UFW Rules for Vicidial Ubuntu

Any and all non-support discussions

Moderators: gerski, enjay, williamconley, Op3r, Staydog, gardo, mflorell, MJCoate, mcargile, Kumba, Michael_N

UFW Rules for Vicidial Ubuntu

Postby jlamconsulting » Wed Apr 27, 2011 8:40 am

Hello Everyone,
I am Looking to put together a step by step Tutorial for Either UFW or IPTables specific to a Vicidial Ubuntu installation. I would like to get this out there for Newbies like me that are learning and I havent found anything specific in the Forum/Wiki/Google. If anyone has contributions they would like to make it would be greatly appreciated!
Thanks
John
Install |Vicibox Redux |VERSION: 2.4-362a BUILD: 120316-1203 |Asterisk Version 1.4..21.2 |
jlamconsulting
 
Posts: 59
Joined: Thu Jan 06, 2011 11:15 am

Postby boybawang » Wed Apr 27, 2011 9:16 am

Here are some security measures I implement on the servers i maintain:


Fail2ban

Strong passwords on both user and softphone

Implement sip.conf security per extension by filling in the host=

On stand alone systems i set Bind_address = 127.0.0.1 on my.cnf

Limiting interface access, if your client just wants access on the webserver from their site then you disable it from the outside. Listen Address to local interface on apache configuration

Putting in an index.html file on /var/www/ and /var/www/agc/ and /var/www/vicidial/

Prevent root access from any point unless needed

Create a unique admin user with a different name other than admin

Change the username and password of cron on the mysql db
Vicidial Installation + Configuration + Support + Custom Development
Download my ebook on installing vicidial for free http://download.vicidial.com/ubuntu/VIC ... 100331.pdf
skype: deodax.cordova@gmail.com
m: +639172063730
boybawang
 
Posts: 989
Joined: Sat Nov 14, 2009 1:18 pm
Location: Dumaguete City, Negros Oriental, Philippines

Postby jlamconsulting » Wed Apr 27, 2011 9:35 am

Thank you for the response!
What Firewall do you use with your install?
Looking for steps / Commands to implement the Firewall and I will add the steps to implement the safeguards you posted to the Tutorial I am creating
Thanks again
Install |Vicibox Redux |VERSION: 2.4-362a BUILD: 120316-1203 |Asterisk Version 1.4..21.2 |
jlamconsulting
 
Posts: 59
Joined: Thu Jan 06, 2011 11:15 am

Postby williamconley » Wed Apr 27, 2011 10:00 am

Fail2Ban is a modifier for iptables (the two together constitute a firewall)
Vicidial Installation and Repair, plus Hosting and Colocation
Newest Product: Vicidial Agent Only Beep - Beta
http://www.PoundTeam.com # 352-269-0000 # +44(203) 769-2294
williamconley
 
Posts: 20258
Joined: Wed Oct 31, 2007 4:17 pm
Location: Davenport, FL (By Disney!)

Postby jlamconsulting » Wed Apr 27, 2011 11:02 am

Here is what I have put together so far:
Adding as I find answers, Any fill in the blanks experts out there :D

Security Steps for Hardening your Vicidial Installation on Ubuntu

Change SSH Port to something else

$ Nano /etc/ssh/sshd_config
Change the Port Number from 22 to something else that is not being used (Example 578)

$ ctrl + X and then Y to save

$ /etc/init.d/ssh reload

Login to putty using your new port

To make sure your new port is working before you delete port 22:

(Note: If you are remoting in / Add a new port first / /etc/init.d/ssh reload /Login to putty using the new port /
Delete port 22 / Save following instructions above / /etc/init.d/ssh reload


Disable Direct Root Access

Note: Make sure you have a User setup that has root access before performing this step,
To setup a new user follow these instructions:

To setup a new user, login as the root user and issue the following command;

$ adduser --ingroup groupname username

The adduser command will create a new user and the ingroup directive tells the command to create a user in a particular group. You will need to replace the groupname with the group you want the user to be in (by default use “users”), and username with the name for your new user.

Once you have created the new user you will need to grant it root privileges, to do that you will need to open the sudoers file by issuing the visudo command. Add the new user you created by adding this line to the sudo file.

Tip: Sudo in Linux also means “super user do”.

