This is a resurrection of two (lost) posts which offer some thoughts on security
This is NOT a HowTo, and must not be relied upon. Just see it as a starting point - if in doubt read up and ask!
Unfortunately a lot of the background discussions will have been lost, but I am sure it will be raised again as time goes on.
Original Posting was asking about how to secure a Public Facing PBXIAF box.
1- posted by turalo:-
There are many many many pages written about this. You should search the forum, and google. Piaf has many manuals on how to secure it all.
but just to guide you to the next part,
1. If possible put a hardware firewall in front of it (put the PIAF behind a firewall)
2. Do not use standard ports, change your http/www port to something different than 80, change your ssh ports.
3. Use firewall white list, so only listed IP's have access to the server.
4. change all default passwords on the system, use very difficult long passwords.
5. Disable anonymous calls in to the system.
6. Use the known HTTP security options like .htaccess file etc... to extra secure the web.
this is just the default.
I myself have few PIAFS online on Public IP without firewall, but I have all my ports changed and no services except the needed services by voip are running, so httpd is disabled, when I need it I start it via ssh. and server accepts only voip requests. even then sometimes I get attacked few thousand times in a day but thanks to Fail2Ban which is by default enabled on PIAF most of attacks get blocked, I have very strict rules in Fail2Ban, 1 wrong try and you are banned at least for 3 days.
so I hope this is helpful.
to find out how to do this all, use google, or search the forum, this all is also on http://nerdvittles.com/
2 - posted by krakastan
I have gleaned the following mainly from hereabouts, adapted for use on RentPbx, and would offer the following thoughts:-
This is a braindump on security from my checklist for Green; Asterisk 11; FPBX 2.11:-
Useful Links:
PBX in a Flash 2.0.6.3
IncrediblePBX11
TravelinMan3
Some changes I have made:-
Webmin:
Create a firewall rule to allow admin from your site (see link to firewall thread below)
Webmin/ports and config xxxxx
Servers/SSH all addresses port yyyyy
Server/Apache GlobalConfig ports 443, zzzzz
Hardware/SystemTime: Default timeserver: 0.uk.pool.ntp.org - SuptHwTime=no Tzone=??
Landing Page/Admin/MenuConfiguration : set p-a-s-s-w-o-r-d
SipSettings:
Allow Guest Yes
Allow Anon Yes (NB Create CatchAll InboundRoute=TerminateCall-HU)
Advanced Settings:
Dashboard Non-Std SSH Port yyyyy
Extensions:
Use long/Complex passwords
Set Permit/Deny IPs
The Allow Anon Users & Guests setting can cause some discussion. I have adopted the view that allowing and using a catchall to terminate call is preferable for me.
I do use permit/deny IPs in (most) extensions, although some have said this might be overkill.
Make sure all passwords (root, maint, etc) are long and complex, and not default!
Develop a thick skin with regard to hardware firewall statements which are plentiful but do not apply to RentPbx (and other) solutions (it is fair that this is reiterated often, and most understand that it is not an option on rentpbx, so alternatives must be found)
Do not use auto top up cards on voip accounts (personally I do: several accounts on a dedicated card; this means I can monitor one balance and do one top up for all my voip accounts, usually monthly).
It only has limited funds on it which I am prepared to risk in return for the convenience.... [note- accepting the risk is the key ]
Specifically on the firewall - I will be resurrecting a separate post on this - now here
Hope this is of use - it is your risk!
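The permit/deny setting mentioned under Extensions above is an Asterisk ACL: the deny/permit lines are evaluated top to bottom, the last matching line decides, and an address that matches no line is permitted. The block below is an added example (my own code, not from the original post, Asterisk or FreePBX) that evaluates such lists for a few constructed extensions and flags any extension that carries no deny line at all, which is the "reachable from anywhere" case the post is trying to avoid. The extension numbers and addresses are constructed.

```python
import ipaddress

# Constructed per-extension permit/deny lists, in the sip.conf / FreePBX
# "netmask" form the settings page accepts.  Extension 102 has no ACL.
SAMPLE_EXTENSIONS = {
    "100": ["deny=0.0.0.0/0.0.0.0", "permit=192.168.1.0/255.255.255.0"],
    "101": ["deny=0.0.0.0/0.0.0.0", "permit=203.0.113.7/255.255.255.255"],
    "102": [],
}


def parse_rule(rule):
    """Turn 'permit=a.b.c.d/mask' or 'deny=a.b.c.d/mask' into (sense, network)."""
    sense, _, spec = rule.partition("=")
    sense = sense.strip().lower()
    if sense not in ("permit", "deny"):
        raise ValueError(f"unknown ACL keyword in {rule!r}")
    # strict=False tolerates host bits being set, as Asterisk does
    return sense, ipaddress.ip_network(spec.strip(), strict=False)


def is_permitted(ip, rules):
    """Asterisk semantics: walk the list in order, last matching rule wins,
    default is permit when nothing matches."""
    addr = ipaddress.ip_address(ip)
    verdict = "permit"
    for rule in rules:
        sense, net = parse_rule(rule)
        if addr in net:
            verdict = sense
    return verdict == "permit"


def open_extensions(extensions):
    """Extensions whose ACL contains no deny line and are therefore reachable
    from any source address (the default when permit/deny is left blank)."""
    return sorted(
        ext for ext, rules in extensions.items()
        if not any(parse_rule(r)[0] == "deny" for r in rules)
    )


if __name__ == "__main__":
    for ext, rules in SAMPLE_EXTENSIONS.items():
        for probe in ("192.168.1.25", "203.0.113.7", "198.51.100.9"):
            print(ext, probe, "permit" if is_permitted(probe, rules) else "deny")
    print("no deny rule:", open_extensions(SAMPLE_EXTENSIONS))
```

The usual pattern is the one shown for extensions 100 and 101: deny everything first, then permit the LAN or the single public address the phone registers from; putting the permit line before the deny would let the deny win and lock the phone out.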