HowTo Secure Your VoIP System while still allowing external access

Lost Trunk (Guru, joined Aug 5, 2008)

Talk about sensing condescension... anyway, our big point of disagreement here is over whether Travlin' Man is an "unobtrusive" solution, and that, I would say, is in the eye of the beholder. Some may not think it's a PITA to fire up a computer and browser before you can use your hardware VoIP adapter. Personally, I would find that completely and utterly unacceptable. With a softphone it's another matter entirely.

But that doesn't mean I throw security to the wind. Anyone trying to do a brute-force attack on the passwords on my system had better be prepared to spend several lifetimes on the process, because between fail2ban, the "knock", and some very long, very random passwords, they aren't getting in (unless they find some kind of backdoor into the system, and if they can do that we're all in trouble). Note that I DO use the whitelist approach for things like ssh and Webmin access - I just don't use it for SIP.

Oh, by the way, while we are on the subject of SSH...

For someone who is so security conscious, why is it that by default a PiaF/Incredible installation allows you to log in as root using a password only, from anywhere in the world? I mentioned that to a friend who is much more knowledgeable about security than I am (his duties include network security for the company that employs him) and he said that many new Linux distributions (but not CentOS, apparently) won't even allow you to log in as root - they force you to pick a username and then use sudo to perform administrative tasks. That at least forces a brute-force attacker to guess a username and a password, rather than allowing them to assume that they only have to guess the root password. It seems to me THAT is the weakest link in a new PiaF setup, because if I can get in as root I can get to Asterisk's configuration files, and saved in those files are all the user passwords - in plain text! So the first thing anyone not using a hardware firewall should do is set up a whitelist for SSH access (or use something other than root, or change the default ssh port, or some combination of those things), but it seems to me like leaving ssh that insecure by default is not a good thing.

I know you print warning messages during setup but would it not be a good idea, somewhere in the install script, to have the administrator pick a user name and password, then (in the script) set up an account for that user and add that username to the sudoers list, then disable root access to ssh? Or would that cause other problems?
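The install-time change proposed in this post, written out as a script. This is an added example, not anything from the PIAF installer; it assumes a CentOS-style wheel group in /etc/sudoers, GNU sed, and that the account-creating part is run as root with MAKE_CHANGES=1 (the sshd_config part takes a path so it can be tried on a copy first).

```shell
#!/bin/sh
# Added example (not part of the PIAF installer): create a sudo-capable admin
# user, then shut root out of SSH. Assumptions: a CentOS-style "wheel" group
# is what /etc/sudoers grants sudo to, GNU sed, run as root with MAKE_CHANGES=1.

# Rewrite an sshd_config so root cannot log in over SSH. Takes the path as an
# argument so it can be tried on a copy first. sshd uses the FIRST value it
# finds for a keyword, so every existing PermitRootLogin line (commented or
# not) is removed before the hardened one is appended.
harden_sshd_config() {
    cfg="$1"
    grep -v -E '^[[:space:]]*#?[[:space:]]*PermitRootLogin[[:space:]]' "$cfg" \
        > "$cfg.tmp" || true          # grep exits 1 if nothing is left; fine
    printf 'PermitRootLogin no\n' >> "$cfg.tmp"
    mv "$cfg.tmp" "$cfg"
}

# Report the effective PermitRootLogin value; first match wins, as in sshd.
permit_root_login() {
    awk 'tolower($1) == "permitrootlogin" && !seen { v = $2; seen = 1 }
         END { print (seen ? v : "unset") }' "$1"
}

# Create the admin account, put it in wheel, and make sure the wheel line in
# /etc/sudoers is enabled (CentOS ships it commented out). visudo -c checks
# that the edited sudoers still parses before anything relies on it.
create_admin_user() {
    useradd -m -G wheel "$1"
    passwd "$1"                       # prompts for the long, random password
    sed -i 's/^#[[:space:]]*\(%wheel[[:space:]]\{1,\}ALL=(ALL)[[:space:]]\{1,\}ALL\)/\1/' /etc/sudoers
    visudo -c
}

if [ "${MAKE_CHANGES:-0}" = "1" ]; then
    create_admin_user "${ADMIN_USER:?set ADMIN_USER to the new login name}"
    harden_sshd_config /etc/ssh/sshd_config
    service sshd restart              # from here on, SSH as root is refused
fi
```

Run it with MAKE_CHANGES unset to load only the functions, and point harden_sshd_config at a copy of sshd_config to see what it does before touching the real file.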

wardmundy (Nerd Uno, joined Oct 12, 2007)

SSH is protected by Fail2Ban. You're more than welcome to develop a more secure SSH solution and submit it for review.

On all of our servers, we restrict SSH access on the hardware-based firewall using both an obscure port and a whitelist. If you put the whitelist for SSH in iptables, then you've locked yourself out when a dynamic IP address changes if you're on the road. By putting it on the hardware-based firewall, you can change it with a browser.

darmock (PIAF Developer, joined Oct 18, 2007)

Been down the road you suggested re ssh. Frankly it is a balancing act between usability and security. Generally I turn off the ability to access the root account from anything other than the local machine or through a VPN pipe which uses encryption along with long random passwords. While not perfect it seems to do the job.

As for the other distros preventing users from using the root account I have a philosophical difference with this approach and would not use an OS that prevented me from logging in as root. Yes it is a bad thing to log in as root and you can cause your machine to melt down and turn into a puddle of goo and should be shot for even suggesting it yada yada yada... I have heard all this before. Reminds me of the argument that people should only learn vi with linux and the GUI is a waste of time.....

Generally, with all of the other security along with huge random passwords, fail2ban and iptables, hardware based firewalls and hardware based security keys (yup, I use hardware based tokens on a few of the systems to gain access for the fanatically insecure corporations), not to mention encrypted VPNs, my systems are safe for the moment. 'Course if I am wrong that will be on my head, as I chose to make it this way. I already use a mix of white lists and blacklists and geoblock most countries; however the blacklist is a pain in the ass. Whitelist is much easier.

As for condescension, I don't see it. Ward is entitled to his opinion as much as you are. I read his post several times and he is simply stating his opinion based on his substantial expertise. Working with Ward on a daily basis exposes me to his depth of knowledge, which I tend to trust. No, I am not a fanboy of Ward's; he doesn't need any!

Tom

Lost Trunk (Guru, joined Aug 5, 2008)

The condescension comment was sort of a backhanded response to Astrosmurfer's suggestion that I was being condescending a couple posts back. Honestly, I don't think anyone is being intentionally condescending (I know I'm not) and you are right, we all have our opinions.

At the end of the day, I guess it just kind of chafes me that there are so many approaches to security and we each have to pick and choose which we will use depending on our unique circumstances and our degree of risk-averseness, and yet in these forums I sometimes feel like we're in the security paranoia section. It's the little comments like "it's your nickel" and the reminders of the guy who got the $50,000 phone bill (who also, as I recall, didn't look at his call logs for six months), along with the implied suggestion that if we don't follow every security suggestion given, eventually it will be our heads on the block. I would just prefer a somewhat less pushy approach, particularly when it comes to solutions that I absolutely would never under any circumstances impose on users.

One thing that Ward has sort of alluded to in this thread and others is that PiaF is not really designed to be run on a virtual machine at a remote location, where there is no hardware firewall. And while that may be true, the problem is that right now PiaF offers the only distribution that includes FreePBX and Asterisk 1.8. And five or six years ago, I'm sure people were saying that Asterisk itself was not designed for home use (and I know that some Asterisk purists had a fit when Asterisk@Home came along, and suddenly people could set up a PBX without writing their own dial plans and configuration files). So, there is always going to be someone using your software in a way you never anticipated. Sometimes we have to make the best choices from what's available, even if it isn't perfect (and what software is?). For some setups a whitelist would be a great solution, for others it simply would not work. As they used to say many years ago, "different strokes for different folks."

wardmundy (Nerd Uno, joined Oct 12, 2007)

It's all about choices. With PBX in a Flash, you've got lots of them. Many users don't have your skill set so we have to build solutions that work for a lot of folks that are just getting started. If those solutions don't happen to work for you, that is absolutely fine. As I said at the outset, we're not trying to ram anything down anyone's throat. But being aware that some people have ended up with $100,000 phone bills from screwing up is worth mentioning to people just getting started. That doesn't mean you're not smart enough to figure it out, but some aren't... at least yet. ;)

You've kinda ignored my suggestion to simply enable an ISP's entire subnet to solve access for the remote mom or grandma's phone. That approach certainly avoids having to use Travelin' Man ever which seems to be important in your particular case.

From my vantage point, security is like a bundle of sticks. Pick as many or as few of the available tools as you like so long as, at the end of the day, you can sleep well and afford the phone bill. :wink5:

Lost Trunk (Guru, joined Aug 5, 2008)

You've kinda ignored my suggestion to simply enable an ISP's entire subnet to solve access for the remote mom or grandma's phone. That approach certainly avoids having to use Travelin' Man ever which seems to be important in your particular case.

Not ignored it so much as I'm not sure how you conclusively determine what IP ranges any given ISP might use. I suspect there are probably sites that give that information, because there are sites out there that can tell you what ISP you are using and (roughly) where you are located just from your IP address (http://www.maxmind.com/app/locate_demo_ip, for example). But while such sites can give you that data for a single IP address, I'm not sure offhand how you'd get a valid IP range for provider X in state Y, just as an example. In this case it's like having the "reverse white pages" without having the original white pages - you can get the data going one way (all the data associated with a particular address, if you already know the address) - but not the other way (you can't get the broad overview, as far as I know). If you or anyone knows of a site that provides this kind of information, I'd love to know about it.

wardmundy (Nerd Uno, joined Oct 12, 2007)

Just contact the provider and explain the situation. We've had no problem getting the info from Comcast and Time Warner. No real reason for any provider to hide the information particularly from a paying customer.

bmore (Guru, joined Feb 12, 2009)

and yet in these forums I sometimes feel like we're in the security paranoia section. It's the little comments like "it's your nickel" and the reminders of the guy who got the $50,000 phone bill (who also, as I recall, didn't look at his call logs for six months), along with the implied suggestion that if we don't follow every security suggestion given, eventually it will be our heads on the block. I would just prefer a somewhat less pushy approach, particularly when it comes to solutions that I absolutely would never under any circumstances impose on users.

I think you are mixing 2 issues together. As an end user you are free to select which method you want to impose on yourself, business or clients... whatever method works for you and you are comfortable with.

However, the designers of the product (Ward, Tom et al.) would be very irresponsible to release a product which was not paranoid about security. Recall the concept... pbx in a flash? This means many users are using the product with little technical expertise, much less linux security expertise. Given the fact that such users can very easily face phone bills of many thousands of dollars with an insecure pbx... the responsible software developer should be 'paranoid' about security.

Remember, just because you are paranoid does not mean they are not watching you :alucardb:

jeffmac (Guru, joined Jan 16, 2008)

Alright guys, I've been watching this thread closely. I'm running 1.7.5.5.3 Gold, and I've been safe behind my hardware firewall with no ports forwarded.

But now I'm going to have to add a remote SIP extension and I'm curious about the minimum I need to change in iptables.

As I've understood it, we didn't need to open ports to allow our providers access, because we register with them (outbound) and when they pass an INVITE inbound, the router (and I presumed) iptables allowed it.

Now, the Sunshinenetworks article suggests that I need rules to allow the providers' IP addresses, which sounds like way too much maintenance for me. My primary provider can send me calls from three different IP addresses, and I usually have several others in some state of tryout...

As I said - I just want to identify the minimum...

As I read iptables doc (and I am over my head here as I've not worked in iptables before) it seems that I need to remove the rule that accepts UDP from 5000:5082, as I believe that rule accepts the packet without going through the "door" chain, which is at the bottom of the filter chain. I think I should probably replace it with a rule to accept anything from my local (private) range so I don't have to change "in house" equipment.

Having removed that rule (which was provided by PIAF) then here's what I think I need:
iptables -N door    # new chain whose only job is to record a "knock"
# A packet to 5060 carrying the secret string marks its source address in the "portisnowopen" recent list
iptables -I door 1 -p udp --dport 5060 -m string --string "mysecretpass" --algo bm -m recent --set --name portisnowopen
# Sources that knocked within the last 4000 seconds get their SIP traffic accepted
iptables -A INPUT -p udp --dport 5060 -m recent --rcheck --seconds 4000 --name portisnowopen -j ACCEPT
iptables -A INPUT -p udp --dport 5060 -j door    # everything else on 5060 passes through the door chain...
iptables -A INPUT -p udp --dport 5060 -j DROP    # ...and is then dropped (the knock packet itself included; the phone's retransmission is what gets accepted)
service iptables save    # this I understand saves the rules so they survive a restart

Am I on the right track here? I think the rest of the iptables chain that comes with PIAF is goodness, and, of course, Sunshinenetworks' example makes no presumption that there is any particular iptables rules in effect. And I shouldn't have to deal with inbound REGISTER requests for existing providers/trunks, as I have never had a port open that would allow them through the firewall.

Jeff

bmore (Guru, joined Feb 12, 2009)

The firewall whitelist is meant for situations where there is no hardware firewall controlling sip traffic such as if you are using a hosted pbx... Or for whatever reason there is no hardware firewall.

If you have a hardware firewall or if you are running iptables configured to only allow traffic originating from behind the firewall, the only ports you need to open are those related to the external extensions. Note that these are the same ports hackers attack to login to your pbx.

In your case implementing the sunshinenetworks knock would be sufficient. It opens the ports but only for traffic from/to the extensions that 'knock'.

kwest (Member, joined Jun 28, 2008)

DPH-540 Wi-Fi Phone

Dear forum readers,

We have recently added a how-to article on our website which explains a new and easy way to secure your VoIP server while still allowing external access into your Asterisk server. We have been using it for quite a while for our customers and it works like a charm. It doesn't rely on other packages or daemons either, just iptables which is included in most Linux distributions. Any comments are appreciated, and if you like our articles, please thank us by pressing "like" in the article.

http://www.sunshinenetworks.com.au/...p-server-with-the-sunshinenetworks-knock.html

I tried this method with a Sipura 2000 and it works great! I have a D-Link DPH-540 Wi-Fi phone and it does not have a place to enter a secret password; it has no display field, it only has fields for phone number, Auth ID and Auth Password. Is there any way to make this work other than the display field? Anyone tried yet?

TonyN (New Member, joined Dec 11, 2010)

Today I saw this log in Asterisk reports:
7. 2011-01-14 20:49:53 SIP/194.28... asterisk "asterisk" <asterisk> s ANSWERED 00:19
8. 2011-01-14 20:49:53 SIP/194.28... asterisk "asterisk" <asterisk> s ANSWERED 00:17
9. 2011-01-14 20:49:53 SIP/194.28... asterisk "asterisk" <asterisk> s ANSWERED 00:17
10. 2011-01-14 20:49:53 SIP/194.28... asterisk "asterisk" <asterisk> s ANSWERED 00:18
11. 2011-01-14 20:49:53 SIP/194.28... asterisk "asterisk" <asterisk> s ANSWERED 00:18
12. 2011-01-14 20:49:53 SIP/194.28... asterisk "asterisk" <asterisk> s ANSWERED 00:18
13. 2011-01-14 20:49:53 SIP/194.28... asterisk "asterisk" <asterisk> s ANSWERED 00:19
14. 2011-01-14 20:49:53 SIP/194.28... asterisk "asterisk" <asterisk> s ANSWERED 00:18
15. 2011-01-14 20:49:53 SIP/194.28... asterisk "asterisk" <asterisk> s ANSWERED 00:19
16. 2011-01-14 20:49:53 SIP/194.28... asterisk "asterisk" <asterisk> s ANSWERED 00:19
17. 2011-01-14 20:49:53 SIP/194.28... asterisk "asterisk" <asterisk> s ANSWERED 00:19
18. 2011-01-14 20:49:53 SIP/194.28... asterisk "asterisk" <asterisk> s ANSWERED 00:19
19. 2011-01-14 20:49:53 SIP/194.28... asterisk "asterisk" <asterisk> s ANSWERED 00:20
20. 2011-01-14 20:49:53 SIP/194.28... asterisk "asterisk" <asterisk> s ANSWERED 00:20
21. 2011-01-14 20:49:53 SIP/194.28... asterisk "asterisk" <asterisk> s ANSWERED 00:20
22. 2011-01-14 20:49:53 SIP/194.28... asterisk "asterisk" <asterisk> s ANSWERED 00:11
23. 2011-01-14 20:49:52 SIP/194.28... asterisk "asterisk" <asterisk> s ANSWERED 00:17
24. 2011-01-14 20:49:52 SIP/194.28... asterisk "asterisk" <asterisk> s ANSWERED 00:19
25. 2011-01-14 20:49:52 SIP/194.28... asterisk "asterisk" <asterisk> s ANSWERED 00:19

Hundreds of lines of them (I post here a few). The SIP IP is 194.28.112.27 (from Moldova??). I don't know what this means to my PIAF system in terms of security. Can anyone shed some light?
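A way to pick this kind of burst out of a CDR report automatically and turn it into the blacklist rule asked about in the next post. This is an added example, not something from the thread; the CDR sample inside it is constructed to match the shape of the report above, with the truncated "SIP/194.28..." channel written out as SIP/<ip>-<uniqueid>, and the threshold (more than 5 calls from one source in one second) is an assumed value.

```shell
#!/bin/sh
# Added example, not from the thread: pick out source addresses that place a
# burst of calls within the same second, like the address in the report above,
# and print the firewall rule that would blacklist each one. Input lines are
# assumed to have the shape of the Asterisk CDR report quoted in the post.

# Constructed sample: seven calls from one address within two seconds, plus
# two ordinary calls from local extensions.
sample_cdr() {
    cat <<'EOF'
1. 2011-01-14 09:12:01 SIP/201-00000001 201 "Alice" <201> 18005551212 ANSWERED 02:10
2. 2011-01-14 10:30:44 SIP/202-00000002 202 "Bob" <202> 201 NO ANSWER 00:00
7. 2011-01-14 20:49:52 SIP/194.28.112.27-00000007 asterisk "asterisk" <asterisk> s ANSWERED 00:17
8. 2011-01-14 20:49:53 SIP/194.28.112.27-00000008 asterisk "asterisk" <asterisk> s ANSWERED 00:19
9. 2011-01-14 20:49:53 SIP/194.28.112.27-00000009 asterisk "asterisk" <asterisk> s ANSWERED 00:17
10. 2011-01-14 20:49:53 SIP/194.28.112.27-00000010 asterisk "asterisk" <asterisk> s ANSWERED 00:18
11. 2011-01-14 20:49:53 SIP/194.28.112.27-00000011 asterisk "asterisk" <asterisk> s ANSWERED 00:18
12. 2011-01-14 20:49:53 SIP/194.28.112.27-00000012 asterisk "asterisk" <asterisk> s ANSWERED 00:19
13. 2011-01-14 20:49:53 SIP/194.28.112.27-00000013 asterisk "asterisk" <asterisk> s ANSWERED 00:20
EOF
}

# Read CDR lines on stdin; print "<source> <date> <time> <count>" for every
# source that placed more than $1 (default 5) calls in a single second.
# Field 4 is the channel (SIP/<peer-or-ip>-<uniqueid>); the part before the
# first "-" identifies the source.
find_call_bursts() {
    awk -v t="${1:-5}" '
        {
            src = $4
            sub(/^SIP\//, "", src)
            sub(/-.*$/, "", src)
            n[src " " $2 " " $3]++
        }
        END { for (k in n) if (n[k] > t) print k, n[k] }
    ' | sort
}

# The rule that puts one address on the blacklist. Printed, not executed, so
# the list can be reviewed before it touches the firewall.
blacklist_rule() {
    printf 'iptables -I INPUT -s %s -j DROP\n' "$1"
}

# Dry run: list the bursts, then the rules that would block their sources.
sample_cdr | find_call_bursts 5
sample_cdr | find_call_bursts 5 | awk '{ print $1 }' | sort -u |
    while read -r ip; do blacklist_rule "$ip"; done
```

On a real system, pipe the CDR export (or the Asterisk CDR CSV with the fields reordered) into find_call_bursts instead of sample_cdr; an address that shows up here is also a good candidate for a fail2ban jail rather than a hand-maintained DROP list.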

TonyN (New Member, joined Dec 11, 2010)

Busy bee keeps busily biting my busy server. How could I put him in a blacklist?