Elastix Universal Scripts for Securing the System

Discussion in 'General' started by jammerz, Sep 7, 2009.

  1. jammerz

    Joined:
    Sep 7, 2009
    Messages:
    75
    Likes Received:
    0
    I see a vibrant community with much help by Dicko and others, and multiple threads on securing several general items (passwords, IP access, etc.), though am I missing a thread where someone is pulling all the security stuff together and perhaps scripting it, like the pbxinaflash guys started doing a while back, and at least ease the burden a bit?

    Elastix is a great product though I have always been concerned about the multiple manual efforts in securing it.

    I'm not a script guy but I will help. Anyone on the same page here as security seems to be a very high priority with other distros as I believe users are now seeing day to day with Elastix' Distro as well.... a great community product.
     
  2. jammerz

    Joined:
    Sep 7, 2009
    Messages:
    75
    Likes Received:
    0
    Eleven views and no replies. Wow. Either you guys have mad / crazy / insane iptables, DDoS-proof, anti-rootkit skills that are world renowned and you're hiding your scripts, or perhaps you enjoy the manual setups each time with your servers, or .........

    perhaps you are the hacker listening in

    Kidding... Let me know if you're interested... as I would like to participate and share some of my time here.

    thx in advance.

    jf
     
  3. Mathiau

    Joined:
    Jul 16, 2009
    Messages:
    227
    Likes Received:
    0
    I think it is a great idea really, but I guess the one issue with scripts is that what may work for one person won't for another.
     
  4. Awesomo

    Joined:
    Nov 5, 2009
    Messages:
    32
    Likes Received:
    0
    I disagree. I think a script to incorporate a baseline security configuration would be a great idea and could be applied without incident to most systems.

    The first step would be to add everything that should need to be set up/installed. I can think of a few off the top of my head and I'd like others to add to the list. Once we get a complete list, the scripting can start.

    Install Fail2Ban and configure it for asterisk
    Have a question as to which interface is your outside interface (and ask if you even have an outside interface, if you don't have an outside interface, ask for the single interface), ask what services you are running and then WARN the user if they are opening a high-risk service to the internet.
    Set up iptables to only allow ports specified by the previous question.
    Change the default freepbx password
    Change the default elastix admin password
    Ask a question if the user will want remote extensions or not then
    Set allow and deny statements in sip_general_custom according to the answer
    Set alwaysauthreject=yes in sip_general_custom
    Remind the user to use CRAZY STRONG secrets for all their extensions
    Remind the user that a hardware firewall in conjunction with the script is always better.
    Remind the user that opening the web interface to the internet is STRONGLY not advisable.


    I'm sure I'm leaving stuff out that should be secured/added/installed to make Elastix super strong against attacks. PLEASE add to the list. #1 it would be good to get EVERY tip in one spot on the forums. #2 I'd like to get going on this as my free time comes and goes.
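
Added example (not part of any post in this thread, and not Elastix or FreePBX project code): a read-only audit of two items from the list in post 4, `alwaysauthreject=yes` and the address restrictions in sip_general_custom. It assumes the post's "allow and deny" corresponds to Asterisk's `permit=`/`deny=` keywords and that the file is passed as an argument (for instance /etc/asterisk/sip_general_custom.conf, an assumed path); the function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example: read-only audit of sip_general_custom settings (names are hypothetical).

# Print the effective value of key $2 in file $1 (";" comments stripped, last one wins).
sip_setting() {
    sed -e 's/;.*$//' "$1" | awk -F= -v key="$2" '
        { k = $1; gsub(/[ \t]/, "", k) }
        tolower(k) == key { v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); val = v }
        END { print val }'
}

# Constructed sample config, not taken from a real system.
write_sample() {
    cat > "$1" <<'EOF'
alwaysauthreject = yes   ; same reply for unknown user and wrong secret
deny=0.0.0.0/0.0.0.0
permit=192.168.1.0/255.255.255.0
EOF
}

# Report each check; the return status is the number of failed checks (0 = pass).
audit_sip_general() {
    file=$1
    failures=0
    if [ ! -r "$file" ]; then
        echo "FAIL: cannot read $file"
        return 99
    fi
    v=$(sip_setting "$file" alwaysauthreject | tr 'A-Z' 'a-z')
    if [ "$v" = "yes" ]; then
        echo "OK: alwaysauthreject=yes"
    else
        echo "FAIL: alwaysauthreject is '${v:-unset}'"
        failures=$((failures + 1))
    fi
    for key in deny permit; do
        v=$(sip_setting "$file" "$key")
        if [ -n "$v" ]; then
            echo "OK: $key=$v"
        else
            echo "FAIL: no $key statement, so no address restriction is set here"
            failures=$((failures + 1))
        fi
    done
    return "$failures"
}

# Audit the file given as the first argument, if any.
if [ "$#" -gt 0 ]; then audit_sip_general "$1"; fi
```

A commented-out `;alwaysauthreject=yes` line counts as unset, which is the case a plain `grep` for the string would miss.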
     
  5. DaveD

    Joined:
    Nov 12, 2007
    Messages:
    597
    Likes Received:
    0
    I installed apf/bfd firewall and iptables, then added rules for IAX and Asterisk SIP
    http://www.rfxn.com/

    They get 3 attempts and banned

    Works similar to fail2ban but found apf/bfd picked up on the attempts faster
     
  6. bijoo_75

    Joined:
    May 2, 2007
    Messages:
    21
    Likes Received:
    0
