Virtual Architects Support Wiki

User Tools

Site Tools

You are here: start » voice » pbx » security
Trace:
voice:pbx:security

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision 		Previous revision
voice:pbx:security [2013/09/30 17:27]
gcooper 		— (current)
Line 1: Line 1:
-====== PBX Security ====== 
  
-:!: Only open the required ports and no more to minimize your 'attack surface'. 
- 
-===== SELinux ===== 
- 
-SELinux generally gets in the way, so it is often disabled: 
- 
-<file> 
-setenforce 0 
- 
-vi /etc/selinux/config 
- 
-SELINUX=disabled 
-</file> 
- 
-===== Firewall on the PBX Itself ===== 
- 
-Some or all of the following ports may need to be opened: 
- 
-^Protocol  ^Ports        ^Description                               ^ 
-|TCP       |80           |HTTP                                      | 
-|TCP       |443          |HTTPS                                     | 
-|TCP       |4445         |Flash Operator Panel                      | 
-|TCP       |10000        |Webmin                                    | 
-|UDP       |5060-5061    |SIP                                       | 
-|UDP       |10000-20000  |RTP                                       | 
-|UDP       |4569         |IAX                                       | 
- 
-:!: Two firewall options are Arno's Firewall or the built-in IPtables. 
- 
-==== Arno's Firewall ==== 
- 
-Arno's Firewall is a light weight and comprehensive firewall based on ''iptables'' which is also used in the ASTLinux PBX. 
- 
-See also **[[networking:firewall:arno_s_firewall|Arno's Firewall]]** 
- 
-==== IPtables ==== 
- 
-If you plan to use TFTP or FTP on the PBX itself, load a couple of kernel modules and make them survive reboots: 
- 
-<file> 
-modprobe ip_conntrack_tftp 
-modprobe ip_conntrack_ftp 
-depmod -a 
-</file> 
- 
-Now we modify the default firewall rules in a way that survives reboots. 
- 
-Add these lines right after the 'accept ssh' (port 22) line: 
- 
-<file> 
-vi /etc/sysconfig/iptables 
- 
--A INPUT -m state --state NEW -m tcp -p tcp --dport 8088 -j ACCEPT 
--A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT 
--A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT 
--A INPUT -m state --state NEW -m tcp -p tcp --dport 4445 -j ACCEPT 
--A INPUT -m state --state NEW -m udp -p udp --dport 69 -j ACCEPT 
--A INPUT -m state --state NEW -m udp -p udp --dport 5060:5061 -j ACCEPT 
--A INPUT -m state --state NEW -m udp -p udp --dport 10000:20000 -j ACCEPT 
--A INPUT -m state --state NEW -m udp -p udp --dport 4569 -j ACCEPT 
- 
-service iptables reload 
- 
-iptables -nL 
-</file> 
- 
-===== Fail2Ban ===== 
- 
-Fail2Ban is a superior tool that monitors various log files looking for brute force attacks.  Once an attack has been identified, the attacker is blocked from further attempts for a preconfigured period of time. 
- 
-See **[[networking:linux:fail2ban|Fail2Ban]]**. 
- 
-For a base CentOS 6 box, after installing Fail2Ban via the EPEL repo, you can just copy and paste the following in one go to get a basic Fail2Ban installation set up for your PBX: 
- 
-<file> 
-cat << EOF >> /etc/fail2ban/fail2ban.local 
-# Fail2Ban local configuration file 
-# 
-# This file overrides the fail2ban.conf file 
- 
-[Definition] 
-logtarget = /var/log/fail2ban.log 
- 
-EOF 
- 
-cat << EOF >> /etc/fail2ban/jail.local 
-# Fail2Ban local configuration file 
-# 
-# This file overrides the jail.conf file 
- 
-[DEFAULT] 
-ignoreip = 127.0.0.1 209.193.64.0/24 70.176.57.141 
-bantime  = 600 
-findtime  = 600 
-maxretry = 3 
-backend = auto 
- 
- 
-[asterisk-iptables] 
-enabled  = true 
-filter   = asterisk 
-action   = iptables-allports[name=SIP, protocol=all] 
-#           sendmail-whois[name=SIP, dest=none@yourpbx.com, sender=none@yourpbx.com] 
-logpath  = /var/log/asterisk/fail2ban 
-maxretry = 5 
-bantime = 600 
- 
-[ssh-iptables] 
-enabled  = true 
-filter   = sshd 
-action   = iptables[name=SSH, port=ssh, protocol=tcp] 
-#           sendmail-whois[name=SSH, dest=none@yourpbx.com, sender=none@yourpbx.com] 
-logpath  = /var/log/secure 
-maxretry = 3 
- 
-[apache-tcpwrapper] 
-enabled  = true 
-filter   = apache-auth 
-action   = iptables-allports[name=PBX-GUI, port=http, protocol=tcp] 
-#           sendmail-whois[name=PBX-GUI, dest=none@yourpbx.com, sender=none@yourpbx.com] 
-logpath  = /var/log/httpd/error_log 
-maxretry = 3 
- 
-[vsftpd-iptables] 
-enabled  = true 
-filter   = vsftpd 
-action   = iptables[name=FTP, port=ftp, protocol=tcp] 
-#           sendmail-whois[name=FTP, dest=none@yourpbx.com, sender=none@yourpbx.com] 
-logpath  = /var/log/vsftpd.log 
-maxretry = 3 
-bantime  = 600 
- 
-[apache-badbots] 
-enabled  = true 
-filter   = apache-badbots 
-action   = iptables-multiport[name=BadBots, port="http,https"] 
