Security hole after enabling Administrators module

This is a copy/paste from another area where I asked the same question with no reply. Hopefully someone can shed light on this potentially ginormous issue.

After you edit trixbox.conf and comment out the top, the Administrators module works, but it leaves the whole /var/www/html/admin/* file structure wide open. In other words, whereas the substructure is normally unable to be accessed from the internet, upon editing the file, you can type in x.x.x.x/admin/whateveryouwant and see and browse the entire structure. The potential security issues are pretty obvious…

How can I protect my server from unsavory critters, while still utilizing the admin module? Should I add another user in the /usr/local/apache/passwd/wwwpasswd file, or somehow point that file to the FreePBX user database?

Please help! Thanks ahead of time.

billsimon:

Now that’s what I’m talking about…finally someone with some actual input! For a while there, it seemed like we were in the Twilight Zone.

Thanks for the good ideas – and no, that wasn’t an insult on my previous post… a jab, but definitely not an insult!

Have a good one buddy.

Mikael: Please see the following links for the answers to your questions.

http://www.installationwiki.org/Installing_FreePBX#Setting_up_file_permissions

http://www.freepbx.org/support/documentation/module-documentation/administrators#comment-33313f

I think you’ve illuminated this entire post by perfectly illustrating my point – Thank you.

Forgive the brevity - I just wrote an extremely detailed post, and in a moment of (un)clarity, cleared my history / cache / etc to test my theory below. Yeah, well you know what happened from there…

anyways


after you follow the instructions located at: http://www.freepbx.org/support/documentation/module-documentation/administrators

scroll down to the bottom of /etc/httpd/conf/httpd.conf

find the line that says: Include /etc/trixbox/httpdconf/*
comment it.

reload httpd and amportal.

test the security. appears to be fixed.


for a finishing touch, you could even rename the maint folder.

I think even billsimon “the idea man” could wrap his head around this.

If anyone has any positive input that maybe includes some addition or modification to this potential solution, please comment.

Not sure if that was a compliment or insult, but I’ll take it as a compliment. :)

So you are basically removing trixbox modifications to the httpd config. That makes sense.

Some additions or modifications…

Turning on SSL would be a good idea. “yum install mod_ssl” and then “service httpd restart” will allow you to get to your same site over https. It uses a dummy certificate that you can keep using or get a valid one from a certificate authority. If you are concerned about security, do this and at least use the dummy cert.

Then get some more understanding on modifying the apache configs and turn off port 80 so that people can access it by https only. One quick way to do this would be to remove the Listen 80 line from httpd.conf.

You were concerned about people being able to browse directories. The way to fix that is to find the line in your httpd.conf within the container <Directory /var/www/html> that says Options Indexes… (and some other stuff). Remove the word Indexes and reload. You can test before and after by going to http://yourserver/admin/images/ for example. With Indexes in place it will give you a list of all the image files. After you make the change, it will give you a 403 Forbidden.

That’s all I’ve got.

You’re right. What I should have said is “this seems to have fixed it, pending further examination”.

I will test further and let you know what I find.
Thanks for the input.

You may not have realized this, but I am far from an expert in http access security :)

I am just wondering, the whole thread was started by you stating:

By editing and commenting out a config file for trixbox you open up a security hole in the system then want us to try to “fix” it?

I am sorry, but I continue to ask myself, “Why did he edit the file and comment something out?”

So I have to ask you: Why did you edit the file?

Take care,
Mikael

Unless I’m having a mental lapse, the only Authorization related thing in FreePBX that I am aware of is what I mentioned in my comment above.

If it’s something system wide (other than standard apache htpasswd) or specific to trixbox, I’m not familiar with it. Either way, I would suggest you put your solution in this thread. One of the ideas behind forums is not just a community self help board, but one that is retained for others to find in the future when they are running into similar problems (the magic of google web searches) and it’s nice if they find the solution to what they were looking for vs. having to pm someone who may no longer be around…

in either case, glad you solved the problems and I’m interested to see what that solution is.

sed -i "s/AllowOverride None/AllowOverride All/" /etc/httpd/conf/httpd.conf

That fixed it.

Looks to me like you found some tip on the web, blindly applied it to your whole web server config, and declared the problem solved.

So… are you sure? What exactly did you do by changing that line/those lines in httpd.conf? Do you know? How many lines were changed?

By using sed in that fashion you don’t even know the contexts in which you’re making the change.

Now that you’re secured, please post the URL of your FreePBX for the community to verify.

PS: I don’t recommend anyone else follow your one-liner “fix.”

hmm…

my apache knowledge is perennially rusty but doesn’t that just tell apache, for the specific config, that it will honor (or not honor) .htaccess settings for a given web directory?

Also, you are aware that doing a sed statement like that will affect every httpd configuration that has that setting. For someone worried about security, you seem a bit quick to make ‘blind’ changes to your system without understanding the consequences. You may want to make sure you know what else changed…

In any event, that change is not at all related to FreePBX, we don’t setup any restrictions through .htaccess files though it sounds like maybe there are some already present somewhere on your trixbox system that enabling .htaccess has allowed to function (but then again, make sure it didn’t go beyond that…).

In any event, definitely not something that anyone unfamiliar with the structure of the apache configuration and other things on trixbox would have any idea about.

As far as allowing FreePBX to do the security, you just need to change the AUTHTYPE and then disable all authentication for the FreePBX apache settings and FreePBX will deal with authentication for you.
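The thread keeps circling the same practical problem: a setting (Indexes, AllowOverride, Listen 80, the trixbox Include) is changed somewhere in httpd.conf without anyone being sure which container it lives in or how many lines a global sed just rewrote. The following script is an added example and not code from this thread, from FreePBX or from trixbox: it parses an httpd.conf while tracking the enclosing `<Directory>` containers, reports the settings billsimon and the sed critique above talk about together with their context, and then applies the two fixes in scoped form (comment out only the trixbox Include line; drop Indexes only inside `<Directory /var/www/html>`). The embedded configuration is a constructed sample that imitates a CentOS-style httpd.conf; the real file on a trixbox system will differ, and the script deliberately does not follow `Include` globs, so anything pulled in from /etc/trixbox/httpdconf/ has to be checked separately if that line stays.

```python
"""Context-aware scan of an Apache httpd.conf for the settings discussed in
this thread: the trixbox Include line, Listen 80, Options Indexes and
AllowOverride. It tracks the <Directory> container each directive sits in,
so you can see exactly which lines a blanket sed would have touched, and it
applies scoped fixes instead of global substitutions."""

import re

# Constructed sample that imitates the relevant parts of a CentOS-style
# httpd.conf; it is not copied from any real trixbox system.
SAMPLE_CONF = """\
Listen 80
<Directory />
    Options FollowSymLinks
    AllowOverride None
</Directory>
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride None
</Directory>
<Directory "/var/www/cgi-bin">
    AllowOverride None
    Options None
</Directory>
Include /etc/trixbox/httpdconf/*
"""

OPEN_RE = re.compile(r"^<(\w+)\s+(.*?)>$")   # e.g. <Directory "/var/www/html">
CLOSE_RE = re.compile(r"^</(\w+)>$")          # e.g. </Directory>


def walk(text):
    """Yield (raw_line, context, directive, args) for every line of the config.

    context is the list of enclosing containers, e.g. ['Directory /var/www/html'];
    directive is None for blank lines, comments and container open/close tags.
    Nested Include files are NOT followed; audit them separately.
    """
    stack = []
    for raw in text.splitlines():
        line = raw.strip()
        m = OPEN_RE.match(line)
        if m:
            name = m.group(2).strip('"')
            stack.append(f"{m.group(1)} {name}")
            yield raw, list(stack), None, ""
            continue
        m = CLOSE_RE.match(line)
        if m:
            yield raw, list(stack), None, ""
            if stack and stack[-1].split()[0] == m.group(1):
                stack.pop()
            continue
        if not line or line.startswith("#"):
            yield raw, list(stack), None, ""
            continue
        parts = line.split(None, 1)
        yield raw, list(stack), parts[0], parts[1] if len(parts) > 1 else ""


def audit(text):
    """Return (lineno, context, message) for each setting worth a second look."""
    findings = []
    for lineno, (raw, ctx, directive, args) in enumerate(walk(text), 1):
        where = " > ".join(ctx) or "(global)"
        if directive == "Include" and "trixbox" in args:
            findings.append((lineno, where, f"Include {args}: trixbox overrides still loaded"))
        elif directive == "Listen" and re.search(r"(^|:)80(\s|$)", args):
            findings.append((lineno, where, f"Listen {args}: plain HTTP still enabled"))
        elif directive == "Options" and "Indexes" in args.split():
            findings.append((lineno, where, f"Options {args}: directory listings enabled"))
        elif directive == "AllowOverride":
            # Every one of these is a line the blanket sed above would rewrite.
            findings.append((lineno, where, f"AllowOverride {args}"))
    return findings


def remove_indexes(text, directory):
    """Drop the Indexes option only inside <Directory directory>.

    Scoped version of the "remove the word Indexes" advice: every other
    container keeps its Options line exactly as it was.
    """
    out = []
    for raw, ctx, directive, args in walk(text):
        if directive == "Options" and ctx and ctx[-1] == f"Directory {directory}":
            opts = [o for o in args.split() if o not in ("Indexes", "+Indexes")]
            indent = raw[: len(raw) - len(raw.lstrip())]
            raw = f"{indent}Options {' '.join(opts) if opts else 'None'}"
        out.append(raw)
    return "\n".join(out) + "\n"


def comment_out_include(text, needle):
    """Comment out only the Include lines whose argument contains needle."""
    out = []
    for raw, _ctx, directive, args in walk(text):
        if directive == "Include" and needle in args:
            raw = "# " + raw
        out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # On a real box: text = open("/etc/httpd/conf/httpd.conf").read()
    for lineno, where, msg in audit(SAMPLE_CONF):
        print(f"line {lineno:>3}  [{where}]  {msg}")
    hardened = comment_out_include(remove_indexes(SAMPLE_CONF, "/var/www/html"), "trixbox")
    print("--- after scoped fixes ---")
    print(hardened)
```

Run it against the sample and the AllowOverride report alone shows why the one-liner drew criticism: three lines in three different containers match, and only the one under /var/www/html had anything to do with the admin interface. After writing a modified file back, validate it with `apachectl configtest` (or `httpd -t`) before `service httpd reload`, and keep a copy of the original so the change can be reverted.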

I had a sort of revelation this morning, and after a little discussion with one of my co-workers, I did a little poking around.

Well, sure as $#it, I found a little piece of code that fixed the whole issue. A one-liner.

Now, I’m left pretty perturbed…I mean, if I can figure this out, it’s really hard for me to believe that you guys didn’t already know what to do.

I understand that you guys don’t like trixbox. They’ve profited on a system that you created, hacked it up, and probably didn’t offer you any appreciation.

I GET THAT.

But, your tb using customers didn’t do that. We found an easy-to-install platform that’s reasonably reliable. Yeah, maybe we didn’t do our homework and pick the best (read: preferred) software. So, it really sucks that (if I’m right, and I hope I’m not) it seems as if I was basically shunned by the FreePBX elite because of a vendetta with a 3rd party. Treating your customers like that would just not be cool.

We trust you, and need you. We support you whenever and however we can. We interact and contribute to the community that you’ve created. But we still count on honest support from a company who basically invented an awesome, easy to use, exciting software – YOU!

If I’m wrong, and maybe you just didn’t know the answer, then please forgive me…this is not out of disrespect – quite the opposite, really.

Best to you all – I look forward to working with FreePBX well into the future.

BF
(bestest)


P.S. if you want to know the code snippet, just pm me. (I got it from a FreePBX install guide)

Actually you can install FreePBX right on top of trixbox and it works fine. You have to tweak some settings to fake the version numbers since trixbox uses a higher version number scheme. I have performed the procedure many times on production systems without issue.

If you are not comfortable with config files and especially modifying databases directly you could utilize the FreePBX support team.

All that being said it’s not going to fix the access issues.

I have no idea how other distributions handle it, however on any CentOS/Apache based system you can get as granular as you want with the permissions. You need to review how to use .htaccess files and poke around the directory structure of /var/www/html et al.

Philippe:

Thanks for your helpful input on the topic…It is evident that the developers of trixbox have taken some liberties with your software, which has obviously resulted in a level of animosity from the FreePBX side (and rightly so, might I add).

Honestly, I’m left a little frustrated with the situation. It seems as if there must be a relatively simple way to correct the permissions issue in Apache. I’ll leave the question open, and hopefully someone can ‘help a brother out’ one of these days.

In retrospect, I wish that we used something other than tb. Could you (or someone) shed some light on the technique to backup and restore to another machine. We had tried some time ago, and were only moderately successful – FreePBX was indicating database errors.

Anyways, thanks again for the input – what you said made a lot of sense. Plus it’s great to see the “godfather” still active…pretty cool.

BF

Trixbox is not FreePBX!

How to protect your server: Take a backup of it, reinstall with AsteriskNOW, PBX in a Flash or Elastix.

I acknowledge the fact that my understanding of freepbx is dwarfed by yours. I’m not in any position to debate either of you, nor do I want to. I’m sure that the aforementioned products are excellent and I look forward to testing them - but I’ve already used TB for this deployment.

That said, I am reaching out for help here and don’t want to get off topic.

Hasn’t anyone else out there had this issue?

Mikael: on a side note, just a quick THANKS! for your work as a developer. Without people like you, this community could never exist. You are greatly appreciated!

It’s obvious you don’t like trixbox, and hey, it’s not my favorite either. However, all tastes aside, and with all respect, do you have a helpful response to the question?

I’d like to point out that while AsteriskNOW, PBX in a Flash or Elastix are all great pieces of software, they are also “not FreePBX”.

In any case, I’m hoping to close the gap that didn’t exist prior to following instructions to enable the administrators module in trixbox – from FreePBX.org

Thanks again

Actually both Asterisk Now and PBX in a Flash install the latest, unadulterated FreePBX.

In addition to being painted green and not installing the backup module, the trixbox release is based on FreePBX 2.5 that is currently EOL.

bestest,

I think the point that is being made to you here is that trixbox has altered FreePBX in subtle ways and as a result, people don’t feel comfortable making suggestions that may not be relevant.

trixbox has got a long history of security holes and problems. Whether this is one of them or not, I don’t know. However, when FreePBX (in its un-altered form) is used and authorization is put into AUTHTYPE=database mode then the security issues you are alluding to should not exist on a properly installed system. The systems mentioned, to the best of my knowledge, are properly installed.

Fundamentally, if you do care about security, you may want to take the advice of some of the others and pick a platform that is not riddled with a history of issues. Otherwise, you are probably best off trying to figure out your issue on the trixbox forum where someone may be more aware of the issue you are having. (Though you are welcome to wait for a response here of course).