wardmundy (Nerd Uno), member since Oct 12, 2007
We've completed work on a new OpenVZ template (871.20 MB) for PIAF-Purple with CentOS 5.7, Asterisk 1.8.6.0, and the latest modules for FreePBX 2.8 including tm1000's Google Voice GUI update from this past week. You can build virtual machines in under 2 minutes flat. And they boot up in about 1 minute. We've also installed Tom King's latest Apache, PHP, PHPMyAdmin modules on top of CentOS 5.7. This should address all known exploits... for today. The template also includes EndPoint Manager, CallerID Superfecta, AsteriDex, Telephone Reminders, and Hotel WakeUp Call FreePBX modules. We need a few testers for this latest upgrade to CentOS 5.7 and would welcome your suggestions/additions/deletions.
If you're using this with Proxmox, be sure to run your Proxmox server behind a secure hardware-based firewall with no Internet port exposure. Reportedly, any current version of Proxmox with OpenVZ is extremely vulnerable to a root exploit because of the kernel being used. Once an attacker takes over your Proxmox server, ALL of your virtual machines are 100% vulnerable! If you need Internet access to a Proxmox server, do it only with a WhiteList of safe IP addresses or a VPN. For details on the web vulnerability, read this thread and this one.
Because of Tom's Apache and PHP patches, we think the individual OpenVZ virtual machines created with this new template are safer for Internet exposure; however, we ALWAYS recommend against exposing any virtual machine to wholesale Internet access. Internet exposure is NOT necessary to make or receive phone calls! If you do need Internet access for admin or a remote phone, use IPtables on the virtual machine to create a WhiteList!!!
PROXMOX INSTALL INSTRUCTIONS:
To load the new PIAF-OpenVZ template with CentOS 5.7 on your Proxmox server, log into the server as root and issue these commands:
cd /var/lib/vz/template/cache
wget http://nerd.bz/nFhdxG
To load the new PIAF-OpenVZ template with CentOS 5.5 on your Proxmox server, log into the server as root and issue these commands:
cd /var/lib/vz/template/cache
wget http://nerd.bz/p45qzi
UPDATE: Both the CentOS 5.5 and 5.7 templates now are also available from SourceForge.
To create a new OpenVZ virtual machine using the new template, use the Proxmox browser interface: Virtual Machine, Create:
Create OpenVZ-type container using new template:
- disk space: 25
- memory: 512
- swap: 512
- hostname: (your choice)
- password: (your choice; pw for FreePBX is password11; use passwd-master to change it)
- Network Type: change to Bridged Ethernet (veth)
- DNS domain: pbxinaflash.net
- Bridge: vmbr0
- Mac Address: use default
- DNS Server: 8.8.8.8
- 2d DNS: 8.8.4.4
Here's a sample of what the Create VM form should look like:
SECURING IPTABLES FIREWALL:
As mentioned, we recommend running all of your virtual machines behind a secure, hardware-based firewall with NO Internet exposure. If your virtual machine is actually running on a hosted server on the Internet, this may not be possible. You still can make your virtual machine rock-solid secure with the included IPtables firewall. Here's how.
Log into your server as root. Edit /etc/sysconfig/iptables:
1. Remove existing access to the dangerous ports
2. Add WhiteList IP addresses for the locations where you need access for admin or remote phone access
To remove access to dangerous ports, change:
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 113 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9001 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9080 -j ACCEPT
-A INPUT -p udp -m udp --dport 4569 -j ACCEPT
-A INPUT -p udp -m udp --dport 5000:5082 -j ACCEPT
-A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 4445 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5038 -j ACCEPT
to this:
#-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
#-A INPUT -p tcp -m tcp --dport 113 -j ACCEPT
#-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
#-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
#-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
#-A INPUT -p tcp -m tcp --dport 9001 -j ACCEPT
#-A INPUT -p tcp -m tcp --dport 9080 -j ACCEPT
#-A INPUT -p udp -m udp --dport 4569 -j ACCEPT
#-A INPUT -p udp -m udp --dport 5000:5082 -j ACCEPT
#-A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT
#-A INPUT -p tcp -m tcp --dport 4445 -j ACCEPT
#-A INPUT -p tcp -m tcp --dport 5038 -j ACCEPT
To add WhiteList IP addresses for sites from which you need access to the server for admin or phones, find the section of the file that looks like this:
-A INPUT -s 192.168.0.0/255.255.0.0 -j ACCEPT
-A INPUT -s 172.16.0.0/255.240.0.0 -j ACCEPT
-A INPUT -s 10.0.0.0/255.0.0.0 -j ACCEPT
-A INPUT -s 127.0.0.0/255.0.0.0 -j ACCEPT
Just below that existing series, add one entry per location that looks like this, using your actual IP addresses:
-A INPUT -s 111.222.111.222 -j ACCEPT
FINAL IMPORTANT STEPS:
1. Be sure you have added a WhiteList entry for the IP address you're using to access your server, or you will lock yourself out!
2. Then, restart your firewall to load the new settings: service iptables restart
3. Verify that your new settings are working and are what you expected to see: iptables -nL
4. Attempt to access your virtual machine's web interface using the browser on your cellphone (assuming it is not in your WhiteList). This will validate that the firewall is working properly by denying you access.
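As an added example (not part of the original post), here is a POSIX shell script that makes the two edits above on a copy of the file and enforces step 1 before you load it: it comments out the ACCEPT rules for the listed ports, inserts your WhiteList entries right below the private-range series, and refuses to report the file ready unless the address you are administering from is whitelisted. The sample file contents, the function names (harden_rules, whitelisted, safe_to_apply) and the test address 203.0.113.9 are constructed for this illustration.

```shell
# Added example, not from the original post. Rewrites a COPY of
# /etc/sysconfig/iptables as the post describes and adds a lockout guard.
# The sample file below is constructed; the real file's contents vary.
set -eu
# Ports whose ACCEPT rules the post says to comment out.
DANGEROUS_PORTS="22 113 80 443 21 9001 9080 4569 5000:5082 10000:20000 4445 5038"
# harden_rules INFILE OUTFILE IP...  : comment out dangerous-port ACCEPTs and
# add "-A INPUT -s IP -j ACCEPT" for each IP right after the private-range series.
harden_rules() {
    infile=$1; outfile=$2; shift 2
    awk -v ports="$DANGEROUS_PORTS" -v ips="$*" '
    BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) close_port[p[i]] = 1
            m = split(ips, w, " ") }
    /^-A INPUT -p (tcp|udp) -m (tcp|udp) --dport / && /-j ACCEPT$/ {
        split($0, f, "--dport "); split(f[2], g, " ")
        if (g[1] in close_port) { print "#" $0; next }   # disable, keep for reference
    }
    { print }
    /^-A INPUT -s 127\.0\.0\.0\/255\.0\.0\.0 -j ACCEPT$/ {   # end of private-range series
        for (i = 1; i <= m; i++) print "-A INPUT -s " w[i] " -j ACCEPT"
    }' "$infile" > "$outfile"
}
# whitelisted FILE IP : true if FILE accepts all traffic from IP.
whitelisted() { grep -qxF -- "-A INPUT -s $2 -j ACCEPT" "$1"; }
# safe_to_apply FILE ADMIN_IP : lockout guard for step 1 of the final steps.
safe_to_apply() {
    if whitelisted "$1" "$2"; then
        echo "OK: $2 is whitelisted; load with: service iptables restart"; return 0
    fi
    echo "REFUSING: $2 not whitelisted in $1; you would lock yourself out" >&2; return 1
}
# Constructed sample input (abridged from the layout the post shows).
TMP=$(mktemp -d)
cat > "$TMP/iptables.orig" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
-A INPUT -s 192.168.0.0/255.255.0.0 -j ACCEPT
-A INPUT -s 172.16.0.0/255.240.0.0 -j ACCEPT
-A INPUT -s 10.0.0.0/255.0.0.0 -j ACCEPT
-A INPUT -s 127.0.0.0/255.0.0.0 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 5000:5082 -j ACCEPT
-A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
harden_rules "$TMP/iptables.orig" "$TMP/iptables.new" 111.222.111.222
safe_to_apply "$TMP/iptables.new" 111.222.111.222
```

Review the generated file with a diff against the original before copying it into place, then follow steps 2 through 4 above.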
KNOWN QUIRKS:
The status display isn't quite right. This is what displays on a Proxmox VM with IPtables up and running. The third step above will verify it for you: