Security . . . for all you guys /girls who would like to share your security concerns

basically you need a rock solid security policy in place

Just Do it, don’t be complacent.

Please don’t bring any prior attitudes here ob** and mu**, we heard you already.

Just your honest intention to discuss and learn, share your experiences and post your suggestions. . . .

who knows we might all benefit!!

Step 1

Even before the software (Asterisk/freepbx/et al.) and before the firewall we need a basic IDS, I suggest . . .

installing rkhunter an effective but lightweight file system monitor

(use your distro’s normal method or do it from source)

iterate

rkhunter -c -sk

note the bad lines

grep -i warning /var/log/rkhunter.log

for a clue as to errors

less /var/log/rkhunter.log

for what might need fixing

[nano|vi|mcedit] /etc/rkhunter.conf

to fix problems

/iterate

until you get to “pass” without a bitch ;}

please use tripwire, snort or whatever if you so prefer, but please choose one that you understand, when you pass that iterative process . . .

You should now have a basic system that will monitor and email you changes that are “of consequence” and probably bad

now you are ready to put on your big girl’s boots. . . .

You are ready for step 2 The firewall. . . .

Install a local firewall!!

Even if you think you have an effective one on your network, in England that is called using “belt and braces” what that means is you are less likely to get caught with your pants down.

CSF is easy to setup and can be managed by Webmin for the CLI challenged.

It will also do a basic audit of many common possible exploits in your system like unneeded processes running and inappropriate permissions in your file system, it will also very reasonably suggest that /tmp be a transient filesystem, there are so many exploits that will inject themselves into /tmp and thus survive a reboot on your standard insecure distro, take this one VERY seriously.

Proably the best advice it will give you is to disallow ssh password based logins, and rely only on secure ssl key permission access. ( do that anyway and guard that key with your life!! Belt and Braces says change the port ssh runs on also)

Again iterate through the audit and fixing it until you are happy . . .

DO NOT ALLOW ANY PORTS THROUGH by default, just hosts and networks that you know and trust to have access. obviously yourself, localhost and your local network if you trust them implicitly.

There are many other firewall scripts to choose from, but the concept is the same, they will almost always use iptables as the kernel hook.

All your local services will be exposed by

netstat -aunt

( a good checkpoint in itself, do you really need tcp:2000 running ?)

If you do that right , then check from outside your trusted space with nmap, ncat or something more rigorous, your call. the server should just be “NOT THERE” .

you are then ready for Step 3

You will have a very restricted machine, unfortunately you will need to open holes for software updates and even diagnostic tools like whois, this might be a pain but as you get used to the concept, you will only be opening up the minimal hosts/ports.

This concept is restrictive by nature, but if you have the patience it is very secure even mustardman or obelisk will not see you, it gets interesting as you slowly open up comcast/coxnet etc as needed to suit your remote phones, but generally you can restrict those to /16 networks at worse, you will be protected from Chinese Universities and Palestinian/eastern europe/Amazon cloud hackers (In my experience, the biggest pricks, and NO they are NOT STUPID)

Having opened up “holes” you probably need a logfile scanner,

I suggest fail2ban as it is easy to install and easy to customize. Google for the latest regexes for the asterisk you use, edit thoe filters to your liking,

Don’t be complacent here, regularly run

fail2ban-regex

against your log files and against new attacks that might show up, edit the filters to keep up to date.

These logfile scanners scan the logfiles from postfix/exim, apache/httpd, asterisk, ssh , actaully anything, the world is your oyster here, but they only do waht yoy tell them to do, Caveate emptor and be prepared to get your feet wet.

On another note, Webmin, ssh and other conveniences should not be running on standard ports. actually, apart from ssh, they should probably not be running at all until you need them.

Simple services like tftpd and ntpd are also prone to attack, again restrict access to them.

The process goes on, but after these few steps you might be ready to install asterisk and FreePBX.

(many distros do most of these steps for you, many don’t, plase be aware of what you are installing from an iso)

dicko

I suggest that in FreePBX the only site that shoud be world readable is /recordings, the user portal.

a simple redirect in /DocumentRoot/index.html to that site (use https) and an .htaccess file to suit there and in /admin will maybe be sufficient, given an effective logscanner implentation to deny scanners on 80 and 443 you should remove any spurious index.* or default.* files in DocumentRoot also for shits and giggles.

Some suggest vpn only access but the user portal is really quite useful and necessary if your /etc/asterisk/voicemail.conf file refers to it in it’s emails, (try to vpn from a cell phone :wink: ) . There is also a problem if you need other websites, e.g. Aasra XML scripts to provision phones outside your network. (must say that that stuff is truly exquisite, and the phones are from the nortel stable so they work and feel excellent try them!!)

hmm . . . on that subject, it will behoove you to change in voicemail.conf

format = wav|gsm|wav49

as androids can’t play native gsm or wav49 ( go figure on the gsm thingy, it’s a bloody cell phone after all!! they do lick microsoft’s ass though as do iphones)

Be aware that in earlier versions of FreePBX, there is a glaring security hole in that particular site, please update yout FreePBX and change the default admin login !!!

get all the above right, install X Windows and firefox on the server, then the only possible way to get to the admin gui would be through :-

ssh -X [email protected] firefox

which will be accessing the localhost over a secure encrypted connection from any other machine equipped with a proper ssl key.

I belive that putty will allow such forwarded connections for any of you poor windoze self crippled also :slight_smile:

Is a pain, sip signalling defaults to udp:5060 and in microsoft_world/Asterisk10 tcp:5060 also.

If your VSP allows it, request a change to something other, be adventurous there are 64000 odd ports available (don’t request < 1024 though), 5061 or so will be nearly as vulnerable , it’s called human engineering, think outside the box, don’t think like a human. It will save you a whole shitload of problems downline, it will also unfortunately add problems for you as your users try and use ZOIPER or something on their computers/cellphones. I suggest you byte (sic) the big one here if you can and let them know where the : key is.