This article covers the initial steps in securing the default install of Elastix to make it more secure. You should complete this work even if your system is not accessible to the Internet.
If it is connected to the Internet, then not doing these basic security changes will leave your system wide open to attack! You have been warned.
Contents
- Changing the default Elastix Admin account password
- Changing the default FreePBX account password
- Setting strong secrets with Extensions
- Securing SIP accounts
- Prevention Tools
- Elastix default accounts
Changing the default Elastix Admin account password
First of all we need to change the default Elastix administration password. Connect to your Elastix appliance via the web interface and select System->User Management and then select Users from the left tabs:

Default user list for Elastix
Select the ‘admin’ user to update:

Default 'Admin' user details
Next click the ‘Edit’ button so you can make changes:

Default details for 'Admin' user
You need to enter a STRONG ‘Password’ and confirm it in the ‘Retype password’ box too. By strong, I mean the password should contain:
- Mixed upper and lower case characters
- Digits
- Basic symbols (e.g. !"£$%^&*()_=+-<>;:'@#~/? and so on)
- One or more space characters
While you are there, you could enter a suitable name (ie yours) for this account too in the ‘Name’ box:

New admin details
And finally click ‘Apply changes’ to save the new details. You will need to log in again after applying.
An alternative, more secure method is as follows:
- Create a new account with administration rights, with a name that does not indicate the purpose of the account.
- Set this account with a strong password.
- Test the account by logging off with Admin and logging in with your new account
- Use the new account to delete the original Admin account.
Note: Don’t lose the admin login details or you will be re-installing the software again!!
Changing the default FreePBX account password
Elastix depends on FreePBX quite a lot, and even provides an interface to the FreePBX console itself. This has a default username and password of admin and admin. We need to start the FreePBX console from within Elastix and change the account details. Follow the instructions here, and enter the default user name of admin and password of admin.
Now that you have entered the FreePBX console, you can change the admin account’s default password. Select the Admin tab from the top and the Setup tab from the top of the left panel. Finally choose Administrators to bring up the Administrators controls:

Administrators console
Select the admin user from the list on the right:

Selecting the default admin account
And the account details will be displayed:

The default admin account
You can now enter a suitably strong new administrator password (as detailed above) and then you can click the Submit Changes button at the bottom. You will then need to click the Apply Configuration Changes bar at the top to commit the change:

Committing the changes in FreePBX
You will be asked to confirm the changes:

Confirming the configuration changes
Click ‘Continue with reload’ to apply, and the changes will take effect. You can log out of the FreePBX console via the logout option in the top right of the console:

Logout from FreePBX console
As an improved security measure, you could create a new administrator account with the same details, but a new name and a suitably strong password and then delete the original.
Setting strong secrets with Extensions
Extensions are a massive risk to your system. Not because their accounts allow access to your system directly, but because they can be used to make calls. Having a weak ‘secret’ for an extension leaves your system wide open to fraudulent calls. Once an ‘extension’ has made a connection (either a physical VOIP phone or a soft phone), then they can start to make calls with that context. This is especially important if you open your firewall up to allow the connection of SIP and IAX based phones and trunks.
Any extension, once registered, can make calls. Which calls can be made depends on how you have set up your system. The best approach is to make sure every extension is as secure as possible, and this article will help achieve this goal.
Each extension that connects via the network, either a physical VOIP phone or a soft phone running on a PC, needs a shared ‘secret’ to connect to the Elastix. This ‘secret’ is entered whenever an extension is created and can be updated at any time within the settings of an extension.
Within the FreePBX part of Elastix, it is possible to configure the ‘Weak Passwords’ module to help identify poor passwords, but as it only performs very basic checks, it is not very helpful. And you need to enter the FreePBX console to work with it. So I will ignore this facility for the time being as many users don’t always want to leave Elastix.
Keeping the passwords strong on creation is probably the best way, rather than finding out afterwards. So create them strong in the first place.
I would suggest, where possible, to use a length of at least 8 characters. And use mixed upper case, lower case and digits. All of which are randomly created. Avoid using actual words, these can be easy to break. Also avoid taking a standard word and making it stronger. This will only delay the inevitable.
E.g. ‘mypassword’ being ‘strengthened’ to ‘MyP4$$w0rd’. These are easily broken as well.
As the secrets are stored in a text file, you need to avoid most special characters. You also need to be mindful of any limitations that the device may have. Often VOIP phones can only use digits as a secret because they have no method of entering letters or changing case.
If there are limitations, then increase the length to compensate, but don’t be silly. Trying to read out a 100 digit password over the phone to a user is not going to win any ‘brownie points’ for yourself. A maximum of 12 digits/letters is probably more than enough.
I have made a basic password generator available here to help. This does not pass any information back to me or anywhere else. It should be strong enough for most PBX extensions. Set up the type of password (without additional characters), set the length between 8 and 12 characters, and click ‘Generate Password’. Copy the result into the extension’s secret in the Elastix console and there you are.
If a user forgets a password, it is probably a good idea to generate a fresh password. This helps protect your system from ‘lost’ passwords written on bits of paper or in the back of a journal that get left in a taxi or on a train.
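As an added example (not the generator linked above, and not Elastix or FreePBX code), here is a small Python script that applies the rules from this section: it generates letters-and-digits secrets of 8 to 12 characters, offers a digits-only mode for handsets that cannot enter letters, and flags ‘strengthened’ dictionary words such as MyP4$$w0rd. The word list and substitution table are constructed stand-ins for a real dictionary.

```python
import re
import secrets
import string

# Constructed mini word list; a real checker would load a dictionary file.
WORDLIST = {"password", "secret", "elastix", "asterisk", "admin", "welcome"}
# Substitutions undone before the dictionary check ("P4$$w0rd" -> "password").
LEET = str.maketrans({"4": "a", "@": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})

def check_secret(secret, digits_only=False):
    """Return the reasons a secret is weak; an empty list means acceptable."""
    problems = []
    if len(secret) < 8:
        problems.append("shorter than 8 characters")
    if re.search(r"[^A-Za-z0-9]", secret):
        problems.append("contains characters that are unsafe in the config file")
    if digits_only:
        if not secret.isdigit():
            problems.append("handset can only enter digits")
    elif not (re.search(r"[a-z]", secret) and re.search(r"[A-Z]", secret)
              and re.search(r"[0-9]", secret)):
        problems.append("needs mixed upper case, lower case and digits")
    if len(set(secret)) < 4:
        problems.append("too few distinct characters")
    base = secret.translate(LEET).lower()       # "MyP4$$w0rd" -> "mypassword"
    for word in WORDLIST:
        if word in base:
            problems.append(f"built on the dictionary word '{word}'")
    return problems

def generate_secret(length=10, digits_only=False):
    """Random secret from letters and digits only (safe in Asterisk's text
    config). digits_only=True suits handsets that can only key in numbers;
    use the longer end of the 8-12 range to compensate."""
    if not 8 <= length <= 12:
        raise ValueError("keep the length between 8 and 12 characters")
    alphabet = string.digits if digits_only else string.ascii_letters + string.digits
    while True:                                  # retry until it passes the checks
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_secret(candidate, digits_only):
            return candidate

if __name__ == "__main__":
    for sample in ("mypassword", "MyP4$$w0rd", generate_secret(10)):
        print(sample, check_secret(sample) or "OK")
    print(generate_secret(12, digits_only=True))
```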
Securing SIP Accounts
SIP accounts are a major hacking point of Asterisk based systems, and Elastix is no exception, especially if you have SIP accounts that are open to the outside world of the Internet. Many hacking tools have been released over the last couple of years that make this an easy task for the Neanderthals out there.
Here are a few useful pointers taken from forums at Elastix and VOIP Tech:
Limit IP Source Addresses
If possible, don’t allow SIP connections from all IP addresses (the default). Add the “permit=” and “deny=” lines to the “sip_general_custom.conf” file via the Elastix->PBX->Tools->FileEditor.
This is a problem if you have roaming laptop users that will keep changing ISPs and thus source IP address. In this case you should ensure that other SIP security measures are strong enough.
Preventing SIP Extension Information Leakage
By default, Asterisk can leak back information to help hacking tools target your system and make better use of this information in reducing hacking times. Since about version 1.2 of Asterisk it is possible to block this information leak.
To prevent this leak in Elastix, add “alwaysauthreject=yes” to the “sip_general_custom.conf” file via the Elastix->PBX->Tools->FileEditor.
Use Strong Passwords for Secrets
Don’t depend on words that are easy for you to remember, they are also easy for hackers to break. See the article above about strong secrets: Setting strong secrets with Extensions.
Keep the AMI Manager ports blocked to the local sub-net
By default, Elastix has this already configured, with “deny=0.0.0.0/0.0.0.0” and “permit=127.0.0.1/255.255.255.0” applied in “manager.conf”; just remember not to override this setting in that file, or in “manager_additional.conf” or “manager_custom.conf”.
The password for AMI is pretty weak, I currently do not know how to harden this from the default.
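Added example (not part of the original article or of Elastix): a Python audit of the settings covered in the last three sections. It parses the Asterisk-style files, checks sip_general_custom.conf for alwaysauthreject=yes and for the deny/permit lines, and flags any permit= in manager.conf or its include files that opens the AMI beyond 127.0.0.1. The file contents are constructed samples, and the section names in them are assumptions.

```python
import re

def parse_asterisk_conf(text, default_section="general"):
    """Parse Asterisk ini-style text into {section: [(key, value), ...]}.
    Duplicates are kept (deny/permit may repeat). Lines before any [section]
    header, as in sip_general_custom.conf, are filed under default_section."""
    sections, current = {}, default_section
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()            # drop comments
        if not line or line.startswith("#include"):
            continue
        header = re.match(r"\[([^\]]+)\]", line)
        if header:
            current = header.group(1)
            continue
        if "=" in line:                                # "key=value" or "key => value"
            key, value = line.split("=", 1)
            sections.setdefault(current, []).append(
                (key.strip().lower(), value.lstrip(">").strip()))
    return sections

def audit_sip_general(text):
    """Findings for the [general] SIP settings discussed above."""
    general = parse_asterisk_conf(text).get("general", [])
    values = dict(general)                             # last occurrence wins
    findings = []
    if values.get("alwaysauthreject", "").lower() != "yes":
        findings.append("sip: alwaysauthreject is not 'yes'; extension enumeration is possible")
    if not any(key in ("deny", "permit") for key, _ in general):
        findings.append("sip: no deny/permit lines; SIP is accepted from any source address")
    return findings

def audit_manager(files):
    """files: {filename: content}; flags any AMI permit beyond the loopback address."""
    findings = []
    for name, text in files.items():
        for section, entries in parse_asterisk_conf(text).items():
            for key, value in entries:
                if key == "permit" and not value.startswith("127.0.0.1"):
                    findings.append(f"{name} [{section}]: permit={value} exposes AMI beyond localhost")
    return findings

# Constructed sample files (not copied from a real Elastix box).
SIP_CUSTOM_OK = "alwaysauthreject=yes\ndeny=0.0.0.0/0.0.0.0\npermit=192.0.2.0/255.255.255.0 ; office\n"
MANAGER_FILES = {
    "manager.conf": "[general]\nenabled=yes\nport=5038\n\n[admin]\nsecret=CHANGE-ME\n"
                    "deny=0.0.0.0/0.0.0.0\npermit=127.0.0.1/255.255.255.0\n",
    "manager_custom.conf": "[remote-tool]\nsecret=CHANGE-ME\npermit=0.0.0.0/0.0.0.0 ; opens AMI to the world\n",
}
```

Running audit_sip_general("") on the empty file Elastix ships reports both findings, audit_sip_general(SIP_CUSTOM_OK) reports none, and audit_manager(MANAGER_FILES) reports the override in manager_custom.conf.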
Anonymous inbound SIP calls
Elastix has the ability to accept anonymous inbound SIP calls via trunks. This setting, ‘Allow anonymous inbound SIP calls’, must be set to ‘NO’ at all times. You may use it to briefly test inbound SIP calls via trunks, just to get the initial processing correct, but remember to restore this setting after testing.
This setting is found here, near the bottom of the page:
PBX->PBX Configuration->Allow anonymous inbound SIP calls
In order to overcome the security imposed by this setting being ‘NO’, see this article: HowTo: Elastix Incoming SIP Trunk Calls.
With the ‘Allow Anonymous’ set to yes, the system will allow ANY call in via this SIP path. At best it will be annoying. At worst with DISA, the caller can make free calls via your system!
Example Hack
Here is a YouTube training video for a SIP hacking tool, ‘SIPAutoHack’. This shows you just how easy it is to do with the ‘free’ tools being offered.
Prevention Tools
If you have the necessary skills, then you could consider using one or more of the following tools to help defend your system:
- fail2ban, a log file scanner that performs blocking actions. An article on using this with Asterisk can be found here.
- DenyHosts is a very popular port blocker for many *nix distributions and may provide Elastix with additional protection.
I may consider writing articles to help the more novice Elastix administrator implement these utilities if there are requests.
MORE TO BE ADDED SHORTLY
Elastix Default Accounts
Initial entry at the Linux command line in VMware
Username: root
Password: palosanto
Initial access to the Web interface
Enter in the Web interface:
Username: admin
Password: palosanto
Initial access to third party applications
To use Sugar CRM:
Username: admin
Password: password
To use A2bill:
Username: admin
Password: mypassword
or
Username: root
Password: myroot
Operator Flash Panel (from 0.6 version):
Password: eLaStIx.2oo7
For accessing Freepbx (without being contracted) use:
Username: admin
Password: admin
For accessing vtigerCRM use:
Username: admin
Password: admin
For accessing MySQL directly
Username: root
Password: eLaStIx.2oo7
Important Note: This article is still under construction and I have not covered every security issue with this product installation; it is entirely your responsibility to make your Elastix installation secure. I cannot be held responsible for any area I may have omitted or security hole found in the system.
Justin,
Sorry for that. It pointed to an article that was scheduled for publication this morning. This has now happened, so the link to this document on SIP Trunks should work. It certainly does for me.
When I added the cross link, I forgot it was a scheduled post, oops, definitely my fault. I often schedule most of my articles to be ‘published’ early on a Friday morning so I can have a ‘stock’ ready to go. But sometimes I cross reference them before they are published formally. I will try to be more observant in the future.
Adam.
Your link for “HowTo: Elastix Incoming SIP Trunk Calls” is dead. I did a search for “incoming” and the article wasn’t found that way either. I’d love to read your advice on setting that up if you have the article and just haven’t published it.