Martijn van de Streek posted that he’s set up Asterisk on his server. Good job, and glad to hear it!
Unfortunately, if you care about security, it’s not as easy as “sudo apt-get install asterisk” — the package is in universe, not main, and therefore hasn’t been getting security updates. The package is at 1.4.10, Asterisk is up to 1.4.19, and the package hasn’t been patched for the myriad security problems in between. Take a look at the Asterisk security list and cringe.
While that may not be an issue for home, at work we own a C Class, which gets scanned night and day for holes by bad, bad people. So when I set this up for work, I had to super lock the server down, and I had to compile Asterisk from source, as the Ubuntu package is too big a risk.
For both home and work, I’m using FreePBX, which makes Asterisk much easier to configure. At this point, I can configure Asterisk myself, I have a handle on most of the internals of Asterisk and FreePBX, and I’ve written a few macros and AGI scripts — but that doesn’t help my bosses if they want to add an extension when I’m away. Though there is a distro called TrixBox that includes Asterisk and FreePBX, I’ve never liked “vocational” distributions (or CentOS), so I always set mine up on Ubuntu Server.
After I move my work Asterisk server from “former employee’s tower PC under the rack” to “server in the rack”, I’ll log my steps and make an up-to-date how-to on how to set up Asterisk and FreePBX on Ubuntu Server (plus all my little tricks I’ve added). Over the summer, after I finish my degree, I plan on making a repo that has a) an always up-to-date version of Asterisk, b) a package for FreePBX, to make it easier to set this stuff up. Of course, I will also try to get both into Ubuntu as quickly as possible. After that, I’m considering making a Python-based program to manage Asterisk, as a replacement for FOP and iSymphony.
Once again, I’m glad to see one more Asterisk user. Be sure to add ENUM to your trunk, and register your number with e164.org!
JoeTerranova.net
William Grant | 05-Apr-08 at 6:49 pm
As leader of the universe security team, I have to agree with your warning about not simply using the packages in universe, although for Hardy it should be safe. We now have the infrastructure (and I believe the manpower, even) to keep Hardy universe secure for at least a couple of years after release.
foo | 06-Apr-08 at 2:54 am
Use Debian instead? All the open CVEs are fixed in etch:
http://security-tracker.debian.net/tracker/source-package/asterisk
pirast | 06-Apr-08 at 6:30 am
William, yeah, that’s what I do, also. At the time I switched to Debian I was not happy with the security coverage of Asterisk in universe. And well, it works fine.
Now I’m just waiting for CallWeaver to get stable and packaged; it looks very nice to me for a production system.
Martijn | 07-Apr-08 at 1:47 am
The thing that scares me most is that you have to remove config files for Asterisk to stop listening on unwanted ports. This means that I’ll have to remove them on every upgrade (probably).
And re: ENUM, I’m waiting for 1.3.e164.arpa. to start offering registrations, which should be any day now.