vicidial.org

[B.lee2]

I know that vicidial on a VPS is a bad idea, but to make a long story short, I'm broke and on the move all the time.

What can I do to make the server as secure as possible?

The only person that would be doing the calling is myself and I'm planning to call from public wifi or the 3g network/some sort of wireless internet from the ISP videotron.

[Vince-0]

The most common attack interfaces are not Vicidial software as such. Check Asterisk basic security:

Code: Select all

http://blogs.digium.com/2009/03/28/sip-security/

Use basic security best practices like change default passwords for the web app and phones, install a firewall and fail2ban for Asterisk.

[williamconley]

I recommend Dynamic Good Guys which is now free (thanks to the clients who paid for it!).

http://www.viciwiki.com/index.php/DGG

There are instructions for a full lockdown on your server and then installation of DGG which allows for a secure link to access your server from anywhere. Newly added allowed IP addresses will be forgotten every morning at reboot so you don't even need to bother deleting those IPs when you are done using them.

[B.lee2]

so cool.

[DomeDan]

I would recommend using OpenVPN to prevent sending your data and passwords in cleartext in the air of a coffee shop.
and no one else in the coffee shop will be able to access your server as they would be able to do when using DGG.

[williamconley]

After all, so many coffee shop dwellers are intent on breaking into Vicidial servers. LOL. You could just install https on the server for admin access to avoid cleartext transmission. But at that point, unless you frequent Hacker coffee shops, your risk level is quite acceptable. Eventually SSL will be added to DGG for just such an occasion.

The goal, really, is to avoid allowing anyone anywhere access. The port scanning hordes are kept at bay. The standard install leaves the web/mysql/sip ports wide open to the world. DGG closes them and all other ports and only opens them for specific IP addresses. So instead of billions of possible intruders, you are reduced to a few. Suddenly the odds on an invasion attempt are reduced to a negligible number and the odds on a successful invasion are all but non-existent.

VPN still requires access to the server from the outside, and an open firewall port to listen for connect-attempts. That single open port allows the Hordes to know you have a server on this IP address, and worse yet the OpenVPN protocol is a known user/password scenario worthy of a brute force attack.

Combining the two would be useful. But then again, not much more secure than just adding https to DGG.

My opinion, of course.

[DomeDan]

user/pass should not be used with OpenVPN, keys and certificates is more secure.
a man in the middle could fake a certificate but then the openvpn client would complain, in a https case the red page would appear but the user is probably used to that warning page and just clicks accept

regarding the open port, doesnt DGG need port 81 to be open to be able to go to the secret link?

But then again, not much more secure than just adding https to DGG

remember that mysql and asterisk ports are opened to everyone on the network


Dont get me wrong, DGG is nice and good because its simple and blocks crawlers/spiders and other people just scanning the internet, but its not secure enough imo

[williamconley]

OpenVPN: user/pass "should not" be used in favor of key access, but that won't stop attempts at a brute force if the port is open just like any other situation: without the user/pass/cert they won't gain access, but they may (if they choose) attempt like crazy if they find the location to make the attempt. A lot of Vicidial down servers have resulted from DOS attacks that are merely brute force attacks that fail. Result is the same: Unusable server during the attack, and the owner has no control over when his server will be usable again.

DGG: user/pass is not obvious. Without the Link there is no location to send the user/pass request. No location to send your credentials: no brute force. So far I've not had a single report of a DOS or Brute Force attack (much less an invasion) after DGG is intalled. Not even an attempt.

OpenVPN: Opens a port to allow incoming connections to a known protocol. DGG: opens a port that allows connections ... but without the link, the location to send the login request is entirely unknown.

In either case, when https / ssl is in use, self-signed certificates will cause a red flag, but in all cases it would need to be worth the hackers time to invade the system in the first place. A man-in-the-middle attack is expensive to set up and requires some knowledge of the system being attacked.

