Hi
To clear up one point, Tom is the Guru behind passwd-master.
The point about all of this is that your PBX is simply another network application, and should be treated as such. The main issue is that being hacked is not just an inconvenience, it can be expensive.
The tools that are provided with the PBX are just the basics or a starting point for security - there is shedloads more work to do to tighten it all down.
Looking at the firewall rules in Webmin shows what ports are open on the PBX - and you need to close them down one by one, either using the linux firewall, or your external firewall.
Let's look at each one in turn:
1. SSH - ports 22 and 9022 - do you need access from the outside world? Can you use an existing VPN solution to get access to the network? If not, you can move the entry points to another port - but obscurity is not security, so get a copy of puttygen from here -
http://www.chiark.greenend.org.uk/~s.../download.html and disallow username/password access via Webmin, and only enter using your public/private key. Therefore no SSH passwords to hack.
2. 80 and 9080 - do you need web access to the server from outside your building? Did you know that with PuTTY you can use SSH tunnelling and pass the traffic through that? So they can be closed off.
3. 443 - that's SSL; it's only in there for my A2Billing apps so I can use PayPal. Remove it unless you are using HTTPS.
4. 9001 - that's Webmin. Again, you can use an SSH tunnel, and you can switch the service off (service webmin stop). Close the port.
5. 4569 - the IAX port - I open it sometimes for test calls, but close it afterwards. You do not need this port open unless some external IAX device or Asterisk server is going to access the system. If the other end is on a fixed IP, you can use deny=0.0.0.0/0.0.0.0, which denies everything from the outside, and permit=123.123.123.123/255.255.255.255 to only allow from a particular IP address, where 123... is your IP address. This is done in the trunk or extension definition. You might as well close down the firewall as well to all places but your other IAX device. If your server is sending traffic out to an IAX carrier, like ours, then you DO NOT NEED TO OPEN ANY ports. The act of registration keeps the NAT device and firewall open to that IP for inbound calls.
6. 5000-5082 and 10,000 to 20,000 - the SIP ports - you are going to have to open these ports if you are using a SIP carrier, so use permit and deny on all your SIP extensions and trunks, use fail2ban, use secure passwords, and in the external firewall, only allow traffic from your carrier. If you need external extensions, consider using a VPN or Hamachi tunnel, or putting another PBX at the other end and doing IAX trunking. Think carefully about allowing remote extensions.
7. 4445 - FOP - do you need access to FOP from the outside?
8. 123 - Timeserver - do you need access to this from the outside?
9. 69 - TFTP - do you need access from the outside?
These are all the entry points there are.
Do an audit on these, and you should be good to go, and relatively safe.
Joe
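The permit/deny and password advice in points 5 and 6 above is easy to state and easy to miss on one peer out of fifty. The following is an added example, not the PBX's own tooling or anything from the original post: a small audit script that reads a file in the sip.conf/iax.conf syntax (both use the same [section], key=value, (!) template and deny/permit lines) and reports every peer, friend or user entry that has no catch-all deny, has permit lines that are ineffective because no deny precedes them, or has a missing, short, digits-only or name-equals-secret password. The sample config embedded in it is constructed for the example (RFC 5737 documentation addresses, made-up secrets); the 12-character minimum and the check names are this example's own assumptions, not Asterisk's.

```python
"""Audit Asterisk-style peer definitions for the permit/deny and password
hygiene a PBX hardening pass should enforce.

Added example, not the PBX's own tooling. Assumes the stock Asterisk config
syntax: [section] headers, key=value (or key => value) lines, ';' comments,
template sections written [name](!) and inheritance written [peer](name).
"""
import re
from typing import Dict, List, Tuple

Entry = Tuple[str, str]

# Constructed sample in sip.conf syntax (example data, not a real PBX config).
SAMPLE_SIP_CONF = """\
[general]
context=default
allowguest=no

; template carrying the catch-all deny every trunk should inherit
[trunk-tpl](!)
type=peer
deny=0.0.0.0/0.0.0.0

[mycarrier](trunk-tpl)
host=sip.carrier.invalid
secret=Xk9#vQ2pLm7!rT4w
permit=198.51.100.10/255.255.255.255

[200]
type=friend
host=dynamic
secret=200            ; extension number used as the password
context=from-internal

[201]
type=friend
host=dynamic
secret=Wq7!pZ3mN8vL
permit=203.0.113.25/255.255.255.255   ; permit with no deny before it

[202]
type=friend
host=dynamic
secret=r3dPhone!2024
deny=0.0.0.0/0.0.0.0
permit=203.0.113.0/255.255.255.0
"""

SECTION_RE = re.compile(r'^\[([^\]]+)\](?:\(([^)]*)\))?$')
CATCH_ALL = {'0.0.0.0/0.0.0.0', '0.0.0.0/0'}


def parse_asterisk_conf(text: str) -> Dict[str, List[Entry]]:
    """Parse [section]/key=value text, expanding (!) templates into the
    sections that reference them. Returns name -> ordered (key, value) list."""
    sections: Dict[str, List[Entry]] = {}
    templates: Dict[str, List[Entry]] = {}
    current: List[Entry] = []
    for raw in text.splitlines():
        line = raw.split(';', 1)[0].strip()          # drop ';' comments
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            name, flags = m.group(1), m.group(2) or ''
            current, is_template = [], False
            for flag in (f.strip() for f in flags.split(',') if f.strip()):
                if flag == '!':
                    is_template = True
                elif flag in templates:
                    current.extend(templates[flag])  # inherit template lines first
            (templates if is_template else sections)[name] = current
            continue
        if '=' in line:
            key, _, value = line.partition('=')
            current.append((key.strip().lower(), value.lstrip('>').strip()))
    return sections


def audit_peer(name: str, entries: List[Entry], min_secret_len: int = 12) -> List[str]:
    """Return the problems found in one peer/friend/user definition."""
    kv = {k: v for k, v in entries if k not in ('deny', 'permit')}
    denies = [v for k, v in entries if k == 'deny']
    permits = [v for k, v in entries if k == 'permit']
    issues: List[str] = []

    # Asterisk's ACL defaults to allow-all: only a catch-all deny followed by
    # explicit permit lines actually restricts where a peer may talk from.
    if not denies:
        issues.append('no deny line: peer accepts traffic from any address'
                      + (' (permit lines alone have no effect)' if permits else ''))
    elif not any(d in CATCH_ALL for d in denies):
        issues.append('deny is not a catch-all 0.0.0.0/0.0.0.0, so unlisted addresses are still allowed')
    elif not permits:
        issues.append('catch-all deny with no permit: nothing can reach this peer')
    if any(p in CATCH_ALL for p in permits):
        issues.append('permit 0.0.0.0/0.0.0.0 re-opens the peer to every address')

    secret = kv.get('secret')
    if secret is None:
        issues.append('no secret set')
    else:
        reasons = []
        if len(secret) < min_secret_len:
            reasons.append(f'shorter than {min_secret_len} characters')
        if secret.isdigit():
            reasons.append('digits only')
        if secret.lower() == name.lower():
            reasons.append('same as the peer name')
        if reasons:
            issues.append('weak secret (' + '; '.join(reasons) + ')')
    return issues


def audit_config(text: str, min_secret_len: int = 12) -> Dict[str, List[str]]:
    """Audit every peer-like section; [general] and other sections are skipped."""
    findings: Dict[str, List[str]] = {}
    for name, entries in parse_asterisk_conf(text).items():
        if dict(entries).get('type') not in ('peer', 'friend', 'user'):
            continue
        issues = audit_peer(name, entries, min_secret_len)
        if issues:
            findings[name] = issues
    return findings


if __name__ == '__main__':
    for peer, issues in audit_config(SAMPLE_SIP_CONF).items():
        for issue in issues:
            print(f'[{peer}] {issue}')
```

Run against the sample, it is quiet about mycarrier (catch-all deny inherited from the template, single-IP permit, long secret) and 202, and flags 200 for having no deny at all and an extension-number password, and 201 because its permit line does nothing without a deny in front of it. The same script works on iax.conf, since the deny/permit lines there use the same syntax; point it at your real files rather than trusting that the GUI set the lines it claims to.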