unsolicited at swiz.ca
Sat Jul 31 15:15:08 EDT 2010
John Van Ostrand wrote, On 07/31/2010 8:59 AM:
> ----- Original Message -----
>> All the Asterisk-based distros I've seen suffer from this
>> near-fatal flaw. It is astounding how poor their commitment to
>> system security is.
>> While starting with a bare Debian install and building your own
>> VoIP box would solve the security problem(s), I think you would
>> be better off using a porous distro and adding firewall software.
>> Then you can restrict access until you are satisfied. I use
>> Shorewall to give a (more) user-friendly interface to iptables.
>> Shorewall has great documentation - especially for typical cases.
>> Just open up UDP ports 5060-5080 for SIP and 10000-30000 for RTP
>> and you should have a functional, secure VoIP system.
> I agree with Lori. Starting with the distro and turning off or
> securing the things you want is a fast way to success. A firewall
> alone won't work for you if you want one or more of the web-based
> Run netstat -a to see which ports are listening and go from there.
> Then inspect your apache config and see what you have to secure or
> turn off.
> I find turning things off, checking configs and changing passwords
> is far easier than integrating all that software.
How un/reasonable is it to consider oneself 'sufficiently' 'safe' in
this (distro) situation? (Behind a firewall, and only the mentioned
ports opened and directed to the box.)
Assuming no internal hardware such as line cards, in the home (with 2
or 3 ATA devices, 1 POTS, perhaps 2 'extensions' which might be
multi-handset cordless phones), how un/reasonable is it to expect
'sufficiently' acceptable performance when running such distros within
a vm? I guess I'm assuming the hardware is dual-core, and 2 - 4 GB
memory. I'm not assuming it is the only vm, but I guess I'm assuming
sufficient resources exist to run each vm in a 'reasonable' manner.
Perhaps I'm asking the impossible here, given everyone will have their
own definitions for 'sufficiently', 'safe', and 'reasonable'. Perhaps
'reasonable' is not ecstatic, but also not particularly unhappy. (JJ
said to me a long, long, time ago "You pick it up, you get dial tone."
- you're happy, or, at least, satisfied, and not unhappy.)
I have a suspicion that I could run a mythbuntu (with kde), plus 2 or
3 vms (one of these distros, and egroupware, and courier e-mail either
with egroupware or in its own vm) and be 'sufficiently' satisfied.
When performance is insufficient, perhaps I'm streaming HD in and out
simultaneously, move egroupware/courier to a vm on another machine,
and keep going. Is this a fantasy world?
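
The check suggested in the quoted replies (list what is listening, then compare it with the ports meant to be open), as an added example that is not part of the original message. It assumes `netstat -tuln` style output, uses a constructed sample, and the function names are hypothetical.

```python
"""Flag listening sockets that fall outside the SIP/RTP policy from the thread."""

# UDP ranges named in the thread: SIP 5060-5080, RTP 10000-30000.
ALLOWED_UDP = [(5060, 5080), (10000, 30000)]

# Constructed sample of `netstat -tuln` output (not captured from a real host).
SAMPLE = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
udp        0      0 0.0.0.0:5060            0.0.0.0:*
udp        0      0 0.0.0.0:4569            0.0.0.0:*
udp        0      0 0.0.0.0:10000           0.0.0.0:*
udp6       0      0 ::1:323                 :::*
"""


def parse_listeners(text):
    """Yield (proto, address, port) for each tcp/udp row of netstat output."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].startswith(("tcp", "udp")):
            continue  # header or unrelated line
        if fields[0].startswith("tcp") and fields[-1] != "LISTEN":
            continue  # established TCP connections are not listeners
        addr, _, port = fields[3].rpartition(":")
        if port.isdigit():
            yield fields[0][:3], addr, int(port)


def outside_policy(text):
    """Return non-loopback listeners that are not UDP in an allowed range."""
    findings = []
    for proto, addr, port in parse_listeners(text):
        if addr == "::1" or addr.startswith("127."):
            continue  # bound to loopback only, not reachable from the network
        in_range = any(lo <= port <= hi for lo, hi in ALLOWED_UDP)
        if not (proto == "udp" and in_range):
            findings.append((proto, addr, port))
    return findings


if __name__ == "__main__":
    for proto, addr, port in outside_policy(SAMPLE):
        print(f"review: {proto} {addr}:{port}")
```

Each reported socket is one to turn off, bind to loopback, or deliberately keep blocked at the firewall.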