Elastix Universal Scripts for Securing the System

jammerz

#1
I see a vibrant community with much help by Dicko and others, and multiple threads on securing several general items (passwords, IP access, etc.), though am I missing a thread where someone is pulling all the security stuff together and perhaps scripting it, like the pbxinaflash guys started doing a while back, to at least ease the burden a bit?

Elastix is a great product, though I have always been concerned about the multiple manual efforts in securing it.

I'm not a script guy but I will help. Anyone on the same page here, as security seems to be a very high priority with other distros, as I believe users are now seeing day to day with Elastix's distro as well... a great community product.
 

jammerz

#2
Eleven views and no replies. Wow. Either you guys have mad / crazy / insane IPTABLES, DDoS-proof, anti-rootkit skills that are world renowned and you're hiding your scripts, or perhaps you enjoy the manual setups each time with your servers, or ...

perhaps you are the hacker listening in

Kidding... Let me know if you're interested, as I would like to participate and share some of my time here.

thx in advance.

jf
 

Mathiau

#3
I think it is a great idea really, but I guess the one issue with scripts is that what may work for one person won't for another.
 

Awesomo

#4
I disagree. I think a script to incorporate a baseline security configuration would be a great idea and could be applied without incident to most systems.

The first step would be to add everything that should need to be set up/installed. I can think of a few off the top of my head and I'd like others to add to the list. Once we get a complete list, the scripting can start.

Install Fail2Ban and configure it for asterisk
Have a question as to which interface is your outside interface (and ask if you even have an outside interface, if you don't have an outside interface, ask for the single interface), ask what services you are running and then WARN the user if they are opening a high-risk service to the internet.
Set up IP tables to only allow ports specified by the previous question.
Change the default freepbx password
Change the default elastix admin password
Ask a question if the user will want remote extensions or not then
Set allow and deny statements in sip_general_custom according to the answer
Set alwaysauthreject=yes in sip_general_custom
Remind the user to use CRAZY STRONG secrets for all their extensions
Remind the user that a hardware firewall in conjunction with the script is always better.
Remind the user that opening the web interface to the internet is STRONGLY not advisable.


I'm sure I'm leaving stuff out that should be secured/added/installed to make Elastix super strong against attacks. PLEASE add to the list. #1 it would be good to get EVERY tip in one spot on the forums. #2 I'd like to get going on this as my free time comes and goes.
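
The firewall and alwaysauthreject steps from the list in post #4, as an added shell example that is not part of the original post or of any Elastix script. The function names, the service-to-port map (stock Asterisk, SSH and HTTPS ports) and the interface name eth0 are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): helpers a baseline script could use.
# Rules are printed for review, never applied; only the given file is edited.

# Idempotently set KEY=VALUE in an Asterisk-style config file.
ensure_setting() {  # usage: ensure_setting FILE KEY VALUE
  local file=$1 key=$2 value=$3
  touch "$file"
  if grep -Eq "^[[:space:]]*${key}[[:space:]]*=" "$file"; then
    sed -E "s|^[[:space:]]*${key}[[:space:]]*=.*|${key}=${value}|" "$file" > "$file.tmp" &&
      cat "$file.tmp" > "$file" && rm -f "$file.tmp"
  else
    printf '%s=%s\n' "$key" "$value" >> "$file"
  fi
}

# Map a service name to proto:port (stock Asterisk/SSH/HTTPS ports assumed).
service_port() {
  case $1 in
    sip) echo udp:5060 ;;
    iax) echo udp:4569 ;;
    rtp) echo udp:10000:20000 ;;
    ssh) echo tcp:22 ;;
    web) echo tcp:443 ;;
    *)   return 1 ;;
  esac
}

# Print an allow-list INPUT rule set for IFACE; default-deny policy goes last
# so a remote session is not cut off before its ACCEPT rules exist.
build_rules() {  # usage: build_rules IFACE SERVICE...
  local iface=$1 svc spec; shift
  echo "iptables -A INPUT -i lo -j ACCEPT"
  echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
  for svc in "$@"; do
    spec=$(service_port "$svc") || { echo "unknown service: $svc" >&2; return 2; }
    if [ "$svc" = web ]; then echo "WARNING: web interface exposed on $iface" >&2; fi
    echo "iptables -A INPUT -i $iface -p ${spec%%:*} --dport ${spec#*:} -j ACCEPT"
  done
  echo "iptables -P INPUT DROP"
}

# Demo on a scratch file (constructed sample, not a real Elastix config).
conf=$(mktemp)
printf 'alwaysauthreject = no\n' > "$conf"
ensure_setting "$conf" alwaysauthreject yes
cat "$conf"; rm -f "$conf"
build_rules eth0 sip iax rtp
```

Running ensure_setting twice leaves a single alwaysauthreject=yes line, so the helper is safe to re-run on a file that has already been hardened.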
 

DaveD

#5
I installed apf/bfd firewall and iptables, then added rules for iax and asterisk sip
http://www.rfxn.com/

They get 3 attempts and are banned

Works similar to fail2ban but found apf/bfd picked up on the attempts faster
 
