[VoiceOps] DID's + Asterisk Security
J. Oquendo
sil at infiltrated.net
Wed Aug 5 13:38:55 EDT 2009
Peter Beckman wrote:
> In a production environment, log files can get really big, making parsing,
> grepping and copying costly, especially every 5 minutes. There is a great
> benefit to on-the-fly log parsing and action with a compiled tool that
> uses minimal resources.
>
> For most people, all the tools are functionally the same -- block hosts
> that pass a certain threshold or set of rules. But when you get into
> production systems with a lot of customers and a lot of attacks, the
> interpreted script (PHP, Python, bash/sh/tcsh) simply doesn't scale as
> well as a compiled, native OS byte-code long-running daemon.
>
> I don't want to get into another language flame war, we all use what works
> for us during the time we need such things, and when it stops working for
> us, we change. There's 9 ways from Sunday to do the things we all have to
> do as VoIP folk, none of them are wrong, every choice has tradeoffs.
Agreed (IO calls, grep, tail, etc.), things to keep in mind though:

1) It was something new for me.
2) I needed the portability - for example, if (for some strange reason)
I didn't have Perl on the fly, I would have had to install it. Shell
scripting absolved that. I thought about writing something in C, then in
Ruby (last resort would have been Perl since I'm not that much of a fan).
3) My system is not yours! ... If someone else wanted something on the
fly, there it is (was). Able to give someone at least a framework to go on.

As for the large log files (drum roll - you will want to kick me)... I
can easily parse it out from a central syslog server, whip up a script
to correlate all logs, then reshoot them off to servers. The load would
be taken off the PBX itself with a centralized source parsing out
anomalous entries. SSH keys + shell scripts + coffee = tons of insanity +
security fun/crash testing. I may go back and re-do portions when I can;
however, I left the IPS alone to fiddle with those annoying brute force
kiddiots for now. Kind of like a personal pet project. Think "Deception
Toolkit meets + Asterisk".
--
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP
"It takes 20 years to build a reputation and five minutes to
ruin it. If you think about that, you'll do things
differently." - Warren Buffett
227C 5D35 7DCB 0893 95AA 4771 1DCE 1FD1 5CCD 6B5E
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E
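As an added example (not from the thread or from Mr. Oquendo's own scripts), a portable POSIX shell sketch of the "block hosts that pass a certain threshold" idea discussed above: it counts failed SIP registration attempts per source address in Asterisk-style chan_sip log lines and reports every address at or above a threshold, so the output can be fed to a central syslog-side correlator or a firewall rule generator. The log line format and the sample lines are constructed for illustration and use documentation addresses.

```shell
#!/bin/sh
# flag_offenders THRESHOLD  < asterisk-messages-log
# Reads Asterisk-style log lines on stdin, counts lines of the form
#   ... chan_sip.c: Registration from '...' failed for 'A.B.C.D' - <reason>
# per source address, and prints "ip count" for every address whose
# failure count is >= THRESHOLD (sorted by address). Format assumed here,
# not taken from the thread. Only awk, sort and sh are needed, which is
# the portability point made in the reply above.
flag_offenders() {
    [ $# -eq 1 ] || { echo "usage: flag_offenders THRESHOLD" >&2; return 2; }
    # q carries the single quote into awk without shell quoting gymnastics.
    awk -v thr="$1" -v q="'" '
        /Registration from/ {
            p = index($0, "failed for " q)
            if (p == 0) next
            rest = substr($0, p + 12)           # text after the opening quote
            ip = substr(rest, 1, index(rest, q) - 1)
            if (ip != "") n[ip]++
        }
        END { for (ip in n) if (n[ip] >= thr) print ip, n[ip] }
    ' | sort
}

# Constructed sample log: 203.0.113.7 fails four times (two reasons),
# 198.51.100.22 fails once, one unrelated NOTICE line must be ignored.
SAMPLE_LOG=$(cat <<'EOF'
[Aug  5 13:38:01] NOTICE[2345] chan_sip.c: Registration from '"100" <sip:100@pbx.example.net>' failed for '203.0.113.7' - Wrong password
[Aug  5 13:38:02] NOTICE[2345] chan_sip.c: Registration from '"101" <sip:101@pbx.example.net>' failed for '203.0.113.7' - Wrong password
[Aug  5 13:38:03] NOTICE[2345] chan_sip.c: Registration from '"102" <sip:102@pbx.example.net>' failed for '203.0.113.7' - No matching peer found
[Aug  5 13:38:04] NOTICE[2345] chan_sip.c: Peer '101' is now Reachable. (12ms / 2000ms)
[Aug  5 13:38:05] NOTICE[2345] chan_sip.c: Registration from '"200" <sip:200@pbx.example.net>' failed for '198.51.100.22' - Wrong password
[Aug  5 13:38:06] NOTICE[2345] chan_sip.c: Registration from '"103" <sip:103@pbx.example.net>' failed for '203.0.113.7' - Wrong password
EOF
)

# Demo: with a threshold of 3 only the repeat offender is reported.
printf '%s\n' "$SAMPLE_LOG" | flag_offenders 3
```

In production the sample variable is replaced by `tail -F` on the PBX or syslog server's messages file, and the printed addresses are handed to whatever blocking mechanism the site already uses.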