5. Securing your PBX
Securing FreePBX
Work In Progress. Outline:
Passwords (Generally): Use Long passwords (30+ characters) for the root password, the FreePBX web interface, all trunks, and all extensions.
Change FreePBX Web Password: In Admin -> Administrators, create a new user with a name other than "admin" with full privileges. Delete "admin" user. This will protect you against robots that are scanning port 80 for FreePBX installations and hacking the "admin" user.
If you forget your admin password, you can disable the use of passwords temporarily by issuing the following command from the command prompt:
Then access the web interface and change the admin password
When you're ready to start using passwords again, type this at the command prompt:
Change Root Password: From command prompt, type "passwd" without the quotes while logged in as root.
Port Forwarding: Port forwarding is generally not necessary and substantially increases security risks.
If you need remote access to web interface or via SSH, configure a VPN. The FreePBX Distro includes OpenVPN and many routers include PPTP and L2TP.
If you must allow remote access to an IP Phone, consider setting up a FreePBX/Asterisk system at both locations and linking them together with IAX Trunks as described here: Connecting Two FreePBX/Asterisk Systems Together Over the Internet. Register each phone to the local system behind a NAT Router. If there is no way to do that, then consider having two machines at one location. One for all internal phones and external trunks, and the other for external traffic received via port forwarding. Link the two together using IAX Trunks (Connecting Two FreePBX/Asterisk Systems Together Over the Internet). That way, if the external machine is compromised, the internal machine may not be. Configure IPTables and Fail2Ban, restrict SSH access, and consider changing the SIP Signalling Port as described below.
Restrict SSH: Create another user on the Linux machine with a long, unusual name and a long password. Disable root access via SSH. Use su commmand for root access when SSH. Consider changing SSH Port. http://wiki.centos.org/HowTos/Network/SecuringSSH
Change SIP Signalling Port: Settings -> Asterisk SIP Settings -> Bind Port: Change to something other than 5060. If done, all devices must be updated to register to new port.
Configure IPTables: Configure IPTables to restrict inbound traffic to allow only UDP Port 5060 (or whatever you changed it to, above).
See
http://wiki.centos.org/HowTos/Network/IPTables
and
http://www.cyberciti.biz/faq/rhel-fedorta-linux-iptables-firewall-configuration-tutorial
and
http://www.cyberciti.biz/tips/howto-limit-linux-syn-attacks.html
Restrict inbound packets to those coming from known static IPs. If the known users have dynamic IPs, have them sign up for DYNDNS or a similar service and use a script like this one to restrict incoming packets to those coming from the known dynamic ips. http://ryanbowlby.com/2009/10/12/dyndns-with-iptables/
Configure Fail2Ban: Fail2Ban is already installed and configured with the FreePBX Distro.
Change RTP Ports: Access Linux command prompt either at the computer or by logging in via SSH:
nano /etc/asterisk/rtp.conf
Change rtpstart and rtpend to alternative ports within 10000 to 20000 range. 4 ports required for each concurrent phone call.
Ctrl-X and then Y to save.
Work In Progress. Outline:
Passwords (Generally): Use Long passwords (30+ characters) for the root password, the FreePBX web interface, all trunks, and all extensions.
Change FreePBX Web Password: In Admin -> Administrators, create a new user with a name other than "admin" with full privileges. Delete "admin" user. This will protect you against robots that are scanning port 80 for FreePBX installations and hacking the "admin" user.
If you forget your admin password, you can disable the use of passwords temporarily by issuing the following command from the command prompt:
| amportal admin auth_none |
|---|
When you're ready to start using passwords again, type this at the command prompt:
| amportal admin auth_database |
|---|
Port Forwarding: Port forwarding is generally not necessary and substantially increases security risks.
If you need remote access to web interface or via SSH, configure a VPN. The FreePBX Distro includes OpenVPN and many routers include PPTP and L2TP.
If you must allow remote access to an IP Phone, consider setting up a FreePBX/Asterisk system at both locations and linking them together with IAX Trunks as described here: Connecting Two FreePBX/Asterisk Systems Together Over the Internet. Register each phone to the local system behind a NAT Router. If there is no way to do that, then consider having two machines at one location. One for all internal phones and external trunks, and the other for external traffic received via port forwarding. Link the two together using IAX Trunks (Connecting Two FreePBX/Asterisk Systems Together Over the Internet). That way, if the external machine is compromised, the internal machine may not be. Configure IPTables and Fail2Ban, restrict SSH access, and consider changing the SIP Signalling Port as described below.
Restrict SSH: Create another user on the Linux machine with a long, unusual name and a long password. Disable root access via SSH. Use su commmand for root access when SSH. Consider changing SSH Port. http://wiki.centos.org/HowTos/Network/SecuringSSH
Change SIP Signalling Port: Settings -> Asterisk SIP Settings -> Bind Port: Change to something other than 5060. If done, all devices must be updated to register to new port.
Configure IPTables: Configure IPTables to restrict inbound traffic to allow only UDP Port 5060 (or whatever you changed it to, above).
See
http://wiki.centos.org/HowTos/Network/IPTables
and
http://www.cyberciti.biz/faq/rhel-fedorta-linux-iptables-firewall-configuration-tutorial
and
http://www.cyberciti.biz/tips/howto-limit-linux-syn-attacks.html
Restrict inbound packets to those coming from known static IPs. If the known users have dynamic IPs, have them sign up for DYNDNS or a similar service and use a script like this one to restrict incoming packets to those coming from the known dynamic ips. http://ryanbowlby.com/2009/10/12/dyndns-with-iptables/
Configure Fail2Ban: Fail2Ban is already installed and configured with the FreePBX Distro.
Change RTP Ports: Access Linux command prompt either at the computer or by logging in via SSH:
nano /etc/asterisk/rtp.conf
| ; ; RTP Configuration ; [general] ; ; RTP start and RTP end configure start and end addresses ; These are the addresses where your system will RECEIVE audio and video stream$ ; If you have connections across a firewall, make sure that these are open. ; rtpstart=10000 rtpend=20000 |
|---|
Ctrl-X and then Y to save.
No hay comentarios:
Publicar un comentario