Sunday, May 27, 2012

The FreePBX and Asterisk Basic Security Checklist


Over the past few days I've been thinking about the questions our students asked during our FreePBX training course. One of the main things they raised was security, and how "bad" Asterisk's reputation for security has been in the past. I must agree with them. There have been enough worrying cases of poor implementation, deployment and management since Asterisk took centre stage some years back and started giving the big IP telephony players a run for their money. And we must also admit that we've had our share of scares, and have come a long way since, thanks to the mistakes made in the past. The security picture around Asterisk (or any product out there) will continue to be a living, growing and evolving problem, no doubt.
While it is easy to "blame the people who deploy it for not securing it", I feel it is also, in some part, the responsibility of every Asterisk/FreePBX professional, as subject matter experts and consultants on Asterisk, to keep up the good name of the product and to help the community get stronger by helping each other as much as possible.
With that, we advise everyone who deploys solutions for customers to take some form of security best practice seriously, starting with the practices highlighted by Digium here, and to keep track of the Asterisk security advisories here. There is a lot more to be aware of than Asterisk/FreePBX security alone, but it is definitely THE STARTING POINT.
Anyway:
Here's a small list of things (a checklist, if you will) that you could consider for each deployment. These are especially important when you put your server on the internet (public facing). I would like to stress that these are merely suggestions and not an ultimatum, but I know for sure that they help.

A little bit of something is better than a whole lot of nothing.


Anyway, we would like to present the following things you should implement when you deploy an Asterisk/FreePBX solution. We figured it would make sense to couple this with FreePBX, since it is probably the most widely deployed front end.

The 11 security things you should consider after an Asterisk/FreePBX installation

1) Do not open it up to the internet (unless you absolutely need to)

Even for testing, start with VPNs and firewalling based on source IP addresses. Only put the server on the internet when it is a business requirement, and then follow this guide here (and the guides of many other esteemed writers). Firewalling is a must: open only the ports you actually need to reach over the internet. Management ports and protocols such as HTTP and SSH must not be reachable from the internet at all, and must have strong credentials.

2) Update everything

A new install should be updated across the board: operating system, FreePBX and Asterisk. Updating does not mean jumping to a new major version; it means running the latest patch release of the version you prefer. Most distributions, such as CentOS and Debian, make it very easy to manage and fetch updates.

3) Do not use the default FreePBX passwords; use database authentication

Manual installations of FreePBX may ship with, or still be using, default passwords. Follow these guides to change them:
a) AMI password
b) MySQL password
c) ARI password (edit amportal.conf or use the Advanced Settings module)
d) FOP password (edit amportal.conf or use the Advanced Settings module)
e) Change AUTHTYPE to database (edit amportal.conf or use the Advanced Settings module)
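As an added example (not from the original post, and not the files FreePBX itself generates), this is what the relevant amportal.conf keys and the matching manager.conf entry look like after the change. The key names are the ones FreePBX 2.x uses; every password value is a placeholder, and the AMI bindaddr and ACL lines are an extra hardening step that the list above does not mention.

```ini
; /etc/asterisk/amportal.conf (FreePBX 2.x): keys to change after a manual install.
; On 2.9+ these are also editable from the Advanced Settings module, which rewrites this file.
; Every value below is a placeholder; use long random strings.
AMPDBUSER=asteriskuser
AMPDBPASS=CHANGE_ME_db_password         ; must match the MySQL user: SET PASSWORD FOR 'asteriskuser'@'localhost' = PASSWORD('...')
AMPMGRUSER=admin
AMPMGRPASS=CHANGE_ME_ami_password       ; must match the [admin] secret in manager.conf below
AUTHTYPE=database                       ; GUI logins checked against the FreePBX database (alternatives: none, webserver)
ARI_ADMIN_USERNAME=admin
ARI_ADMIN_PASSWORD=CHANGE_ME_ari_password
FOPPASSWORD=CHANGE_ME_fop_password

; /etc/asterisk/manager.conf: the AMI secret must equal AMPMGRPASS, and AMI should only
; ever be reachable from the PBX itself. Keep the read/write permission lines as shipped.
[general]
enabled = yes
port = 5038
bindaddr = 127.0.0.1                    ; not 0.0.0.0: FreePBX talks to AMI on localhost, nobody else needs it

[admin]
secret = CHANGE_ME_ami_password
deny = 0.0.0.0/0.0.0.0                  ; deny everything first...
permit = 127.0.0.1/255.255.255.0        ; ...then allow only the local host
```

After editing, restart with `amportal restart` and confirm that `amportal a r` (retrieve_conf) still connects; a mismatch between AMPMGRPASS and the manager.conf secret is the most common way this goes wrong.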

4) Create everything new with complex passwords

Never create easy-to-guess passwords for extensions, trunks, DISA and so on. Acceptable passwords can contain all types of characters in any combination; use them. Here's a good place to learn about complex passwords. Use the FreePBX Weak Password Detection module to help audit your passwords.

5) Limit the source IP from which an extension may register

For every extension that is not public facing, define that it may only register from your internal network. This ACL-style restriction can be applied at both the extension and the trunk level: extensions have "deny" and "permit" settings, and trunks have a "host" definition in their peer settings.

6) Use fail2ban or another application-level brute-force blocker

Fail2ban helps with some of the scanners out there: if anyone tries to get into your system without providing correct credentials n times, their IP is banned for as long as you please (using iptables). Here's how to get fail2ban to work with Asterisk. Many call this the silver bullet; I strongly disagree, it is not, but it sure is a grand first step. I am starting to like BFD nowadays (http://www.rfxn.com/projects/brute-force-detection/) because its rules are more flexible, using simple bash commands to extract information and decide how to ban, as opposed to fail2ban, which only allows regexes.
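As an added example (not the post's own configuration, and not the stock filter that ships with fail2ban), here is a fail2ban filter and jail for Asterisk. The first failregex matches the Asterisk 1.8+ security log; the others match the "Registration from ... failed" notices that older versions write to the full log. The log paths, the thresholds and the 192.168.10.0/24 office network are assumptions to adapt.

```ini
# /etc/fail2ban/filter.d/asterisk.conf
[Definition]
# Asterisk 1.8+ security log (logger.conf: security => security): one line per failed auth attempt
# Pre-1.8: the classic NOTICE lines in /var/log/asterisk/full
failregex = SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)".*RemoteAddress="IPV[46]/(UDP|TCP|TLS)/<HOST>/\d+"
            NOTICE.* .*: Registration from '.*' failed for '<HOST>(:\d+)?' - (Wrong password|No matching peer found|Username/auth name mismatch|Device does not match ACL)
            NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
            NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' \(.*\)
ignoreregex =

# /etc/fail2ban/jail.local
[DEFAULT]
# never ban the PBX itself or the office LAN (assumed 192.168.10.0/24): a mistyped phone
# password must not lock the whole office out
ignoreip = 127.0.0.1/8 192.168.10.0/24

[asterisk]
enabled  = true
filter   = asterisk
# drop every port for the offending IP, not only 5060; scanners come back on IAX2 and SSH too
action   = iptables-allports[name=ASTERISK, protocol=all]
logpath  = /var/log/asterisk/security
           /var/log/asterisk/full
# 5 failures inside 10 minutes -> banned for 24 hours
maxretry = 5
findtime = 600
bantime  = 86400
```

Check the filter against your real log before trusting it: `fail2ban-regex /var/log/asterisk/security /etc/fail2ban/filter.d/asterisk.conf` prints how many lines matched. Note that a scanner behind the same NAT as a legitimate remote phone will get that phone banned along with it, which is one reason the post does not treat fail2ban as a silver bullet.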

7) Obfuscation

I know, many will say this is not security, and that is true. It is not security, but it helps. Most people attack Asterisk systems because they know it is Asterisk, so let's throw them off course a little, shall we?
How? Here's what I suggest doing first (change or add the fields below in sip.conf, or in FreePBX use the SIP Settings module, right at the bottom where it says "Other SIP Settings"):
a) useragent=<something odd>, e.g. useragent=SIPSERVE
b) Change the realm, e.g. realm=sipserve
c) Set alwaysauthreject=yes (here's why: with it set, Asterisk rejects a wrong password and a non-existent extension with an identical response, so a scanner cannot tell which extension numbers exist)
d) Using a front firewall, block IAX2 (4569/udp), AMI (5038/tcp) and probably MySQL (3306/tcp). All of these easily give away that you're running Asterisk.
Remember, the above mostly only thwarts scripts that look for Asterisk servers in particular.

8) It's a PBX, so let it be a PBX, not a file server etc. Reduce the attack surface.

I think the heading speaks for itself. Your Cisco switch is meant to be a switch; you don't put a file server on it, do you? The Asterisk box is a PBX, so don't put other stuff on it.
If there's a FreePBX module you don't need, disable or remove it.
If there's a protocol you don't need (e.g. IAX2, H.323), disable it too.
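As an added example (not the post's own configuration, and not what FreePBX generates), the registration source-IP restriction, the obfuscation settings and the "disable what you don't use" advice above look like this in raw sip.conf and modules.conf. In FreePBX 2.x the [general] lines go into "Other SIP Settings" and the deny/permit lines into the extension's device options. The office network 192.168.10.0/24, extension 1000, the trunk name, the provider address 203.0.113.5 and the context names are placeholders.

```ini
; /etc/asterisk/sip.conf
[general]
alwaysauthreject=yes          ; identical rejection for unknown user and wrong password: no extension enumeration
allowguest=no                 ; unauthenticated INVITEs never reach the dialplan
useragent=SIPSERVE            ; replaces "Asterisk PBX x.y.z" in responses, the string scanners key on
realm=sipserve                ; the digest challenge no longer says "asterisk"
; the realm is part of the digest hash, so phones must re-register after it changes

; an internal extension that may only register from the office LAN
[1000]
type=friend
host=dynamic
secret=CHANGE_ME_long_random_secret
context=phones-restricted     ; a restricted dialplan context of your own
deny=0.0.0.0/0.0.0.0          ; deny everyone...
permit=192.168.10.0/255.255.255.0   ; ...except the LAN; a roaming phone needs its own peer without this
call-limit=1                  ; one concurrent call per extension (deprecated since 1.8 in favour of GROUP_COUNT in the dialplan)

; a provider trunk, pinned to the provider's address so nobody else can send calls through it
[provider-trunk]
type=peer
host=203.0.113.5              ; placeholder provider address; anything from elsewhere is not this peer
secret=CHANGE_ME_trunk_secret
insecure=invite               ; accept the provider's INVITEs without a challenge; safe only because host= pins the IP
context=from-trunk

; /etc/asterisk/modules.conf: channel drivers you do not use should not be listening at all
[modules]
autoload=yes
noload => chan_iax2.so        ; closes udp/4569 (the page's "block IAX2" item, done at the source)
noload => chan_ooh323.so      ; H.323
noload => chan_skinny.so
noload => chan_mgcp.so
```

After a `sip reload` and `module reload`, verify from the outside: `sip show peer 1000` should list the deny/permit ACL, and a REGISTER for 1000 from an address outside 192.168.10.0/24 must be rejected. `netstat -lnup` should no longer show 4569.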

9) Use custom contexts and/or some of the neat restrictions in FreePBX 2.10

a) In FreePBX 2.10 you can set the maximum number of concurrent calls per extension. Set it to one! There is really no reason for one extension to fire ten calls at the same time; the phones don't even have that many lines, do they?
b) Use time restrictions for external calls. For example, if your office works from 8am to 8pm at the latest, only allow outbound calls during those hours.
c) Custom contexts can be used to limit where an extension can call, e.g. extension 1000 can only call local numbers. You will probably have more restricted users than unrestricted ones, so if an extension is compromised it is more likely to be a restricted one, which limits the damage.
d) Also, use an uncommon dial-out prefix, e.g. #9. When an extension is compromised, the attacker also has to learn how you dial out; a call without the prefix fails, and they can't read the dialplan from a compromised extension alone.
e) Limit the maximum number of concurrent calls at the trunk level too.

10) Send commonly abused numbers/countries to a black hole

Create an outbound route, placed above all others, that points at a fake trunk (create a ZAP/DAHDI trunk using a group that does not exist, such as g100). Put all commonly exploited and rarely dialled destinations in there. Remember, it is like a firewall: close down as much as possible, then open up as the need arises.
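The custom-context restrictions above (one call per extension, office hours, restricted destinations, dial-out prefix, trunk cap) and the black-hole route are shown together below as plain Asterisk dialplan. This is an added example, not the output of the FreePBX Custom Contexts or Outbound Routes modules; on a FreePBX box it would live in extensions_custom.conf, with the restricted phones' "context" set accordingly. The #9 prefix (stripped with ${EXTEN:2}), the peer name provider-trunk, 8-digit local numbers, 00 as the international prefix, 1900 as a premium-rate range and 999 as the emergency number are all assumptions.

```ini
; /etc/asterisk/extensions.conf (added example)

[blackhole]
; searched before the outbound guard: these destinations never leave the PBX, the same effect
; as the "fake DAHDI trunk" route but without relying on a Dial() failure
exten => s,1,NoOp(blackhole: ${CALLERID(num)} tried ${BLOCKED})
 same => n,Playback(ss-noservice)
 same => n,Hangup()
exten => _#900X.,1,Set(BLOCKED=${EXTEN:2})     ; all international until a country is explicitly allowed
 same => n,Goto(s,1)
exten => _#91900X.,1,Set(BLOCKED=${EXTEN:2})   ; premium-rate
 same => n,Goto(s,1)

[outbound-guard]
; every external call passes through here
exten => _#9X.,1,Set(GROUP()=${CALLERID(num)})                          ; count this channel against its extension
 same => n,GotoIf($[${GROUP_COUNT(${CALLERID(num)})} > 1]?reject)      ; a second simultaneous outbound call
 same => n,GotoIfTime(08:00-20:00,mon-fri,*,*?hours_ok)               ; outside office hours nothing goes out
 same => n,Goto(reject)
 same => n(hours_ok),Set(GROUP(trunk)=provider)                        ; count it against the trunk as well
 same => n,GotoIf($[${GROUP_COUNT(provider@trunk)} > 4]?reject)       ; at most 4 calls on the trunk at once
 same => n,Dial(SIP/provider-trunk/${EXTEN:2},60)
 same => n,Hangup()
 same => n(reject),NoOp(rejected outbound ${EXTEN:2} from ${CALLERID(num)})
 same => n,Congestion(5)
 same => n,Hangup()

[phones-restricted]
; sip.conf "context" for most phones: internal calls, emergency and 8-digit local numbers only.
; International and premium numbers have no matching pattern here, and neither does a local
; number dialled without the #9 prefix, so a compromised phone cannot ring them.
exten => _1XXX,1,Dial(SIP/${EXTEN},20)
 same => n,Hangup()
exten => 999,1,Dial(SIP/provider-trunk/999,60)          ; emergency: no prefix, no hours, no call cap
exten => _#9NXXXXXXX,1,Goto(outbound-guard,${EXTEN},1)

[phones-unrestricted]
; the few phones that may call anywhere: the black hole is searched before the guard
include => blackhole
include => outbound-guard
exten => _1XXX,1,Dial(SIP/${EXTEN},20)
 same => n,Hangup()
exten => 999,1,Dial(SIP/provider-trunk/999,60)
```

Two points worth checking after `dialplan reload`: `dialplan show #90012345678@phones-unrestricted` must resolve into the blackhole context, not the guard (includes are searched in order, so the order of the two include lines matters), and `core show channels` while a restricted phone is on an outbound call should show a second attempt from the same extension landing on Congestion().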

11) Turn on as much logging as possible, and back up, back up

Asterisk 1.8 has a dedicated "security" log you can switch on; on older versions, keep the full log on and rotate it periodically. Also log all calls to the CDR. Logging helps you look for "odd" things when auditing.
Back up your configuration so that, if someone gains admin access and changes everything, a restore quickly brings order back. And of course, back up so you can recover when sh1t happens, you know :)
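As an added example (not the post's configuration; FreePBX ships its own logger.conf, so compare before hand-editing), here is a logger.conf that turns on the Asterisk 1.8+ security log next to the full log, and a cdr.conf that records every attempt rather than only completed calls.

```ini
; /etc/asterisk/logger.conf
[general]
dateformat=%F %T            ; ISO-style timestamps: easier to grep, sort and feed to fail2ban
rotatestrategy=rotate       ; "logger rotate" from the CLI keeps numbered copies instead of overwriting

[logfiles]
console => notice,warning,error
; the full log: everything, and on pre-1.8 the only place failed registrations appear (NOTICE lines)
full => notice,warning,error,debug,verbose,dtmf,fax
; Asterisk 1.8+: one line per authentication event (InvalidPassword, FailedACL, ChallengeResponseFailed...)
; with source address, account and transport; needs res_security_log.so loaded
security => security

; /etc/asterisk/cdr.conf
[general]
enable=yes
unanswered=yes              ; record failed and unanswered attempts too: scanners rarely complete a call,
                            ; so a burst of unanswered international attempts at 3am is what you want to see
```

After `logger reload`, `module show like security` should list res_security_log.so, and a deliberately wrong REGISTER from a test phone should produce a `SecurityEvent="InvalidPassword"` line in /var/log/asterisk/security with the phone's address in RemoteAddress.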

Wednesday, May 16, 2012

Limiting the duration of all, or just outbound, calls using FreePBX

I found a link that explains how to set a maximum duration for ALL calls, or just OUTBOUND calls, using FreePBX.

Thanks to this link/user: http://www.trixbox.org/forums/trixbox-forums/help/how-do-i-limit-call-length-or-call-duration/eihoward

Go to FreePBX General Settings.

You will find two dialing options:

To limit ALL calls, modify the "Asterisk Dial…" box; to limit only outbound calls, modify the "Asterisk Outbound Dial…" box.

Here in my server/example, I am setting the limit to 4 hours max, with a warning message played at the 3.9 hour mark, 6 minutes before the call is hung up (forcefully).

The value is

L(14400000:360000)

where L denotes the Limit option of the Dial application, the first value is the maximum call time and the second is how many milliseconds must remain when the warning is played (1 sec = 1000 ms). Note that the second value is time remaining, not time elapsed: L(14400000:14040000) would play the warning 6 minutes into the call, with 3.9 hours still to go.


In my case, I only wish to limit outbound calls, to 4 hours MAX.
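The same option in raw dialplan, as an added example rather than FreePBX's generated dial-out macro: it also shows the optional third L() value (repeat interval) and the LIMIT_ channel variables that control who hears the warning. The peer name provider-trunk, the #9 prefix and the context names are assumptions.

```ini
; extensions_custom.conf (added example)
; L(x:y:z): hang up after x ms, warn when y ms remain, repeat the warning every z ms
; 14400000 = 4 h hard limit, 360000 = warn 6 min before the end, 60000 = repeat every minute
[macro-dialout-limited]
exten => s,1,Set(LIMIT_PLAYAUDIO_CALLER=yes)      ; the caller hears the warning...
 same => n,Set(LIMIT_PLAYAUDIO_CALLEE=no)          ; ...the far end does not
 same => n,Set(LIMIT_WARNING_FILE=beep)            ; short beep instead of the default spoken time announcement
 same => n,Dial(SIP/provider-trunk/${ARG1},60,L(14400000:360000:60000))
 same => n,Hangup()

[from-internal-limited]
exten => _#9X.,1,Macro(dialout-limited,${EXTEN:2})   ; strip the #9 prefix and dial out with the limit
```

A quick way to verify the semantics without waiting four hours is a short test limit such as L(120000:30000) on a test context: the beep must come 90 seconds into the call, not 30.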

Tuesday, May 1, 2012

Asterisk 10's ConfBridge: extend your existing PBX to support multi-party video and audio conferences with Asterisk 10 + FreePBX 2.10


I saw an update today on the FreePBX 2.10 page that included an online fix to support the new Asterisk 10 conference bridge application, ConfBridge. Previously, every FreePBX version used the MeetMe conferencing application on Asterisk, which has some limitations as times and needs change. The new and improved conferencing application in Asterisk 10 once again opens up fun new things to do with Asterisk. With direct support for the Asterisk 10 ConfBridge in FreePBX 2.10, you can now easily select which conferencing application to use (in this case, switching from MeetMe to ConfBridge) in FreePBX Advanced Settings.
So what's the fuss about CONFBRIDGE? (from the Asterisk wiki here)
Asterisk, since its early days, has offered a conferencing application called MeetMe (app_meetme.so). MeetMe provides DAHDI-mixed software-based bridges for multi-party audio conferencing. MeetMe is used by nearly all Asterisk implementations - small office, call center, large office, feature-server, third-party application, etc. It has been extremely successful as an audio bridge.
Over time, several significant limitations of MeetMe have been encountered by its users. Among these are two of distinction: MeetMe requires DAHDI for mixing, and is thus limited to 8kHz (PSTN) audio sampling rates; and MeetMe is delivered in a fairly static form, it does not provide extensive configuration options. To address these limitations, a new conferencing application, based upon the ConfBridge application introduced in Asterisk 1.6.0, is now available with Asterisk 10. This new ConfBridge application replaces the older ConfBridge application. It is not intended to be a direct replacement for MeetMe, it will not provide feature parity with the MeetMe application. Instead, the new ConfBridge application delivers a completely redesigned set of functionality that most users will find more than sufficient, and in many ways better, for their conferencing needs.

Some of the features:
1) High-quality audio (HD voice): an advanced, high-performance wideband and ultra-wideband conferencing application for 8 to 192 kHz clients
2) Video-enabled conferencing
3) Lots of in-call conference options, such as dynamic volume and microphone settings, adding callers manually while in conference, locking and unlocking the conference, etc.
4) Dynamic conferences (you can host any conference number, any time, for anyone)
5) Profile based (each user can have different settings, such as admin permissions and DSP settings, e.g. per-user noise-cancellation options such as more echo cancellation for softphone users, etc.)
New work is also being done on time-based conferences, strict start and end times, etc.

And yes, you can extend your current PBX to support conferencing straight from your existing architecture, or, as we call it, Asteriskify it (Astrification)!

For those who want to test it, here's how using FreePBX. NOTE: many of the new options shown above may not be directly exposed in FreePBX 2.10, but from what I hear, 2.11 is being written to support a lot of this new stuff.
Just sign in to FreePBX, go to Advanced Settings, look for the conference room app setting, pull down and select app_confbridge. Click the tiny apply button, then the big red Apply button. Done!

Though the FreePBX team says it is very much in BETA (testing), it worked well when I fired 20 calls at my 512MB virtual machine at the office over a 5MBps Unifi line. Of course, I had no one but myself to talk to in that conference :D hehe.
Anyway, once you've selected the conference application and applied the settings, go to the Conferences module in FreePBX and start creating new conferences.

This will be familiar to most FreePBX users from the old app_meetme found in all FreePBX versions, but in this case, since we selected ConfBridge, it will use CONFBRIDGE instead of MEETME.
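The profile-based features listed above (wideband mixing, video following the talker, per-user DSP settings, admin and marked users, in-call menus) are configured in confbridge.conf. The following is an added example of that file and a matching dialplan entry as raw Asterisk 10 configuration, not something the FreePBX 2.10 Conferences module writes; room number 8001, the PIN and the profile and context names are assumptions.

```ini
; /etc/asterisk/confbridge.conf (added example)
[hd_bridge]
type=bridge
internal_sample_rate=16000          ; wideband mixing; MeetMe/DAHDI is fixed at 8 kHz. "auto" follows the callers
mixing_interval=20                  ; ms between mixes (10, 20, 40 or 80)
video_mode=follow_talker            ; every participant sees whoever is currently talking
record_conference=no

[staff_user]
type=user
music_on_hold_when_empty=yes
announce_user_count=yes
announce_join_leave=yes
wait_marked=yes                     ; nothing happens until a marked user (the chair) joins...
end_marked=yes                      ; ...and the room closes when the last chair leaves: no after-hours squatting
dsp_drop_silence=yes                ; per-user DSP: silent frames are not mixed
denoise=yes                         ; per-user noise reduction, needs func_speex.so
dtmf_passthrough=no                 ; DTMF drives the menu, it is not forwarded to the other callers

[admin_user]
type=user
admin=yes
marked=yes
pin=0000                            ; placeholder, change it: this PIN unlocks kick and lock
music_on_hold_when_empty=no
announce_user_count=yes

[staff_menu]
type=menu
*=playback_and_continue(conf-usermenu)
*1=toggle_mute
*4=decrease_listening_volume
*6=increase_listening_volume
*7=decrease_talking_volume
*9=increase_talking_volume

[admin_menu]
type=menu
*=playback_and_continue(conf-adminmenu)
*1=toggle_mute
*2=admin_toggle_conference_lock     ; lock the room once everyone expected is in
*3=admin_kick_last                  ; throw out the last caller who joined
*8=leave_conference

; /etc/asterisk/extensions_custom.conf: 8001 for participants, 8002 for the chair, same room
[from-internal-custom]
exten => 8001,1,Answer()
 same => n,ConfBridge(8001,hd_bridge,staff_user,staff_menu)
 same => n,Hangup()
exten => 8002,1,Answer()
 same => n,ConfBridge(8001,hd_bridge,admin_user,admin_menu)
 same => n,Hangup()
```

With this in place, `confbridge show profile bridge hd_bridge` on the CLI should report the 16 kHz sample rate, and a participant dialling 8001 before the chair has joined hears music on hold rather than an empty room.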