
Asterisk CLI, may contain sensitive information such as passwords and call
history.  Keep this in mind when providing access to these resources.