

PBX Security

Firewall

The following ports may need to be opened:

Protocol Ports Description
TCP 80 HTTP
TCP 443 HTTPS
TCP 4445 Flash Operator Panel
UDP 5060-5061 SIP
UDP 10000-20000 RTP
UDP 4569 IAX

:!: Two firewall options are Arno's Firewall and the built-in iptables.

Arno's Firewall

Arno's Firewall is a lightweight but comprehensive firewall built on iptables; it is also the firewall used in the ASTLinux PBX.

See also Arno's Firewall

IPtables

Fail2Ban

See Fail2Ban.

For a base CentOS 6.2 box, after installing Fail2Ban from the EPEL repository, you can copy and paste the following in one go to set up a basic Fail2Ban configuration for your PBX:

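# fail2ban.local: daemon-level settings layered on top of fail2ban.conf.
# The delimiter is quoted ('EOF') so the shell never expands $, backticks or
# backslashes inside the heredoc; the text is written exactly as shown.
# NOTE: '>>' appends -- running this block twice leaves two [Definition]
# sections in the file.
cat << 'EOF' >> /etc/fail2ban/fail2ban.local
# Fail2Ban local configuration file
#
# This file overrides the fail2ban.conf file

[Definition]
# Where the fail2ban daemon writes its own log (bans, unbans, errors)
logtarget = /var/log/fail2ban.log

EOF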

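# jail.local: per-jail settings layered on top of jail.conf.
# Quoted 'EOF' keeps the shell from touching the heredoc body.
# NOTE: '>>' appends -- running this block twice duplicates every section.
cat << 'EOF' >> /etc/fail2ban/jail.local
# Fail2Ban local configuration file
#
# This file overrides the jail.conf file

[DEFAULT]
# Addresses that are never banned: localhost plus the ORIGINAL AUTHOR's own
# management addresses. Replace the two public entries with your own trusted
# hosts/networks -- do not paste this list unchanged into your PBX.
ignoreip = 127.0.0.1 209.193.64.0/24 70.176.57.141
# how long (seconds) a host stays banned
bantime = 600
# window (seconds) in which maxretry failures trigger a ban
findtime = 600
maxretry = 3
# let fail2ban choose the log-monitoring backend
backend = auto


[asterisk-iptables]
enabled = true
# uses /etc/fail2ban/filter.d/asterisk.conf (written further below)
filter = asterisk
# offending hosts are blocked on every port, not just SIP
action = iptables-allports[name=SIP, protocol=all]
#           sendmail-whois[name=SIP, dest=none@yourpbx.com, sender=none@yourpbx.com]
# Asterisk does not create this file on its own; a logger channel in
# Asterisk's logger.conf must write to this path. The filter matches
# NOTICE and VERBOSE lines, so the channel must include those levels.
logpath = /var/log/asterisk/fail2ban
maxretry = 5
bantime = 600

[ssh-iptables]
enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
#           sendmail-whois[name=SSH, dest=none@yourpbx.com, sender=none@yourpbx.com]
# sshd authentication messages on CentOS land here
logpath = /var/log/secure
maxretry = 3

[apache-tcpwrapper]
enabled = true
filter = apache-auth
# iptables-allports has no port parameter; "port=http" is ignored and the host
# is blocked on all ports. Use iptables[...] or iptables-multiport[...] if the
# ban should be limited to the web GUI ports.
action = iptables-allports[name=PBX-GUI, port=http, protocol=tcp]
#           sendmail-whois[name=PBX-GUI, dest=none@yourpbx.com, sender=none@yourpbx.com]
logpath = /var/log/httpd/error_log
maxretry = 3

[vsftpd-iptables]
enabled = true
filter = vsftpd
action = iptables[name=FTP, port=ftp, protocol=tcp]
#           sendmail-whois[name=FTP, dest=none@yourpbx.com, sender=none@yourpbx.com]
logpath = /var/log/vsftpd.log
maxretry = 3
bantime = 600

[apache-badbots]
enabled = true
filter = apache-badbots
action = iptables-multiport[name=BadBots, port="http,https"]
#           sendmail-whois[name=PBX GUI, dest=none@yourpbx.com, sender=none@yourpbx.com]
# glob: every *access_log under /var/log/httpd is watched
logpath = /var/log/httpd/*access_log
bantime = 600
# a single matching request is enough to ban
maxretry = 1

EOF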

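# Asterisk filter used by the [asterisk-iptables] jail.
# Quoted 'EOF' is essential here: the regexes contain backslashes and a
# trailing '$', which an unquoted heredoc could hand to the shell.
# NOTE: '>>' appends. If your fail2ban package already ships
# filter.d/asterisk.conf, appending produces duplicate [INCLUDES] and
# [Definition] sections -- check for an existing file first.
cat << 'EOF' >> /etc/fail2ban/filter.d/asterisk.conf
# Fail2Ban configuration file
#
# Asterisk Filter - /etc/fail2ban/filter.d/asterisk.conf

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
#before = common.conf

[Definition]

#_daemon = asterisk

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#
# Continuation lines must stay indented: the config parser joins them onto the
# failregex value. Each line is one alternative pattern.

failregex = Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Wrong password
	    Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - No matching peer found
	    Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Device does not match ACL
	    Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Username/auth name mismatch
	    Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Peer is not supposed to register
	    NOTICE.* <HOST> failed to authenticate as '.*'$
	    NOTICE.* .*: No registration for peer '.*' (from <HOST>)
	    NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)
	    VERBOSE.* logger.c: -- .*IP/<HOST>-.* Playing 'ss-noservice' (language '.*')

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

EOF

# Restart so the new jails and the asterisk filter are loaded. If the package
# did not enable the service at boot, also run: chkconfig fail2ban on
service fail2ban restart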