Página de Inicio Forums HAast (High Availability for Asterisk) Configuration & Optimization Withstanding penetration testing

Tagged: , , ,

Viewing 2 posts - 1 through 2 (of 2 total)
  • Author
    Posts
  • Customer Inquiry
    Participant
    February 17, 2023 at 9:25 am
    Post count: 201
    #17190

    Our HAast cluster operates within a secure environment but must withstand penetration testing. Is there anything we need to do to ensure the cluster can withstand penetration testing (from a security and stability standpoint)

    Telium Support Group
    Moderator
    February 17, 2023 at 9:34 am
    Post count: 263
    #17191

    If your cluster needs to withstand penetration testing (or the equivalent of exposing the management ports to the internet), then there are a number of steps you must take to harden your cluster.

    1. Ensure you set complex id and passwords for the Asterisk management interface.
    2. Set the Asterisk management interface to listen to localhost only.
    3. Ensure you set complex credentials for HAast peerlink.
    4. Protect the HAast GUI (https) interface with the htpasswd utility
    5. Ensure you set complex credentials for rsync.
    6. Ensure you set complex credentials for database(s) in use.
    7. Limit database port access to localhost and the remote peer.
    8. Set iptables rules to further limit interface/port combinations of the above to the peer and any trusted management workstations.
    9. Set iptables connection rate rules to the max necessary for your cluster to operate.

    The HAast GUI and ReST interface can be disabled altogether if you do not need that functionality. Note that the GUI and ReST interfaces do not use ANY 3rd party libraries; it is all hand coded in PHP and tested for stability and security. However, it is possible to overload or find a weakness in Apache HTTPD; in which case disabling the GUI and ReST interface is recommended.

    If you do not need direct access to the HAast telnet interface, then you should set the HAast telnet interface to listen to the localhost address only. Once that change is made, you must SSH to the node first and then telnet to HAast in order to access the interface.

    HAast is designed to support even the most heavily loaded systems. However, HAast on it’s own is not designed to withstand loads/connection attempts beyond what can be found in a normal production environment. In other words, HAast is not meant to withstand the challenges of penetration testing or open internet access without first hardening the cluster. The above hardening recommendations do add additional load to the cluster nodes, so in general we do not recommend implementing the above unless you have a real need to harden your cluster.

  • Author
    Posts
Viewing 2 posts - 1 through 2 (of 2 total)
  • You must be logged in to reply to this topic.