SUGGESTIONS Incredible PBX Security

bobmats

Member
Joined
Nov 11, 2014
Messages
50
Reaction score
1
I have installed Incredible PBX on Ubuntu 14 and everything works fine.

I only see the following problem.

When I go to myip/maint

I see:

parent directory

myipconfigedit
phpMyAdmin
sysinfo

I can then click phpMyAdmin and this goes to: http://myip/maint/phpMyAdmin/
and I can see all settings there.
No need to log in; I can do this from any computer that uses an IP on the whitelist and has full access through the firewall.
To me this seems unwanted behavior?

Maybe I installed everything wrong, or how can this be fixed?
Now any user in the office can make changes without being logged in.

Also I am using Traveling Man port knocking and this works fine.
Normally when whitelisting IPs one can specify what services the IP can see: SIP, IAX, or also Webmin and logging in to the PBX.

When using Traveling Man I get access to all services including web access.
This seems a problem if I look at being able to access myip/maint and see all settings without being logged in.
Would it be an option to create 2 port knocking settings?
1 that regular users can use to register their softphone through SIP/IAX
another one that will give an admin access to everything from that IP
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,201
Reaction score
5,221
bobmats The WhiteList is tailorable using add-ip and add-fqdn. You don't have to give everyone full access to everything. For users that only need extension access, just give them SIP access and nothing more. You can provide multiple options by separating the entries with commas. Port knocking is designed as an interim tool to get people connected quickly. It goes away the minute you restart IPtables: iptables-restart.
 

bobmats

Member
Joined
Nov 11, 2014
Messages
50
Reaction score
1
Situation: I added the office IP with add-ip to give full access so I can also access FreePBX myself.
Anyone on that IP can then access the maint directory and see settings without logging in.
This I think is unwanted.

I assume that there are many users that have several people in the office on the same IP but don't want them to access the maint directory.

Again, even for me, without being logged in it should not be possible to see the maint directory and see and use phpMyAdmin. This should only be possible when I am logged in as admin.

The port knocker works fine as a fast-access tool but will also give full access to the maint directory without being logged in. This is unwanted and a security problem.

For now I will add an .htaccess file with deny all in the maint directory.

I hope you agree that it's unwanted to access the tools in the maint directory without even being logged into the admin panel. For me this is an unsafe setup and I hope this can be resolved.
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,201
Reaction score
5,221
I assume that there are many users that have several people in the office on the same ip but don't want them to access the maint directory...


The problem is you as an administrator wanting to share an IP address with many people in the office. There's no difficulty restricting the "many people" so that they can't access the maint utilities. One solution is for you as admin to use PortKnocker which will provide full access when you need it and leave the add-ip rule in place to just allow SIP access at other times. Then you can remove your PortKnocker access when you are finished by restarting IPtables. This does give full access to everybody but only at the limited times you're using PortKnocker. A better option would be a VPN for either you or the other folks and set up different IPtables rules for the two IP addresses.

AFAIK the admin problem cannot be resolved using IPtables where multiple end-users also share the same public IP address as the admin. IPtables is primarily an IP address-based firewall. But the VPN approach would solve that.

.htaccess files are another solution, or you can move/disable the utilities in the maint directory and set them up on a different Apache port. That's beyond the scope of what we intend to officially support, but there are plenty of options that you as an administrator can employ to work around the limitations of IPtables.
 

bobmats

Member
Joined
Nov 11, 2014
Messages
50
Reaction score
1
Ward, thank you for this explanation.

I still think that the utilities placed in maint are a security risk as they give access to critical files without any password. I have added an .htaccess file to deny access to them for the moment.

As said, there will be many users that will use an office IP for several users. They should be aware of this when setting up their system.
As you say, the only option will be to limit access from any IP to SIP/IAX only.
The problem then is how can users from that IP access their control panel if I only give access to SIP and not FreePBX?

Use the port knocker to access everything.
In that case the port knocker should only be used by the admin and no one else to access the admin area.

How can I easily restart iptables on Ubuntu? Do I need to log in via SSH, or can a script be made for this?
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,201
Reaction score
5,221
I still think that the utilities placed in maint are a security risk as they give access to critical files without any password.


Nobody gets access to maint unless you as administrator give them web access or full system access with IPtables. As I said, the problem is you as admin wanting to share a whitelisted IP address with end-users. I don't know what your specific setup is, but if you are the only remote user and the users at the remote site are on a LAN, then the simple solution is to adjust the LAN subnet entry in IPtables to only provide SIP access for the LAN users instead of a blank check.

If you want the remote users to have any type of web access to FreePBX features (a bad idea IMHO) then you need to separate out the maint admin apps as suggested above. These utilities need not be in the /var/www/html tree. In fact, they can all be deleted. A blank index.php file in the maint folder also would keep prying eyes from snooping. Then you could change the directory names to something only you know. In this scenario, security by obscurity works exactly like a password.

Lots of ways to tackle this including your htaccess solution. It only becomes a security problem because you as administrator want total access on an IP address shared with untrusted end-users. That puts the burden on you as administrator to keep the other folks out.

Administrators can make any system insecure. That doesn't mean the original design was/is insecure. Our design ASS-U-MEs web access is for administrators and trusted users in the IPtables WhiteList. That obviously doesn't work for everybody. We've documented that local subnet access is WhiteListed. If that doesn't meet your needs or if you don't trust end-users for whatever reason, then feel free to change it and protect your server in any way that makes you comfortable.
 

bobmats

Member
Joined
Nov 11, 2014
Messages
50
Reaction score
1
My setup is running on a VPS cloud server, so no local server.

I understand that nobody gets access to maint unless iptables gives access.
The problem remains that even if access is granted by iptables, the utils in maint give access to the database without the need of a password!
It's my opinion that this should never be possible, even for an admin.
I was under the impression that I needed to first log in to FreePBX as admin using a password and only then the utils would give access, but I have now found this is not true.
Access to the database and settings should always be behind a password. Any utility that gives direct access to this without a password is a security problem.
I guess we have a different opinion about this.

The above would also apply to a local server.

The user control panel in FreePBX is also meant for access by non-admin users.
In order for these to access the user control panel they must be whitelisted to access the UCP. Automatically these users will also gain access to the maint directory and have full access.
In your current setup, even locally, this means that the user control panel is not usable for local users.

I must then assume that the original design was not meant to give regular (trusted) users access to the user control panel?
Unless you wanted to give regular users uncontrolled access to the maint utilities as well, and be able to change everything there?

So what it comes down to is that in any setup, local or non-local hosting, only an admin should have access to the web interface.
No other users should have access to the web interface unless the maint directory is renamed, deleted or protected in any other way.

I would really suggest removing the utils from the standard setup and making them optional, or really explaining this in more detail when installing the Incredible PBX setup.
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,201
Reaction score
5,221
If the security issues in the last month haven't convinced you that public web access to Incredible PBX and FreePBX is a very bad idea, then you're right. We have very different views about security.
 

bobmats

Member
Joined
Nov 11, 2014
Messages
50
Reaction score
1
The question about public web access is an issue and you are right to keep this limited or impossible; we agree on this.

What I wrote also applies to local access to the web interface for normal users.
If you grant local users access to the user control panel (and I assume that the user control panel in a local server situation was meant for this), this also means that these users have unlimited access to the maint directory in the current setup.
Please correct me if I'm wrong.

It is my opinion that access to the maint utils without a password is a security problem in the current standard setup.
This kind of access should only be possible through username / password and NEVER without this kind of protection. The only protection the current standard installed setup offers is IP / firewall based, and this is not enough for the current setup.
 

bobmats

Member
Joined
Nov 11, 2014
Messages
50
Reaction score
1
I think Ward that you missed bobmats' important point. He is stating that, once white listed, any of his users can open a browser and navigate to:
http://<pbx_ip>/maint/phpMyAdmin/
and get full system read/write access WITHOUT entering Apache credentials.

I am not running a Ubuntu system at the moment, but on my Centos system, when I browse to the above URL, I am challenged for Apache credentials and get banned if I fail too many times.

What you write is correct.

I also have the setup running locally in VirtualBox, Ubuntu 14 Incredible PBX.
Same problem here: local users can also access http://<pbx_ip>/maint/phpMyAdmin/
If granted access to the web interface, any user can access maint without protection.
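The difference the two posts describe (a 401 challenge on CentOS versus a page served straight away on Ubuntu) is visible in the Apache access log. The following script is an added example, not part of the thread or of Incredible PBX: it audits constructed sample log lines for /maint/ requests that were served with a 2xx status and no authenticated user, and the IP addresses and paths in the sample are made up.

```python
"""Audit an Apache combined-format access log for maint-tool requests that were
served without any HTTP authentication (added example, not Incredible PBX code)."""
import re
from collections import Counter

# Constructed sample log lines (not taken from the thread or a real server).
SAMPLE_LOG = """\
192.168.1.20 - - [11/Nov/2014:10:02:01 +0000] "GET /maint/phpMyAdmin/ HTTP/1.1" 200 4512 "-" "Mozilla/5.0"
192.168.1.20 - - [11/Nov/2014:10:02:07 +0000] "POST /maint/phpMyAdmin/sql.php HTTP/1.1" 200 933 "-" "Mozilla/5.0"
192.168.1.21 - - [11/Nov/2014:10:05:44 +0000] "GET /ucp/ HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
192.168.1.21 - - [11/Nov/2014:10:06:10 +0000] "GET /maint/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"
192.168.1.21 - admin [11/Nov/2014:10:06:15 +0000] "GET /maint/ HTTP/1.1" 200 612 "-" "Mozilla/5.0"
"""

# Fields of the combined log format: client IP, ident, authenticated user,
# timestamp, request line, status code. Everything after the status is ignored.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

MAINT_PREFIX = "/maint/"


def parse(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def unauthenticated_maint_hits(log_text):
    """Return (ip, path) for every /maint/ request that Apache served (2xx)
    while the authenticated-user field was still '-' (no credentials given).
    A 401 means Apache challenged the client, which is the desired behaviour."""
    hits = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None or not rec["path"].startswith(MAINT_PREFIX):
            continue
        if rec["status"].startswith("2") and rec["user"] == "-":
            hits.append((rec["ip"], rec["path"]))
    return hits


def summarize(log_text):
    """Count unauthenticated /maint/ hits per client IP."""
    return Counter(ip for ip, _ in unauthenticated_maint_hits(log_text))


if __name__ == "__main__":
    for ip, count in summarize(SAMPLE_LOG).items():
        print(f"{ip}: {count} unauthenticated maint request(s)")
```

When the whole office sits behind one NAT address, the client IP column cannot separate the admin from the other users, which is exactly why an IP-based whitelist on its own cannot protect /maint/ in that situation.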
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,201
Reaction score
5,221
I think Ward that you missed bobmats' important point. He is stating that, once white listed, any of his users can open a browser and navigate to:
http://<pbx_ip>/maint/phpMyAdmin/
and get full system read/write access WITHOUT entering Apache credentials.

I am not running a Ubuntu system at the moment, but on my Centos system, when I browse to the above URL, I am challenged for Apache credentials and get banned if I fail too many times.


This is a stand-alone Incredible PBX system which does not use Apache security (yet).
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,201
Reaction score
5,221
I've provided about a half dozen ways to address this if it's of immediate concern. That's as good as it will be for awhile. UCP is a relatively new creation. Let's see how that goes for a bit before we begin (yet another) reengineering effort. As I said, I'm not yet persuaded that web access for end-users is a good idea, period. If so, it needs to be separated off rather than the other way around.

Moving this to the Developer's Forum and we'll see what we see.
 

sactobob

Guru
Joined
Nov 25, 2014
Messages
33
Reaction score
8
After installing Incredible PBX and noticing web access didn't bring up the familiar Apache login popup, it was simple enough to add the .htaccess/.htpasswd files at the root of the html directory and regain that extra level of security.

I'm curious, and not to deviate from the original question, but you (Ward) also mentioned the "public web access" issue itself; I'm hoping you mean basically just this function (web access)? With a virtual PBX provided by xyz company the VIP is going to be public. I see fail2ban constantly blocking SIP attempts, but I really like the added port knocking Incredible PBX adds that makes that pretty much go away! Can't wait to swap this in for my live system, nicely done.
 

bobmats

Member
Joined
Nov 11, 2014
Messages
50
Reaction score
1
I just installed CentOS 7 and Incredible PBX as I had some problems using Incredible PBX 12.

I now noticed the same problem. When going to myip/maint I can just open the PHP settings.
This again means anyone that has access to the web interface can change the MySQL settings.

Also in a local setup, a user that can access the control panel, for example voicemail or AsteriDex, can access this.
It seems that this problem is not limited to Incredible PBX 12 but also exists on version 11 / CentOS 7.

An .htaccess file is an option but needs to be added by the user.
 
