How to best secure Elastix on web server

Discussion in 'General' started by techietype, Dec 5, 2009.

  1. techietype

    Hi there,

    I recently set up an Elastix system running on a web server through VPS.net (they recently started offering a "cloud" Elastix server image). It's running very well, but I have some questions regarding security...

    First off, VPS.net offer DotDefender firewall licenses for $15/month. Should we use DotDefender for security? Or would an alternate security/firewall suite be a better fit? Or do we not need one?

    Also, being in a hosted environment, what steps should be taken to ensure everything is safe and secure?

    Any feedback and help would be appreciated!

    Thanks!
     
  2. DaveD

    Make sure all passwords are strong to start with, and I would recommend installing fail2ban for Asterisk (this has worked very well for me) and it will email the alerts to you for intrusions.
     
  3. techietype

    This may sound like a silly question, but where can I find an Asterisk version of Fail2ban? It doesn't seem to be listed on their website... Or does it go by what Linux distro I'm running (CentOS... also not listed??)
     
  4. dicko

    You could start here:


    http://www.elastix.org/component/option ... ,en/#16852

    The end result is a little broken for Elastix as the monitored httpd log files need changing from error_log to ssl_error_log, and if you want postfix monitoring the monitored log file needs changing from mail.log to maillog, and you need to "turn it on"


    (all in the /etc/fail2ban/fail2ban.conf file)

    As to changing passwords, if you have the ARI installed there is a default login

    admin/password

    that should be changed in

    /var/www/html/recordings/includes/main.conf.php

    and don't forget to change/restrict/disable the admin login in unembedded FreePBX.
     
  5. donbaba

    I would advise following Elastix Without Tears. It has all the instructions for securing the box.
     
  6. haamed

    You can buy a valid SSL certificate for your Elastix, but first of all don't forget to change all the passwords, especially FreePBX.
     
  7. jcardinal

    It seems most/everyone is saying "change all default passwords", which is what I did. Since then, I've had at least one "yum update" cause some passwords to be reverted to defaults. Are some of the passwords irrelevant since their use is limited to being accessed from localhost? I'm willing to deal with a little extra effort for better security, but when there are so many passwords and so many places to maintain them, it gets pretty hard to remember them all when an update reverts them all to defaults.

    In my notes I made while setting up the box, I have the following passwords listed:
    • Elastix web GUI
    • Unembedded FreePBX
    • MySQL (root)
    • MySQL (asteriskuser)
    • FOP password
    • Asterisk Recording Interface admin
    • SugarCRM admin
    • A2Billing
    • Openfire
    • system root
    • Account(s) with ssh access

    I may have others I've changed too, but these are the ones I remembered to document. Of course, each of these passwords may have one or more places where they are used and thus need to be updated after you change the default.
     
  8. samv

    Hi Everyone,

    I am using Shorewall. Why don't you guys use Shorewall? It is very easy to set up and easy to understand. However you want to protect your system, you can make it easy. I also used hosts control to control the IPs that I allow to connect to my system. I also changed the default port 443 to 10000, and used port 443 for my OpenVPN. I even allow only the IPs I want to browse my first page. In Asterisk I also created one fake context for international calls. When a hacker tries to make an international call from my system, it will fall into the fake context. Then the call will end without going anywhere.

    Thanks,

    Sam
     
  9. dicko

    I'm glad it works for you,

    Please use anything that works, it is a network thing not an Elastix thing.
     
  10. ctcconnections

    ARI does not read passwords from main.conf.php file anymore, but from /etc/amportal.conf.

    To resolve the ARI default password warning, use the steps below to fix this issue. Add the lines below if they are not present in the file amportal.conf and don't forget to change the password field to a unique password.


    Check your /etc/amportal.conf for these lines:

    # This is the default admin name used to allow an administrator to login to ARI bypassing all security.
    # Change this to whatever you want, don't forget to change the ARI_ADMIN_PASSWORD as well
    ARI_ADMIN_USERNAME=admin

    # This is the default admin password to allow an administrator to login to ARI bypassing all security.
    # Change this to a secure password.
    ARI_ADMIN_PASSWORD=ari_password
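
A check to run after updates, covering the concern raised earlier in the thread (a "yum update" reverting passwords) for the amportal.conf setting described in the last post. This is an added example, not part of any post and not Elastix or FreePBX code; the function name, return codes and the "last assignment wins" rule are assumptions, and the default values it looks for are the two quoted in this thread.

```shell
#!/bin/sh
# Added example: flag a missing or default ARI admin password in an
# amportal.conf-style file. The password value itself is never printed.

# check_ari_password FILE
# Returns: 0 = non-default value set, 1 = empty or known default,
#          2 = no uncommented ARI_ADMIN_PASSWORD line, 3 = file unreadable.
check_ari_password() {
    conf=$1
    [ -r "$conf" ] || { echo "UNREADABLE: $conf"; return 3; }

    # Ignore commented-out lines. If the key appears more than once, use the
    # last one (assumption: later assignments override earlier ones).
    line=$(grep -E '^[[:space:]]*ARI_ADMIN_PASSWORD[[:space:]]*=' "$conf" | tail -n 1)
    [ -n "$line" ] || { echo "MISSING: ARI_ADMIN_PASSWORD not set in $conf"; return 2; }

    # Keep everything after the first '=', then trim surrounding whitespace
    # (this also drops a trailing CR from files edited on Windows).
    value=${line#*=}
    value=$(printf '%s' "$value" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')

    case $value in
        ''|password|ari_password)
            # Defaults named in this thread: admin/password and ari_password.
            echo "DEFAULT: ARI_ADMIN_PASSWORD in $conf is empty or a known default"
            return 1 ;;
    esac
    echo "OK: ARI_ADMIN_PASSWORD in $conf is not a known default"
    return 0
}

# When called with file arguments, check each one and exit non-zero if any
# file fails, so the script can be run from cron after package updates.
if [ "$#" -gt 0 ]; then
    status=0
    for f in "$@"; do
        check_ari_password "$f" || status=1
    done
    exit "$status"
fi
```

Run it as root against /etc/amportal.conf after each update; a non-zero exit status means the file needs attention.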
     
