How to best secure Elastix on web server

techietype

Joined
Nov 10, 2009
Messages
9
Likes
0
Points
0
#1
Hi there,

I recently set up an elastix system running on a web server through VPS.net (they recently started offering a "cloud" elastix server image). It's running very well, but I have some questions regarding security...

First off, VPS.net offer DotDefender firewall licenses for $15/month. Should we use DotDefender for security? Or would an alternate security/firewall suite be better fit? Or do we not need one?

Also, being in a hosted environment, what steps should be taken to ensure everything is safe and secure?

Any feedback and help would be appreciated!

Thanks!
 

DaveD

Joined
Nov 12, 2007
Messages
597
Likes
0
Points
16
#2
Make sure all passwords are strong to start with, and I would recommend installing fail2ban for asterisk (this has work very well for me)and it will email the alerts to you for intrusions.
 

techietype

Joined
Nov 10, 2009
Messages
9
Likes
0
Points
0
#3
This may sound like a silly question, but where can I find an asterisk version of Fail2ban? It doesn't seem to be listed on their website... Or does it go by what linux distro I'm running (CentOS... also not listed??)
 

dicko

Joined
Oct 24, 2008
Messages
4,099
Likes
0
Points
0
#4
You could start here:


http://www.elastix.org/component/option ... ,en/#16852

The end result is a little broken for Elastix as the monitored httpd log files need changing from error_log to ssl_error_log, and if you want postfix monitoring the monitored log file needs changing from mail.log to maillog, and you need to "turn it on"


(all in the /etc/fail2ban/fail2ban.conf file)

as to changing passwords, if you have the ARI installed there is a default login

admin/password

that should be changed in

/var/www/html/recordings/includes/main.conf.php

and don't forget to change/restrict/disable the admin login in unembedded FreePBX.
 

donbaba

Joined
Dec 6, 2009
Messages
5
Likes
0
Points
0
#5
I would advise to follow, elastix without tears. it has all the instructions for securing the box.
 

haamed

Joined
Jul 23, 2007
Messages
251
Likes
0
Points
0
#6
You can buy valid ssl certification for your elastix, but at the first of all dont forget to change all the passwords, specially Freepbx
 

jcardinal

Joined
Jul 13, 2009
Messages
35
Likes
0
Points
6
#7
It seems most/everyone is saying "change all default passwords", which is what I did. Since then, I've had at least one "yum update" cause some passwords to be reverted to defaults. Are some of the passwords irrelevant since their use is limited to being accessed from localhost? I'm willing to deal with a little extra effort for better security, but when there are so many passwords and so many places to maintain them, it gets pretty hard to remember them all when an update reverts them all to defaults.

In my notes I made while setting up the box, I have the following passwords listed:
  • Elastix web GUI
  • Unembedded FreePBX
  • MySQL (root)
  • MySQL (asteriskuser)
  • FOP password
  • Asterisk Recording Interface admin
  • SugarCRM admin
  • A2Billing
  • Openfire
  • system root
  • Account(s) with ssh access

I may have others I've changed too, but these are the ones I remembered to document. Of course, each of these passwords may have one or more places where they are used and thus need to be updated after you change the default.
 

samv

Joined
Jan 22, 2010
Messages
54
Likes
0
Points
6
#8
Hi Everyone,

I am using shorewall. Why your guy don't use shorewall. It very easy to setup easy to understand. How you want to protect your system you can make it easy. I also used hosts control to control the IP that I only allow to connect to my system. I also changed default port 443 to 10000. And used port 443 for my Openvpn. I even allow only the IP I want to brows my first page. In asterisk I also create one fake context for International call. When hacker try to make International call from my system. It will fall to fake context. Then the call will end without go anywhere.

Thanks,

Sam
 

dicko

Joined
Oct 24, 2008
Messages
4,099
Likes
0
Points
0
#9
I'm glad it works for you,

Please use anything that works, it is a network thing not an Elastix thing.
 

ctcconnections

Joined
Aug 12, 2010
Messages
1
Likes
0
Points
0
#10
ARI does not read passwords from main.conf.php file anymore, but from /etc/amportal.conf.

To resolve the ARI default password warning, use the steps below to fix this issue. Add the lines below if they are not present in the file amportal.conf and don't forget to change the password field to a unique password.


Check your /etc/amportal.conf for these lines:

# This is the default admin name used to allow an administrator to login to ARI bypassing all security.
# Change this to whatever you want, don't forget to change the ARI_ADMIN_PASSWORD as well
ARI_ADMIN_USERNAME=admin

# This is the default admin password to allow an administrator to login to ARI bypassing all security.
# Change this to a secure password.
ARI_ADMIN_PASSWORD=ari_password
 

Members online

No members online now.

Latest posts

Forum statistics

Threads
30,900
Messages
130,884
Members
17,561
Latest member
marouen
Top