Asterisk@Home Handbook Wiki Chapter 3

Chapter 3 Securing your Asterisk@Home Server

While the network connection is unplugged, or at least connected to a hub or switch with nothing else attached to it, we can change our default passwords without worrying about being hacked. It is very easy to get into and take control of ANY type of server whose default logins and passwords are unchanged, and Asterisk@Home is no different. It would be a good idea to write these passwords down and store them in a VERY secure location. It's not such a good idea to store them on your PC.

3.1 Giving your Asterisk@Home Server a static IP address

Before we change all of our default passwords, we will give our Asterisk@Home server a static IP address. You don't want to give your server a dynamic address because of the port forwarding you'll need to do from your firewall/router. You can give it a temporary one now and change it later. It's all up to you. At the CentOS command line type:

netconfig

A semi-graphical screen appears that can be explored by using the "tab" button. Enter all the requested information and tab to OK once you're done. After returning to the CentOS command prompt, type:

reboot

To reboot the server.

NOTE: Let's say you aren't comfortable with listing just one DNS server. After all, that one DNS server may go down, leaving A@H with nothing to resolve names with. To add another DNS server (or as many as you would like) type this at the command line:

nano /etc/resolv.conf

This file lists the name servers for the A@H server. Go ahead and enter your name servers. For example:

nameserver 64.232.128.2

nameserver 209.125.236.3

Then press CTRL-X, type Y, and hit Enter. You'll be asked for the file name you want ("File Name To Write: resolv.conf"), so hit Enter.



3.2 Changing your default CentOS Password

The latest version of the A@H installer requires you to set a password for root. If you would like to change it later, type the following command at the CentOS command prompt:

passwd

You will be asked to enter your old password and to type in your new password twice.



3.3 Changing your default FreePBX Password

To access AMP type the following into your web browser:

HTTP://PutYourAsterisk@HomeIpaddressHere

The default login and password for a newly installed FreePBX (formerly known as AMP) is:

Username: maint

Password: password

To change the default password at the CentOS command prompt type the following command.
(note, this command is not really part of CentOS but a script that comes with A@H)

passwd-maint

You will see the following appear:

-------------------------------------------

Set password for AMP web GUI and maint GUI

User: maint

-------------------------------------------

New password:

Re-type new password:

Updating password for user maint

It will ask for a new password. Then it will ask to confirm your new password.


You can also change the password for a second, lower-privilege default user called wwwadmin by using:

passwd-amp

You will see the following appear:

-------------------------------------------

Set password for AMP web GUI and maint GUI

User: wwwadmin

-------------------------------------------

New password:

Re-type new password:

Updating password for user wwwadmin

(The difference between the maint and wwwadmin accounts is that the maint will allow you full access in AMP. wwwadmin will not allow you to see the maintenance tab.)


3.4 Changing your default FOP Password

The default password for a newly installed Flash Operator Panel is: (yes the letter "o" is a "zero")

Password: passw0rd

To change this password, log into your CentOS machine using the root login and password and enter the FOP directory by typing:

cd /var/www/html/panel

Using nano as the editor, open the configuration file op_server.cfg

nano op_server.cfg

Go to the line that says security_code=passw0rd. Replace the "passw0rd" with the password of your choice.

security_code=whateverpasswordyouwant

For Trixbox 2 and later:

Using nano as the editor, open the configuration file /etc/amportal.conf

nano -w /etc/amportal.conf

Go to the line that says FOPPASSWORD=passw0rd. Replace the "passw0rd" with the password of your choice.

FOPPASSWORD=whateverpasswordyouwant

Then do a CTRL-X to exit and then a "Y" to save changes. Now restart the FOP server.

amportal restart



3.5 Changing your default MeetMe Password

To change the default password for MeetMe type the following into the CentOS command prompt.
(note, this command is not really part of CentOS but a script that comes with A@H)

passwd-meetme

It will ask you for your new password twice.


3.6 Changing your default System Mail Password

To change the default password for System Mail type the following into the CentOS command prompt.

passwd admin

It will ask you for your new password twice.


3.7 Changing your default Sugar CRM Password

You can access SugarCRM from your splash page by typing HTTP://PutYourAsterisk@HomeIpaddressHere into your web browser.
The default login and password is as follows:

Login: admin

Password: password

To change this, click on My Account in the upper right corner, and then click the Change Password button to change your CRM password.


3.8 Securing the ALT-F9 into the Asterisk CLI console #9 feature/security risk

Asterisk has a hidden feature that is also a security risk. On the keyboard you can just press "Alt" and "F9" simultaneously and you get access to the Asterisk console without having to log on to the actual system, with no Asterisk restrictions. This little feature can be considered a security risk if you cannot guarantee the physical security of your asterisk@home server. Go ahead and try it on your console to confirm this. At your CentOS console, let's edit the "safe_asterisk" file by typing the following:

nano /usr/sbin/safe_asterisk

change

CONSOLE=yes

to

CONSOLE=no

And while you are at it, change the e-mail address as well so you get e-mails when Asterisk crashes.
The line to change is #NOTIFY=ben@alkaloid.net
Change it to (removing the leading # so the line is no longer commented out):

NOTIFY=your@emailaddress.com

Leave the hostname variable alone; it contains backticks around the command "hostname", which causes the machine's current hostname to be automatically included in the crash notification email so you can tell which machine has crashed; quite handy if you have more than one Asterisk box.

