I remember reading a small write up somewhere. I think it was on the Asterisk Wiki. I can't find it anymore. It's probably a bit dated by now but some of it would still be relevant.

Can anyone recommend a good guide or even some of their own suggestions?

For clarity, what I mean by hardening is to make an Asterisk Server or network appliance or embedded server or whatever you want to call it, as fail safe, stable, and reliable as possible. Just like an expensive traditional PBX. This is for a small business application of 50 extensions or less. It can't be too crazy like redundant servers or anything like that. I am looking for ideas like RAID 1, redundant power supply, cron job to reboot every night (yuck!), disable caching(?), Astlinux on embedded with CF, yada yada!

Any way to set up automatic failover to a second Network Card with same IP if primary network card fails? That is one point of failure I haven't found a way around yet. Failure of the managed switch is another one I get a bit paranoid about. Switches generally don't fail but I'd like to have some sort of fail safe plan.
For the NIC setup you can bond 2 cards together for redundancy. Take a look here for some more info on bonding.

http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/ref-guide/s1-networkscripts-interfaces.html#S2-NETWORKSCRIPTS-INTERFACES-CHAN

On 7/13/06, shadowym <shadowym@hotmail.com> wrote:
> I remember reading a small write up somewhere. I think it was on the
> Asterisk Wiki. I can't find it anymore. It's probably a bit dated by now
> but some of it would still be relevant.
>
> Can anyone recommend a good guide or even some of their own suggestions.
>
> For clarity, what I mean by hardening is to make an Asterisk Server or
> network appliance or embedded server or whatever you want to call it, as
> fail safe, stable, and reliable as possible. Just like an expensive
> traditional PBX. This is for a small business application of 50 extensions
> or less. It can't be too crazy like redundant servers or anything like
> that. I am looking for ideas like RAID 1, redundant power supply, cron job
> to reboot every night (yuck!), disable caching(?), Astlinux on embedded with
> CF, yada yada!
>
> Anyway to set up automatic failover to a second Network Card with same IP if
> primary network card fails? That is one point of failure I haven't found a
> way around yet. Failure of the managed switch is another one I get a bit
> paranoid about. Switches generally don't fail but I'd like to have some
> sort of fail safe plan.

--
Tom Vile
Baldwin Technology Solutions, Inc
Consulting - Web Design - VoIP Telephony
www.baldwintechsolutions.com
Phone: 518-631-2855 x205
Fax: 518-631-2856
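A bonded pair keeps working when one card fails, so the failure has to be detected separately or the redundancy is lost without anyone noticing. The following is an added example, not part of the original message: it reads the Linux bonding driver's status file and lists slave interfaces whose link is down. The bond name bond0 and the sample text are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: report bonded NICs whose link is down, so a failed card
# is noticed while the surviving one still carries traffic.

# Print the name of every slave interface whose MII status is not "up".
# Reads the file given as $1 (e.g. /proc/net/bonding/bond0), or stdin.
down_slaves() {
    awk -F': ' '
        /^Slave Interface:/ { slave = $2; next }
        /^MII Status:/ && slave != "" {
            if ($2 != "up") print slave
            slave = ""
        }
    ' "$@"
}

# Constructed sample in the /proc/net/bonding layout (active-backup
# bond, eth1 unplugged); not output captured from a real host.
sample_status() {
    cat <<'EOF'
Ethernet Channel Bonding Driver: (constructed sample)

Bonding Mode: fault-tolerance (active-backup)
Currently Active Slave: eth0
MII Status: up
MII Polling Interval (ms): 100

Slave Interface: eth0
MII Status: up
Link Failure Count: 0

Slave Interface: eth1
MII Status: down
Link Failure Count: 1
EOF
}

# Usage: sh bondcheck.sh /proc/net/bonding/bond0   (exit 1 when degraded)
if [ -n "${1:-}" ]; then
    bad=$(down_slaves "$1")
    [ -z "$bad" ] || { echo "bond degraded, link down on: $bad" >&2; exit 1; }
fi
```

Run from cron or a monitoring agent, the non-zero exit status is the signal to replace the failed card or cable.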
Warren (mailing lists)
2006-Jul-13 12:36 UTC
[asterisk-users] How do you harden an Asterisk install?
shadowym wrote:
> I remember reading a small write up somewhere. I think it was on the
> Asterisk Wiki. I can't find it anymore. It's probably a bit dated by now
> but some of it would still be relevant.
>
> Can anyone recommend a good guide or even some of their own suggestions.
>
> For clarity, what I mean by hardening is to make an Asterisk Server or
> network appliance or embedded server or whatever you want to call it, as
> fail safe, stable, and reliable as possible. Just like an expensive
> traditional PBX. This is for a small business application of 50 extensions
> or less. It can't be too crazy like redundant servers or anything like
> that. I am looking for ideas like RAID 1, redundant power supply, cron job
> to reboot every night (yuck!), disable caching(?), Astlinux on embedded with
> CF, yada yada!
>
> Anyway to set up automatic failover to a second Network Card with same IP if
> primary network card fails? That is one point of failure I haven't found a
> way around yet. Failure of the managed switch is another one I get a bit
> paranoid about. Switches generally don't fail but I'd like to have some
> sort of fail safe plan.

You are talking about 2 things: (1) How to harden a Linux box (2) How to do failover.

For (1), be sure telnet, ftp and any other service you do not need is off. Move standard services to non-standard ports, especially web and ssh. Do not run a name server on the box.

For (2): You need to have a secondary box that runs a mirror copy of Asterisk and mysql and pretty much has everything else configured the same. mysql should be replicated to the second box. You then run a program on the second box that pings the first box. If the first box fails the second takes over the first box's IP and runs with it. There are heartbeat programs that can help out with this.

W
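The ping-and-take-over scheme described in the message above, as an added example that is not part of the original post: a watchdog for the second box that claims the first box's IP only after several consecutive missed pings. The address, interface name and thresholds are constructed placeholders, and `ip` and `arping` (iputils) are assumed to be installed.

```shell
#!/bin/sh
# Added example: watchdog for the standby box. The address below is a
# constructed placeholder (documentation range), not from the thread.
PRIMARY_IP="${PRIMARY_IP:-192.0.2.10}"  # first box's IP, taken over on failure
PREFIX="${PREFIX:-24}"
IFACE="${IFACE:-eth0}"
MAX_FAIL="${MAX_FAIL:-3}"    # consecutive missed pings before takeover
INTERVAL="${INTERVAL:-2}"    # seconds between pings

# One liveness probe; succeeds when the first box answers.
probe() {
    ping -c 1 -W 1 "$PRIMARY_IP" >/dev/null 2>&1
}

# Claim the first box's IP, then send gratuitous ARP so switches and
# phones learn the new MAC address for it.
takeover() {
    ip addr add "$PRIMARY_IP/$PREFIX" dev "$IFACE" &&
        arping -U -c 3 -I "$IFACE" "$PRIMARY_IP" >/dev/null
}

# Probe up to $1 times (0 = no limit). One answered ping resets the
# miss counter, so a single lost packet never triggers a takeover.
# Returns 0 after a successful takeover, 2 if the takeover failed,
# 1 if the probe budget ran out without a takeover.
watch_primary() {
    budget="$1"; checks=0; fails=0
    while [ "$budget" -eq 0 ] || [ "$checks" -lt "$budget" ]; do
        checks=$((checks + 1))
        if probe; then
            fails=0
        else
            fails=$((fails + 1))
            if [ "$fails" -ge "$MAX_FAIL" ]; then
                if takeover; then return 0; else return 2; fi
            fi
        fi
        sleep "$INTERVAL"
    done
    return 1
}

# Start monitoring only when asked to: sh watchdog.sh run   (as root)
if [ "${1:-}" = "run" ]; then
    watch_primary 0
fi
```

Missed pings can also mean the path between the two boxes failed while the first box is still serving calls, in which case both boxes end up holding the same IP; the heartbeat programs mentioned in the message exist largely to handle that case.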
Tomislav Parčina
2006-Jul-14 06:39 UTC
[asterisk-users] Re: How do you harden an Asterisk install?
In article <20060714081213.GK12623@xorcom.com>, tzafrir.cohen@xorcom.com says...
> Even more important: base yourself on a distribution that fixes the
> security problems for you. You will never have the resources to track,
> test and apply all of those fixes, unless you're a full-time-job
> security consultant.

What Linux distribution do you recommend? What is your opinion on Debian stable?

--
Tomislav Parčina
Lama Computers Split
Stinice 12, 21000 Split
Tel.: +385(21)495148
Mob.: +385(91)1212148
SIP: tomo@pbx.lama.hr
e-mail: tparcina#lama.hr
http://www.lama.hr
Jean-Michel Hiver
2006-Jul-14 22:52 UTC
[asterisk-users] How do you harden an Asterisk install?
shadowym wrote:
> I remember reading a small write up somewhere. I think it was on the
> Asterisk Wiki. I can't find it anymore. It's probably a bit dated by now
> but some of it would still be relevant.
>
> Can anyone recommend a good guide or even some of their own suggestions.

Maybe use a solid-state fanless computer, with no moving parts? It means a low power consumption CPU (probably Via), a good thermal design, and a solid state disk (flash disk or CF + Adapter).

Cheers,
Jean-Michel.