Admin Security

From MiRTA PBX documentation
Revision as of 08:54, 28 October 2016

Taking care of your server security is really important. Every day, people around the globe will try to hack into your system and steal thousands of dollars' worth of traffic.

You have several tools to reduce the chance of being hacked and to limit the damage from a successful compromise.

Call Limits

Calllimits.png

Call limits are the last line of protection once a compromise has succeeded: they cap how much you are willing to pay if the credentials of an extension, or of an entire tenant, are stolen.

    • **Extension daily call cost limit** sets the maximum amount of money an extension can spend in a single day (from 00:00 to 23:59). Once this amount is reached, the extension can no longer dial out and a message is shown beside its call history entry. If an extension's credentials are compromised, the attacker should be able to spend only up to this amount. Bear in mind that a method appears to be circulating in the wild that fools Asterisk into believing a call has been hung up while it is in fact still running on your provider's side; since the PBX no longer sees such a call, this option is completely useless against it.
    • **Tenant daily call cost limit** is the same as above, but summed over all the extensions of the tenant.
    • **Tenant monthly call cost limit** is the same as above, but over a one-month period.
    • **Route cost limit** is the maximum cost per minute allowed for a route destination. If a destination has a higher cost, dialing it is forbidden.
    • **Abuse Detection** enables monitoring of international calls. If more than X calls to the same international number are placed within 300 seconds (5 minutes), the extension is blocked.
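The following is an added example, not MiRTA PBX's own code, showing how the five limits above fit together when enforced over CDR-style records: the route cost limit and the daily/monthly caps are checked at call setup, spend is charged at hangup, and abuse detection is a sliding window of call setups per extension and dialled number. The rate table, the `HOME_COUNTRY_CODE` assumption (numbers are E.164 digits without the `+`), the thresholds and the timestamps are all constructed for the example; names such as `CostGuard`, `check` and `account` are hypothetical and not part of the product.

```python
"""Added example, not MiRTA PBX code: the call-cost limits and abuse detection
described above, enforced over CDR-style records. The rate table, thresholds,
numbering assumptions and timestamps below are constructed for the example."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Hypothetical cost-per-minute table keyed by dialled prefix (E.164 digits, no '+').
RATES = {"1": 0.01, "44": 0.02, "252": 1.20, "882": 4.50}
HOME_COUNTRY_CODE = "1"  # assumption: anything not starting with it is international
T0 = datetime(2016, 10, 28, 9, 0, 0)  # constructed reference time for the demo


def at(seconds: int = 0, days: int = 0) -> datetime:
    """Timestamp helper: T0 shifted by the given offset."""
    return T0 + timedelta(days=days, seconds=seconds)


@dataclass
class Limits:
    extension_daily: float = 5.0   # per extension, 00:00 to 23:59
    tenant_daily: float = 50.0     # summed over all extensions of the tenant
    tenant_monthly: float = 500.0
    route_cost_limit: float = 1.0  # highest cost/minute a destination may have
    abuse_max_calls: int = 5       # "X": more than this many calls to the same
    abuse_window_s: int = 300      # international number within 300 s blocks the extension


def rate_for(number: str) -> Optional[float]:
    """Longest-prefix match into RATES; None means unknown destination."""
    for n in range(len(number), 0, -1):
        if number[:n] in RATES:
            return RATES[number[:n]]
    return None


def is_international(number: str) -> bool:
    return not number.startswith(HOME_COUNTRY_CODE)


class CostGuard:
    def __init__(self, limits: Optional[Limits] = None):
        self.limits = limits or Limits()
        self.ext_day = defaultdict(float)       # (ext, date) -> spent today
        self.tenant_day = defaultdict(float)    # (tenant, date) -> spent today
        self.tenant_month = defaultdict(float)  # (tenant, "YYYY-MM") -> spent this month
        self.recent = defaultdict(deque)        # (ext, number) -> recent call setups
        self.blocked = set()                    # extensions stopped by abuse detection

    def check(self, tenant: str, ext: str, number: str, when: datetime) -> str:
        """Decision at call setup: 'allow', or the reason the call is refused."""
        if ext in self.blocked:
            return "blocked:abuse"
        rate = rate_for(number)
        if rate is None:
            return "deny:unknown_destination"
        if rate > self.limits.route_cost_limit:
            return "deny:route_cost_limit"
        day, month = when.date(), when.strftime("%Y-%m")
        if self.ext_day[(ext, day)] >= self.limits.extension_daily:
            return "deny:extension_daily_limit"
        if self.tenant_day[(tenant, day)] >= self.limits.tenant_daily:
            return "deny:tenant_daily_limit"
        if self.tenant_month[(tenant, month)] >= self.limits.tenant_monthly:
            return "deny:tenant_monthly_limit"
        if is_international(number):
            # Sliding window over call setups to this exact number from this extension.
            q = self.recent[(ext, number)]
            while q and (when - q[0]).total_seconds() > self.limits.abuse_window_s:
                q.popleft()
            q.append(when)
            if len(q) > self.limits.abuse_max_calls:
                self.blocked.add(ext)
                return "blocked:abuse"
        return "allow"

    def account(self, tenant: str, ext: str, number: str,
                when: datetime, billsec: int) -> float:
        """Charge a finished call: rate * minutes, rounded up to whole minutes.
        Spend is only known at hangup, which is why a call that Asterisk wrongly
        believes has ended never counts against these limits."""
        cost = round(rate_for(number) * (-(-billsec // 60)), 6)
        day, month = when.date(), when.strftime("%Y-%m")
        self.ext_day[(ext, day)] += cost
        self.tenant_day[(tenant, day)] += cost
        self.tenant_month[(tenant, month)] += cost
        return cost


if __name__ == "__main__":
    g = CostGuard(Limits(abuse_max_calls=3))
    print(g.check("t1", "101", "2521234567", at()))      # deny:route_cost_limit
    for i in range(4):                                   # the 4th call trips abuse detection
        print(g.check("t1", "102", "447700900999", at(10 * i)))
```

Two design points are worth noting. The daily and monthly counters only grow in `account`, i.e. at hangup, which is exactly the gap the hangup-spoofing caveat above exploits: a call the PBX believes has ended is never charged. And the abuse window counts call setups rather than completed calls, so a burst of short calls to one expensive number is caught even when each call costs little.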

GeoIP/Fail2Ban

This is your first line of defense. GeoIP lets you restrict access to your server to a set of countries. Fail2Ban monitors your system log files and bans the offending IP address when repeated failed attempts are detected. SIP rate limit lets you define the maximum number of SIP messages your server accepts from the same IP address. The always allowed IP list defines addresses that are always allowed to connect to your server, and the blocked IP list defines addresses that can never connect.

Geoip.png

    • **Enable full server country IP filter** locks all external access to the server except from the listed countries. It covers SIP, the web interface and SSH access.
    • **Enable web interface country IP filter** locks access to the web interface except from the listed countries. Users from other countries still reach the web login page, but a message "You are not allowed to connect" is shown when they try to log in.
    • **GeoIP allowed countries** is the list of allowed countries. It is important to refresh the country list periodically, and to run the refresh at least once on every server. This feature needs the geoip module loaded.

Fail2ban.png

    • **Enable VoIP Fail2Ban** enables Fail2Ban for SIP access.
    • **Enable web interface Fail2Ban** enables Fail2Ban for web interface access.
    • **Fail2Ban max attempts** sets the maximum number of failed attempts before an IP address is banned.
    • **Fail2Ban ban time** sets how long the IP address stays banned.
    • **Fail2Ban find time** defines the time window in which the failed attempts are counted.
    • **Notify ban activity** defines whether to send a notification every time an IP address is banned (it can be really annoying).
    • **Notify address** sets the address the notice is sent to.
    • **Notify sender address** sets the sender address for the above notice.
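To make the three Fail2Ban parameters and the two IP lists concrete, here is an added example that models the ban logic in a few lines of Python. It is neither MiRTA PBX's nor Fail2Ban's code (the product drives the real Fail2Ban, which watches log files through its own filters); the log lines are constructed in the shape of chan_sip registration-failure notices, and the addresses, thresholds and the `Jail`, `observe` and `replay` names are assumptions made for the example. The `notify` callback stands in for the e-mail sent to the notify address.

```python
"""Added example, not MiRTA PBX's or Fail2Ban's code: a minimal Fail2Ban-style
ban engine over SIP registration failures, showing how max attempts, find time,
ban time and the always allowed / blocked IP lists interact. The log lines,
addresses and thresholds are constructed for the example."""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Callable, List, Optional, Tuple

# Constructed lines in the shape of chan_sip registration-failure notices.
SAMPLE_LOG = """\
[2016-10-28 09:00:01] NOTICE[1234] chan_sip.c: Registration from '"101" <sip:101@10.0.0.5>' failed for '203.0.113.7:5060' - Wrong password
[2016-10-28 09:00:02] NOTICE[1234] chan_sip.c: Registration from '"102" <sip:102@10.0.0.5>' failed for '203.0.113.7:5060' - Wrong password
[2016-10-28 09:00:03] NOTICE[1234] chan_sip.c: Registration from '"103" <sip:103@10.0.0.5>' failed for '203.0.113.7:5060' - No matching peer found
[2016-10-28 09:00:05] NOTICE[1234] chan_sip.c: Registration from '"201" <sip:201@10.0.0.5>' failed for '10.0.0.99:5060' - Wrong password
[2016-10-28 09:00:06] NOTICE[1234] chan_sip.c: Registration from '"201" <sip:201@10.0.0.5>' failed for '10.0.0.99:5060' - Wrong password
[2016-10-28 09:00:07] NOTICE[1234] chan_sip.c: Registration from '"201" <sip:201@10.0.0.5>' failed for '10.0.0.99:5060' - Wrong password
[2016-10-28 09:00:10] NOTICE[1234] chan_sip.c: Registration from '"101" <sip:101@10.0.0.5>' failed for '198.51.100.9:5060' - Wrong password
[2016-10-28 09:20:00] NOTICE[1234] chan_sip.c: Registration from '"101" <sip:101@10.0.0.5>' failed for '198.51.100.9:5060' - Wrong password
[2016-10-28 09:40:00] NOTICE[1234] chan_sip.c: Registration from '"101" <sip:101@10.0.0.5>' failed for '198.51.100.9:5060' - Wrong password
"""

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] NOTICE\[\d+\] chan_sip\.c: Registration from '.*?' "
    r"failed for '(?P<ip>[0-9.]+):\d+' - (?P<why>.*)$")


def ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


class Jail:
    def __init__(self, max_attempts: int = 5, find_time: int = 600, ban_time: int = 3600,
                 always_allowed=(), blocked=(),
                 notify: Optional[Callable[[str, datetime], None]] = None):
        self.max_attempts, self.find_time, self.ban_time = max_attempts, find_time, ban_time
        self.always_allowed = [ipaddress.ip_network(n) for n in always_allowed]
        self.blocked = [ipaddress.ip_network(n) for n in blocked]
        self.notify = notify                # stand-in for the "notify address" e-mail
        self.failures = defaultdict(deque)  # ip -> failure times inside find_time
        self.bans = {}                      # ip -> datetime the ban expires

    @staticmethod
    def _in(ip: str, nets) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in n for n in nets)

    def is_banned(self, ip: str, now: datetime) -> bool:
        if self._in(ip, self.always_allowed):
            return False                    # always allowed list wins over everything
        if self._in(ip, self.blocked):
            return True                     # blocked list: permanent, no counting
        until = self.bans.get(ip)
        return until is not None and now < until

    def observe(self, line: str) -> Optional[datetime]:
        """Feed one log line; return the ban expiry if this line triggered a ban."""
        m = LINE_RE.match(line)
        if not m:
            return None
        now, ip = ts(m["ts"]), m["ip"]
        if self.is_banned(ip, now) or self._in(ip, self.always_allowed):
            return None
        q = self.failures[ip]
        q.append(now)
        while (now - q[0]).total_seconds() > self.find_time:
            q.popleft()                     # attempts older than find time no longer count
        if len(q) < self.max_attempts:
            return None
        until = now + timedelta(seconds=self.ban_time)
        self.bans[ip] = until
        q.clear()
        if self.notify:
            self.notify(ip, until)
        return until


def replay(log: str, jail: Jail) -> List[Tuple[str, datetime]]:
    """Run a whole log through the jail, returning (ip, ban expiry) per ban."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        until = jail.observe(line)
        if m and until:
            events.append((m["ip"], until))
    return events


if __name__ == "__main__":
    jail = Jail(max_attempts=3, always_allowed=["10.0.0.0/8"], blocked=["192.0.2.0/24"],
                notify=lambda ip, until: print(f"notify: {ip} banned until {until}"))
    for ip, until in replay(SAMPLE_LOG, jail):
        print(ip, "banned until", until)
```

With max attempts 3 and a find time of 600 seconds, 203.0.113.7 is banned on its third failure within three seconds, while 198.51.100.9 never is: its failures arrive twenty minutes apart, so each one falls outside the find time before the next arrives. 10.0.0.99 fails three times too but sits inside the always allowed list, which is why that list should contain only addresses you trust, and 192.0.2.50 is rejected without ever reaching the counters because its network is on the blocked list.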

Ratelimits.png