-#           sendmail-whois[name=PBX GUI, dest=none@yourpbx.com, sender=none@yourpbx.com] 
-logpath  = /var/log/httpd/*access_log 
-bantime  = 600 
-maxretry = 1 
- 
-EOF 
- 
-cat << EOF >> /etc/fail2ban/filter.d/asterisk.conf 
-# Fail2Ban configuration file 
-# 
-# Asterisk Filter - /etc/fail2ban/filter.d/asterisk.conf 
- 
-[INCLUDES] 
- 
-# Read common prefixes. If any customizations available -- read them from 
-# common.local 
-#before = common.conf 
- 
-[Definition] 
- 
-#_daemon = asterisk 
- 
-# Option:  failregex 
-# Notes.:  regex to match the password failures messages in the logfile. The 
-#          host must be matched by a group named "host". The tag "<HOST>" can 
-#          be used for standard IP/hostname matching and is only an alias for 
-#          (?:::f{4,6}:)?(?P<host>\S+) 
-# Values:  TEXT 
-# 
- 
-failregex = Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Wrong password 
-     Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - No matching peer found 
-     Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Device does not match ACL 
-     Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Username/auth name mismatch 
-     Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Peer is not supposed to register 
-     NOTICE.* <HOST> failed to authenticate as '.*'$ 
-     NOTICE.* .*: No registration for peer '.*' (from <HOST>) 
-     NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*) 
-     VERBOSE.* logger.c: -- .*IP/<HOST>-.* Playing 'ss-noservice' (language '.*') 
- 
-# Option:  ignoreregex 
-# Notes.:  regex to ignore. If this regex matches, the line is ignored. 
-# Values:  TEXT 
-# 
-ignoreregex = 
- 
-EOF 
- 
-service fail2ban restart 
-</file> 
- 
-===== Digium Recommendations ===== 
- 
-Seven Easy Steps to Better SIP Security on Asterisk: 
- 
-  - Don’t accept SIP authentication requests from all IP addresses. Use the “permit=” and “deny=” lines in sip.conf to only allow a reasonable subset of IP addresess to reach each listed extension/user in your sip.conf file.  Even if you accept inbound calls from “anywhere” (via [default]) don’t let those users reach authenticated elements! 
-  - Set “alwaysauthreject=yes” in your sip.conf file. This option has been around for a while (since 1.2?) but the default is “no”, which allows extension information leakage.  Setting this to “yes” will reject bad authentication requests on valid usernames with the same rejection information as with invalid usernames, denying remote attackers the ability to detect existing extensions with brute-force guessing attacks. 
-  - Use STRONG passwords for SIP entities. This is probably the most important step you can take.  Don’t just concatenate two words together and suffix it with “1″ – if you’ve seen how sophisticated the tools are that guess passwords, you’d understand that trivial obfuscation like that is a minor hinderance to a modern CPU.  Use symbols, numbers, and a mix of upper and lowercase letters at least 12 digits long. 
-  - Block your AMI manager ports. Use “permit=” and “deny=” lines in manager.conf to reduce inbound connections to known hosts only.  Use strong passwords here, again at least 12 characters with a complex mix of symbols, numbers, and letters. 
-  - Allow only one or two calls at a time per SIP entity, where possible. At the worst, limiting your exposure to toll fraud is a wise thing to do.  This also limits your exposure when legitimate password holders on your system lose control of their passphrase – writing it on the bottom of the SIP phone, for instance, which I’ve seen. 
-  - Make your SIP usernames different than your extensions. While it is convenient to have extension “1234″ map to SIP entry “1234″ which is also SIP user “1234″, this is an easy target for attackers to guess SIP authentication names.  Use the MAC address of the device, or some sort of combination of a common phrase + extension MD5 hash (example: from a shell prompt, try “md5 -s ThePassword5000″) 
-  - Ensure your [default] context is secure.  Don’t allow unauthenticated callers to reach any contexts that allow toll calls.  Permit only a limited number of active calls through your default context (use the “GROUP” function as a counter.)  Prohibit unauthenticated calls entirely (if you don’t want them) by setting “allowguest=no” in the [general] part of sip.conf. 
-  - See more at: http://blogs.digium.com/2009/03/28/sip-security/#sthash.swNSlCKz.dpuf 
voice/pbx/security.1380583657.txt.gz · Last modified: 2013/09/30 17:27 by gcooper

Page Tools

Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
CC Attribution-Share Alike 4.0 International Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki