Helping the new user make Elastix more secure

Chilling_Silence

#1
This is a potential feature request, one that'd be great in 1.5 I think ;)

Basically, I know that most people when they start out create an Ext of 700 (for example) and a password that is the same as the Ext.
Why? It's easy to remember!

However, it's also highly insecure, and possibly one of the worst things you can do if you're opening your box up to the outside world.

So, two features:
1) When logging in as Admin for the first time, you're prompted to change the default Admin password to a more secure one, similar to the way DD-WRT firmware does when you first flash it to your router.
Why? Admin is one of the 3 most common usernames for a WebGUI (Admin, root, Administrator), and so if you have a default password and you open your box up to the world, then chances of surviving are much less than if you're asked to change it.

2) When creating Exts, have it check the Secret as it is entered. If it's <5 chars, or the same as the Ext, it should flash up with a big X beside it and a short message saying "Secret insecure, click here to find out more". There could also potentially be a 'generate' button beside it which populates the Secret field with a password that's 8 chars long* and a mix of random letters & numbers.
Why? More secure end-points :)

Anybody else think it would potentially be a good idea? Or am I alone on this one?

Cheers


Chill.

*26 x 26 x 10 = 6760
6760 ^ 8 = 4,360,874,289,942,887,405,977,600,000,000 possible combinations
 

ramoncio

#2
Very nice ideas.
I'll copy this to new features.


EDIT: I can't find how to copy it... And maybe it is not good to repeat posts. I'll keep it here.
 

dicko

#3
Chill:
Not alone at all, an excellent idea (I disagree with your math though ;) ).

Until it's there, here's a little snippet that will give a quick audit of blank or identical passwords (I guess we had the same idea).

Code:
/usr/bin/mysql -h 127.0.0.1 -u root -peLaStIx.2oo7 --batch -B -N -D asterisk -e "select id,data from sip where keyword = 'secret' AND (id = data OR data = '')"

or just:

/usr/bin/mysql -h 127.0.0.1 -u root -peLaStIx.2oo7 --batch -B -N -D asterisk -e "select id,data from sip where keyword = 'secret'"

Just to list them.
The fact that the script runs exposes another possible security alert: the root SQL password should also be changed on first run, particularly for those who put the box in the DMZ.
 

Chilling_Silence

#4
Not specifically, as root can only be logged in from localhost.
mysql -h 127.0.0.1 -u root -peLaStIx.2oo7
use mysql;
select host, user from user;

You'll see it says "localhost" beside all the defaults.

Same for the AMI, there's no real point in changing defaults. Basically the connection has to come from 'localhost' for it to be an issue, so provided they've got a semi-decent root pwd, then we should be OK.

Perhaps the root pwd should also have the same thing that Slackware does, which alerts people: "Hey, you've used a bad root pwd, enter it a 3rd time if you're *really* sure you wanna do that, or pick something longer / stronger". I'm not too sure what that app is called though...
 

torontob

#5
Dicko:

ERROR at line 1: Unknown command '\ '.

Chilling_Silence:

Also, how about forcing the user to change ALL DEFAULT passwords (including Call Center, Extras, etc...)?
Maybe the script should generate and populate new SIP passwords for all extensions with about 10-15 digits. I think any SIP phone nowadays supports a password of that length.
 

Chilling_Silence

#6
That's not a bad idea, but I'm not sure that there's a requirement to change the default passwords for many things, such as AMI etc., as the software auto-drops connections for that user if it's not connecting from the right IP / range.

I like the idea of it pre-populating a random new SIP password very much! Brilliant idea!!

How is my math off?
Also, drop the preceding "/" off the lines that start with mysql in Dicko's post :)
 

ramoncio

#7
torontob:

Put it all in the same line and remove the '\' at the end of first line.

About the password changes, I think forcing is not good. Letting you choose is much better.
 

dicko

#8
torontob:
Fixed, stupid software added a space after the line-break character \


Chilling_Silence:
Agreed. Doesn't do any harm, as torontob says, to just change them just in case though (belt and braces, so to speak).
 

dicko

#9
Something to review: it resets bad passwords and tells you what they are set to.

Code:
#!/bin/bash
# Find every extension whose SIP secret is blank or identical to the extension number
for stupid in $(/usr/bin/mysql -h 127.0.0.1 -u root -peLaStIx.2oo7 --batch -B -N -D asterisk -e "SELECT id FROM sip WHERE keyword = 'secret' AND (id = data OR data = '')") ;
do

echo -n "Extension $stupid has a bad password, "
# Generate a random string long enough that we can replace the bad stuff with blanks,
# trim out anything that is not alphanumeric, then choose the first 8 characters
tt=$(dd if=/dev/urandom count=200 bs=1 2>/dev/null | tr "[:cntrl:]" " " | tr "\177-\377" " " | sed 's/[^a-zA-Z0-9]//g' | cut -c-8)
echo "and will be reset to $tt"
# uncomment next line to let it happen
#/usr/bin/mysql -h 127.0.0.1 -u root -peLaStIx.2oo7 --batch -B -N -D asterisk -e "UPDATE sip SET data='$tt' WHERE  keyword = 'secret' AND id = '$stupid'"

done
# Show the resulting secret for every extension
/usr/bin/mysql -h 127.0.0.1 -u root -peLaStIx.2oo7 -D asterisk -e "SELECT id,data FROM sip WHERE keyword = 'secret' "
Watch out for the stupid line breaks again. We could easily expand it to modify the /tftboot/.cfg files as well of course, and also what is defined as a bad password, or make it interactive. [The set of upper/lower/digit is surely 26+26+10=62, raised to the eighth power?]
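As an added example (not dicko's script or anything shipped with Elastix), here is an offline-testable version of the same audit: it reads the id/secret pairs that `mysql --batch -N` prints for the SELECT in post #3, flags secrets that are blank, equal to the extension, shorter than MIN_LEN or all digits, and emits UPDATE statements for review instead of touching the database itself. MIN_LEN, NEW_LEN and the digits-only id filter are my assumptions, not thread or Elastix values.

```shell
#!/bin/sh
# Added example, not dicko's script: audit SIP secrets offline and emit
# reviewable UPDATE statements instead of changing the database directly.
# Input format assumed: "id<TAB>secret" per line, which is what
#   mysql --batch -N -D asterisk -e "SELECT id,data FROM sip WHERE keyword='secret'"
# prints. MIN_LEN and NEW_LEN are assumed policy values, not Elastix defaults.
MIN_LEN=8      # shortest acceptable secret (thread proposed 8, torontob 10-15)
NEW_LEN=12     # length of generated replacements
TAB=$(printf '\t')

# Exit 0 if the secret is weak: blank, equal to the extension, shorter than
# MIN_LEN, or purely numeric (the last two go beyond the thread's checks).
is_weak_secret() {
    ext=$1; secret=$2
    [ -z "$secret" ] && return 0
    [ "$secret" = "$ext" ] && return 0
    [ ${#secret} -lt "$MIN_LEN" ] && return 0
    case $secret in
        *[!0-9]*) return 1 ;;   # contains a non-digit: passes all checks
        *) return 0 ;;          # digits only
    esac
}

# Random alphanumeric secret of $1 characters drawn from /dev/urandom.
gen_secret() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "$1"
}

# One UPDATE per weak extension. $2 is alphanumeric by construction and
# audit_secrets only passes all-digit ids, so nothing needs SQL escaping.
update_sql() {
    printf "UPDATE sip SET data='%s' WHERE keyword='secret' AND id='%s';\n" "$2" "$1"
}

# Read id<TAB>secret lines on stdin. For each weak secret, print
# "id<TAB>old<TAB>new" to stderr as the report and the UPDATE to stdout.
# Non-numeric ids (trunks and the like) are left alone (assumed policy).
audit_secrets() {
    while IFS="$TAB" read -r id secret; do
        case $id in ''|*[!0-9]*) continue ;; esac
        if is_weak_secret "$id" "$secret"; then
            new=$(gen_secret "$NEW_LEN")
            printf '%s\t%s\t%s\n' "$id" "$secret" "$new" >&2
            update_sql "$id" "$new"
        fi
    done
}
```

Pipe the SELECT output from post #3 into audit_secrets with stdout redirected to a file, check the old/new report on stderr, and only then feed the file to mysql.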
 

Chilling_Silence

#10
Ah, that's where I went wrong, I did 26*26*10 ^ 8 ... it should be 26+26+10 ^ 8 = 100,000,052 different combinations.
Even making them the extra few chars long and having them 10 = 141,167,095,653,412 combinations. Much more like it!
 

torontob

#11
ramoncio:

You are right; forcing is not favorable. But, how about a SecureME
 
