Secure Protect Trixbox 2.4 for direct mount on internet

Posted byProsoxi.com Webmaster Leave a comment on Secure Protect Trixbox 2.4 for direct mount on internet

Here is a small guide to secure your trixbox to put on the internet… And make it reasonably secure! There are so many default passwords and ports to change! This is a list of the most important ones! Everything in RED is something you should come up with 🙂

To avoid unencrypted http-traffic to your server:

Change line "Listen 80" to "#Listen 80" in file "/etc/httpd/conf/httpd.conf"

Move the default port of the https-server (to a secret location):

Change line "Listen 443" to "Listen 12444" in file "/etc/httpd/conf.d/ssl.conf"

and Change line "<VirtualHost _default_:443>" to "<VirtualHost _default_:12444>"

Move the default port of the Panel (to a secret location):

Change line ";listen_port=4445" to "listen_port=12555" in file "/var/www/html/panel/op_server.cfg"

Move the default port of the SSH-server and do not allow root-login via SSH (to a secret location):

Change line "#Port 22" to "Port 12666" in file "/etc/ssh/sshd_config"

Change line "#PermitRootLogin yes" to "PermitRootLogin no" in file "/etc/ssh/sshd_config"

Change your root-password

passwd

You will now be prompted twice for your new rootpassword

Add a standard-user for ssh login(from wich you can SU to root if you need it):

adduser secretusername
passwd secretusername

You will now be prompted twice for the secretuserpassword

Change the MySQL-password

mysqladmin -u asteriskuser -p password secretmysqlpassword

when prompted for password enter "amp109" wich is the default trixbox mysql password

Modify line "AMPDBPASS" in file "/etc/amportal.conf" (the line that is uncommented in the buttom if there is more than one)

Modify line "password" in file "/etc/asterisk/cdr_mysql.conf"

Modify line "dbpass" in file "/etc/asterisk/res_mysql.conf"

Setting up a firewall to protect trixbox from incoming traffic other than SIP, SSH, WEB and FOP:

After changing your outside IP-number from 111.222.111.222 in this script, just paste it at the commandline.

IPTABLES=/sbin/iptables
$IPTABLES -F
$IPTABLES -F INPUT; $IPTABLES -P INPUT ACCEPT; $IPTABLES -Z INPUT
$IPTABLES -F FORWARD; $IPTABLES -P FORWARD ACCEPT; $IPTABLES -Z FORWARD
$IPTABLES -F OUTPUT; $IPTABLES -P OUTPUT ACCEPT; $IPTABLES -Z OUTPUT
$IPTABLES -X
$IPTABLES -N ALEX-INPUT;
$IPTABLES -N REJECT-PKT;
$IPTABLES -N SYN-FLOOD;
$IPTABLES -A INPUT -j ALEX-INPUT
$IPTABLES -A ALEX-INPUT -i lo -j ACCEPT
$IPTABLES -A ALEX-INPUT -s 127.0.0.0/8 -j DROP
$IPTABLES -A ALEX-INPUT -d 127.0.0.0/8 -j DROP
$IPTABLES -A ALEX-INPUT -s 111.222.111.222 -j DROP
$IPTABLES -A ALEX-INPUT -p tcp -m tcp ! --syn -m state --state NEW -j DROP
$IPTABLES -A ALEX-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A ALEX-INPUT -p icmp -m icmp --icmp-type ping -j ACCEPT
$IPTABLES -A ALEX-INPUT -p tcp -m tcp --dport 12444 -j ACCEPT
$IPTABLES -A ALEX-INPUT -p tcp -m tcp --dport 12555 -j ACCEPT
$IPTABLES -A ALEX-INPUT -p tcp -m tcp --dport 12666 -j ACCEPT
$IPTABLES -A ALEX-INPUT -p udp -m udp --dport 5060 -j ACCEPT
$IPTABLES -A ALEX-INPUT -p udp -m udp --dport 5061 -j ACCEPT
$IPTABLES -A ALEX-INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT
$IPTABLES -A ALEX-INPUT -j REJECT-PKT
$IPTABLES -A REJECT-PKT -p tcp -m tcp -j REJECT --reject-with tcp-reset
$IPTABLES -A REJECT-PKT -p udp -m udp -j REJECT --reject-with icmp-port-unreachable
$IPTABLES -A REJECT-PKT -p icmp -m icmp --icmp-type ping -j REJECT --reject-with icmp-host-unreachable

Save the iptables with this command:

service iptables save

If you use other protocols than SIP you should insert the ports of those too!

Make iptables startup at boottime:

ln -s /etc/init.d/iptables /etc/rc3.d/S20iptables

Change the maint-password:

Run the command: "passwd-maint"

Enter yourmaintpassword twice

Change the Flash operator panel password:

Change "FOPPASSWORD=passw0rd" to "FOPPASSWORD=yoursecretfoppassword" in file "/etc/amportal.conf"

Change the ari password for admin user on recordings page:

Change line $ARI_ADMIN_PASSWORD ="ari_password" $ARI_ADMIN_PASSWORD ="youraripassword" to in file "/var/www/html/recordings/includes/main.conf.php"

Change the amp-manager password:

Change the line "AMPMGRPASS=amp111" to "AMPMGRPASS=youramppassword" in file /etc/amportal.conf

Change the line "secret = amp111" to "secret = youramppassword" in file "/etc/asterisk/manager.conf"

How to access your trixbox afterwards

User page: https://111.222.111.222:12444/user/

Maintanance page: https://111.222.111.222:12444/maint/ (user=maint, pass=yourmaintpassword)

FreePBX page: https://111.222.111.222:12444/admin/ (user=maint, pass=yourmaintpassword)

Recordings page: https://111.222.111.222:12444/recordings/ (user=admin, pass=youraripassword)

SSH access: login with secretusername and secretuserpassword then write the command "su -" and enter your rootpassword

NOW – REBOOT THE SYSTEM!

http://offline.dk/andet/voip/harden.html

Leave a comment