Noob question, but a good one. (It's actually Linux related!)

S. Dale Morrey sdalemorrey at gmail.com
Fri Apr 5 19:47:19 MDT 2013


Yeah that's not going to happen.  This is a public, customer facing
asterisk box for a use case that exists for the sole purpose of bypassing
the incumbent telco's exchange to provide discount calling.  I'm
essentially helping them to roll their own telco.

Here in Ecuador you can have a connection of either WiMax, Microwave (at
least I'm told that's a microwave antenna on some of the houses), Cable,
DSL, Satellite, 3G and, coming soon, local fiber.  There are a plethora of
ISPs and options so internet access is dirt cheap.  This also means we
can't lock the boxen down to any specific IP address or range.  We also
can't place the box behind a NAT or a subnet.

This particular web interface is for folks to pay their phone bill on.
Everyone needs to be able to connect to this box no matter where they're
from.  So we implemented TLS & ZRTP to secure the connection and then
fail2ban to blacklist IPs after n failed login attempts (currently n is 5,
but that could change).

Ideally I would have liked to have had a different design where there is an
asterisk box, a billing box, a webserver and a DB server all on separate
boxes.
I was unable to make this configuration or anything like it work with
A2Billing despite 4 solid 18-hour days trying.

In fact it seems A2Billing insists on sitting on the asterisk box itself,
although I was able to push the DB onto its own box and it seems happy
with that.
For that many hours I probably could have written my own stack, but part of
the point was to enable the locals to run it once I'm gone.

Nevertheless, I now have a webserver sitting on top of a SIP server.  As
far as I can tell I am stuck with this configuration, and I need to lock
this down as much as possible, while still providing relevant access to
admins, resellers and individual customers.

Thus the original question about who should be in whose group.  Thanks for
the help guys!


On Fri, Apr 5, 2013 at 8:17 PM, Steve Alligood <steve at betterlinux.com> wrote:

> Not a problem if you lock down apache to specific IPs :)
>
> In fact, there are enough sip vulnerabilities from time to time that I put
> the phones themselves on either a private network (or controlled public
> network) or give them dyndns set ups and have a script auto update the
> iptables rules to those DNS names.
>
> -Steve
>
> On Apr 5, 2013, at 7:02 PM, "S. Dale Morrey" <sdalemorrey at gmail.com>
> wrote:
>
> > You know, that's a very good question that I've never explored.  Can
> > anyone chime in on that for me?  Also is there a security problem with
> > letting Apache own the config files for Asterisk?
> >
> >
> > On Fri, Apr 5, 2013 at 7:29 PM, Jima <jima at beer.tclug.org> wrote:
> >
> >> On 2013-04-05 18:06, S. Dale Morrey wrote:
> >>> Hey Pluggers,
> >>>
> >>> I've got a quick best practices question for you.
> >>>
> >>> I have asterisk installed and running as the asterisk user and apache
> >>> installed and running as the apache user.
> >>>
> >>> I've got a new web interface that needs to execute some scripts to
> >>> modify asterisk dialplans, tell asterisk to reload itself, etc.
> >>>
> >>> Would it be best to add asterisk to the apache group, apache to the
> >>> asterisk group, both of the above or something else?
> >>
> >>  Is there a reason Asterisk needs to be able to write to the tree?  As
> >> long as it can read the configuration files, you don't really need to
> >> muck around with group ownership.  Personally, I'd just grant the apache
> >> user the ability to reload Asterisk via sudo, and let it own the
> >> configs.
> >>
> >>      Jima
> >>
> >>
> >>
>
> /*
> PLUG: http://plug.org, #utah on irc.freenode.net
> Unsubscribe: http://plug.org/mailman/options/plug
> Don't fear the penguin.
> */
>
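The DynDNS-to-iptables script Steve describes, written out below as an added example; it is not code from this thread or from any of the posters. The hostnames (`*.dyndns.example`), the chain name `ADMIN_ALLOW` and port 8443 are placeholders: the idea is to fence only a port the operator chooses to restrict (an admin/reseller-only HTTPS vhost, or the SIP port for known phones), while the public bill-payment interface stays open to everyone. Addresses are validated before they are spliced into a rule, and if nothing resolves the existing chain is left alone rather than locking every admin out.

```shell
#!/bin/sh
# Rebuild an iptables allowlist chain from the current DNS answers for a set
# of DynDNS names. Added example; names, chain and port are placeholders.
ADMIN_HOSTS="${ADMIN_HOSTS:-admin-laptop.dyndns.example reseller-office.dyndns.example}"
ADMIN_PORT="${ADMIN_PORT:-8443}"   # hypothetical admin-only vhost port
ADMIN_PROTO="${ADMIN_PROTO:-tcp}"  # use udp + 5060 to fence SIP for known phones
CHAIN="${CHAIN:-ADMIN_ALLOW}"

# resolve_host NAME -> prints each IPv4 address for NAME on its own line.
# Uses getent (glibc) so no dig/host binary is needed; prints nothing on failure.
resolve_host() {
    getent ahostsv4 "$1" 2>/dev/null | awk '{print $1}' | sort -u
}

# valid_ipv4 ADDR -> succeeds only for a dotted quad with octets 0..255, so an
# odd resolver answer can never end up inside an iptables command line.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF == 4 { for (i = 1; i <= 4; i++)
                      if ($i !~ /^[0-9]+$/ || $i > 255) exit 1
                  exit 0 }
        { exit 1 }'
}

# build_rules [RESOLVER] -> prints the iptables commands that rebuild CHAIN.
# RESOLVER is a function name so the DNS lookup can be swapped for a fixed
# map when testing offline. Returns 1 (printing nothing) if no host resolved.
build_rules() {
    resolver="${1:-resolve_host}"
    rules=""
    count=0
    for host in $ADMIN_HOSTS; do
        for ip in $("$resolver" "$host"); do
            if valid_ipv4 "$ip"; then
                rules="$rules
iptables -A $CHAIN -s $ip -p $ADMIN_PROTO --dport $ADMIN_PORT -j ACCEPT"
                count=$((count + 1))
            else
                rules="$rules
# skipped $host: unexpected resolver answer '$ip'"
            fi
        done
    done
    # Fail safe: on a DNS outage or a typo in ADMIN_HOSTS keep the old chain
    # (the previously learned addresses) instead of replacing it with DROP-only.
    [ "$count" -gt 0 ] || return 1
    # Create the chain on first run, flush it on later runs (idempotent).
    echo "iptables -N $CHAIN 2>/dev/null || iptables -F $CHAIN"
    # Hook the chain into INPUT exactly once for the fenced port.
    echo "iptables -C INPUT -p $ADMIN_PROTO --dport $ADMIN_PORT -j $CHAIN 2>/dev/null || iptables -I INPUT -p $ADMIN_PROTO --dport $ADMIN_PORT -j $CHAIN"
    printf '%s\n' "${rules#?}"
    echo "iptables -A $CHAIN -j DROP"
}

# Usage: "print" shows the commands; "apply" runs them (as root, e.g. from cron).
case "${1:-}" in
    print) build_rules ;;
    apply) build_rules | sh -e ;;
esac
```

Run it as `sh allowlist.sh print` to review the rules and `sh allowlist.sh apply` from a root cron job every few minutes so the chain follows the phones' DynDNS updates. Two caveats a practitioner should keep in mind: the allowlist lags behind an address change by the record's TTL plus the cron interval, and it trusts whatever the resolver returns, so it complements the TLS and fail2ban layers already in place rather than replacing them.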