Trixbox security!

hamsterguf
Posts: 17
Member Since:
2008-01-28

I just want to share my procedure for securing trixbox for the internet... There are so many default passwords and ports to change. I think I got the most important ones in this description:

http://offline.dk/andet/voip/harden.html

Comments are welcome.

Best regards,
Alex

Keywords: PORTS DEFAULT PASSWORD AMP109 AMP111 HTTPS LISTEN MYSQL FIREWALL MAINT ARI_ADMIN_PASSWORD SSH SECURE SECURING HARDENING IPTABLES UNSAFE HACKER



jfinstrom
Posts: 2008
Member Since:
2007-03-07
looks good I am still

looks good I am still reading but maybe you should add this to the wiki...

--



KodaK
Posts: 1885
Member Since:
2006-06-14
I see no reason why this

I see no reason why this couldn't be automated, either. Once again, if I have some time I might look at making a script to do this. Safely.

--

WARNING: I no longer actively participate in these forums. My thoughts on trixbox in a nutshell: http://www.youtube.com/watch?v=q4xBMkWu1pE Use AsteriskNOW instead.



kerryg
Posts: 6790
Member Since:
2006-05-31
We are looking for a script

We are looking for a script or module to harden up security. I will follow this thread and see if everyone comes up with something we should include in the distro.

--

Kerry Garrison
http://www.VoipStore.com - http://3cxbook.com
(888) VOIPSTORE - (888) 864-7786



KodaK
Posts: 1885
Member Since:
2006-06-14
What I'm working on will

What I'm working on will just change the default passwords associated with mysql and freepbx. So as not to duplicate effort I will not include the root password or the functionality included in passwd-maint. Specifically, what I'm shooting for changing is:

mysql root password
mysql asteriskuser password
manager port password(s)
fop password

I'm also going to try to include command line options that will allow you to specify which passwords you want to change, with the default walking you through changing everything.

I'm also not going to attempt the firewall thing, as that's way too dependent on local factors.

Help would be appreciated with this. I need to compile a list of all the places things need to change.

There's a lot of stuff in /etc/amportal.conf:

AMPMGRUSER=admin
AMPMGRPASS=amp111
FOPPASSWD=passw0rd
AMPDBUSER=asteriskuser
AMPDBPASS=amp109

/etc/asterisk/cbmysql.conf:

password=passw0rd

/etc/asterisk/cdr_mysql.conf:

password = amp109

/etc/asterisk/res_mysql.conf:

dbpass = amp109

/etc/asterisk/manager.conf:

secret = amp111

/var/www/html/admin/functions.inc.php:

'AMPDBUSER' => array('std' , 'asteriskuser'),
'AMPDBPASS' => array('std' , 'amp109'),
'AMPMGRUSER' => array('std' , 'admin'),
'AMPMGRPASS' => array('std' , 'amp111'),
'FOPPASSWORD' => array('std' , 'passw0rd'),

Please let me know if you know of other places that the passwords need to change. I am looking elsewhere too, but don't be afraid to post in here.

--

WARNING: I no longer actively participate in these forums. My thoughts on trixbox in a nutshell: http://www.youtube.com/watch?v=q4xBMkWu1pE Use AsteriskNOW instead.
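The list of files above, as an added example that is not KodaK's script: a POSIX shell helper that audits those files for the stock secrets and rotates each default to a fresh random value. It takes a root directory so it can be rehearsed on a constructed scratch copy; the MySQL statement in the comment and the 20-character secret length are assumptions.

```shell
#!/bin/sh
# Added example, not KodaK's script: audit the files listed above for the stock
# secrets and rotate each one to a fresh random value. Everything takes a ROOT
# argument so it can be rehearsed on a scratch copy; on a real box pass "/".
set -eu
# Files the post lists as carrying the stock secrets (relative to ROOT).
SECRET_FILES="etc/amportal.conf etc/asterisk/cbmysql.conf etc/asterisk/cdr_mysql.conf
etc/asterisk/res_mysql.conf etc/asterisk/manager.conf var/www/html/admin/functions.inc.php"
# 20 alphanumeric characters from the kernel RNG (no sed metacharacters).
new_secret() { tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 20; }

# Exit 0 when no listed file still holds a stock default, 1 otherwise.
audit_defaults() { # root
    clean=0
    for f in $SECRET_FILES; do
        if [ -f "$1/$f" ] && grep -Eq 'amp109|amp111|passw0rd' "$1/$f"; then
            echo "stock secret still present in $1/$f"; clean=1
        fi
    done
    return $clean
}

# Replace every occurrence of one stock default in the listed files.
rotate_default() { # root old new
    for f in $SECRET_FILES; do
        if [ -f "$1/$f" ]; then sed -i "s/$2/$3/g" "$1/$f"; fi
    done
}

# One fresh secret per stock value, so files that share a credential stay in sync.
rotate_all() { # root
    DB="$(new_secret)"; MGR="$(new_secret)"; FOP="$(new_secret)"
    rotate_default "$1" amp109   "$DB"   # AMPDBPASS, cdr_mysql, res_mysql, functions.inc.php
    rotate_default "$1" amp111   "$MGR"  # AMPMGRPASS, manager.conf secret
    rotate_default "$1" passw0rd "$FOP"  # FOPPASSWD, cbmysql.conf, functions.inc.php
    # The database account itself still needs the same value (assumed syntax), e.g.:
    #   mysql -u root -p -e "SET PASSWORD FOR 'asteriskuser'@'localhost' = PASSWORD('$DB')"
    echo "rotated; restart Asterisk/FreePBX so the new values are read"
}

# Constructed scratch tree with the default values from the post, for a dry run.
make_sample_tree() {
    d="$(mktemp -d)"
    mkdir -p "$d/etc/asterisk" "$d/var/www/html/admin"
    printf 'AMPMGRUSER=admin\nAMPMGRPASS=amp111\nFOPPASSWD=passw0rd\nAMPDBUSER=asteriskuser\nAMPDBPASS=amp109\n' > "$d/etc/amportal.conf"
    printf 'secret = amp111\n' > "$d/etc/asterisk/manager.conf"
    printf "'AMPDBPASS' => array('std' , 'amp109'),\n'FOPPASSWORD' => array('std' , 'passw0rd'),\n" > "$d/var/www/html/admin/functions.inc.php"
    echo "$d"
}
```

Run `audit_defaults /` on a box to see which files still carry the defaults before touching anything; `rotate_all "$(make_sample_tree)"` shows the rewrite on the scratch copy first.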



jfinstrom
Posts: 2008
Member Since:
2007-03-07
I am adding

I am adding http://offline.dk/andet/voip/harden.html under external links in the wiki, is this document in a decided location or will it move...

--



hamsterguf
Posts: 17
Member Since:
2008-01-28
nice to know somebody is working on security :)

I am happy to hear that I am not the only one concerned about the default security of trixbox.
James - it's ok that you link to that... I will leave it there ;)

I hope the next release is more secure by default :)

Best regards,
Alex



KodaK
Posts: 1885
Member Since:
2006-06-14
Just wanted to give an

Just wanted to give an update: I haven't had as much time to work on this as I wanted to, but I have made some progress. I've written a subroutine to change the mysql passwords. I know that's not much, but trust me when I tell you it was all I could get done today.

This could probably be 3 lines long, but since I can't install perl modules (I want it to work out of the box on a clean trixbox install) I have to jump through some hoops.

I could still use some help making sure I've gotten all the locations that the passwords need to change, so please: speak up if you notice any missing from what I posted above.

--

WARNING: I no longer actively participate in these forums. My thoughts on trixbox in a nutshell: http://www.youtube.com/watch?v=q4xBMkWu1pE Use AsteriskNOW instead.



charding
Posts: 91
Member Since:
2007-08-22
Nice work

But I have a question. Is it really necessary to move the ports to another set of ports? And if they are moved, can I easily find them again with a port scanner? Since 443 is used for encrypted traffic, and if people do not know the passwords, is there any risk in having https run on that port?



gregkeys
Posts: 409
Member Since:
2006-06-01
The basic answer to this

The basic answer to this is:
Yes, you should move them. Typical hacker scripts look for common ports responding in a valid manner. Port scans are not fast and scripts are designed to cover a lot of territory as fast as possible to find vulnerable machines. The very fact that you have moved the ports away from the standards indicates you are aware and actively pursuing security. Hackers want EASY boxes with ignorant admins (no I am not calling anyone stupid - ignorance is a lack of knowledge, not an inability to learn :) ).

Moving ports, even ones like 443, stops most scripts from even trying further. If the box answers up on the standard port, then the script will start trying various known exploits, password scans etc.

Few hackers out there are scanning for response on 80 and 443, because web servers are usually pretty well plugged up. But a box that responds on a port like 22? SSH can readily give full system access and control if it can be exploited... Well worth looking into further for a hacker.

Greg Keys



KodaK
Posts: 1885
Member Since:
2006-06-14
You're certainly not wrong,

You're certainly not wrong, Greg, but I just wanted to present a different viewpoint: smart port scanning software can look for signatures. For example, if you're running httpd on port 1337, then the scanner can tell that and will log it appropriately. What this means is that without further precautions, simply moving the ports isn't going to help that much.

One thing you can do that's pretty simple and effective is to simply (without moving the ports) drop all traffic to the machine and allow only known clients to connect to known ports. It's certainly more work, but it's worth it in the long run. Doing this has two benefits: 1) it makes the machine effectively invisible to most port scans and 2) it doesn't break inflexible client-side software or hardware.

If you don't mind or can work around broken client-side stuff, you can certainly combine moved ports with dropped packets.

Moving ports can also become a support headache, for what I hope are obvious reasons because I don't want to type them out. :)

--

WARNING: I no longer actively participate in these forums. My thoughts on trixbox in a nutshell: http://www.youtube.com/watch?v=q4xBMkWu1pE Use AsteriskNOW instead.



gregkeys
Posts: 409
Member Since:
2006-06-01
I did not intend to imply

I did not intend to imply that just moving ports was a cure-all :)
It is just the first step, and, as you state, there are ways to secure the box without moving ports. While a good port scanner will find the services eventually, it is time consuming, and the very act of hunting ports in that manner is easy to detect and block by a good firewall. From a hacker's point of view, if they are not targeting a specific box, a quick check and move on is SOP.
There are some pretty good shortcuts that can be implemented too....
My boxes are all set to accept SSH from only one address, and one only. Easy to implement, and pretty bulletproof. I spend my security time hardening that box, and use it to relay into my other boxes. Gives me just one set of logs to keep a real close eye on also.
Security is the ultimate juggling act, trying to balance usability against protection. It is a competition you can NEVER win. A hacker breaks into your box and he wins. You prevent a break-in and you have only performed a holding action...

Greg Keys



pkaplan
Posts: 209
Member Since:
2007-02-28
I would not switch the ports

I would not switch the ports for 80 & 443, but rather I would use virtual hosts in Apache. I set up a default web directory that has nothing in it but a blank index page. Then I set up a virtual host that only responds to a specific host name.

That way if anyone tries to get to the site via IP address they simply get a blank page, but if they use the configured host name they will get the proper admin pages.

Then, for extra credit to be really secure, I make the name something ridiculous like banana-nutbread. Then in the hosts file on my laptop I set banana-nutbread to the server's IP. That way, no matter where I am, my laptop (and only my laptop) will be able to get to the admin pages.



dtemes
Posts: 4
Member Since:
2006-11-21
Typically I would use

Typically I would use iptables to only allow traffic on ports like the ones used for iax, sip and rtp, and of course also ssh, and then use ssh tunnels to access the rest of services.

Then it's just a matter of following some "ssh best practices", basically allowing access only to users that really need it, and applying a good password policy.

I will try to build a nice iptables script for my new trixbox lab machine

David
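The policy KodaK, Greg and David describe above (drop by default, known ports only, SSH from a single address, everything else over an SSH tunnel), as an added example that is not any poster's script. It prints the iptables commands rather than applying them, so they can be reviewed and then piped into sh from the console; the admin address is constructed, and the RTP range is Asterisk's stock default and must match /etc/asterisk/rtp.conf.

```shell
#!/bin/sh
# Added example, not from any poster: emit an iptables INPUT policy that drops
# everything by default, admits SIP, IAX2 and RTP, and allows SSH from one admin
# host only; the web UI and Webmin stay closed and are reached over an SSH tunnel.
# Assumptions: ADMIN_IP is a constructed address; the RTP range must match
# /etc/asterisk/rtp.conf (10000-20000 is Asterisk's stock default).
set -eu

ADMIN_IP="${ADMIN_IP:-203.0.113.10}"   # constructed sample, replace with your own
RTP_RANGE="${RTP_RANGE:-10000:20000}"

# Print the rules instead of applying them, so they can be reviewed first and
# then piped into sh (build_rules | sh) from the console, not over SSH.
build_rules() {
    cat <<EOF
iptables -F INPUT
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# management: SSH from the one trusted host; tunnel 80/443/10000 through it
iptables -A INPUT -p tcp -s $ADMIN_IP --dport 22 -j ACCEPT
# telephony: signalling from anywhere, media on the configured RTP range
iptables -A INPUT -p udp --dport 5060 -j ACCEPT
iptables -A INPUT -p udp --dport 4569 -j ACCEPT
iptables -A INPUT -p udp --dport $RTP_RANGE -j ACCEPT
# log what falls through (rate limited) so scans show up in /var/log/messages
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT DROP: "
EOF
}

# Sanity check before applying: every SSH rule must carry a source restriction
# and no rule may open 80, 443 or 10000 to the world.
check_rules() {
    build_rules | grep -- '--dport 22 ' | grep -qv -- '-s ' && return 1
    build_rules | grep -Eq -- '--dport (80|443|10000) ' && return 1
    return 0
}
```

The admin pages are then reached with a tunnel such as `ssh -L 8443:127.0.0.1:443 user@box` from the admin host and a browser pointed at https://127.0.0.1:8443/.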



jrichesin
Posts: 43
Member Since:
2007-05-12
Does this work with dual NICs as well?

Does this work with dual NICs as well? I have a server setup like this:

Internet->switch->trixbox->ip phones
Internet->switch->firewall PCs.

These are both on the same network. I want to make sure that I do not kill anything on the internal side of the system.

Josh
www.giganetworking.com



SkykingOH
Posts: 9538
Member Since:
2007-12-17
Good stuff, got me

Good stuff, got me thinking.

To date I have never exposed a Trixbox to the Internet. I place the TRIX in the production network then Portmap SIP and RTP. I also use an access list to limit external access to only trusted users.

This policy implies that everyone on the inside network is trusted. It also allows me to be very lazy on endpoint management.

Scott

--

Scott

aka "Skyking"



hagesol2
Posts: 1
Member Since:
2007-07-07
outside ip-number

I have a question... In your guide about trixbox 2.4 you have written something about outside ip-number... What is the outside ip-number... is it the internet IP or router IP or the trixbox server, or my Windows computer? I have tried all, but still can't log into the trixbox from my Windows computer. Maybe you can tell me a little more what you mean? PS! I can't any longer ping the trixbox server...

Lars



Hagos
Posts: 1
Member Since:
2007-03-24
Hardening Trixbox 2.4 for direct mount on internet

Following the description by Alex Jensen I am trying to secure my Trixbox. But after I changed the ports I realised that I can not open the System > Network and Asterisk > CDR Reports in my browser. Can someone give me some help?



hosko
Posts: 19
Member Since:
2008-01-26
is there a way to make it so

is there a way to make it so you can only login to my trixbox server using the correct domain name (i.e. voip.mydomain.com) and ignore anything that uses the IP address?



hosko
Posts: 19
Member Since:
2008-01-26
Kodak did you ever get a

Kodak did you ever get a script up and running??



kaype
Posts: 5
Member Since:
2006-12-15
Webmin on SSL does not work

I tried what is suggested on http://offline.dk/andet/voip/harden.html but now I am not able to access Webmin through https://111.222.111.222:10000 any advice? Everything else works perfectly. Is this some conf I am missing in Webmin to change the updated SSL port? If so, any help will be appreciated.


