What steps do you take to harden a new install? Here’s what I’ve done so far on my first system…
- Run Asterisk and httpd as non-root users
- Disable anonymous FTP access (for Polycom phone boot files)
- Change default SQL password
- Change default Asterisk Manager password
- Change default FreePBX password
I’m probably neglecting a dozen aspects, so I appreciate any other recommendations, especially on best practices for firewalling a PBX for SIP/RTP.
Best practice on setting up a firewall in general applies: lock down everything, only open up what you need. If possible, only open what you need to specific IP addresses (only allow SIP and RTP to known remote sites – this isn’t always possible, especially if you have roving users. You can do VoIP over a VPN, but that introduces overhead.)
Don’t allow root to connect directly via ssh, force a normal user first, then su to root or use sudo.
Don’t assume that the DMZ or internal network is “safe” – only open what you need to the inside as well.
Minimize exposure and services. If you’re not going to print, don’t have CUPS installed. Ditto for Samba, and any other network services you don’t need that might be installed or running. Don’t just stop them from running at boot – remove them from the system. Don’t neglect things that run through xinetd.
Actually, delete every piece of software you don’t explicitly need. This will minimize the possibility of having a vulnerability in an unused tool that allows privilege escalation.
Don’t have a build environment installed if you can avoid it. Build on a build system, then move the binaries over to the live system. Don’t make it easy for the bad guys.
Install an intrusion detection system (IDS) and an intrusion prevention system (IPS).
Your general attitude should be that of a paranoid freak.
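An added example, not from this thread or any of its posters: a POSIX shell script that prints (rather than applies) iptables rules implementing the "only allow SIP and RTP to known remote sites" advice above, so the rule set can be reviewed before loading. The SIP port (5060), RTP range (10000-20000) and peer addresses are assumed sample values; adjust them to your sip.conf/rtp.conf and real remote sites.

```shell
#!/bin/sh
# Emit iptables rules that accept SIP/RTP only from known remote sites and
# drop everything else inbound. Rules are echoed, not applied, so they can
# be reviewed first (pipe to sh once you are happy with them).
# Assumed values: SIP on UDP 5060, RTP on UDP 10000-20000 (check rtp.conf).
# PEERS is constructed sample data; replace with your real remote sites.
PEERS="203.0.113.10 198.51.100.0/24"
SIP_PORT=5060
RTP_RANGE="10000:20000"

pbx_fw_rules() {
    # Default-deny inbound; keep loopback and already-established flows.
    echo "iptables -P INPUT DROP"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # One SIP rule and one RTP rule per known peer (host or CIDR).
    for peer in "$@"; do
        echo "iptables -A INPUT -s $peer -p udp --dport $SIP_PORT -j ACCEPT"
        echo "iptables -A INPUT -s $peer -p udp --dport $RTP_RANGE -j ACCEPT"
    done
    # Log, then drop, SIP from anyone else: the log line is what you grep
    # for to spot scanners and brute-force registration attempts.
    echo "iptables -A INPUT -p udp --dport $SIP_PORT -j LOG --log-prefix 'SIP-DROP: '"
    echo "iptables -A INPUT -p udp --dport $SIP_PORT -j DROP"
}

# Helper: how many per-peer (source-restricted) rules were generated.
count_peer_rules() {
    pbx_fw_rules "$@" | grep -c -- "-s "
}

pbx_fw_rules $PEERS
```

Roving users who cannot be pinned to an address are the case the answer above mentions; for them a VPN endpoint address added to PEERS is the usual compromise.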
Great info. Thank you!
For those of you wondering how to disable root login via ssh: in /etc/ssh/sshd_config, change ‘#PermitRootLogin yes’ to ‘PermitRootLogin no’ (notice the uncomment).