Asterisk Installation on OpenBSD
This guide refers to the port of Asterisk version 1.2.18,
tested on the OpenBSD OS version 4.1
Index
- Why
- Installation, patching and updating of OpenBSD
- OpenBSD building and installing
- Get Asterisk to start at boot
- First execution of Asterisk
- Reboot and verify
- Hardening the system by operating on the files flags
- Conclusion
Why
The OpenBSD home page proudly reports, in red:
“Only two remote holes in the default install, in more than 10 years!“
- From a security point of view, OpenBSD is in fact the best choice for a box left alone, that is, without updates applied by a system administrator or a security manager
- The OpenBSD security auditing team, which has from six to twelve members, continuously searches for and fixes bugs that affect the security of the whole system.
As explained here, this team is not able to audit the security of every single port, of which there are 4215, but they strive to maintain the overall quality at the highest degree.
Indeed, the Asterisk version present in the OpenBSD ports collection is 1.2.18 (as of 12 June 2007), which is the latest one released by the official mainstream.
Additionally, the sample configuration files that come with Asterisk have been stripped down to the minimum, to give less advantage to an attacker.
- Even if the auditing process of the Asterisk source code cannot be compared to that of the OpenBSD base system, it is possible to limit the damage of a possible system violation by operating on the file flags, as we will see further in this guide
Installation, patching and updating of OpenBSD
Refer to this great guide for the OpenBSD installation.
This, written by the same author and hosted on the same site, for the OpenBSD patching.
And finally this, written by the same author and hosted on the same site, for the OpenBSD updating
OpenBSD building and installing
- Change the current working directory to that of the Asterisk port, as the superuser root, with the command:
cd /usr/ports/telephony/asterisk
- Build and install Asterisk by running:
make install clean
At the end of the installation, you will find the sample configuration files in the /etc/asterisk folder
Get Asterisk to start at boot
If you want the Asterisk daemon to start at boot, edit the /etc/rc.local file with your favourite text editor and add, in the middle of it:
if [ -x /usr/local/sbin/asterisk ]; then
echo -n ' asterisk'; /usr/local/sbin/asterisk
fi
having a result like this
First execution of Asterisk
As the superuser root, from whatever folder you are in, run:
asterisk -vvvc
Asterisk will load its modules and its configuration; you should then see:
Asterisk Ready.
*CLI>
This is the command line interface of Asterisk; to log out, run the command:
stop now
Reboot and verify
Reboot the system with the command:
reboot
After the reboot process, you can verify that Asterisk is running with the command:
asterisk -r
and log out from the command line interface with the command:
exit
Hardening the system by operating on the files flags
As explained here, OpenBSD offers the ability, for example, to lock a file so that data can only be appended to it (append mode) while it cannot be deleted or changed, even by the superuser root.
It’s also possible to completely deny modifying, moving and deleting a file.
Here are some suggestions:
- To allow data only to be appended to a file (append mode), in this case the log files of Asterisk, edit the middle area of the file /etc/rc.securelevel with your favourite text editor, adding:
chflags sappnd /var/log/asterisk/cdr-csv/Master.csv
chflags sappnd /var/log/asterisk/messages
chflags sappnd /var/log/asterisk/event_log
chflags sappnd /var/log/asterisk/queue_log
In this way the traces of a potential abuse of Asterisk cannot be deleted from its logs
- To block changes to the main executable file of Asterisk, its configuration files, its voice prompts and its modules, edit the middle area of the file /etc/rc.securelevel with your favourite text editor, adding:
chflags schg /usr/local/sbin/asterisk
chflags -R schg /etc/asterisk
chflags -R schg /usr/local/share/asterisk
chflags -R schg /usr/local/lib/asterisk/modules
In this way it will not be possible to infect the Asterisk service with a backdoor or spyware
Here is an example of the /etc/rc.securelevel file
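A way to check that the chflags lines above actually took effect, as an added example that is not part of the original guide. It assumes the `ls -lo` long format with the file flags in the fifth column; the function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the flags that /etc/rc.securelevel is meant to set.
# Assumption: `ls -lo` long format with the file flags in column 5
# ("-" when none, comma-separated when several) and the name from column 10.

# missing_flag FLAG PREFIX
# Reads `ls -lo` lines on stdin; prints every path under PREFIX lacking FLAG.
missing_flag() {
    awk -v want="$1" -v prefix="$2" '
        NF >= 10 {
            name = $10
            for (i = 11; i <= NF; i++) name = name " " $i
            if (index(name, prefix) != 1) next
            n = split($5, flags, ",")
            ok = 0
            for (i = 1; i <= n; i++) if (flags[i] == want) ok = 1
            if (!ok) print name
        }'
}

# flags_enforced LEVEL
# The system flags (schg, sappnd) bind root only when kern.securelevel >= 1.
# On the host: flags_enforced "$(sysctl -n kern.securelevel)"
flags_enforced() {
    [ "$1" -ge 1 ]
}

# Constructed sample listing (not captured from a real system).
sample_listing() {
    cat <<'EOF'
-rwxr-xr-x  1 root  bin    schg           2310144 Jun 12 10:01 /usr/local/sbin/asterisk
-rw-r--r--  1 root  wheel  sappnd           48211 Jun 12 11:30 /var/log/asterisk/messages
-rw-r--r--  1 root  wheel  -                  912 Jun 12 11:30 /var/log/asterisk/queue_log
-rw-r--r--  1 root  wheel  sappnd,nodump     1024 Jun 12 11:29 /var/log/asterisk/event_log
-rw-r--r--  1 root  wheel  -                   77 Jun 12 11:29 /var/log/asterisk/cdr-csv/Master.csv
EOF
}

echo "logs missing sappnd:"
sample_listing | missing_flag sappnd /var/log/asterisk/
echo "executables missing schg:"
sample_listing | missing_flag schg /usr/local/sbin/
```

On the server, feed it real output, for example `ls -lo /var/log/asterisk/messages /var/log/asterisk/queue_log | missing_flag sappnd /var/log/asterisk/`. While the securelevel is 1 or higher, files carrying sappnd cannot be rotated and files carrying schg cannot be replaced by an upgrade, so plan that maintenance from single-user mode.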
Conclusion
The convergence of telecommunication systems on IP networks, whether text, voice or video, brings with it the creation of new attack and defence scenarios.
It’s important to evaluate the importance of your telecommunications in your own private and corporate activities, and to choose solutions which best provide a compromise between instant usability and the rigidity of the authentication policies.
VoIP in general, Asterisk in detail and OpenBSD in the specific, could easily equal the security grade of the traditional telephony systems.
Using OpenBSD could discourage an intruder who, on discovering it as the operating system of your server, would think:
“mmm … OpenBSD … today is not my lucky day …“
This guide is also available in Italian