VOIP etc > Voice Over IP - VOIP > VOIP Tech Chat > [Asterisk] FreePBX a couple of security questions

[Asterisk] FreePBX a couple of security questions

Played with it some more.. Yeah, I'm bad lol.. Disabled root login via ssh (figured that would also be a good security tweak before looking into the cookbooks). That brings a couple more questions.

3) Is there a firewall package that I can use instead of IPTABLES that is a bit less cumbersome and easier to tweak (for example by editing config files)? A front end will also do.

4) What's your take on webmin? Helpful or a liability?

5) Any recommendations on security hardening cookbooks for a pbx?
--
If you have an apple and I have an apple and we exchange these apples then you and I will still each have one apple. But if you have an idea and I have an idea and we exchange these ideas, then each of us will have two ideas.
—George Bernard Shaw

I would put the freepbx box behind a real firewall and forward whatever ports you need (protected by the appropriate restrictions.)

reply to FiReSTaRT
Everything you need to know about asterisk plus more.

»ofps.oreilly.com/titles/97805965···dex.html
--
[nUll@dcypher ~]$

reply to druber

reply to FiReSTaRT

reply to FiReSTaRT

Thanks guys. It looks like I'm slowly getting there. Experienced GNU/Linux desktop user, but I haven't administered anything open to the Internet so far and am still dependent on many gui tools. Thanks for the config file location. All of the iptables for dummies pages I came across just involved setting up iptables directly in the CLI without any mention of editing config files. Looks like I missed some lol.

One big deal that I'm also missing is changing the SIP usernames (they currently are the x numbers lol). I think I got all of the default passwords out of the way, but my system is nowhere near ready for live testing.
--
If you have an apple and I have an apple and we exchange these apples then you and I will still each have one apple. But if you have an idea and I have an idea and we exchange these ideas, then each of us will have two ideas.
—George Bernard Shaw

I just found out that FreePBX doesn't allow a different SIP usernames other than the extension numbers. What are your thoughts on the sufficiency of having alwaysauthreject=yes as a security measure for this issue (along with strong passwds)?

reply to FiReSTaRT
You dont allow anything to be fully open to the internet. Just forward the required ports to your asterisk server and than let that server handle the security appropriately. My server only talks to callcentric and voip.ms any body out side of that will get drop silently.

Extension numbers are not usernames. You should never use your extension numbers as user names. I use mac addresses as my device names.

alwaysauthreject=yes is all ways a good idea to use unless you like your phones to be ringing when been probe.... strong passwords are a must.
--
[nUll@dcypher ~]$

reply to FiReSTaRT

*filter
:FORWARD DROP [0:0]
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i eth0 -p udp --dport 5060 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth0 -p udp --dport 5060 -m string --string "REGISTER sip:yourpbx.dns.name" --algo bm -j ACCEPT
-A INPUT -i eth0 -p udp --dport 5060 -j DROP
-A INPUT -i eth0 -p udp --dport 16828:16934 -j ACCEPT  <-- SET YOUR RTP RANGE HERE
-A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/255.0.0.0 -j DROP
-A INPUT -p icmp -m state --state NEW --icmp-type 8 -j ACCEPT
-A INPUT -p tcp -s 1.2.3.4 -m state --state NEW --dport 22 -j ACCEPT   <---  Set a trusted IP to access the box only
-A INPUT -p tcp -s 1.2.3.4 -m state --state NEW --dport 80 -j ACCEPT   <---  Same for the web interace, ideally this should be 443/HTTPS
-A INPUT -i eth0 -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -i eth0 -p udp -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -d 127.0.0.0/255.0.0.0 -j DROP
-A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
COMMIT
 

Good news for me: fail2ban already comes set up on freepbx. First time I tried it about a year ago (I think) on a virtual machine, I thought FreePBX had virtualization issues but now I know it was fail2ban locking me out for unsuccessful auth attempts lol. So far the only ignored IP is my personal workstation on the local network. Here's the current definitive list of security measures that are done or will be done before I open up the FreePBX machine to the Internet..

1) http/https closed on the outside fw, https will be forwarded from some random number port (still haven't chosen the #). Still debating whether to tighten it up over the local network as well.

2) Narrowed rtp port range to about 100 as that should be more than enough to meet our needs and set up the outside firewall rule (but commented it out until the machine is ready for "production" testing)

3) No / login via ssh. Have to guess the regular acct name/passwd before being able to su - and guessing the / passwd. Both passwds strong

4) No ALT-F9 I can't believe they allow that lol

5) alwaysauthreject=yes in /etc/asterisk/sip_general_custom.conf

6) IPTABLES in on the to-do list and thanks for giving me such a great start

7) Changing the MySQL passwd on my to-do list

Any other suggestions would be appreciated.
--
If you have an apple and I have an apple and we exchange these apples then you and I will still each have one apple. But if you have an idea and I have an idea and we exchange these ideas, then each of us will have two ideas.
—George Bernard Shaw

You mean alt-f9 on the console? Why is that bad? If someone has physical access to the box, they can get root access if they really want it.

reply to FiReSTaRT
In my opinion, only allowing numbers in usernames in FreePBX is inflexible for security reasons.

If you go with just plain Asterisk without FreePBX, you can follow the guide called Asterisk: The Definitive Guide.

And by the way, check this out: Log Excerpts From Account Scanning. This is what happens when FreePBX does not allow alphanumeric usernames.
--
Current Soft Phone (temp): Ekiga (ordered Yealink T22P to switch from Ekiga)
Phone System: Asterisk 1.8; Server: Ubuntu Server 10.04 with Windows Server 2008 R2 Standard as guest

quote:

---

Tip #2: Set alwaysauthreject to yes in the [general] section of /etc/asterisk/sip.conf. This option tells Asterisk to respond as if every account is valid, which makes scanning for valid usernames useless.

---

All of the scans are actually invalid register attempts; Asterisk just needlessly responds to invalidly formatted requests because you don't configure it with a hostname of which it is aware.

Any valid device would register using 1234@pbx.hostname.tld -- all the scans have register attempts to 1234@127.0.0.1 or 1234@10.10.10.10 -- basically IP addresses or invalid hostnames.

If you block those out in iptables, there is really no risk in using numeric extensions. The only way someone is going to get your hostname is if they capture your SIP traffic, and if they are capturing your sip traffic they already have your alphanumeric username if you used that anyway.

Thanks.. Looks like I'll have to really get into the nuts and bolts of iptables. Gonna start with Ubuntu's iptables for dummies, play on a virtual machine and work from there. Of course, more questions than answers, as always..

1) What if I do wanna auth from an airport wifi for example? Is there a secure auth scheme that I can use?

2) Is there a major security item missing from this thread?
--
If you have an apple and I have an apple and we exchange these apples then you and I will still each have one apple. But if you have an idea and I have an idea and we exchange these ideas, then each of us will have two ideas.
—George Bernard Shaw