$ username ALL=(ALL) ALL

Replace the username with the user you created earlier. Once you have done that open a new terminal window and login with the new user, once you have logged in issue the command “sudo su”, this will allow you to sudo into the system as a super user. You will be prompted for a password, enter the same password you use for the user you logged in with, once everything goes fine you will become a root user.

Important Note: If you are not able to sudo su into the system, please follow the earlier steps to modify the user to become a super user. Unless you are sure you are able to sudo su into the system, DO NOT follow the steps below, you could practically screw up your system.

Once you are sure that you can access the system as root, you can now safely disable direct root login access to your system by following the steps below.

While you are logged in as root, open the file:

$ nano /etc/ssh/sshd_config

In the open file, search for the text PermitRootLogin, you should see “yes” as the value, change it to “no” and save the file.

Once you have done that issue the command;

$ /etc/init.d/ssh reload

This should reload the SSH configuration for your system, now before you close the root session, open a new terminal to confirm that root access has been disabled.


Install Fail2Ban

References:
http://www.fail2ban.org/wiki/index.php/Main_Page
http://setdosa.blogspot.com/2008/11/fai ... hardy.html
http://ubuntuforums.org/showthread.php?t=486890

$ sudo apt-get install fail2ban

Copy the file /etc/fail2ban/jail.conf to /etc/fail2ban/jail.local

$ cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

For Editing use this command (For tips refer to http://setdosa.blogspot.com/2008/11/fai ... hardy.html

$ nano /etc/fail2ban/jail.local

After Editing Restart

$ sudo /etc/init.d/fail2ban restart

Open File

$ nano /etc/fail2ban/filter.d/proftpd.conf file

Replace the Following:

failregex = \(\S+\[<HOST>\]\)[: -]+ USER \S+: no such user found from \S+ \[[0-9.]+\] to \S+:\S+$
\(\S+\[<HOST>\]\)[: -]+ USER \S+ \(Login failed\): Incorrect password\.$
\(\S+\[<HOST>\]\)[: -]+ SECURITY VIOLATION: \S+ login attempted\.$

With:

failregex = \(\S+\[<HOST>\]\)[: -]+ USER \S+: no such user found from \S+ \[[0-9.]+\] to \S+:\S+$
\(\S+\[<HOST>\]\)[: -]+ USER \S+ \(Login failed\): Incorrect password\.$
\(\S+\[<HOST>\]\)[: -]+ SECURITY VIOLATION: \S+ login attempted\.$
\(\S+\[<HOST>\]\)[: -]+ Maximum login attempts \(\d+\) exceeded$
USER \S+: no such user found from \S* ?\[<HOST>\] to \S+\s*$

Exit and save

Change the symbolic link for sh from dash to bash

$ sudo ln -sf /bin/bash /bin/sh

In Vicidial Admin

Set Strong Passwords for Both User and Phone Logins in Vicidial







For UFW













For IP Tables
Install |Vicibox Redux |VERSION: 2.4-362a BUILD: 120316-1203 |Asterisk Version 1.4..21.2 |
jlamconsulting
 
Posts: 59
Joined: Thu Jan 06, 2011 11:15 am

Postby williamconley » Wed Apr 27, 2011 11:14 am

Be careful with Fail2Ban ... it has a tendency to "lock out" a user in a call center (bad phone registration? bad login attempts by a manager who forgot his pwd?) thus locking out the ENTIRE call center because of the shared IP.
Vicidial Installation and Repair, plus Hosting and Colocation
Newest Product: Vicidial Agent Only Beep - Beta
http://www.PoundTeam.com # 352-269-0000 # +44(203) 769-2294
williamconley
 
Posts: 20258
Joined: Wed Oct 31, 2007 4:17 pm
Location: Davenport, FL (By Disney!)

Postby jlamconsulting » Wed Apr 27, 2011 11:27 am

Good Point I am adding a section I found on unblocking ips and setting trusted ips
Install |Vicibox Redux |VERSION: 2.4-362a BUILD: 120316-1203 |Asterisk Version 1.4..21.2 |
jlamconsulting
 
Posts: 59
Joined: Thu Jan 06, 2011 11:15 am


Return to General Discussion

Who is online

Users browsing this forum: No registered users and 45 guests