Helping the new user make Elastix more secure

Discussion in 'General' started by Chilling_Silence, Feb 23, 2009.

  1. Chilling_Silence

    This is a potential feature request, one that'd be great in 1.5 I think ;)

    Basically, I know that most people when they start out create an Ext of 700 (for example) and a password that is the same as the Ext.
    Why? It's easy to remember!

    However, it's also highly insecure, and possibly one of the worst things you can do if you're opening your box up to the outside world.

    So, two features:
    1) When logging in as Admin for the first time, you're prompted to change the default Admin password to a more secure one, similar to the way DD-WRT firmware does when you first flash it to your router.
    Why? Admin is one of the 3 most common usernames for a WebGUI (Admin, root, Administrator), and so if you have a default password and you open your box up to the world, then the chances of surviving are much less than if you're asked to change it.

    2) When creating Ext's, have it check the Secret as it is entered. If it's <5 chars, or the same as the Ext, it should flash up with a big X beside it and a short message saying "Secret insecure, click here to find out more". There could also potentially be a 'generate' button beside it which populates the Secret field with a password that's 8 chars long* and a mix of random letters & numbers.
    Why? More secure end-points :)

    Anybody else think it would potentially be a good idea? Or am I alone on this one?

    Cheers


    Chill.

    *26 x 26 x 10 = 6760
    6760 ^ 8 = 4,360,874,289,942,887,405,977,600,000,000 possible combinations
     
  2. ramoncio

    Very nice ideas.
    I'll copy this to new features.


    EDIT: I can't find how to copy it.. And maybe it is not good to repeat posts. I'll keep it here.
     
  3. dicko

    Chill,
    Not alone at all, an excellent idea (I disagree with your math though ;) ).

    Until it's there, here's a little snippet that will give a quick audit of blank or identical passwords (I guess we had the same idea).

    Code:
    /usr/bin/mysql -h 127.0.0.1 -u root -peLaStIx.2oo7 --batch -B -N -D asterisk -e "SELECT id,data FROM sip WHERE keyword = 'secret' AND (id = data OR data = '')"
    
    or just:
    
    /usr/bin/mysql -h 127.0.0.1 -u root -peLaStIx.2oo7 --batch -B -N -D asterisk -e "SELECT id,data FROM sip WHERE keyword = 'secret'"
    
    just to list them.
    
    The fact the script runs exposes another possible security alert, the root sql password should also be changed on first run. Particularly for those who put the box in the DMZ
     
  4. Chilling_Silence

    Not specifically, as root can only be logged in from localhost.
    mysql -h 127.0.0.1 -u root -peLaStIx.2oo7
    use mysql;
    select host, user from user;

    You'll see it says "localhost" beside all the defaults.

    Same for the AMI, there's no real point in changing defaults. Basically the connection has to come from 'localhost' for it to be an issue, so provided they've got a semi-decent root pwd, then we should be OK.

    Perhaps the root pwd should also have the same thing that Slackware does, which alerts people "Hey, you've used a bad root pwd, enter it a 3rd time if you're *really* sure you wanna do that, or pick something longer / stronger". I'm not too sure what that app is called though ..
     
  5. torontob

    Dicko:

    ERROR at line 1: Unknown command '\ '.

    Chilling_Silence:

    Also, how about forcing user to change ALL DEFAULT passwords (including Call Center, Extras, etc...)?
    Maybe the script should generate and populate new SIP passwords for all extensions with about 10-15 digits. I think any SIP phone nowadays supports that length of password.
     
  6. Chilling_Silence

    That's not a bad idea, but I'm not sure that there's a requirement to change the default passwords for many things, such as AMI etc., as the software auto-drops connections for that user if it's not connecting from the right IP / range.

    I like the idea of it pre-populating a random new SIP password very much! Brilliant idea!!

    How is my math off?
    Also, drop the preceding "/" off the lines that start with mysql in Dicko's post :)
     
  7. ramoncio

    torontob:

    Put it all in the same line and remove the '\' at the end of first line.

    About the password changes, I think forcing is not good. Letting you chose is much better.
     
  8. dicko

    torontob:
    fixed, stupid software added a space after the linebreak character \


    Chilling_Silence:
    Agreed. It doesn't do any harm, as torontob says, to just change them anyway, just in case (belt and braces, so to speak).
     
  9. dicko

    Something to review, it is to reset bad passwords and tell you what they are set to

    Code:
    #!/bin/bash
    # Audit SIP secrets in the Elastix "asterisk" database: report extensions whose
    # secret is blank or identical to the extension, propose a random replacement,
    # and (once the UPDATE line is uncommented) write it back.
    MYSQL="/usr/bin/mysql -h 127.0.0.1 -u root -peLaStIx.2oo7 --batch -B -N -D asterisk"

    for stupid in $($MYSQL -e "SELECT id FROM sip WHERE keyword = 'secret' AND (id = data OR data = '')"); do
        echo -n "Extension $stupid has a bad password, "
        # Take bytes from the kernel RNG, keep only alphanumerics, and stop after
        # the first 8 characters (head stops reading as soon as it has enough, so
        # there is no fixed byte count that could come up short).
        tt=$(LC_ALL=C tr -dc 'a-zA-Z0-9' </dev/urandom | head -c 8)
        echo "and will be reset to $tt"
        # Uncomment the next line to let it happen
        #$MYSQL -e "UPDATE sip SET data='$tt' WHERE keyword = 'secret' AND id = '$stupid'"
    done

    # List all secrets afterwards so the result can be checked
    /usr/bin/mysql -h 127.0.0.1 -u root -peLaStIx.2oo7 -D asterisk -e "SELECT id,data FROM sip WHERE keyword = 'secret'"
    
    
    Watch out for the stupid line breaks again. We could easily expand it to modify the /tftpboot/.cfg files as well of course, and also what is defined as a bad password. Or make it interactive. [A subset of upper/lower/digit is surely 26+26+10=62 raised to the eighth power?]
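    The following is an added example written for this page; it is not code from the thread or from Elastix. It generalises the check proposed in the first post and the reset script above into something reviewable before it touches the database: it reads "id<TAB>secret" lines in the `mysql --batch -B -N` format the posts use, flags secrets that are blank, equal to the extension, shorter than a minimum, or digits only (the minimum length of 8 and the digits-only rule are my own policy choices, not something the thread settles), generates replacements from /dev/urandom, and prints the corresponding UPDATE statements instead of running them. The sample input is constructed.

```bash
#!/bin/bash
# Added example, not part of the thread or of Elastix.
# Reads SIP secrets on stdin as "id<TAB>secret" lines, i.e. the output of
#   mysql -h 127.0.0.1 -u root -p... --batch -B -N -D asterisk \
#     -e "SELECT id,data FROM sip WHERE keyword = 'secret'"
# prints "id<TAB>new_secret" for every weak entry, and make_update_sql turns
# that into UPDATE statements you can review before feeding them to mysql.

MIN_LEN=8      # assumption: policy minimum (the thread suggests 5 to 15)
NEW_LEN=12     # assumption: length of generated replacements
TAB=$(printf '\t')

# Split "field1<TAB>rest" into $f1 and $f2 without IFS collapsing empty
# fields (a blank secret would otherwise disappear from the line).
split_tab() {
    f1=${1%%"$TAB"*}
    f2=${1#*"$TAB"}
    [ "$f2" = "$1" ] && f2=""     # no tab at all: treat the rest as empty
    return 0
}

# Exit 0 (true) when the secret is weak: blank, equal to the extension,
# shorter than MIN_LEN, or made of digits only.
is_weak_secret() {
    ext=$1 secret=$2
    [ -z "$secret" ] && return 0
    [ "$secret" = "$ext" ] && return 0
    [ ${#secret} -lt "$MIN_LEN" ] && return 0
    case $secret in
        *[!0-9]*) return 1 ;;   # at least one non-digit: acceptable
        *)        return 0 ;;   # all digits: weak
    esac
}

# Random alphanumeric secret of the requested length (default NEW_LEN).
# head stops reading as soon as it has enough bytes, so no fixed dd count.
gen_secret() {
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "${1:-$NEW_LEN}"
}

# stdin: "id<TAB>secret"; stdout: "id<TAB>replacement" for weak entries only.
audit_secrets() {
    while IFS= read -r line; do
        split_tab "$line"
        ext=$f1 secret=$f2
        [ -n "$ext" ] || continue
        if is_weak_secret "$ext" "$secret"; then
            printf '%s\t%s\n' "$ext" "$(gen_secret)"
        fi
    done
}

# stdin: audit_secrets output; stdout: one UPDATE per line. Both values are
# re-checked to be [A-Za-z0-9_] before they are interpolated into SQL.
make_update_sql() {
    while IFS= read -r line; do
        split_tab "$line"
        case "$f1$f2" in
            *[!A-Za-z0-9_]*) echo "skipping '$f1': unexpected characters" >&2; continue ;;
        esac
        printf "UPDATE sip SET data='%s' WHERE keyword = 'secret' AND id = '%s';\n" "$f2" "$f1"
    done
}

# Constructed sample in mysql batch format: 700 uses its extension as secret,
# 701 is fine, 702 is blank, 703 is digits only.
SAMPLE=$(printf '700\t700\n701\tx9Kq2mPlZz3a\n702\t\n703\t12345678\n')

printf '%s\n' "$SAMPLE" | audit_secrets | make_update_sql
```

    Run against a live box as `mysql ... | audit_secrets | make_update_sql > fix.sql`, read fix.sql, then pipe it into mysql; the secrets never pass through the shell's word splitting or an unquoted SQL string, and a secret that is not purely alphanumeric is skipped rather than quoted.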
     
  10. Chilling_Silence

    Ah, that's where I went wrong, I did 26*26*10 ^ 8 ... it should be 26+26+10 ^ 8 = 100,000,052 different combinations.
    Even making them the extra few chars long and having them 10 = 141,167,095,653,412 combinations. Much more like it!
     
  11. torontob

    ramoncio:

    You are right; forcing is not favorable. But, how about a SecureME
     
