voice:pbx:security

voice:pbx:security [2013/09/25 17:20]
gcooper
— (current)
Line 1: Line 1:
-====== PBX Security ====== 
- 
-:!: Only open the required ports and no more to minimize your 'attack surface'. 
- 
-===== SELinux ===== 
- 
-SELinux generally gets in the way, so it is often disabled: 
- 
-<file> 
-setenforce 0 
- 
-vi /etc/selinux/config 
- 
-SELINUX=disabled 
-</file> 
- 
-===== Firewall on the PBX Itself ===== 
- 
-Some or all of the following ports may need to be opened: 
- 
-^Protocol  ^Ports        ^Description                               ^ 
-|TCP       |80           |HTTP                                      | 
-|TCP       |443          |HTTPS                                     | 
-|TCP       |4445         |Flash Operator Panel                      | 
-|TCP       |10000        |Webmin                                    | 
-|UDP       |5060-5061    |SIP                                       | 
-|UDP       |10000-20000  |RTP                                       | 
-|UDP       |4569         |IAX                                       | 
- 
-:!: Two firewall options are Arno's Firewall or the built-in IPtables. 
- 
-==== Arno's Firewall ==== 
- 
-Arno's Firewall is a light weight and comprehensive firewall based on ''iptables'' which is also used in the ASTLinux PBX. 
- 
-See also **[[networking:firewall:arno_s_firewall|Arno's Firewall]]** 
- 
-==== IPtables ==== 
- 
-If you plan to use TFTP or FTP on the PBX itself, load a couple of kernel modules and make them survive reboots: 
- 
-<file> 
-modprobe ip_conntrack_tftp 
-modprobe ip_conntrack_ftp 
-depmod -a 
-</file> 
- 
-Now we modify the default firewall rules in a way that survives reboots. 
- 
-Add these lines right after the 'accept ssh' (port 22) line: 
- 
-<file> 
-vi /etc/sysconfig/iptables 
- 
--A INPUT -m state --state NEW -m tcp -p tcp --dport 8088 -j ACCEPT 
--A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT 
--A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT 
--A INPUT -m state --state NEW -m tcp -p tcp --dport 4445 -j ACCEPT 
--A INPUT -m state --state NEW -m udp -p udp --dport 69 -j ACCEPT 
--A INPUT -m state --state NEW -m udp -p udp --dport 5060:5061 -j ACCEPT 
--A INPUT -m state --state NEW -m udp -p udp --dport 10000:20000 -j ACCEPT 
--A INPUT -m state --state NEW -m udp -p udp --dport 4569 -j ACCEPT 
- 
-service iptables reload 
- 
-iptables -nL 
-</file> 
- 
-===== Fail2Ban ===== 
- 
-See **[[networking:linux:fail2ban|Fail2Ban]]**. 
- 
-For a base CentOS 6 box, after installing Fail2Ban via the EPEL repo, you can just copy and paste the following in one go to get a basic Fail2Ban installation set up for your PBX: 
- 
-<file> 
-cat << EOF >> /etc/fail2ban/fail2ban.local 
-# Fail2Ban local configuration file 
-# 
-# This file overrides the fail2ban.conf file 
- 
-[Definition] 
-logtarget = /var/log/fail2ban.log 
- 
-EOF 
- 
-cat << EOF >> /etc/fail2ban/jail.local 
-# Fail2Ban local configuration file 
-# 
-# This file overrides the jail.conf file 
- 
-[DEFAULT] 
-ignoreip = 127.0.0.1 209.193.64.0/24 70.176.57.141 
-bantime  = 600 
-findtime  = 600 
-maxretry = 3 
-backend = auto 
- 
- 
-[asterisk-iptables] 
-enabled  = true 
-filter   = asterisk 
-action   = iptables-allports[name=SIP, protocol=all] 
-#           sendmail-whois[name=SIP, dest=none@yourpbx.com, sender=none@yourpbx.com] 
-logpath  = /var/log/asterisk/fail2ban 
-maxretry = 5 
-bantime = 600 
- 
-[ssh-iptables] 
-enabled  = true 
-filter   = sshd 
-action   = iptables[name=SSH, port=ssh, protocol=tcp] 
-#           sendmail-whois[name=SSH, dest=none@yourpbx.com, sender=none@yourpbx.com] 
-logpath  = /var/log/secure 
-maxretry = 3 
- 
-[apache-tcpwrapper] 
-enabled  = true 
-filter   = apache-auth 
-action   = iptables-allports[name=PBX-GUI, port=http, protocol=tcp] 
-#           sendmail-whois[name=PBX-GUI, dest=none@yourpbx.com, sender=none@yourpbx.com] 
-logpath  = /var/log/httpd/error_log 
-maxretry = 3 
- 
-[vsftpd-iptables] 
-enabled  = true 
-filter   = vsftpd 
-action   = iptables[name=FTP, port=ftp, protocol=tcp] 
-#           sendmail-whois[name=FTP, dest=none@yourpbx.com, sender=none@yourpbx.com] 
-logpath  = /var/log/vsftpd.log 
-maxretry = 3 
-bantime  = 600 
- 
-[apache-badbots] 
-enabled  = true 
-filter   = apache-badbots 
-action   = iptables-multiport[name=BadBots, port="http,https"] 
-#           sendmail-whois[name=PBX GUI, dest=none@yourpbx.com, sender=none@yourpbx.com] 
-logpath  = /var/log/httpd/*access_log 
-bantime  = 600 
-maxretry = 1 
- 
-EOF 
- 
-cat << EOF >> /etc/fail2ban/filter.d/asterisk.conf 
-# Fail2Ban configuration file 
-# 
-# Asterisk Filter - /etc/fail2ban/filter.d/asterisk.conf 
- 
-[INCLUDES] 
- 
-# Read common prefixes. If any customizations available -- read them from 
-# common.local 
-#before = common.conf 
- 
-[Definition] 
- 
-#_daemon = asterisk 
- 
-# Option:  failregex 
-# Notes.:  regex to match the password failures messages in the logfile. The 
-#          host must be matched by a group named "host". The tag "<HOST>" can 
-#          be used for standard IP/hostname matching and is only an alias for 
-#          (?:::f{4,6}:)?(?P<host>\S+) 
-# Values:  TEXT 
-# 
- 
-failregex = Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Wrong password 
-     Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - No matching peer found 
-     Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Device does not match ACL 
-     Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Username/auth name mismatch 
-     Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Peer is not supposed to register 
-     NOTICE.* <HOST> failed to authenticate as '.*'$ 
-     NOTICE.* .*: No registration for peer '.*' (from <HOST>) 
-     NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*) 
-     VERBOSE.* logger.c: -- .*IP/<HOST>-.* Playing 'ss-noservice' (language '.*') 
- 
-# Option:  ignoreregex 
-# Notes.:  regex to ignore. If this regex matches, the line is ignored. 
-# Values:  TEXT 
-# 
-ignoreregex = 
- 
-EOF 
- 
-service fail2ban restart 
-</file> 
  
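Review bot: the `failregex` block written to `/etc/fail2ban/filter.d/asterisk.conf` treats the parentheses in `(from <HOST>)` and `(language '.*')` as regex groups rather than literal text, so the `No registration for peer` and `ss-noservice` patterns will not match the Asterisk log lines they are written for; escape them as `\(from <HOST>\)` and `\(language '.*'\)` (the `(.*)` at the end of the MD5 line still matches only because it is a wildcard group). Two smaller points in the same hunk: `depmod -a` after the two `modprobe` calls only regenerates the module dependency map and does nothing to load `ip_conntrack_tftp` / `ip_conntrack_ftp` at boot, so the "survive reboots" claim needs an actual persistence step (on CentOS 6, listing them in `IPTABLES_MODULES` in `/etc/sysconfig/iptables-config`); and the `ignoreip` line in `jail.local` hard-codes specific public addresses (`209.193.64.0/24 70.176.57.141`) into a copy-and-paste recipe, which readers will inherit unless the page tells them to replace those with their own management networks. The SELinux section's `setenforce 0` / `SELINUX=disabled` also sits uneasily beside the opening note about minimizing attack surface; the page should say what actually breaks with SELinux enforcing before recommending that it be turned off.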
voice/pbx/security.1380151239.txt.gz · Last modified: 2013/09/25 17:20 by gcooper