The only difference between the two, really, is that VPN may use https by default, but that requires installation of VPN and https in the Vicidial server. With DGG, merely adding https to the server means it is not necessary to install VPN. There are users trying to hack VPN connections, just like any other, because there are so many out there using VPN these days. Once your computer is linked to the server, you can infect the server with a VPN connection because your computer is now on the same subnet as all the computers inside the VPN. But with DGG, all you have is a virtually impossible to hack web server. Simply because it will refuse to communicate with you at the base networking level unless you know the secret code BEFORE you know a valid user/pass.

I'm good with that.

I would only use VPN if I needed other services on the network or there was some form of SIP connection blocking in place. For instance, if I needed to access a printer or use an in-house chat system or Samba server. But if all I need is Vicidial, DGG is the way to go.

When the next client sponsors HTTPS/SSL, I'll put DGG up against your VPN and they'll come out even. Except that VPN will allow brute force where DGG won't. I've not heard of a single instance where brute force occurred without a login page to hit ... unless, of course, there was simply a grudge against the victim. But I have heard of brute force attacks against pretty much every known login protocol/page in use. There was a time that changing the port by the protocol would stop brute force, but now it is only a delay. Which is why we came up with the "can't guess it" login page name. If you can't find the login page ... you got no shot at an invasion in Vicidial. And unless you have a grudge against the victim, there's no reason to DOS the system without a page to brute force.

Not to mention, DGG is easy to install with Vicibox and will be included in GnuDial. OpenVPN is ... nice, but no one will say it's easy to install for newbies. LOL

[DomeDan]

found a major problem with openvpn, it tends to be sluggish sounds on high latency network / slow connections using sip and ulaw,
but well well, it was as far away as it could get, the other side of the world.. and maybe they used wifi, I'm not sure.
tried to set openvpn to use tcp instead but it didn't get better
but there is no problem in and around Sweden (have not tried wifi and mobile yet)

Think I'm gonna try DGG in production for those on the other side

[williamconley]

If the network has high latency, OpenVPN isn't the problem. Latency is ... VPN can't resolve latency issues, it is merely a security method. Unless you are saying the "sluggish sounds" were not present on the same pathway without the VPN?

[DomeDan]

Thats what I'm saying, without VPN there is still high latency but its no sluggish sound,

It get sluggish when the data needs to go though VPN, might be some kind of packet loss leveler in the codec or something thats not working in VPN
I don't know, but I guess I have to bite the bullit on this one

[williamconley]

probably because SIP traffic is higher priority than VPN. So you'll need to disallow all "non-sip" traffic through the VPN tunnel and change the VPN traffic to higher priority than SIP.

[isakovk]

Hello Vicidial enthusiasts,
This is my first post here.
I know i have to list my dialer credentials, but due to my issue i have used every single Vici version out there.
My office is a Vici box and internet circuit crusher.
What happens is : whenever my employees come to work and log in into the vici, it knock s down the internet circuit at the location of the server.
Creepy right!!!!!!! It happens on random occasions, there is no particular time.
It doesn't mater whether i have 4 employees calling or 20. My line dialing never goes above 180.
In the beginning i thought that i might be my isp, so i changed them, then changed it again, which led to me trying the following carriers:
Optimum online in NYC
Verizon DSL in NYC
Time Warner Cable NYC
Verizon Fios NYC
Cox California
AND 4 DIFFERENT VICI HOSTING FACILITY.
If anyone can help me with this issue, i will be very thank full.

P.S. Some one told me that it might be DOS attack.

[williamconley]

While I CAN vouch for the validity of this statement (having personally observed it), I must point out that you should create a new post and not hijack "Vicidial on VPS..." which is entirely unrelated.

I think you should fire up with a single agent for a day or two and see if the issue does not arise. if you have a "bad employee hacker" ... that could explain some of it (so don't let the other employees in on the experiment ...).

But honestly making the fiber go dark is a completely new experience. I would love to hear how that actually happens!