Asterisk: protecting passwords

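I am running Asterisk on a Raspberry Pi 3; as a result, I want to protect the passwords. Someone could remove the SD card and the passwords would be there in plain text! I know I can encrypt the whole operating system, but it would be nice if I could avoid that, since I only need to protect one file.

There are 3 types of keys/passwords I want to protect. So far, I have managed to protect 2 of the three passwords.

Anyway, this is my previous, unprotected sip.conf: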

[general]

  keepalive=30
  bindport=5060
  ... etc

  ; Allow tls !    
  tlsenable=yes
  tlsbindaddr=0.0.0.0
  tlscertfile=/keys/asterisk.pem     ; <---- 1st key unprotected
  tlscafile=/keys/ca.crt
  tlscipher=ALL
  tlsclientmethod=tlsv1


; Peers info ---------------------------------------------
[user1]
  secret=somePassword       ; < -------- 2nd key unprotected
  type=peer
  ... etc

[user2]
  ... etc..   ; more  unprotected keys
; ----------------------------------------------------------

; elastic sip trunks used to make outbound calls -----------
[Trunk-Provider-1] ; 
  type=peer
  host=someProvider.com
  secret=plainTextPassword    ; <------------ 3rd password unprotected
  username=foo      
; ---------------------------------------------------------

This is my new, "protected" sip.conf:

[general]

  keepalive=30
  bindport=5060
  ... etc

  ; Allow tls !       
  tlsenable=yes
  tlsbindaddr=0.0.0.0                      
  tlscertfile=/dev/shm/keys/asterisk.pem   ; <---- 1st key located on memory (/dev/shm/)
  tlscafile=/dev/shm/keys/ca.crt           ; same thing. File is on memory and NOT on disk. 
  tlscipher=ALL
  tlsclientmethod=tlsv1


; Peers info ---------------------------------------------
[user1]      
  md5secret=4a8e71480c5b1ef0a5d502a8eb98576  ; < -------- 2nd key hashed (protected)
  type=peer
  ... etc

[user2]
  ... etc..   ; more hashed keys
; ----------------------------------------------------------

; elastic sip trunks used to make outbound calls -----------
[Trunk-Provider-1] ; 
  type=peer
  host=someProvider.com
  secret=password-Of-Provider  ; <------------ 3rd password I do not know how to protect this :/ ?
  username=foo
; ---------------------------------------------------------

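So I have 3 types of keys/passwords to protect.

  1. Certificate key: the certificate used to encrypt calls. I protect it by downloading it when the computer boots and placing it in memory (/dev/shm/). If the computer is shut down, the file is lost.

  2. IP phone passwords (peers): these are the passwords used by the phones (peers). To protect them, I hashed them. This article explains how to do that: https://www.voip-info.org/wiki/view/Asterisk+sip+md5secret

  3. Provider passwords (used to make outbound calls): I do not know how to protect these passwords. I thought about moving the location of the sip.conf file into memory, but that is not easy. I believe it would require moving all the configuration files.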

Answer 1

Answering my own question:

I moved the file /etc/asterisk/sip.conf by creating a symbolic link. https://stackoverflow.com/a/1951752/637142

# 1. Delete /etc/asterisk/sip.conf we do not want that file on disk. It contains passwords!
rm /etc/asterisk/sip.conf

# 2. create sip.conf on memory (/dev/shm/sip.conf)
touch /dev/shm/sip.conf
# ... add configuration and passwords ... to that file

# 3. Trick asterisk by placing a symbolic link. 
# Point file /etc/asterisk/sip.conf ---> /dev/shm/sip.conf
ln -s /dev/shm/sip.conf /etc/asterisk/sip.conf

Now, when I access /etc/asterisk/sip.conf, I am actually accessing /dev/shm/sip.conf!
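
An added example, not part of the original answer: a boot-time version of the symlink approach that creates the RAM copy owner-only (a bare `touch` in the world-writable /dev/shm follows the default umask), plus the `md5secret` hash used for the peers in the question. The function names are hypothetical; it assumes a Linux system with `md5sum`, and that the config is supplied on stdin after boot.

```shell
#!/bin/sh
# Added example (not from the original post). The default paths match the ones
# in the answer; the function names are hypothetical.

# md5secret value for a peer: MD5 of "user:realm:password".
# The realm defaults to "asterisk" when the second argument is empty.
md5secret() {
    printf '%s:%s:%s' "$1" "${2:-asterisk}" "$3" | md5sum | cut -d' ' -f1
}

# Write the config arriving on stdin to RAM_DIR/sip.conf as an owner-only file,
# then point ETC_DIR/sip.conf at it with a symlink.
# Assumption: run as the account Asterisk runs under, so it can read the file.
stage_sip_conf() {
    ram_dir=${1:-/dev/shm}
    etc_dir=${2:-/etc/asterisk}
    (
        umask 077    # created 0600, never world-readable, even briefly
        tmp=$(mktemp "$ram_dir/sip.conf.XXXXXX") || exit 1
        cat > "$tmp" && mv -f "$tmp" "$ram_dir/sip.conf"
    ) || return 1
    # Replaces an existing on-disk sip.conf with the link.
    ln -sfn "$ram_dir/sip.conf" "$etc_dir/sip.conf"
}

# Succeeds only if the link exists, points at the RAM copy,
# and that copy has mode 0600.
check_sip_conf() {
    ram_dir=${1:-/dev/shm}
    etc_dir=${2:-/etc/asterisk}
    [ -L "$etc_dir/sip.conf" ] || return 1
    [ "$(readlink "$etc_dir/sip.conf")" = "$ram_dir/sip.conf" ] || return 1
    [ -n "$(find "$ram_dir/sip.conf" -perm 600)" ]
}
```

`rm` only unlinks the old file, so a plaintext sip.conf that was once written to the SD card may remain recoverable from it, and tmpfs pages such as /dev/shm can reach disk if swap is enabled.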