Wednesday, January 12, 2011

Important Security Tips for Linux

1) Use strong passwords: We can't stress this one enough: use strong
passwords! One of the first things many people do after installing their PBX
is create a phone extension with an easy password. Avoid short or weak
extension passwords. Use passwords of at least 8 characters, including a mix
of upper and lower case letters along with digits, and change them
periodically, every 2-3 months at most.

2) Public Internet: Avoid leaving your PBX systems, ATA adapters and IP
phones open to the internet. Do not use DMZ mode on your router and do not
forward ports to your equipment unless you absolutely know what you are
doing. This is only needed in specific cases; only leave equipment open to
the internet if you have experience in properly managing the security of
internet-facing equipment.

3) Asterisk tweak: If you are using an Asterisk-based PBX, add the
following line to the sip.conf file under the [general] section and issue a
reload:

alwaysauthreject = yes

What this parameter does is make Asterisk always return an authentication
error instead of a "404 Not Found", even when the extension doesn't exist. A
scanner can then no longer tell existing extensions from non-existent ones,
which steps up the difficulty for brute-force scanners attacking your PBX.
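The two sip.conf checks from tips 1 and 3 can be scripted. The following is an added example, not code from the original post: it parses the [section]/key=value layout of sip.conf, flags a missing alwaysauthreject=yes in [general], and tests every peer's secret against the password policy stated above (at least 8 characters, upper and lower case, digits). The sample sip.conf is constructed for illustration; the extensions and secrets in it are made up.

```python
"""Audit an Asterisk sip.conf for alwaysauthreject and weak extension secrets.
Added example; the sample configuration below is constructed, not a real file."""
import re

# Constructed sample sip.conf: [general] lacks alwaysauthreject and
# extension 1001 uses its own number as its secret (a common weak choice).
SAMPLE_SIP_CONF = """\
[general]
context=default
; alwaysauthreject is missing here on purpose

[1001]
type=friend
secret=1001
context=internal

[1002]
type=friend
secret=Kq7mZp2vXw9t
context=internal
"""


def parse_sip_conf(text):
    """Parse the [section] / key=value layout into a dict of dicts.
    ';' comments and blank lines are ignored; keys are lower-cased."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^\[([^\]]+)\]$", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        if "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections


def password_is_strong(secret):
    """Policy from tip 1: at least 8 characters with upper, lower and digits."""
    return (len(secret) >= 8
            and re.search(r"[A-Z]", secret) is not None
            and re.search(r"[a-z]", secret) is not None
            and re.search(r"[0-9]", secret) is not None)


def audit_sip_conf(text):
    """Return a list of findings (one string each) for the given sip.conf text."""
    findings = []
    sections = parse_sip_conf(text)
    general = sections.get("general", {})
    if general.get("alwaysauthreject", "no").lower() != "yes":
        findings.append("[general]: alwaysauthreject is not set to yes")
    for name, opts in sections.items():
        if name == "general":
            continue
        secret = opts.get("secret")
        if secret is None:
            continue  # peers without a secret are out of scope for this check
        if secret == name:
            findings.append(f"[{name}]: secret equals the extension number")
        elif not password_is_strong(secret):
            findings.append(f"[{name}]: secret does not meet the policy")
    return findings


if __name__ == "__main__":
    for finding in audit_sip_conf(SAMPLE_SIP_CONF):
        print(finding)
```

Run it against a copy of the live sip.conf and fix every finding before exposing the PBX to any network; an empty result means both checks pass.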

4) Trixbox, PBX in a Flash and other web-interface-based PBXs: Change the
default password. Different flavors of PBX installs come with default
administration passwords. Make sure to change the default passwords
immediately after your installation, and also make sure the web interface is
not reachable from the internet.

5) PBX dial plan: Do you make international calls? If not, do not allow
international calls to be placed from your PBX. In Asterisk, remove the
_011. or _00. patterns, and never use _. (it matches everything). If you
only call a few countries on a regular basis, enable those countries only.
For example, if the only country you call is the UK, configure only _01144.
in your dialplan.
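To see concretely what each of these patterns admits, the following added example (not part of the original post) translates Asterisk's extension-pattern syntax into regular expressions and checks a few constructed dialed numbers against them. The pattern semantics used are Asterisk's documented ones (a leading underscore marks a pattern; X is any digit, Z is 1-9, N is 2-9, [..] is a set or range, "." matches one or more characters and "!" zero or more); the test numbers are made up.

```python
"""Show which dialed numbers Asterisk dialplan patterns admit.
Added example; the patterns and dialed numbers below are constructed."""
import re


def pattern_to_regex(pattern):
    """Translate an Asterisk extension pattern into a compiled regex.
    Without a leading '_' the extension is a literal and must match exactly."""
    if not pattern.startswith("_"):
        return re.compile(re.escape(pattern) + r"\Z")
    out = []
    i = 1
    while i < len(pattern):
        ch = pattern[i]
        if ch == "X":
            out.append("[0-9]")
        elif ch == "Z":
            out.append("[1-9]")
        elif ch == "N":
            out.append("[2-9]")
        elif ch == "[":
            end = pattern.index("]", i)
            out.append("[" + pattern[i + 1:end] + "]")
            i = end
        elif ch == ".":
            out.append(".+")   # one or more characters
        elif ch == "!":
            out.append(".*")   # zero or more characters
        else:
            out.append(re.escape(ch))
        i += 1
    return re.compile("".join(out) + r"\Z")


def matches(pattern, dialed):
    """True if the dialed string is admitted by the pattern."""
    return pattern_to_regex(pattern).match(dialed) is not None


def allowed_destinations(patterns, dialed_numbers):
    """Return the dialed numbers admitted by at least one of the patterns."""
    return [n for n in dialed_numbers if any(matches(p, n) for p in patterns)]


# Constructed dialed numbers: a UK call via the 011 prefix, a call to another
# country, and a 7-digit local number.
CALLS = ["011442079460000", "011331234567890", "5551234"]

if __name__ == "__main__":
    for patterns in (["_."], ["_011."], ["_01144.", "_NXXXXXX"]):
        print(patterns, "->", allowed_destinations(patterns, CALLS))
```

The catch-all _. admits every one of the constructed calls (and, because "." matches any character, also non-numeric extensions), _011. still admits every international destination, and only the combination of _01144. with a local-number pattern restricts outbound calls to the UK plus local numbers.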

6) Use additional caution while travelling: Do you plan on using a
softphone at a random internet cafe? Make sure you remove your login details
after using it, and uninstall the software if possible.

7) Asterisk and Fail2ban: As an additional step you can install a security
tool such as fail2ban, a free brute-force detection system: it scans the log
files of your PBX and takes action (for example, blocking the source address
with iptables) based on the entries in those logs.
(http://www.voip-info.org/wiki/view/Fail2Ban+%28with+iptables%29+And+Asterisk)
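The detection that fail2ban performs on the Asterisk log is simple enough to show end to end. The following added example (not fail2ban's own code and not from the original post) reads constructed lines in the layout of the chan_sip NOTICE messages that Asterisk writes to /var/log/asterisk/messages on a failed registration, counts failures per source address, and reports addresses that reach maxretry failures inside a findtime window, which mirrors the meaning of those two fail2ban settings. The log lines and addresses are constructed, the year is assumed because the log format omits it, and ban_command returns the iptables rule fail2ban's iptables action would insert.

```python
"""Fail2ban-style detection of SIP registration brute force in an Asterisk log.
Added example; the log lines below are constructed, not real captures."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed log lines in the layout of Asterisk's chan_sip failure notices.
# 198.51.100.7 fails five times in three seconds; 192.0.2.55 fails twice, 85 minutes apart.
SAMPLE_LOG = """\
[Jan 12 10:15:01] NOTICE[2210] chan_sip.c: Registration from '"100" <sip:100@192.0.2.10>' failed for '198.51.100.7:5060' - Wrong password
[Jan 12 10:15:02] NOTICE[2210] chan_sip.c: Registration from '"101" <sip:101@192.0.2.10>' failed for '198.51.100.7:5060' - No matching peer found
[Jan 12 10:15:02] NOTICE[2210] chan_sip.c: Registration from '"102" <sip:102@192.0.2.10>' failed for '198.51.100.7:5060' - No matching peer found
[Jan 12 10:15:03] NOTICE[2210] chan_sip.c: Registration from '"103" <sip:103@192.0.2.10>' failed for '198.51.100.7:5060' - Wrong password
[Jan 12 10:15:03] NOTICE[2210] chan_sip.c: Registration from '"104" <sip:104@192.0.2.10>' failed for '198.51.100.7:5060' - Wrong password
[Jan 12 10:20:11] NOTICE[2210] chan_sip.c: Registration from '"201" <sip:201@192.0.2.10>' failed for '192.0.2.55:5060' - Wrong password
[Jan 12 11:45:00] NOTICE[2210] chan_sip.c: Registration from '"201" <sip:201@192.0.2.10>' failed for '192.0.2.55:5060' - Wrong password
"""

LINE_RE = re.compile(
    r"^\[(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '.*' failed for '(?P<host>[0-9.]+)(?::\d+)?' - "
    r"(?P<reason>Wrong password|No matching peer found)$"
)


def parse_failures(log_text, year=2011):
    """Return (timestamp, host, reason) for each failed-registration line.
    The year is assumed because the Asterisk log format does not record it."""
    failures = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        failures.append((ts, m.group("host"), m.group("reason")))
    return failures


def find_offenders(log_text, maxretry=5, findtime=600):
    """Return {host: failures} for hosts with at least maxretry failures inside
    a sliding window of findtime seconds (fail2ban's maxretry/findtime)."""
    by_host = defaultdict(list)
    for ts, host, _reason in parse_failures(log_text):
        by_host[host].append(ts)
    offenders = {}
    for host, stamps in by_host.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while (ts - stamps[start]).total_seconds() > findtime:
                start += 1
            window = end - start + 1
            if window >= maxretry:
                offenders[host] = max(offenders.get(host, 0), window)
    return offenders


def ban_command(host):
    """The iptables rule fail2ban's iptables action inserts for a banned host."""
    return f"iptables -I INPUT -s {host} -j DROP"


if __name__ == "__main__":
    for host, count in find_offenders(SAMPLE_LOG).items():
        print(f"{host}: {count} failures ->", ban_command(host))
```

With the defaults only the rapid-fire source is reported; the two failures from the second address fall outside any ten-minute window, which is the point of findtime: a legitimate user who mistypes a password twice an hour apart should not be banned. Tightening maxretry without widening findtime does not change that.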
