Enabling iptables on openvz containers

Written by admin on December 24, 2014. Posted in Server Security

This post is directed to those who run their data centres or small virtualised systems. Many times customers want to install firewall on their vps servers and after installation of your openvz system you might find that software firewalls such as csf may not run because the container's iptables are not activated. To correct this you need to do the following:

in ssh enter the following command

nano /etc/vz/vz.conf

Then locate the line which begins with IPTABLES=

uncomment this line if it is commented and edit it. Make sure the following is just one line. The line must now look like

#IPTABLES=”ipt_REJECT ipt_recent ipt_owner ipt_REDIRECT ipt_tos ipt_TOS ipt_LOG ip_conntrackipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ipt_state iptable_nat ip_nat_ftp”

Thats it then just restart openvz by this command

# /etc/init.d/vz restart

Then you can now install CSF on your containers.

How to limit concurrent calls for asterisk extensions

Written by admin on November 22, 2014. Posted in Asterisk, Server Security

Sometime you need to limit the number of simultaneous calls that an extension can be allowed to make. freepbx has a trunk simultaneous calls limitation but does not have the SIP account limitation facility. the workaround  is to do the following.

Login to your server via ssh and do the following

# nano sip_custom_post.conf

suppose the extension you want to limit is 3500  and you want to limit the call limit to 3 simultaneous calls. hen you must copy and paste the following.

[3500](+)
call-limit=3

Save the file by clicking  CTRL + X   and then confirm with a Y

Restart asterisk

# amportal restart

How to secure your server using fail2ban

Written by admin on November 22, 2014. Posted in Server Security

Fail2ban scans log files (e.g. /var/log/apache/error_log) and bans IPs that show the malicious signs -- too many password failures, seeking for exploits, etc. Generally Fail2Ban then used to update firewall rules to reject the IP addresses for a specified amount of time, although any arbitrary other action. The following shows how to install it on asterisk to protect your voip server. Please copy and paste the blue text directly into ssh.

rpm -Uhv http://apt.sw.be/redhat/el5/en/i386/rpmforge/RPMS/rpmforge-release-0.3.6-1.el5.rf.i386.rpm
sed -i 's/enabled = 0/enabled = 1/' /etc/yum.repos.d/rpmforge.repo
yum install -y fail2ban jwhois
Now disable the rpmforge repo do that it doesn’t interfere with any of the CentOS/Asterisk packages -

sed -i 's/enabled = 1/enabled = 0/' /etc/yum.repos.d/rpmforge.repo
Next we are going to create the fail2ban configuration file for Asterisk. This tells fail2ban what text to monitor the logs for -

cat >> /etc/fail2ban/filter.d/asterisk.conf <<-EOF
# Fail2Ban configuration file
#
#
# $Revision: 250 $
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
#before = common.conf

[Definition]

#_daemon = asterisk

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT
#

failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Wrong password
NOTICE.* .*: Registration from '.*' failed for '<HOST>' - No matching peer found
NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Username/auth name mismatch
NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Device does not match ACL
NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Peer is not supposed to register
NOTICE.* <HOST> failed to authenticate as '.*'$
NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)
NOTICE.* .*: Failed to authenticate user .*@<HOST>.*

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
EOF
Next we are going to add some lines to the jail.conf file that tells fail2ban what log files to monitor and what action to take when the required text is detected. This includes sending an alert e-mail so you may want to change ‘root’ to your e-mail address. It also includes the length of time the IP address is blocked for in seconds. Here we have it set to 3 days, you may want to modify this -

cat >> /etc/fail2ban/jail.conf <<-EOF
[asterisk-iptables]

enabled = true
filter = asterisk
action = iptables-allports[name=ASTERISK, protocol=all]
sendmail-whois[name=ASTERISK, dest=jcals@katxe.com, sender=fail2ban@katxe.com]
logpath = /var/log/asterisk/full
maxretry = 5
bantime = 259200
EOF
Fail2ban needs the date in the Asterisk log files written in a specific format. To do this we can add a line to the ‘General’ section of the Asterisk logger configuration file. If you already have a ‘General’ section in there you will just want to add the line manually rather than running the command below -

cat >> /etc/asterisk/logger.conf <<-EOF
[general]
dateformat=%F %T
EOF
asterisk -rx "logger reload"
Finally we want to fire up fail2ban and set it to start at boot time -

service fail2ban start
chkconfig fail2ban on
One final thing you may want to do is ‘whitelist’ your own IP address/s. You can do this by adding them to the ignoreip line in the jail.conf file. Here’s a couple of lines to do it automatically, just change the IP address here for your own IP address -

sed -i 's/ignoreip = /ignoreip = 123.123.123.123 /' /etc/fail2ban/jail.conf
service fail2ban restart

How to reset passwords for Freepbx, A2billing, Elastix and PIAF

Written by admin on November 16, 2014. Posted in A2billing, Asterisk, Elastix, Freepbx, PIAF, Server Security

Many times i get asked how to reset passwords in different systems. This article will explain how to do this in some VOIP systems.

 

1. FreePBX® 

To reset the admin password in FreePBX® you do the following:

Login to your ssh client and type the following

amportal admin auth_none

You will get the following response

Please wait...

trying to run as user asterisk:

[AUTHTYPE] changed from previous value: [database] to new value: [none]

Now login to yourFreePBX®  using username admin and no password and edit/add/create  admin details

After that go into your ssh and enter

amportal admin auth_database

You will get this response

Please wait...

trying to run as user asterisk:

[AUTHTYPE] changed from previous value: [none] to new value: [database]

You are done. You can now logout of FreePBX®  and login with new credentials

Please note that FreePBX® is a Registered Trademark of Schmooze Com, Inc and our mention of it in this or any other tutorial does not mean we are in any way associated or affiliated with them.

 

2. A2billing

To reset A2billing password you need to login to your ssh

1. Determine the database name, user and password for your A2Billing database

# head -n 15 /etc/a2billing.conf

The settings are normally at the top of the file so we just need the first 15 lines. They are usually

user = a2billinguser
password = a2billing
dbname = mya2billing

2. Log in to MySQL using the details we just got for the A2Billing database -

# mysql -u a2billing-user -p mya2billing
Enter password: a2billing

3. Change the password for root to ‘changepassword’ by using the following string

#mysql> update cc_ui_authen set pwd_encoded = '410fc6268dd3332226de95e42d9efa4046c5463769d7493b85e65cfa5c26362dc2455cc23c0bc5831deb008def4ab11a9eaa9b76ba3f377da134f39ec60dd758' where login='root';

4. You should now be able to login to A2Billing using the username/password of root/changepassword.

The A2billing password reset part is courtesy of  Matt Newcombe  http://sysadminman.net/blog/2009/reset-a2billing-1-4-root-password-950

 

3. Elastix

For Elastix just login to your ssh and enter the following line

# sqlite3 /var/www/db/acl.db "UPDATE acl_user SET md5_password = '`echo -n password|md5sum|cut -d ' ' -f 1`' WHERE name = 'admin'"

Replace the red coloured password with your desired password.

 

4. PBX in a flash (PIAF)

In PIAF login to ssh and enter the following

# passwd-master

This will change all your access passwords to the new one that you will be prompted to provide.

Thats it for now