colocate a switch only opening certain ports

Discussion in 'General' started by franklin, Dec 7, 2010.

  1. franklin

    I am told by my data center that they can close off all ports except those I designate. What would be the problem of putting a switch on a rack with no router in front (installing Fail2Ban) and telling the colocation data center to only open 5060 UDP, 10K-20K UDP, and 22 and 23 for SSH/Telnet? How would I handle an HTTPS port to get into the Elastix GUI and for the user ARI interface? Then use 16 char passwords (with letters, chars, and numbers) for access into everything but ARI (maybe require 6 digits). I saw dicko recommended changing the SSH port. He also shows some back doors into Elastix.

    Trying to get away from a router at the colo. They really have their own. It's just set wide open. If I tell them to close it down except for the ports I need is that safe?

    Thanks.
     
  2. dicko

    https runs on 443 tcp, but feel free to change it. Consider limiting access by ip in the httpd conf files.

    ARI is at https://<server>/recordings (if it works in your Elastix) and can only use numeric passwords (the voicemail password) apart from the well-known admin one.

    If you mean AMI tcp/5038 you are open to immediate fraud as there are any number of well known accounts/passwords.

    Yes, change ssh to another port, set up key authentication, and turn off password authentication and root logon.

    Leaving 5060/udp open to the world is very risky; however, if you don't have a firewall you should at least explore changing the SIP port with your carrier.

    Telnet is not needed or used in Elastix and should NEVER be exposed to the internet due to its intrinsic security issues.

    Personally, a data center without a firewall, or a server in a data center without a firewall, is much like giving a Taliban soldier some yellowcake, i.e. really not advised. You really need one.
     
  3. franklin

    Yellowcake. Funny. Seems like a big pain to try and do this. Probably just get a simple router and stick it in front. Currently I have a Cisco SMB router, but am adding another switch to my rack. Don't want to spend a lot. TRENDnet has a unit for about $59.95 that looks like it will do everything I need. I've used them before without trouble with SIP. In this installation I am going to install Fail2Ban per instructions here and put a router in front as I always do. Forward 5060 and 10K/20K UDP to the private LAN address of the switch. I've read a few of your posts here on Security. Anything else I should do? By the way, how do I change the port used for SSH on my box? Thanks.
     
  4. dicko

    The ssh port is defined in

    /etc/ssh/sshd_config

    as is whether root password login is allowed, etc. Run `service sshd restart` after changing it.

    The pain you experience installing a firewall now is directly and inversely proportional to the pain you will experience in the near future if you don't. That curve is also asymptotic, no effort now, infinite pain later.
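
The sshd changes dicko lists above (non-default port, key authentication only, no password or root logon) as an added example that is not from this thread: a small POSIX shell helper that edits a given sshd_config path idempotently. Port 2222 and the file path are assumed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): apply the sshd hardening described
# above to an sshd_config file, idempotently. Port 2222 is an assumed
# placeholder; the real file is /etc/ssh/sshd_config. Needs GNU sed (-i).
set -eu

# set_sshd_option FILE KEY VALUE
# Rewrite every existing "KEY ..." line (commented out or not) to
# "KEY VALUE"; append the directive if the file does not mention it.
set_sshd_option() {
    file=$1; key=$2; value=$3
    if grep -Eq "^[#[:space:]]*${key}[[:space:]]" "$file"; then
        sed -i -E "s|^[#[:space:]]*${key}[[:space:]].*|${key} ${value}|" "$file"
    else
        printf '%s %s\n' "$key" "$value" >>"$file"
    fi
}

# harden_sshd_config FILE PORT
harden_sshd_config() {
    file=$1; port=$2
    set_sshd_option "$file" Port "$port"
    set_sshd_option "$file" PubkeyAuthentication yes
    set_sshd_option "$file" PasswordAuthentication no
    set_sshd_option "$file" ChallengeResponseAuthentication no
    set_sshd_option "$file" PermitRootLogin no
}

# sshd_option FILE KEY: print the value of the last uncommented KEY line
sshd_option() {
    awk -v k="$2" '$1 !~ /^#/ && tolower($1)==tolower(k){v=$2} END{print v}' "$1"
}

# Intended use on the real host (as root):
#   cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
#   harden_sshd_config /etc/ssh/sshd_config 2222
#   sshd -t && service sshd restart
# Keep the current session open and confirm a key-based login on the new
# port works before closing it.
```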
     
  5. Lee Sharp

    Another nice thing about a firewall is that it can include VPN. That way you can leave several ports (like ssh) closed to the world at large.
     
  6. franklin

    Understood. And thanks.

    Sorry if I appear obtuse, but what would be the difference between the colo locking down all ports but those I designate on their router (it is after all an enterprise-class Cisco unit -- not sure which model, but they say they can lock down/block anything they want and only open what I designate) and only opening those ports I designate on my own firewall/router?

    Say I change my SIP signaling to 5xxx or 6xxx from my SIP provider (my provider authenticates by IP), designate that on the switch where you say, then have the colo open 5xxx UDP, 10K-20K UDP, 443 tcp, and maybe the port for TFTP, what's the difference? I can see that TFTP might be a problem, perhaps you can address the security aspect of that. I can set a password on the Polycom phones for the server.

    I trust your word as the final authority around here, but please indulge me if you can and tell me how the two scenarios differ.

    Many thanks.
     
  7. dicko

    A decent firewall will handle restrictions by port, protocol, IP space, load, and connection state; it will filter and forward (or not) any traffic, and it can mangle and masquerade (translate) all the above.

    Opening tftp to the world is very dangerous. The T stands for trivial: there is no check made on the requestor, so "getting" any of the numerous base configs (all with "well-known" names) for many deployed hardware platforms will expose your underwear to the world. If you enable the server option -c (create) in the config files you are even more vulnerable. There are several well-known sub-directories that might also expose more than you want.

    So tftp without a firewall is giving the dude the centrifuge also.
     
  8. franklin

    Okay. I will not try to colocate without a firewall. Can you tell me how to secure TFTP? My phones register from the outside to the public IP of my router. The Polycom phones have a password feature, but I have not used it. Can you give me any advice on this? Thanks.
     
  9. dicko

    Limit access to the tftp server by IP space, or, if using Polycoms, which by default use https, just add the .cfg et al. files appropriately to your web server.
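
The firewall behaviour described in the two replies above (restrict by port, protocol and IP space, with tftp reachable only from the phones' address space) as one concrete default-deny iptables ruleset. This is an added example, not from this thread; the ssh port 2222, the phone address space 203.0.113.0/24 and the admin address space are assumed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): generate a default-deny iptables
# ruleset for the colocated Elastix host in the scenario above. All
# addresses and the ssh port are assumed placeholders; review the output
# and load it with:  gen_fw_rules 2222 203.0.113.0/24 | iptables-restore
set -eu

# gen_fw_rules SSH_PORT PHONE_CIDR [ADMIN_CIDR]
gen_fw_rules() {
    ssh_port=$1; phone_cidr=$2; admin_cidr=${3:-0.0.0.0/0}
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback and replies to flows this host started
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# SIP signalling and the RTP media range
-A INPUT -p udp --dport 5060 -j ACCEPT
-A INPUT -p udp --dport 10000:20000 -j ACCEPT
# HTTPS (Elastix GUI / ARI) and ssh on its non-default port, admin space only
-A INPUT -p tcp --dport 443 -s ${admin_cidr} -j ACCEPT
-A INPUT -p tcp --dport ${ssh_port} -s ${admin_cidr} -j ACCEPT
# tftp provisioning only from the phones' address space
-A INPUT -p udp --dport 69 -s ${phone_cidr} -j ACCEPT
# telnet (23/tcp) and AMI (5038/tcp) get no rule: the INPUT policy drops them
COMMIT
EOF
}

# accept_rule_count RULESET PROTO DPORT: number of ACCEPT rules for that port
accept_rule_count() {
    printf '%s\n' "$1" | grep -c -- "-p $2 --dport $3 .*-j ACCEPT" || true
}
```

The tftp reply leaves the server from a fresh source port, so the client's acknowledgements arrive as ESTABLISHED traffic and need no extra rule on the server side.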
     
  10. franklin

    I'm not sure what you mean by add the .cfg files to my web server. I put all the files in tftpboot now and point the phones to the IP of the router, which is forwarding TFTP to the static address of the switch on the LAN. Using TFTP on the Polycom. How do I use https?
     
  11. dicko

    The Polycoms can be set up to retrieve their configuration files by ftp, tftp, https and possibly http (sorry, I suffer from CRS, so I might be wrong there). You will find how to do that in the phones' http miniserver; by default they use https after a factory default. Apparently you have already learned to change that to a tftp server, so feel free to re-change that also.

    However, that, as we used to say, will be up to the student to learn: to configure and use such other protocols to suit.

    ;)

    dicko
     
  12. franklin

    So where would I put all the Polycom files? Now they are in tftpboot. It seems to me that if I am using https they would have to go somewhere else? Thanks.
     
  13. dicko

    If you use tftp they will indeed by default belong in /tftpboot.

    If you use any other protocol they will belong in the directory you have provisioned your phones to look in, on the server that you choose to use, with the necessary authorities (username/password) you care to use. It's really quite simple but does require a little RTFM'ing.

    Is it possible that you are as yet "out of your depth"? If so, and respectfully, you need to fix that; there are plenty of tutorials out there, and this forum is to support Elastix, which uses tftpd to do that provisioning. So again, and respectfully, please turn to Google; he is your friend. Ultimately I am sure you will prevail, but unfortunately there are no free rides here; you will have to learn this trade from the bottom up or miss the whole point.


    dicko
     