security

Postby stevieo3 » Tue Nov 23, 2010 1:27 pm

Some Ratbag logged into my server and ran up £179 worth of calls in 2 hours before my provider locked my account.

I have GoAutoDial installed. Is there a thread or tutorial that explains how to reset all passwords for noobs? I think this should be a sticky and a requirement to post.

I think this is important as these scumbags will hit every new person who installs Vicidial and doesn't know how to change the passwords on their server.

I had changed my admin password and phone passwords but not the Asterisk password, root & vicidialnow, as I was just about to find out how to do it. My carrier had only been in my server for about 4 hours. lol

How secure is Vicidial when you have all passwords changed? Is it still easily hackable?

Regards

Stephen

goautodial from .iso | Vicidial 2.2.1-237 Build 100510-2015| Asterisk 1.4.27.1-vici | Single Server | No Digium/Sangoma Hardware | No Extra Software
stevieo3
 
Posts: 48
Joined: Wed Oct 20, 2010 9:46 am

Postby williamconley » Tue Nov 23, 2010 4:05 pm

1) Vicibox requires the creation of a root password while building the machine (one of those steps skipped during a fully automated installation!)

2) entering "passwd" while logged in as root resolves this issue.

3) iptables can be used to "lock out" everyone who should not be on the box (as in: if you are not in our list of good IP addresses, you cannot even verify the existence of the box, much less log in). We have a functional version of this we have not yet had time to publish. It still allows the server to "reach out" and allow anyone you designate (like registering to a SIP server, for instance), and it does not slow down existing connections at all. It just checks for "good guys" at the initiation of a new connection.

4) passwords to change:

ssh root
mysql root
all phones login
all phones registration
user logins (especially admin / 6666 depending on your distro)
mysql cron
Vicidial Installation and Repair, plus Hosting and Colocation
Newest Product: Vicidial Agent Only Beep - Beta
http://www.PoundTeam.com # 352-269-0000 # 888-883-8488 # +44(203) 769-2294
williamconley
 
Posts: 20441
Joined: Wed Oct 31, 2007 4:17 pm
Location: Bartow, FL (In the boondocks)

Postby stevieo3 » Thu Nov 25, 2010 9:23 am

Thanks William, I got the root password changed. I have been trying to get the MySQL root and cron changed but no luck. Anyone any idea how to do it on a GoAutoDial install?

I have a call centre at the moment running off a commercial dialer and Avaya system. Will be looking to put Vicidial into production in January, so will hire you, William, to sort out the iptables if you are available to do that. Would I be able to add and delete IPs from the table manually?

Regards

Stephen
stevieo3
 
Posts: 48
Joined: Wed Oct 20, 2010 9:46 am

Postby williamconley » Thu Nov 25, 2010 11:49 am

Yep. I'm planning on publishing it here shortly, but it IS up and running with a cute little utility page for adding/removing individual IP addresses. RANGES must be modified in a configuration file, but individual IP addresses are stored in a database and thereby reloaded at startup into the 'GoodGuys' allowed list.
Vicidial Installation and Repair, plus Hosting and Colocation
Newest Product: Vicidial Agent Only Beep - Beta
http://www.PoundTeam.com # 352-269-0000 # 888-883-8488 # +44(203) 769-2294
williamconley
 
Posts: 20441
Joined: Wed Oct 31, 2007 4:17 pm
Location: Bartow, FL (In the boondocks)

Postby stevieo3 » Wed Dec 01, 2010 6:00 pm

Thought I would bump this rather than start a new thread.

Can anyone please help with the info to change the password for MySQL & MySQL cron?
stevieo3
 
Posts: 48
Joined: Wed Oct 20, 2010 9:46 am

Postby williamconley » Wed Dec 01, 2010 7:35 pm

stevieo3 wrote: Thought I would bump this rather than start a new thread.

Can anyone please help with the info to change the password for MySQL & MySQL cron?
mysql is a software package and has no "password" per se (although it does have USERS in it which have passwords, one of which is always root, so you may inadvertently be asking how to change the password for the mysql root user and the mysql cron user...?)

there used to be a script named ADMIN_update_cron_pass.pl, but I don't see it in the latest release (this would update the cron password in all the necessary places).

to change the password of a user in mysql, you use a mysql command like this:

mysql asterisk --execute="UPDATE mysql.user SET Password=PASSWORD('XXXX') WHERE User='root';"
mysql asterisk --execute="FLUSH PRIVILEGES;"
I recommend you change the 'XXXX' to something else before you actually execute it.

AFTER you have created a password for the "root" user, you will need to modify the command to include that new password by adding "-p" to the end of each line (optionally, you can even include your new password so you don't have to type it each time and can just copy/paste both lines at once).

mysql asterisk --execute="UPDATE mysql.user SET Password=PASSWORD('XXXX') WHERE User='someotheruser';" -pXXXX
mysql asterisk --execute="FLUSH PRIVILEGES;" -pXXXX

be careful changing the cron password, it is used in a lot of places!
Vicidial Installation and Repair, plus Hosting and Colocation
Newest Product: Vicidial Agent Only Beep - Beta
http://www.PoundTeam.com # 352-269-0000 # 888-883-8488 # +44(203) 769-2294
williamconley
 
Posts: 20441
Joined: Wed Oct 31, 2007 4:17 pm
Location: Bartow, FL (In the boondocks)

Postby vccsdotca » Thu Dec 02, 2010 6:56 am

It would be a good idea actually to include Asterisk's Permit/Deny field in Admin->Phones->Ext. This could be included with custom conf at the bottom of the Phone options, I'm sure.

This is really all too common. Just today I noticed a hack attempt and had to use iptables to block; the list grows. Even my test environments that are up for only a couple of days.

This thread inspired me to create a blog post on my website. An aggravating 2 hours lol.
http://www.vccs.ca/component/content/ar ... urity-tips
Matt Martin
VoIP Guru
nurango
https://www.nurango.ca
----------------
Open-Source Hosting & Support | SIP Trunking | DIDs
vccsdotca
 
Posts: 116
Joined: Mon Sep 15, 2008 5:42 pm
Location: Montreal, QC Canada

Postby boybawang » Thu Dec 02, 2010 7:13 am

Security tips:

* Edit /etc/asterisk/manager.conf change 0.0.0.0 to 127.0.0.1

* If you are using a stand-alone server you might as well bind your MySQL server to 127.0.0.1; to do this you need to edit /etc/my.cnf and set bind_address=127.0.0.1

* Change the root password to at least 10 alphanumeric characters

* Disable unnecessary extensions; the default install on those auto installers has extensions with weak passwords and extensions from cc100 to cc300 something, you will need to delete or deactivate the others

* Enable host-based access in your httpd.conf, or if you are using the Apache server on your local network only it would be wise to bind it to the local network interface instead of opening it up to the world; this way you will be able to elude Apache flooding

* Change the SSH port; this will elude SSH scanners

* Disable direct root login from SSH

* If in any case you are just using SSH on your local network, I also advise you to bind it to the local network.

* Disable unnecessary services; if you are under CentOS you can do a chkconfig --level 345 servicename off

* Install FAIL2BAN, a useful script which bans IP addresses that commit a lot of authentication errors.

* Implement STRONG PASSWORDS on each extension that you use

* Implement Asterisk host-based authentication on each extension

* Implement Asterisk SIP host-based authentication in sip.conf, where you will only allow certain SIP traffic from several IP addresses; this is very simple to do, especially if you only have 1 or 2 SIP providers


The main reason a box gets hacked is a lousy IT GUY who is content with point-and-click or automatic installers without even tweaking them.
Last edited by boybawang on Thu Dec 02, 2010 7:18 am, edited 1 time in total.
Vicidial Installation + Configuration + Support + Custom Development
Download my ebook on installing vicidial for free http://download.vicidial.com/ubuntu/VIC ... 100331.pdf
skype: deodax.cordova@gmail.com
m: +639172063730
boybawang
 
Posts: 989
Joined: Sat Nov 14, 2009 1:18 pm
Location: Dumaguete City, Negros Oriental, Philippines

Postby mflorell » Thu Dec 02, 2010 7:17 am

If you use Conf File Templates it's pretty easy to add allow/deny and other options across the board to all of your phones.
mflorell
Site Admin
 
Posts: 18406
Joined: Wed Jun 07, 2006 2:45 pm
Location: Florida

Postby vccsdotca » Thu Dec 02, 2010 8:32 am

Good tips boyb. I'm going to add the Fail2Ban and bind addresses to my article.

Another thing I thought of is making sure allowtransfer=no in /etc/asterisk/sip.conf if applicable.
Matt Martin
VoIP Guru
nurango
https://www.nurango.ca
----------------
Open-Source Hosting & Support | SIP Trunking | DIDs
vccsdotca
 
Posts: 116
Joined: Mon Sep 15, 2008 5:42 pm
Location: Montreal, QC Canada
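The checks in boybawang's list and the allowtransfer=no tip above are easy to forget on a box built by an auto-installer, so here is a small audit script that looks for them. It is an added example, not code from the thread or from Vicidial/GoAutoDial: it reads the AMI bindaddr from manager.conf, bind-address from my.cnf, PermitRootLogin from sshd_config, and allowtransfer plus a deny=/permit= pair on every peer section of sip.conf. File paths, sample contents and the addresses in them are constructed for the example; the per-peer check does not follow Asterisk template inheritance (mflorell's Conf File Templates), so if you put the ACL in a template, run the check on the template section.

```shell
#!/bin/sh
# Added example, not from the thread: audits the settings named in the tips
# above (AMI bind address, MySQL bind address, SSH root login, allowtransfer,
# per-phone deny/permit). Pass a directory holding copies of manager.conf,
# my.cnf, sshd_config and sip.conf; without an argument it audits constructed
# sample files so it can be tried without touching a live server.

# Print the effective value of KEY (a lowercase regex) in FILE, ignoring
# comments; accepts "key = value" and sshd-style "key value". Last line wins.
get_setting() {
    awk -v key="$1" '
        { sub(/[;#].*/, "") }                                 # drop comments
        tolower($0) ~ ("^[ \t]*" key "[ \t]*(=|[ \t])") {
            v = $0
            sub(/^[ \t]*[A-Za-z_-]+[ \t]*=?[ \t]*/, "", v)    # strip the key
            sub(/[ \t]*$/, "", v)
        }
        END { print v }' "$2"
}

# Peer sections of sip.conf with no deny=/permit= pair. Does not follow
# template inheritance, so put the ACL in the template and check it there.
peers_without_acl() {
    awk '
        function flush() {
            if (sec != "" && sec != "general" && !(deny && permit)) print sec
            deny = 0; permit = 0
        }
        { sub(/[;#].*/, "") }
        /^[ \t]*\[/ { flush(); sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*/, "", sec); next }
        /^[ \t]*deny[ \t]*=/   { deny = 1 }
        /^[ \t]*permit[ \t]*=/ { permit = 1 }
        END { flush() }' "$1"
}

# Each check prints one line per finding and returns non-zero when weak.
check_manager() {                                 # AMI must not listen on 0.0.0.0
    v=$(get_setting bindaddr "$1")
    [ "$v" = 127.0.0.1 ] && return 0
    echo "manager.conf: bindaddr is '${v:-unset}', expected 127.0.0.1"; return 1
}
check_mysql() {                                   # single-server box: MySQL on loopback
    v=$(get_setting 'bind[-_]address' "$1")
    [ "$v" = 127.0.0.1 ] && return 0
    echo "my.cnf: bind-address is '${v:-unset}', expected 127.0.0.1"; return 1
}
check_sshd() {                                    # no direct root login over SSH
    v=$(get_setting permitrootlogin "$1")
    case "$v" in [Nn][Oo]) return 0 ;; esac
    echo "sshd_config: PermitRootLogin is '${v:-unset}', expected no"; return 1
}
check_sip() {                                     # allowtransfer=no plus per-peer ACLs
    rc=0
    v=$(get_setting allowtransfer "$1")
    case "$v" in [Nn][Oo]) ;; *) echo "sip.conf: allowtransfer is '${v:-unset}', expected no"; rc=1 ;; esac
    for p in $(peers_without_acl "$1"); do echo "sip.conf: peer [$p] has no deny/permit"; rc=$((rc+1)); done
    return $rc
}

audit_dir() {                                     # one line per finding
    check_manager "$1/manager.conf" || true
    check_mysql   "$1/my.cnf"       || true
    check_sshd    "$1/sshd_config"  || true
    check_sip     "$1/sip.conf"     || true
}
count_findings() { audit_dir "$1" | wc -l | tr -d ' '; }

# Constructed samples (not copied from any real install): "weak" resembles the
# auto-installer defaults the thread complains about, "hardened" applies the tips.
make_samples() {
    d=$1
    if [ "$2" = weak ]; then ami=0.0.0.0; db=''; root='#PermitRootLogin yes'; xfer=yes; acl=''
    else ami=127.0.0.1; db='bind-address=127.0.0.1'; root='PermitRootLogin no'
         xfer='no ; no transfers out'; acl='deny=0.0.0.0/0.0.0.0
permit=192.0.2.0/255.255.255.0'
    fi
    printf '[general]\nenabled = yes\nport = 5038\nbindaddr = %s\n' "$ami" > "$d/manager.conf"
    printf '[mysqld]\ndatadir=/var/lib/mysql\n%s\n' "$db" > "$d/my.cnf"
    printf '%s\nPort 22\n' "$root" > "$d/sshd_config"
    printf '[general]\ncontext=default\nallowtransfer=%s\n[cc100]\ntype=friend\nsecret=EXAMPLE_ONLY\nhost=dynamic\n%s\n' \
        "$xfer" "$acl" > "$d/sip.conf"
}

# Usage: sh audit.sh /path/to/config/copies   (no argument: audit the samples)
if [ -n "$1" ]; then
    audit_dir "$1"
else
    tmp=$(mktemp -d)
    for mode in weak hardened; do
        mkdir "$tmp/$mode"; make_samples "$tmp/$mode" "$mode"
        echo "== $mode sample: $(count_findings "$tmp/$mode") finding(s)"; audit_dir "$tmp/$mode"
    done
    rm -rf "$tmp"
fi
```

Run it against copies of the real files rather than the live ones, and treat a finding as a prompt to look, not a verdict: a multi-server cluster legitimately needs MySQL bound to a LAN address, and a peer that inherits deny/permit from a template will still be listed here.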

Postby williamconley » Thu Dec 02, 2010 10:09 am

exercise caution with fail2ban: if you have a satellite call center that is behind a firewall, one of those agents with a phone that has the wrong user or password can cause that IP address to fail ... and now your entire center is locked out.
Vicidial Installation and Repair, plus Hosting and Colocation
Newest Product: Vicidial Agent Only Beep - Beta
http://www.PoundTeam.com # 352-269-0000 # 888-883-8488 # +44(203) 769-2294
williamconley
 
Posts: 20441
Joined: Wed Oct 31, 2007 4:17 pm
Location: Bartow, FL (In the boondocks)

Postby vccsdotca » Thu Dec 02, 2010 10:11 am

Good advice. Man I wish I had a Satellite...
Matt Martin
VoIP Guru
nurango
https://www.nurango.ca
----------------
Open-Source Hosting & Support | SIP Trunking | DIDs
vccsdotca
 
Posts: 116
Joined: Mon Sep 15, 2008 5:42 pm
Location: Montreal, QC Canada

Postby williamconley » Thu Dec 02, 2010 11:46 am

satellite call center as in one that is NOT in the same location as the dialer (or perhaps your main office).
Vicidial Installation and Repair, plus Hosting and Colocation
Newest Product: Vicidial Agent Only Beep - Beta
http://www.PoundTeam.com # 352-269-0000 # 888-883-8488 # +44(203) 769-2294
williamconley
 
Posts: 20441
Joined: Wed Oct 31, 2007 4:17 pm
Location: Bartow, FL (In the boondocks)

Postby boybawang » Thu Dec 02, 2010 12:11 pm

In fail2ban there is an option for ignore hosts, so you can easily put in the IP addresses of your servers so that fail2ban will just skip them when checking for authentication failures.
Vicidial Installation + Configuration + Support + Custom Development
Download my ebook on installing vicidial for free http://download.vicidial.com/ubuntu/VIC ... 100331.pdf
skype: deodax.cordova@gmail.com
m: +639172063730
boybawang
 
Posts: 989
Joined: Sat Nov 14, 2009 1:18 pm
Location: Dumaguete City, Negros Oriental, Philippines

Postby williamconley » Thu Dec 02, 2010 4:11 pm

On the other hand, if you put in a list of "good hosts", why is ANYONE ELSE even allowed to touch the box?

Don't get me wrong, I love fail2ban, but I like the plain and simple "allow the good guys, no one else should even know this server exists" approach with iptables.

Unless it's a Public Server (web server with web sites ...) there's no reason for anything else.

We have a couple of clients who have agents with dynamic home addresses; for those we install a web page that allows a simplified method to add single IP addresses.
Vicidial Installation and Repair, plus Hosting and Colocation
Newest Product: Vicidial Agent Only Beep - Beta
http://www.PoundTeam.com # 352-269-0000 # 888-883-8488 # +44(203) 769-2294
williamconley
 
Posts: 20441
Joined: Wed Oct 31, 2007 4:17 pm
Location: Bartow, FL (In the boondocks)
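The "allow the good guys, nobody else should even know this server exists" approach described in point 3 of williamconley's first reply and in his last post above comes down to a default-deny INPUT chain with an allow list in front of it. The script below is an added example, not the PoundTeam utility the thread mentions (that one keeps single addresses in a database; this one reads a flat file): it validates every entry, refuses to emit anything when the list is empty or malformed so a typo cannot lock you out, keeps established sessions and the replies to the server's own outbound connections (SIP registration, for instance) flowing, and uses DROP rather than REJECT so unlisted hosts get no answer at all. The file name and the addresses in the sample list are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread: generate (but do not apply) the
# iptables commands for a "good guys only" INPUT chain. Usage:
#   sh goodguys.sh /etc/goodguys.txt | less      # review first
#   sh goodguys.sh /etc/goodguys.txt | sh        # then apply
# Run it from the console, or make sure the address you are coming from is in
# the list, because everything not listed is dropped once the policy flips.

# Accept "a.b.c.d" or "a.b.c.d/nn"; anything else (IPv6, hostnames, junk) fails.
valid_ipv4_cidr() {
    addr=${1%/*}
    case "$1" in */*) mask=${1#*/} ;; *) mask=32 ;; esac
    case "$mask" in ''|*[!0-9]*) return 1 ;; esac
    [ "$mask" -le 32 ] || return 1
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs     # split into octets
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Emit the rules for LISTFILE (one address or range per line, '#' comments).
allowlist_rules() {
    list=$1; n=0
    entries=$(sed -e 's/#.*//' -e 's/[[:space:]]//g' "$list" | grep -v '^$' || true)
    # Validate everything before printing a single rule: an empty or broken
    # list must never reach the "-P INPUT DROP" line.
    for e in $entries; do
        valid_ipv4_cidr "$e" || { echo "bad entry in $list: $e" >&2; return 1; }
        n=$((n+1))
    done
    [ "$n" -gt 0 ] || { echo "refusing to emit rules: $list has no entries" >&2; return 1; }
    echo "iptables -P INPUT ACCEPT"                # stay open while the chain is rebuilt
    echo "iptables -F INPUT"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    # Existing sessions and replies to connections the box opened itself
    # (SIP registration, package updates) are not subject to the list.
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for e in $entries; do
        echo "iptables -A INPUT -s $e -j ACCEPT"
    done
    # DROP, not REJECT: unlisted hosts get no response, so a scanner cannot
    # even confirm that the box exists.
    echo "iptables -P INPUT DROP"
}

# Single-address add/remove for agents on dynamic home addresses; with a DROP
# policy and no terminal DROP rule, appending an ACCEPT is enough.
allow_one() { valid_ipv4_cidr "$1" || return 1; echo "iptables -A INPUT -s $1 -j ACCEPT"; }
deny_one()  { valid_ipv4_cidr "$1" || return 1; echo "iptables -D INPUT -s $1 -j ACCEPT"; }

if [ -n "$1" ]; then
    allowlist_rules "$1"
else
    # No list given: show what a constructed two-entry list produces.
    tmp=$(mktemp)
    printf '# office\n203.0.113.10\n# branch VPN endpoint\n198.51.100.0/24\n' > "$tmp"
    allowlist_rules "$tmp"; rm -f "$tmp"
fi
```

Rules emitted this way are not persistent; on a CentOS-style box they have to be saved with the distribution's iptables save mechanism (or re-generated from the list at boot, which is what the thread's "reloaded at startup" amounts to) or they are gone after a reboot.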
