ARI redirects to login page after trying to access anything

+1 for patching all vulnerabilities.

I would not alter the php rpm if I were Joe. There is a perfectly good reason why the php package is the way it is, and FreePBX is probably in the minority here (needing/wanting package contents to be altered), since it does run apache as a different user.

How about just do a “permissions check” at boot time and reboot after updating anything. Just a script that runs at boot time and owns the session directory.

Add “asterisk” to the group “apache” (the directory /var/lib/php/session/ is group-writable by group apache). I did this with “vigr”, but you can use whatever tool you want. Reboot afterwards (or restart the appropriate processes).

If the freepbx package maintainers added this in automatically, it might be a good thing (caveat: someone should do a check on what security holes this might open up)
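An added example for the two suggestions above (the boot-time “permissions check” and the group-membership fix); this is not code from the thread or from FreePBX. The function reports whether a user can write a directory either as its owner or through a group it belongs to, which is exactly the condition that breaks when the php package update resets the session directory, and on failure it prints the two remedies mentioned in this thread. It assumes GNU coreutils stat(1) and id(1), so Linux; the default path /var/lib/php/session and the user names asterisk and apache are the ones from the posts.

```bash
#!/bin/bash
# Added example (not FreePBX code). Checks whether USER can write DIR, the
# way the posters above fixed /var/lib/php/session by hand. Assumes GNU
# coreutils stat(1) and id(1).

# user_in_group USER GROUP -> 0 if USER is a member of GROUP (primary or supplementary)
user_in_group() {
    local g
    for g in $(id -Gn "$1" 2>/dev/null); do
        [ "$g" = "$2" ] && return 0
    done
    return 1
}

# check_session_dir USER [DIR] -> 0 if USER can write DIR, 1 if not, 2 if DIR is missing
check_session_dir() {
    local user=$1 dir=${2:-/var/lib/php/session}
    local owner group mode perm owner_w group_w

    if [ ! -d "$dir" ]; then
        echo "$dir: not a directory" >&2
        return 2
    fi
    owner=$(stat -c '%U' "$dir")
    group=$(stat -c '%G' "$dir")
    mode=$(stat -c '%a' "$dir")          # octal permission bits, e.g. 770 or 1770

    # Drop setuid/setgid/sticky, then test the owner (0200) and group (0020) write bits.
    perm=$(( 0$mode & 0777 ))
    owner_w=$(( perm & 0200 ))
    group_w=$(( perm & 0020 ))

    if [ "$owner" = "$user" ] && [ "$owner_w" -ne 0 ]; then
        echo "$user owns $dir and can write it (mode $mode)"
        return 0
    fi
    if [ "$group_w" -ne 0 ] && user_in_group "$user" "$group"; then
        echo "$user can write $dir through group $group (mode $mode)"
        return 0
    fi

    echo "$user cannot write $dir (owner=$owner group=$group mode=$mode)" >&2
    echo "fix: usermod -a -G $group $user and restart Apache/Asterisk, or run: amportal chown" >&2
    return 1
}

# When run as a script with arguments: check_session_dir USER [DIR]
if [ "$#" -ge 1 ]; then
    check_session_dir "$@"
fi
```

Run it at boot (or from cron) as `check_session_dir asterisk /var/lib/php/session` and act on a non-zero exit; it deliberately only reports, so that the fix stays an explicit decision rather than a silent chmod on a packaged directory.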

Phone systems are not computers in the regular sense. You would not patch the copy machine or your clock radio, would you?

To me it’s just creating busy work and unnecessary billing for the customer. This goes back to the circular argument that phone systems are not designed to be connected to the Internet. If you check, the proprietary phone systems that are based on Open Source do not do security patches.

Skyking,

I know where you’re coming from when you say this, but I have to respectfully disagree. That is an old way of thinking in my opinion. Today, if it’s not connected to the Internet, it might as well not even exist.

The fact is that we want these phone systems connected to the Internet for one reason or another. And because of this, they need to be secure. In fact, even if they are not directly connected to the Internet they still need to be secure because they often reside on the same network as Internet connected machines – and that counts as exposure enough for me.

In a perfect world updates should not break things, but we all know it does happen. It even happens to all the big players like Microsoft who test things beforehand (or claim to, at least!).

That said, the issue in this thread is a minor one. It is simple to fix if you know what to do or stumble upon this thread. Eventually I do think it should be addressed at the development level and not at the end user level, but for now that is what the community is for.

This issue can be addressed at the development level. And it is.

The issue of patches is one that doesn’t just affect FreePBX. I have been in the phone business for over 30 years. I can tell you that the most popular telephone switch in the world, the Western Electric (Lucent) #5 Electronic Switching System (ESS), is running an ancient version of Bell Linux System V to control and provision the whole system.

I don’t doubt it, Sir. A lot can be said security-wise about a stripped down kernel. I’d expect that a commercial product running Linux is using just that. I’d also expect that if there is a known issue with it, it would be fixed.

You get no argument from me on any of that.

There is obviously a difference between the Lucent switch and FreePBX and that is where I support good security practices - including properly patching.

I don’t think there is a major difference other than attitude.

Where the 5 ESS is in a glass room, FreePBX is enabling small enterprises all over the world to offer feature rich telephone service. The only difference is the approachability. They are both in the same mission critical role.

Agreed, they are both in the same role. However the surface on a FreePBX install is much greater unless the kernel has been stripped down or otherwise customized.

I’m not complaining or trashing it by any means. I personally WANT it this way as it creates WAY more flexibility and is THE reason I am a FreePBX user.

FreePBX is installed on a full-blown computer that can “potentially” run other software, has ALL Linux commands available to it, can install RPM files, connect to repos, create additional user accounts, etc. Therefore, there is an even GREATER importance to keep up on patches for a FreePBX PBX versus any other commercial PBX.

That is all I am getting at. I’m also not trying to create any FUD. I am just stressing the importance of keeping a network connected information system up to date on patches. This is a must. Period.

It is 2013. HP printers & cell phones are getting hacked & used to proxy attacks, etc. I disdain all the time spent on security updates just as much as the next guy (not to mention the associated hiccups). But choosing to not patch systems with known vulnerabilities is backward thinking. I know you should protect the perimeter, etc. to prevent exposure of the box in the first place. But still, breaches happen sometimes. You either take security seriously or you don’t.

As for the remark about billing a customer excessively for busy work, that seems like a crude stab-in-the-dark, and I’ll leave it at that. We actually have over 50% of our revenue coming in from fixed-fee monthly agreements and we are actively converting the rest of our client relationships to this same model. So now every extra minute we spend patching asterisk boxes costs me more money today, not my client. That doesn’t mean I’m going to stop doing it.

I do appreciate your opinion and input and value the contribution each member brings to these forums. If it wasn’t for generous people like you chiming in to give their recommendations, this project wouldn’t be the great thing that it is! :slight_smile:

Regards,

Doug

You guys do realize that amportal chown will chown that file, and any time you start or restart Asterisk with the proper amportal restart it will chown that file along with lots of other files and directories that FreePBX needs set to the apache user.

It’s an interesting discussion and the “busy work” comment wasn’t a shot in the dark.

I am from the carrier world, more than 20 years. I worked directly with the team that was responsible for the OSS support infrastructure of the Verizon Wireless MTSOs. Many systems are never patched and rely completely on access controls.

The new updating system in Sysadmin Pro is going to allow hosted providers such as ourselves to automate the updates. This will change our strategy a bit.

I do rely heavily on walled gardens and perimeter solutions. For our hosting we provide access to the FreePBX GUI and URI via an SSL VPN solution that requires no client and utilizes Single Sign-On; it is transparent to the end user. Every hosting customer is in their own VLAN, with an independent gateway and an IDS.

Every strategy has compromises and risk/reward decisions. I am simply sharing what works for us.

I know that citing examples of poor practice is a lame argument however I feel compelled to point out that the three largest healthcare providers in the Cleveland market are running Cisco Call Manager that is significantly out of date. None are my customers!

They know Cisco Call Manager is out of date and they know what’s broken in this version and fixed in that version and likely are taking proper precautions (following Cisco recommended workarounds, using pricey IDS/IPS, access control as you point out is definitely a big part). They have to because as a health care provider they are bound by regulations such as HIPAA/HITECH Act.

Now, compare that to us folks running FreePBX, which is a full-blown server: we have to be on top of EVERY vulnerability in the kernel, operating system, web server, PHP, etc. A bit of a difference there. Try tracking all of this from the time you build a working system and don’t update anything for a year or two years. You now have to be on top of a nice long list of vulnerabilities and bugs, and I can’t imagine staying organized with that nightmare.

Best advice is to patch your system. Sure, wait a little while to see what problems may or may not arise from the patch so you are prepared (not everyone has a lab!), but patching is a necessary evil today. That’s just one reason this community right here and your experience/advice/support is so valuable.

Access controls are great – just can’t be the only form of prevention. We need to be prepared for what happens when those controls are circumvented. Be proactive.

The saying has been for a long time now “it’s not if you get compromised, it’s when.”

Another way to look at it: if you were running Asterisk on a network-connected Windows operating system, would you continue to apply Windows updates? Viruses are the worries of 20 years ago. Today we have malware. Macs get malware, and Linux can even get malware. If you don’t get malware through browsing or email, you get it through unpatched vulnerabilities.

Well our MBA is our CFO so he doesn’t weigh in on this much. I appreciate you articulating your opinion.

We are an ISP/ITSP/Nextgen Telco/Facilities based provider. We have used Sylantro, FreeSwitch and Asterisk to build our voice network now for going on 10 years. We have had a little toll fraud but never a rootkit. We have been a Juniper partner for the same time, turned down the last ASA 5 years ago. We utilize the triple sword of IDS, SA and SSG. The walled garden for the voice service as well. Also fraud detection (thanks Schmooze!) and Tripwire alert us to odd activity, and we can blow the VM away and start over. Before that we were using HP Blade servers (little AMD ones) and the same thing with PXE boot; we could reimage a system in about 30 min.

On our ISP side, which is now over 20 years old (oldest ISP in Cleveland under consistent ownership), we run mostly FreeBSD. Those systems are patched. DNS is the bane of our Web Hosting tech’s existence. We have had a few of those rooted over the years. Always when a user has us open up CGI or some other ill-conceived and poorly tested script. Some day we will no longer have shared web hosting.

Our mail platform is no longer all open source so that is always up to date.

I don’t think our approach is reckless, I prefer to call it blended.

As far as the average FreePBX user goes, it is usually poor controls on the part of the user. I think between the new complex secrets, Fail2ban, and the auto update of Sysadmin Pro this project takes patch management and security seriously. I still think if you have to expose the web interface, the reverse SSL proxy like we use is the best form of protection.

VPNs are so inexpensive these days. Even the much-maligned SonicWall has a mobile VPN client that works decently and seems to only give a small hit on battery life.

The Fortigates have built-in SSL VPNs. The cost of entry is plummeting.

Done rambling. What part of the country do you reside in? Would enjoy a cup of coffee to talk security and the project.

I don’t think your approach is reckless. It is layered, and that’s a good thing. Looks like you are covered quite well and have the manpower and other resources to handle things. I’m guessing your FreePBX implementation is in a much different environment than a good percentage of those who frequent this community forum.

For example, I am in a small office of about 30 people and a single Asterisk server. I too have a layered approach to security, but it’s a bit different than yours as it is scaled to size/needs/budget.

I am in Milwaukee, Wisconsin, freezing my tail off right now. I don’t claim to be any kind of security expert but am always up for a good discussion.

It’s pretty cold here in Ohio too. One of the Schmooze data centers is in MIL. Next time I am in town I will drop you a PM.

Sounds good!

Actually it’s in Franklin, WI, but close enough. Our corporate offices are in Neenah, WI.