Here is a small guide to securing your trixbox before you put it on the internet… and making it reasonably secure! There are so many default passwords and ports to change! This is a list of the most important ones! Everything in RED is something you should come up with yourself 🙂
To avoid unencrypted http-traffic to your server:
Change line "Listen 80" to "#Listen 80" in file "/etc/httpd/conf/httpd.conf"
Move the default port of the https-server (to a secret location):
Change line "Listen 443" to "Listen 12444" in file "/etc/httpd/conf.d/ssl.conf"
and Change line "<VirtualHost _default_:443>" to "<VirtualHost _default_:12444>"
Move the default port of the Panel (to a secret location):
Change line ";listen_port=4445" to "listen_port=12555" in file "/var/www/html/panel/op_server.cfg"
Move the default port of the SSH-server (to a secret location) and do not allow root-login via SSH:
Change line "#Port 22" to "Port 12666" in file "/etc/ssh/sshd_config"
Change line "#PermitRootLogin yes" to "PermitRootLogin no" in file "/etc/ssh/sshd_config"
Change your root-password
passwd
You will now be prompted twice for your new rootpassword
Add a standard user for SSH login (from which you can su to root if you need it):
adduser secretusername
passwd secretusername
You will now be prompted twice for the secretuserpassword
Change the MySQL-password
mysqladmin -u asteriskuser -p password secretmysqlpassword
When prompted for a password, enter "amp109", which is the default trixbox MySQL password.
Modify line "AMPDBPASS" in file "/etc/amportal.conf" (the uncommented line at the bottom, if there is more than one)
Modify line "password" in file "/etc/asterisk/cdr_mysql.conf"
Modify line "dbpass" in file "/etc/asterisk/res_mysql.conf"
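Most of the steps above, and the password changes further down in this guide, have the form "change line X to Y in file Z". The shell helper below is an added example and not part of the original guide: it makes that edit with an exact whole-line match, keeps an untouched .bak copy, preserves the file's permissions and owner, and verifies the new line is really there afterwards, so a mistyped line cannot silently leave the default in place. The files it edits here are constructed samples in a temporary directory; on a real trixbox you would point change_line at the files named in this guide.

```shell
#!/bin/sh
# Added example (not from the original guide): a checked version of
# "change line X to Y in file Z". The sample files below are constructed in a
# temp dir; on a real box point change_line at the files named in the guide.

# change_line FILE OLD NEW
#   Replaces the first line that is exactly OLD with NEW.
#   Keeps FILE.bak (the untouched original, written only once), preserves
#   FILE's mode and owner, and verifies NEW is present afterwards.
#   Returns 1 if OLD is not in FILE, 2 if NEW is missing after the edit.
change_line() {
    file=$1; old=$2; new=$3
    if ! grep -qxF -- "$old" "$file"; then
        echo "change_line: line '$old' not found in $file (already changed?)" >&2
        return 1
    fi
    [ -f "$file.bak" ] || cp -p -- "$file" "$file.bak"
    tmp=$(mktemp)
    # awk compares whole lines, so '$', '<', '>' and ';' in OLD need no escaping
    awk -v old="$old" -v new="$new" \
        '!done && $0 == old { print new; done = 1; next } { print }' "$file" > "$tmp"
    cat "$tmp" > "$file"      # overwrite in place: keeps mode and owner
    rm -f -- "$tmp"
    if ! grep -qxF -- "$new" "$file"; then
        echo "change_line: edit of $file failed, restore from $file.bak" >&2
        return 2
    fi
    echo "$file: '$old' -> '$new'"
}

# --- constructed sample files standing in for the real ones ------------------
demo_dir=$(mktemp -d)
printf 'Listen 80\n' > "$demo_dir/httpd.conf"
printf 'Listen 443\n<VirtualHost _default_:443>\n' > "$demo_dir/ssl.conf"
printf ';listen_port=4445\n' > "$demo_dir/op_server.cfg"
printf '#Port 22\n#PermitRootLogin yes\n' > "$demo_dir/sshd_config"
printf 'AMPDBPASS=amp109\nAMPMGRPASS=amp111\nFOPPASSWORD=passw0rd\n' > "$demo_dir/amportal.conf"
printf '$ARI_ADMIN_PASSWORD="ari_password";\n' > "$demo_dir/main.conf.php"

# The edits from the guide, applied to the sample files
change_line "$demo_dir/httpd.conf"    'Listen 80'                    '#Listen 80'
change_line "$demo_dir/ssl.conf"      'Listen 443'                   'Listen 12444'
change_line "$demo_dir/ssl.conf"      '<VirtualHost _default_:443>'  '<VirtualHost _default_:12444>'
change_line "$demo_dir/op_server.cfg" ';listen_port=4445'            'listen_port=12555'
change_line "$demo_dir/sshd_config"   '#Port 22'                     'Port 12666'
change_line "$demo_dir/sshd_config"   '#PermitRootLogin yes'         'PermitRootLogin no'
change_line "$demo_dir/amportal.conf" 'AMPDBPASS=amp109'             'AMPDBPASS=secretmysqlpassword'
change_line "$demo_dir/main.conf.php" '$ARI_ADMIN_PASSWORD="ari_password";' '$ARI_ADMIN_PASSWORD="youraripassword";'
```

Running change_line a second time with the same OLD line returns 1, which is the signal that the default has already been replaced, so a re-run of the whole checklist is safe and reports exactly which lines it did not find.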
Setting up a firewall to protect trixbox from incoming traffic other than SIP, SSH, WEB and FOP:
After replacing 111.222.111.222 in this script with your outside IP-number, just paste it at the command line.
IPTABLES=/sbin/iptables
# Flush everything, reset the default policies and counters, delete user chains
$IPTABLES -F
$IPTABLES -F INPUT; $IPTABLES -P INPUT ACCEPT; $IPTABLES -Z INPUT
$IPTABLES -F FORWARD; $IPTABLES -P FORWARD ACCEPT; $IPTABLES -Z FORWARD
$IPTABLES -F OUTPUT; $IPTABLES -P OUTPUT ACCEPT; $IPTABLES -Z OUTPUT
$IPTABLES -X
# Our own chains (SYN-FLOOD is created here but not used by the rules below)
$IPTABLES -N ALEX-INPUT; $IPTABLES -N REJECT-PKT; $IPTABLES -N SYN-FLOOD;
# All incoming traffic goes through ALEX-INPUT
$IPTABLES -A INPUT -j ALEX-INPUT
# Loopback is fine, but loopback addresses must never arrive on a real interface
$IPTABLES -A ALEX-INPUT -i lo -j ACCEPT
$IPTABLES -A ALEX-INPUT -s 127.0.0.0/8 -j DROP
$IPTABLES -A ALEX-INPUT -d 127.0.0.0/8 -j DROP
# Packets claiming to come from our own outside address are spoofed
$IPTABLES -A ALEX-INPUT -s 111.222.111.222 -j DROP
# New TCP connections must start with SYN; allow replies to connections we opened; allow ping
$IPTABLES -A ALEX-INPUT -p tcp -m tcp ! --syn -m state --state NEW -j DROP
$IPTABLES -A ALEX-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A ALEX-INPUT -p icmp -m icmp --icmp-type ping -j ACCEPT
# The services we moved: HTTPS (12444), Panel (12555), SSH (12666)
$IPTABLES -A ALEX-INPUT -p tcp -m tcp --dport 12444 -j ACCEPT
$IPTABLES -A ALEX-INPUT -p tcp -m tcp --dport 12555 -j ACCEPT
$IPTABLES -A ALEX-INPUT -p tcp -m tcp --dport 12666 -j ACCEPT
# SIP signalling and the RTP media port range
$IPTABLES -A ALEX-INPUT -p udp -m udp --dport 5060 -j ACCEPT
$IPTABLES -A ALEX-INPUT -p udp -m udp --dport 5061 -j ACCEPT
$IPTABLES -A ALEX-INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT
# Everything else is rejected
$IPTABLES -A ALEX-INPUT -j REJECT-PKT
$IPTABLES -A REJECT-PKT -p tcp -m tcp -j REJECT --reject-with tcp-reset
$IPTABLES -A REJECT-PKT -p udp -m udp -j REJECT --reject-with icmp-port-unreachable
$IPTABLES -A REJECT-PKT -p icmp -m icmp --icmp-type ping -j REJECT --reject-with icmp-host-unreachable
Save the iptables with this command:
service iptables save
If you use protocols other than SIP, you should insert their ports too!
Make iptables startup at boottime:
ln -s /etc/init.d/iptables /etc/rc3.d/S20iptables
Change the maint-password:
Run the command: "passwd-maint"
Enter yourmaintpassword twice
Change the Flash operator panel password:
Change "FOPPASSWORD=passw0rd" to "FOPPASSWORD=yoursecretfoppassword" in file "/etc/amportal.conf"
Change the ari password for admin user on recordings page:
Change line $ARI_ADMIN_PASSWORD="ari_password" to $ARI_ADMIN_PASSWORD="youraripassword" in file "/var/www/html/recordings/includes/main.conf.php"
Change the amp-manager password:
Change the line "AMPMGRPASS=amp111" to "AMPMGRPASS=youramppassword" in file /etc/amportal.conf
Change the line "secret = amp111" to "secret = youramppassword" in file "/etc/asterisk/manager.conf"
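With this many defaults spread over so many files, it is easy to miss one. The script below is an added example, not part of the original guide: it scans the trixbox configuration files for every factory default named in this guide (port 80 and 443, port 22 with root login, panel port 4445, the amp109, amp111, passw0rd and ari_password passwords) and reports each one still in place. The file paths and default values come from the guide; that cdr_mysql.conf and res_mysql.conf hold the same "amp109" database password is an assumption. The tree it scans here is a constructed sample in a temporary directory; on a real box you would call audit_defaults / (or run it over a copy of /etc and /var/www).

```shell
#!/bin/sh
# Added example, not part of the original guide: find factory defaults that
# are still in place after working through the checklist. Paths and default
# values are the ones the guide names; cdr_mysql.conf/res_mysql.conf holding
# "amp109" is an assumption. The tree under $audit_root is constructed here.

# One check per line:  relative path | extended regex | what a match means
default_checks() {
    cat <<'EOF'
etc/httpd/conf/httpd.conf|^Listen 80$|plain HTTP still listening on port 80
etc/httpd/conf.d/ssl.conf|^Listen 443$|HTTPS still on the default port 443
etc/httpd/conf.d/ssl.conf|^<VirtualHost _default_:443>$|SSL VirtualHost still bound to 443
var/www/html/panel/op_server.cfg|^;?listen_port=4445$|panel still on default port 4445 (commented = default applies)
etc/ssh/sshd_config|^#?Port 22$|SSH still on port 22 (commented = default applies)
etc/ssh/sshd_config|^#?PermitRootLogin yes$|root login over SSH still allowed
etc/amportal.conf|^AMPDBPASS=amp109$|default MySQL password in amportal.conf
etc/amportal.conf|^AMPMGRPASS=amp111$|default manager password in amportal.conf
etc/amportal.conf|^FOPPASSWORD=passw0rd$|default Flash Operator Panel password
etc/asterisk/manager.conf|^secret *= *amp111$|default manager secret in manager.conf
etc/asterisk/cdr_mysql.conf|^password *= *amp109$|default MySQL password in cdr_mysql.conf
etc/asterisk/res_mysql.conf|^dbpass *= *amp109$|default MySQL password in res_mysql.conf
var/www/html/recordings/includes/main.conf.php|ARI_ADMIN_PASSWORD *= *"ari_password"|default ARI admin password
EOF
}

# audit_defaults ROOT -> prints one line per finding, returns the number of findings
# (0 means every default named in the guide is gone). Files that do not exist are skipped.
audit_defaults() {
    root=$1; found=0
    checks=$(default_checks)
    while IFS='|' read -r rel regex why; do
        f="$root/$rel"
        [ -f "$f" ] || continue
        if grep -Eq -- "$regex" "$f"; then
            echo "DEFAULT: $rel: $why"
            found=$((found + 1))
        fi
    done <<EOF
$checks
EOF
    return $found
}

# --- constructed sample tree: only the HTTPS port and root login fixed so far --
audit_root=$(mktemp -d)
mkdir -p "$audit_root/etc/httpd/conf" "$audit_root/etc/httpd/conf.d" "$audit_root/etc/ssh" \
         "$audit_root/etc/asterisk" "$audit_root/var/www/html/panel" \
         "$audit_root/var/www/html/recordings/includes"
printf 'Listen 80\n' > "$audit_root/etc/httpd/conf/httpd.conf"
printf 'Listen 12444\n<VirtualHost _default_:12444>\n' > "$audit_root/etc/httpd/conf.d/ssl.conf"
printf ';listen_port=4445\n' > "$audit_root/var/www/html/panel/op_server.cfg"
printf '#Port 22\nPermitRootLogin no\n' > "$audit_root/etc/ssh/sshd_config"
printf 'AMPDBPASS=amp109\nAMPMGRPASS=amp111\nFOPPASSWORD=passw0rd\n' > "$audit_root/etc/amportal.conf"
printf '[admin]\nsecret = amp111\n' > "$audit_root/etc/asterisk/manager.conf"
printf 'password = amp109\n' > "$audit_root/etc/asterisk/cdr_mysql.conf"
printf 'dbpass = amp109\n' > "$audit_root/etc/asterisk/res_mysql.conf"
printf '$ARI_ADMIN_PASSWORD = "ari_password";\n' > "$audit_root/var/www/html/recordings/includes/main.conf.php"

audit_defaults "$audit_root"
audit_findings=$?
echo "$audit_findings default(s) still in place"
```

The commented-out lines (";listen_port=4445", "#Port 22") are flagged on purpose: a commented default is still the default, which is why the guide has you uncomment those lines with a new value rather than just delete them.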
How to access your trixbox afterwards
User page: https://111.222.111.222:12444/user/
Maintenance page: https://111.222.111.222:12444/maint/ (user=maint, pass=yourmaintpassword)
FreePBX page: https://111.222.111.222:12444/admin/ (user=maint, pass=yourmaintpassword)
Recordings page: https://111.222.111.222:12444/recordings/ (user=admin, pass=youraripassword)
SSH access: log in with secretusername and secretuserpassword, then run the command "su -" and enter your rootpassword
NOW – REBOOT THE SYSTEM!