Help with security

All installation and configuration problems and questions

Moderators: gerski, enjay, williamconley, Op3r, Staydog, gardo, mflorell, MJCoate, mcargile, Kumba, Michael_N

Help with security

Postby iboam » Sat Sep 24, 2016 1:45 am

Hi i recently installed a cluster server 1 DB/Web and 2 Telephony Servers, i need some help with the security, all the information i have found about fail2ban is from 3 - 5 years old, there is any fail2ban guide updated ??? i tried DGG but when the installation ask for root password (i dont know) always says that database could not be created .....

i have the DB/Web without firewall because when internal firewall is active the telephony server does not connect. The telephony server has firewall. what is the best way to link servers ???

[Sep 24 02:33:09] NOTICE[1697]: chan_sip.c:28480 handle_request_register: Registration from '"301" <sip:301@XXX.XXX.XXX.XXX>' failed for '213.202.233.167:5071' - Wrong password
[Sep 24 02:33:19] NOTICE[1697]: chan_sip.c:28480 handle_request_register: Registration from '"1002" <sip:1002@XXX.XXX.XXX.XXX>' failed for '213.202.233.167:5062' - Wrong password
[Sep 24 02:33:23] NOTICE[1697]: chan_sip.c:28480 handle_request_register: Registration from '"6002" <sip:6002@XXX.XXX.XXX.XXX>' failed for '213.202.233.167:5101' - Wrong password
[Sep 24 02:33:30] NOTICE[1697]: chan_sip.c:28480 handle_request_register: Registration from '"202" <sip:202@XXX.XXX.XXX.XXX>' failed for '213.202.233.167:5114' - Wrong password
[Sep 24 02:33:30] NOTICE[1697]: chan_sip.c:28480 handle_request_register: Registration from '"6668" <sip:6668@XXX.XXX.XXX.XXX>' failed for '213.202.233.167:5117' - Wrong password
[Sep 24 02:33:43] NOTICE[1697]: chan_sip.c:28480 handle_request_register: Registration from '"2001" <sip:2001@XXX.XXX.XXX.XXX>' failed for '213.202.233.167:5075' - Wrong password
[Sep 24 02:33:47] NOTICE[1697]: chan_sip.c:28480 handle_request_register: Registration from '"602" <sip:602@XXX.XXX.XXX.XXX>' failed for '213.202.233.167:5068' - Wrong password
[Sep 24 02:34:01] NOTICE[1697]: chan_sip.c:28480 handle_request_register: Registration from '"8002" <sip:8002@XXX.XXX.XXX.XXX>' failed for '213.202.233.167:5069' - Wrong password


Thanks in advance
ViciBox: 11 | VERSION: 2.14-897a BUILD: 230927-0857 | Clusters: 1 DB-WEB-ASTX | SSL | WebRTC | Wallboard | DNC Nightly Scrubber
iboam
 
Posts: 258
Joined: Mon Feb 08, 2016 2:35 pm

Re: Help with security

Postby covarrubiasgg » Sat Sep 24, 2016 3:39 pm

If you have remote agents I would rather keep digging with DGG than going down for a fail2ban setup.

But remember, this is only needed if you are using remote agents, if you are not using home agents, then you only need to properly setup your firewall.

Assign you LAN interface as Internal and your WAN as external, then add custom rules to allow ONLY your carriers, that is a whitelist firewall.

If you are having issues in your LAN when turning on your firewall is because it is not properly set.
covarrubiasgg
 
Posts: 420
Joined: Thu Jun 10, 2010 10:20 am
Location: Tijuana, Mexico

Re: Help with security

Postby iboam » Sat Sep 24, 2016 3:54 pm

Thanks for your rapid response. Some times all Agents are not at one location, so it's better with fail2ban or DGG ??

I just made the changes
LAN interface are Internal and WAN are external


Now all servers has firewall on, but cant open asterisk @ dialer servers
asterisk -r
Unable to connect to remote asterisk (does /run/asterisk/asterisk.ctl exist?)
Last edited by iboam on Sat Sep 24, 2016 4:26 pm, edited 1 time in total.
ViciBox: 11 | VERSION: 2.14-897a BUILD: 230927-0857 | Clusters: 1 DB-WEB-ASTX | SSL | WebRTC | Wallboard | DNC Nightly Scrubber
iboam
 
Posts: 258
Joined: Mon Feb 08, 2016 2:35 pm

Re: Help with security

Postby covarrubiasgg » Sat Sep 24, 2016 4:26 pm

I prefer DGG
covarrubiasgg
 
Posts: 420
Joined: Thu Jun 10, 2010 10:20 am
Location: Tijuana, Mexico

Re: Help with security

Postby iboam » Sat Sep 24, 2016 4:27 pm

cant open asterisk @ dialer servers
asterisk -r
Unable to connect to remote asterisk (does /run/asterisk/asterisk.ctl exist?)
ViciBox: 11 | VERSION: 2.14-897a BUILD: 230927-0857 | Clusters: 1 DB-WEB-ASTX | SSL | WebRTC | Wallboard | DNC Nightly Scrubber
iboam
 
Posts: 258
Joined: Mon Feb 08, 2016 2:35 pm

Re: Help with security

Postby iboam » Sat Sep 24, 2016 4:33 pm

covarrubiasgg wrote:I prefer DGG


it should be installed in all servers or just dialer servers ?
what is the mysql root password ??
what is the login and password for the dgg page ??
ViciBox: 11 | VERSION: 2.14-897a BUILD: 230927-0857 | Clusters: 1 DB-WEB-ASTX | SSL | WebRTC | Wallboard | DNC Nightly Scrubber
iboam
 
Posts: 258
Joined: Mon Feb 08, 2016 2:35 pm

Re: Help with security

Postby many83 » Thu Nov 10, 2016 12:19 pm

Manual for used or activated fail2ban?
many83
 
Posts: 3
Joined: Fri Aug 26, 2016 12:09 pm

Re: Help with security

Postby Noah » Fri Nov 11, 2016 12:57 pm

We use a hard code iptables rule set that keeps everyone out. Packet drops, and no one knows you are running asterisk or SIP register server.
And then implement a unlock process with php to add a rule to the iptables to allow access.
Not one security issue in 5 years.

All the best - Noah
MyCallCloud.com - Cool Vici Customizations - Hosted - Configured - Supported
Web: https://mycallcloud.com
P: 888-663-0760
E: sales@mycallcloud.com
Noah
 
Posts: 90
Joined: Tue Feb 08, 2011 7:14 pm

Re: Help with security

Postby iboam » Fri Nov 11, 2016 1:59 pm

Could you share how to use iptables and fail2ban ??
ViciBox: 11 | VERSION: 2.14-897a BUILD: 230927-0857 | Clusters: 1 DB-WEB-ASTX | SSL | WebRTC | Wallboard | DNC Nightly Scrubber
iboam
 
Posts: 258
Joined: Mon Feb 08, 2016 2:35 pm


Return to Support

Who is online

Users browsing this forum: Google [Bot] and 145 guests