HowTo: Securing Elastix

This article covers the initial steps in securing a default install of Elastix.  You should complete this work even if your system is not accessible from the Internet.

If it is connected to the Internet, then not doing these basic security changes will leave your system wide open to attack!  You have been warned.

Contents

  1. Changing the default Elastix Admin account password
  2. Changing the default FreePBX account password
  3. Setting strong secrets with Extensions
  4. Securing SIP accounts
  5. Prevention Tools
  6. Elastix default accounts

Changing the default Elastix Admin account password

First of all we need to change the default Elastix administration password.  Connect to your Elastix appliance via the web interface and select System->User Management and then select Users from the left tabs:

Default user list for Elastix

Select the ‘admin’ user to update:

Default 'Admin' user details

Next click the ‘Edit’ button so you can make changes:

Default details for 'Admin' user

You need to enter a STRONG ‘Password’ and confirm it in the ‘Retype password’ box too.  By strong, I mean the password should contain:

  • Mixed upper and lower case characters
  • Digits
  • Basic symbols (e.g. !"£$%^&*()_=+-<>;:'@#~/? and so on)
  • One or more space characters

While you are there, you could also enter a suitable name (i.e. yours) for this account in the ‘Name’ box:

New admin details

Finally, click ‘Apply changes’ to save.  You will need to log in again after applying.

An alternative and more secure method would be as follows:

  1. Create a new account with administration rights, with a name that does not indicate the purpose of the account.
  2. Set this account a strong password.
  3. Test the account by logging off as Admin and logging in with your new account.
  4. Use the new account to delete the original Admin account.

Note: Don’t lose the admin login details or you will be re-installing the software again!

Changing the default FreePBX account password

Elastix depends on FreePBX quite a lot, and even provides an interface to the FreePBX console itself.  This has a default username and password of admin and admin.  We need to start the FreePBX console from within Elastix and change the account details.  Follow the instructions here, and enter the default user name of admin and password of admin.

Now that you have entered the FreePBX console, you can change the admin account’s default password.  Select the Admin tab from the top and the Setup tab from the top of the left panel.  Finally choose Administrators to bring up the Administrators controls:

Administrators console

Select the admin user from the list on the right:

Selecting the default admin account

And the account details will be displayed:

The default admin account

You can now enter a suitably strong new administrator password (as detailed above) and click the Submit Changes button at the bottom.  You will then need to click the Apply Configuration Changes bar at the top to commit the change:

Committing the changes in FreePBX

You will be asked to confirm the changes:

Confirming the configuration changes

Click ‘Continue with reload’ to apply, and the changes will take effect.  You can log out of the FreePBX console via the logout option in the top right of the console:

Logout from FreePBX console

As an improved security measure, you could create a new administrator account with the same details, but a new name and a suitably strong password and then delete the original.

Setting strong secrets with Extensions

Extensions are a massive risk to your system.  Not because their accounts allow direct access to your system, but because they can be used to make calls.  Having a weak ‘secret’ for an extension leaves your system wide open to fraudulent calls.  Once an ‘extension’ has made a connection (either a physical VOIP phone or a soft phone), it can start to make calls in that context.  This is especially important if you open your firewall up to allow the connection of SIP and IAX based phones and trunks.

Any extension, once registered, can make calls.  Which calls can be made depends on how you have set up your system.  The best approach is to make sure every extension is as secure as possible, and this article will help achieve this goal.

Each extension that connects via the network, either a physical VOIP phone or a soft phone running on a PC, needs a shared ‘secret’ to connect to the Elastix server.  This ‘secret’ is entered whenever an extension is created and can be updated at any time within the settings of an extension.

Within the FreePBX part of Elastix, it is possible to use the ‘Weak Passwords’ module to help identify poor passwords, but as it only performs very basic checks it is not very helpful, and you need to enter the FreePBX console to work with it.  So I will ignore this facility for the time being, as many users don’t want to leave Elastix.

Keeping the passwords strong on creation is probably the best way, rather than finding out afterwards.  So create them strong in the first place.

I would suggest, where possible, using a length of at least 8 characters, with randomly chosen mixed upper case, lower case and digits.  Avoid using actual words, as these are easy to break.  Also avoid taking a standard word and ‘strengthening’ it; this will only delay the inevitable.

E.g. the password

mypassword

being ‘strengthened’ to:

MyP4$$w0rd

These are easily broken as well.

As the passwords are stored in a text file, then you need to avoid most special characters.  You also need to be mindful of any limitations that the device may have.  Often VOIP phones can only use digits as a secret because they have no method of entering letters or changing case.

If there are limitations, then increase the length to compensate, but don’t be silly.  Trying to read out a 100 digit password over the phone to a user is not going to win any ‘brownie points’ for yourself.  A maximum of 12 digits/letters is probably more than enough.

I have made a basic password generator available here to help.  This does not pass any information back to me or anywhere else.  It should be strong enough for most PBX extensions.  Set the type of password (without additional characters), set the length between 8 and 12 characters, and click ‘Generate Password’.  Copy the result into the extension’s secret in the Elastix console and there you are.

If a user forgets a password, it is probably a good idea to generate a fresh one.  This helps protect your system from ‘lost’ passwords written on bits of paper or in the back of a journal that get left in a taxi or on a train.
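The secret rules above (8 to 12 characters, mixed case and digits, digits only where the handset cannot enter letters, no special characters, and no dictionary word dressed up as ‘MyP4$$w0rd’) as a small checker and generator.  This is an added example, not the generator linked from this article; the word list is a constructed stand-in for a real dictionary.

```python
import secrets
import string

# Constructed stand-in for a dictionary wordlist (hypothetical, not from the page).
COMMON_WORDS = {"password", "secret", "elastix", "asterisk", "admin", "welcome"}
# Reverse the usual substitutions so "MyP4$$w0rd" collapses back to "mypassword".
UNLEET = str.maketrans({"4": "a", "@": "a", "3": "e", "1": "i", "!": "i",
                        "0": "o", "$": "s", "5": "s", "7": "t"})

def secret_problems(secret, digits_only=False):
    """List the reasons a proposed extension secret is weak; empty list means acceptable."""
    allowed = string.digits if digits_only else string.ascii_letters + string.digits
    problems = []
    if len(secret) < 8:
        problems.append("shorter than 8 characters")
    if any(c not in allowed for c in secret):
        problems.append("uses characters the phone or the text config file may not accept")
    base = secret.lower().translate(UNLEET)
    if base.startswith("my"):
        base = base[2:]
    if base in COMMON_WORDS:
        problems.append("is a dictionary word dressed up with substitutions")
    if not digits_only and not (any(c.isupper() for c in secret)
                                and any(c.islower() for c in secret)
                                and any(c.isdigit() for c in secret)):
        problems.append("does not mix upper case, lower case and digits")
    return problems

def generate_secret(length=12, digits_only=False):
    """Random secret in the shape the article recommends: 8 to 12 letters and digits,
    or digits only for handsets that cannot enter letters; uses the OS CSPRNG."""
    if not 8 <= length <= 12:
        raise ValueError("length must be between 8 and 12")
    alphabet = string.digits if digits_only else string.ascii_letters + string.digits
    while True:  # retry until the candidate passes the same checks applied to user input
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not secret_problems(candidate, digits_only):
            return candidate
```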

Securing SIP Accounts

SIP Accounts are a major hacking point of Asterisk based systems, and Elastix is no exception, especially if you have SIP accounts that are open to the outside world of the Internet.  Many hacking tools have been released over the last couple of years that make this an easy task for the Neanderthals out there.

Here are a few useful pointers taken from forums at Elastix and VOIP Tech:

Limit IP Source Addresses

If possible, don’t allow SIP connections from all IP addresses (the default).  Add "permit=" and "deny=" lines to the "sip_general_custom.conf" file via Elastix->PBX->Tools->FileEditor.

This is a problem if you have roaming laptop users that will keep changing ISPs and thus source IP address.  In this case you should ensure that other SIP security measures are strong enough.

Preventing SIP Extension Information Leakage

By default, Asterisk can leak information that helps hacking tools target your system and reduce the time needed to break in.  Since about version 1.2 of Asterisk it has been possible to block this leak.

To prevent this leak in Elastix, add "alwaysauthreject=yes" to the "sip_general_custom.conf" file via Elastix->PBX->Tools->FileEditor.

Use Strong Passwords for Secrets

Don’t depend on words that are easy for you to remember, they are also easy for hackers to break.  See the article above about strong secrets: Setting strong secrets with Extensions.

Keep the AMI Manager ports blocked to the local sub-net

By default, Elastix already has this configured, with "deny=0.0.0.0/0.0.0.0" and "permit=127.0.0.1/255.255.255.0" applied in "manager.conf"; just remember not to override this setting in that file, or in "manager_additional.conf" or "manager_custom.conf".

The password for AMI is pretty weak; I currently do not know how to harden this from the default.

Anonymous inbound SIP calls

Elastix has the ability to accept anonymous inbound SIP calls via trunks.  This setting, ‘Allow anonymous inbound SIP calls’, must be set to ‘NO’ at all times.  You may use it to briefly test inbound SIP calls via trunks, just to get the initial processing correct, but remember to restore this setting after testing.

This setting is found here, near the bottom of the page:

PBX->PBX Configuration->Allow anonymous inbound SIP calls

In order to overcome the security imposed by this setting being ‘NO’, see this article: HowTo: Elastix Incoming SIP Trunk Calls.

With ‘Allow Anonymous’ set to yes, the system will allow ANY call in via this SIP path.  At best it will be annoying.  At worst, with DISA, the caller can make free calls via your system!

Example Hack

Here is a YouTube training video for a SIP hacking tool, ‘SIPAutoHack’.  This shows you just how easy it is to do with the ‘free’ tools being offered.

Prevention Tools

If you have the necessary skills, then you could consider using one or more of the following tools to help defend your system:

  • fail2ban, a log file scanner that performs blocking actions.  An article on using this with Asterisk can be found here.
  • DenyHosts is a very popular port blocker for many *nix distributions and may provide Elastix with additional protection.

I may consider writing articles to help the more novice Elastix administrator implement these utilities if there are some requests.


MORE TO BE ADDED SHORTLY :)


Elastix Default Accounts

Initial login at the Linux command line (VMware image)

Username: root
Password: palosanto

Initial access to the Web interface

Enter in the Web interface:

Username: admin
Password: palosanto

Initial access to third party applications

To use SugarCRM:

Username: admin
Password: password

To use A2Billing:

Username: admin
Password: mypassword

or

Username: root
Password: myroot

Operator Flash Panel (from 0.6 version):

Password: eLaStIx.2oo7

For accessing FreePBX (without being contracted) use:

Username: admin
Password: admin

For accessing vtigerCRM use:

Username: admin
Password: admin

For accessing MySQL directly:

Username: root
Password: eLaStIx.2oo7


Important Note: This article is still under construction and I have not covered every security issue with this product installation; it is entirely your responsibility to make your Elastix installation secure.  I cannot be held responsible for any area I may have omitted or security hole found in the system.

Return to: Get your first Elastix system running.

4 comments to HowTo: Securing Elastix

  • I am not positive where you’re getting your info, but good topic. I need to spend a while learning much more or working out more. Thanks for the excellent info; I was in search of this information for my mission.

  • MR T

    Thanks for uploading all this useful information, good job.

  • Justin,

    Sorry for that. It pointed to an article that was scheduled for publication this morning. This has now happened, so the link to this document on SIP Trunks should work. It certainly does for me.

    When I added the cross link, I forgot it was a scheduled post, oops, definitely my fault. I often schedule most of my articles to be ‘published’ early on a Friday morning so I can have a ‘stock’ ready to go. But sometimes I cross reference them before they are published formally. I will try to be more observant in the future.

    Adam.

  • Justin

    Your link for “HowTo: Elastix Incoming SIP Trunk Calls” is dead. I did a search for “incoming” and the article wasn’t found that way either. I’d love to read your advice on setting that up if you have the article and just haven’t published it.
