
How to make a goautodial server safer based on centos

Posted: Thu Sep 29, 2011 3:03 am
by trandos
First of all, I make this post without any guarantee that it will block ALL hackers, but it will block some of them.
At this point I want to say thanks to WILLIAM for all of his help during installations and issues with vicidial and goautodial!

After a new installation of goautodial I have made these changes:
Change your root password:
Log in as root from the command line and type: passwd, then enter the same password 2 times and you are done.

ADMIN-phones:
First deactivate all phones, activate only the ones in use, and change the passwords to strong passwords.
Templates: in templates I use the deny/permit option to allow only my office IP to connect to the server:
deny=0.0.0.0/0.0.0.0 (this blocks all IPs)
permit=XX.XX.XX.XXX/255.255.255.0 (these are the IPs allowed; put your IPs here instead of X)
permit=XXX.XXX.XXX.XXX/255.255.255.0 (for a second IP use a new line with permit)

I always used the deny/permit in the carrier settings too; put the same in your carrier Account Entry:
deny=0.0.0.0/0.0.0.0 (this blocks all IPs)
permit=XX.XX.XX.XXX/255.255.255.0 (these are the IPs allowed; put your IPs here instead of X)
permit=XXX.XXX.XXX.XXX/255.255.255.0 (for a second IP use a new line with permit)

So after that is done, I went into etc/asterisk/sip.conf and made these changes:

allowguest=no (this is a security problem in vicidial and has to be set to no)
You also have to put allow=g729 if you will use it.
alwaysauthreject = yes (change this to yes)


After that, I will now give you a way to install fail2ban on your server:

1. Get the files
cd to /tmp for a nice place for them to land, then
wget http://sourceforge.net/projects/fail2ba ... 2/download
2. Extract them
tar -xf fail2ban-0.8.4.tar.bz2
3. Head to the new directory and install
cd fail2ban-0.8.4
then (you need to have python installed)…
python setup.py install
All installed ok?
4. Get it starting up automatically
cp files/redhat-initd /etc/init.d/fail2ban
chkconfig --add fail2ban
chkconfig fail2ban on
5. Config
You’ll need to turn some stuff on, and fiddle with settings to your liking in:
/etc/fail2ban/jail.conf
If you’re enabling SSH-iptables, then the path for SSH monitoring needs to be changed to /var/log/secure
You can determine the services being monitored, number of retries a user is allowed, as well as the ban time in this settings file.
Once you’re configured, start the service with:
service fail2ban start
And you’re done.



Configure Fail2Ban for Asterisk
First we need to create a configuration file for Fail2Ban so it can understand the logfiles of Asterisk and get IP addresses from it to ban. Create the configuration as follows.
vi /etc/fail2ban/filter.d/asterisk.conf
Fill this configuration with the following text.



# Fail2Ban configuration file
#
#
# $Revision: 250 $
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
#before = common.conf


[Definition]

#_daemon = asterisk

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT
#

failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - No matching peer found
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Username/auth name mismatch
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Device does not match ACL
            NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Peer is not supposed to register
            NOTICE.* <HOST> failed to authenticate as '.*'$
            NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
            NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)
            NOTICE.* .*: Failed to authenticate user .*@<HOST>.*

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
Next edit /etc/fail2ban/jail.conf
vi /etc/fail2ban/jail.conf
Add the following section so that it uses the new filter. This example does a 3-day ban (set to -1 for always ban) on the IP that performed the attack (bantime). It is recommended to set the bantime in the [DEFAULT] section so it affects all attacks. It is also recommended to turn on an iptables ban for ssh, httpd/apache, and ftp if they are running on the system. Be sure to edit the sendmail-whois action to send notifications to an appropriate address.

[asterisk-iptables]

enabled = true
filter = asterisk
action = iptables-allports[name=ASTERISK, protocol=all]
         sendmail-whois[name=ASTERISK, dest=root, sender=fail2ban@example.org]
logpath = /var/log/asterisk/full
maxretry = 5
bantime = 259200

Note that your logpath can be different depending on your solution. You can check it in the file /etc/asterisk/logger.conf.
Exclude yourself from being banned by opening jail.conf.

vi /etc/fail2ban/jail.conf

Add your IP addresses and every other IP address you want to be ignored into the ignore sections, for example.

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 192.168.1.1/24 188.188.2.2 199.199.0.3

Asterisk logging
We must change how Asterisk does its time stamp for logging. The default format does not work with Fail2Ban because the pattern Fail2Ban uses that would match this format has a beginning of line character (^), and Asterisk puts its date/time inside of []. The other formats that Fail2Ban supports, however, do not have this character and can be used with Asterisk.

To change this format, open /etc/asterisk/logger.conf
vi /etc/asterisk/logger.conf
Add the following line under [general] section (You may have to create this before the [logfiles] section). This causes the date and time to be formatted as Year-Month-Day Hour:Minute:Second, [2008-10-01 13:40:04] for example.

[general]
dateformat=%F %T

Then reload the logger module for Asterisk. At the command line of your Asterisk server, run the following command as root:

asterisk -rx "logger reload"


Finalize your setup
If iptables is not running yet, start it. (You need to be root)
/etc/init.d/iptables start
Then start Fail2Ban as follows (only for the user root)
/etc/init.d/fail2ban start


Check your installation
If iptables and fail2ban started properly, please execute the next command.
iptables -L -v
You should see something like the following for the INPUT chain (you will see more if you have other Fail2Ban filters enabled):

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target             prot opt in   out  source    destination
2104K  414M fail2ban-ASTERISK  all  --  any  any  anywhere  anywhere
If you do not see something similar to that, then you have some troubleshooting to do; check out /var/log/fail2ban.log.


Now you are a little bit safer on the net with your server.

It would be a very big help to me if someone could help to configure fail2ban for the other services running on the standard configuration of Goautodial 2.1final.

Or to post a howto for changing the cron user password in all folders needed, to be safer. I think the cron is a big security problem anyway.



Have fun
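
An added example, not part of the original post: the nine failregex lines from filter.d/asterisk.conf above, run over constructed log lines to see which hosts reach maxretry = 5 and how ignoreip removes an address from the result. The sample lines and addresses are made up, and skipping lines that lack the %F %T timestamp is an assumption that models the post's point about the default Asterisk date format.

```python
import ipaddress
import re
from collections import Counter

# <HOST> expands to the pattern quoted in the filter file's own comment.
HOST = r"(?:::f{4,6}:)?(?P<host>\S+)"
FAILREGEX = r"""
NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password
NOTICE.* .*: Registration from '.*' failed for '<HOST>' - No matching peer found
NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Username/auth name mismatch
NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Device does not match ACL
NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Peer is not supposed to register
NOTICE.* <HOST> failed to authenticate as '.*'$
NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)
NOTICE.* .*: Failed to authenticate user .*@<HOST>.*
""".split("\n")[1:-1]
COMPILED = [re.compile(p.replace("<HOST>", HOST)) for p in FAILREGEX]
STAMP = re.compile(r"^\[\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\] ")  # dateformat=%F %T

# Constructed sample lines (not from a real server); the last entry uses the default timestamp.
LINE = ("[2011-09-29 03:03:%02d] NOTICE[2578] chan_sip.c: Registration from "
        "'\"100\" <sip:100@198.51.100.10>' failed for '%s' - %s")
SAMPLE = (
    [LINE % (s, "203.0.113.7", "Wrong password") for s in range(3)]
    + [LINE % (s, "203.0.113.7", "No matching peer found") for s in range(3, 5)]
    + [LINE % (s, "192.168.1.50", "Wrong password") for s in range(10, 16)]
    + [LINE % (20, "198.51.100.99", "Wrong password")]
    + ["[Sep 29 03:03:30] NOTICE[2578] chan_sip.c: Registration from "
       "'<sip:100@198.51.100.10>' failed for '203.0.113.200' - Wrong password"] * 6
)

def failures(lines):
    hits = Counter()  # captured host -> number of matching lines
    for line in lines:
        if STAMP.match(line):  # assumption: lines without a %F %T stamp are not counted
            m = next(filter(None, (rx.search(line) for rx in COMPILED)), None)
            if m:
                hits[m.group("host")] += 1
    return hits

def ignored(host, ignoreip):  # entries are single addresses or CIDR, as in jail.conf
    return any(ipaddress.ip_address(host) in ipaddress.ip_network(n, strict=False)
               for n in ignoreip)

def to_ban(lines, maxretry=5, ignoreip=()):
    return sorted(h for h, n in failures(lines).items()
                  if n >= maxretry and not ignored(h, ignoreip))
```

On a live server, fail2ban's own checker does the same job against the real files: fail2ban-regex /var/log/asterisk/full /etc/fail2ban/filter.d/asterisk.conf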

Posted: Thu Sep 29, 2011 11:40 am
by sofcall
Hi.

Very helpful, thank you very much.

Posted: Thu Sep 29, 2011 12:29 pm
by trandos
you are welcome

Posted: Thu Sep 29, 2011 4:43 pm
by trandos
Sorry, but I forgot to say that in phones you have to use the (sip) template for all active phones to use the deny allow option.

And you can insert a line like this in etc/ssh/sshd_conf

AllowUsers root@XXX.XX.XXX.XX (replace the X with your IP address)


This says that root can only connect to ssh via the IP address you insert; that means if you have the right password but not the right IP address, you cannot log in as root.
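
An added example, not part of the original posts: a small model of how the deny/permit template lines from the first post are evaluated, assuming Asterisk's behaviour of checking every rule in order and letting the last matching one decide. It shows that a 255.255.255.0 mask admits the whole /24 around the office address, that 255.255.255.255 limits it to one host, and that putting deny after permit blocks everyone. The addresses are constructed stand-ins for the X placeholders.

```python
import ipaddress

def parse_acl(text):
    """Return [(sense, network)] for deny=/permit= lines, in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts an Asterisk config comment
        key, sep, value = line.partition("=")
        if sep and key.strip() in ("deny", "permit"):
            # strict=False masks the host bits: X.X.X.25/255.255.255.0 is the whole /24
            rules.append((key.strip(), ipaddress.ip_network(value.strip(), strict=False)))
    return rules

def allowed(rules, addr):
    """Every rule is checked; the last one that matches decides; no match allows."""
    ip = ipaddress.ip_address(addr)
    verdict = True
    for sense, net in rules:
        if ip in net:
            verdict = sense == "permit"
    return verdict

# Constructed addresses (documentation ranges), standing in for the X placeholders.
AS_POSTED = """
deny=0.0.0.0/0.0.0.0
permit=198.51.100.25/255.255.255.0   ; office
"""
SINGLE_HOST = """
deny=0.0.0.0/0.0.0.0
permit=198.51.100.25/255.255.255.255
"""
WRONG_ORDER = """
permit=198.51.100.25/255.255.255.0
deny=0.0.0.0/0.0.0.0
"""

def report(acl_text, addrs=("198.51.100.25", "198.51.100.200", "203.0.113.7")):
    """Map each test address to True (allowed) or False (rejected)."""
    rules = parse_acl(acl_text)
    return {a: allowed(rules, a) for a in addrs}
```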

Re: How to make a goautodial server safer based on centos

Posted: Mon Apr 17, 2017 5:54 am
by SPAMSAM
I vote sticky