MACHINE=`hostname`

Now restart asterisk with the following command:

amportal stop

and then

amportal start

Example from /usr/sbin/safe_asterisk

CONSOLE=no                  # Whether or not you want a console (yes/no)
NOTIFY=your@email-adr.com   # Who to notify about crashes
MACHINE=`hostname`          # Specify which machine has crashed in email


3.9 Placing a password on the Asterisk@Home Splash page

NEW NOTE: It would be a much better idea to just install Web Admin Interface Upgrade (Admin-UI) (click for very easy step by step instructions). The Admin-UI allows you to choose what links are on the start page (I usually just have the voice mail and meetme conference on the homepage) and a password protected admin page. This is a VERY nice thing to add on to your server.

The Asterisk@Home splash page is the first thing that appears in your browser when you browse to your asterisk@home's IP address. This splash page was added in Asterisk@Home to make it easier to jump to different services that are running.

The splash page contains:

*** Web-access to Voicemail
*** CRM
*** Flash Operator Panel
*** Web MeetMe Control
*** Asterisk Management Portal

It wouldn't be a bad idea to place a password on this page to stop any "curious" employees. The idea is to have Apache (the web server doing all the heavy lifting for us in CentOS) require a login and password from any user browsing to the Asterisk@Home splash page. Use your own user name instead of "NewUserName". (Note: this can be a real pain, because you will be constantly asked for this password as you navigate through these pages. For example, to access the splash page you have to enter this new password, and when you then click other parts of the admin and splash pages you will find yourself retyping passwords. It can get a bit confusing.)

htpasswd /usr/local/apache/passwd/wwwpasswd NewUserName
(Apache will prompt you for a new password for the user name you've just indicated.)

New password:
(Apache will prompt you to retype your new password)

Re-type new password:
(Apache will then confirm the new user)

Adding password for user NewUserName

Now you have to add the user name you've just created to the "httpd.conf" file. To edit that file in "nano" type:
nano /etc/httpd/conf/httpd.conf
Now do a CTRL-W to search for "AuthUser" and you'll find the area where all the users are listed (for example: "maint", your AMP user).

For Trixbox 2
nano -w /etc/trixbox/httpdconf/trixbox.conf

Now add the following lines:

#Password protect the Asterisk@Home Splash Page /var/www/html
<Directory /var/www/html>
AuthType Basic
AuthName "Restricted Area"
AuthUserFile /usr/local/apache/passwd/wwwpasswd
Require user NewUserName1 NewUserName2 NewUserName3 yaddayaddayadda
</Directory>

To delete an Apache user, type in the following and then remove the user from the "httpd.conf" file.

htpasswd -D /usr/local/apache/passwd/wwwpasswd NewUserName

Then restart apache.

/etc/init.d/httpd restart



3.10 Changing your default MySQL Password

The default password for root is: passw0rd

Enter AMP by typing HTTP://PutYourAsterisk@HomeIpaddressHere (or http://PutYourAsterisk@HomeIpAddressHere/maint, if you have installed WebAdmin) into your web browser. Click on AMP ---> Click on Maintenance ---> Click on phpMyAdmin ---> Click on the Database pulldown in the left pane and choose mysql. When the tables display, click on the user table (a check mark appears beside "user" in the "Table" column). Now click the Browse icon (the first icon under the "Action" column; if you hover your mouse over it, it will say "Browse").

The entry we care about is the second one: asterisk1.local for root user access.

If your password field is blank, you’ve got a serious security problem. What this entry means in layman’s terms is anyone on the Internet can connect to your MySQL databases as root with no password.

Click on the pencil beside the second record (asterisk1.local - root).
When the record displays, click on the function pulldown in the password row and choose PASSWORD.
Then make up a password that’s secure and enter it in the password value field. Click Go to save your update.
Now click the Browse tab again and be sure an encrypted password is shown for both root user entries in the table. We don’t care about the blank password for the blank user because you’ll note that all the database privileges are set to N for this account.


You are not done yet: phpMyAdmin will no longer work, because it still has the old password on file. To repair this, go to /var/www/html/maint/phpMyAdmin and edit the file config.default.php (or config.inc.php).

Look for :

$cfg['Servers'][$i]['password'] = 'passw0rd'; // MySQL password (only needed


Change this to match what was done above, reboot and all is right in the world again…

(This was cut and copied from Ward's Site. It explains what the problem is)
MySQL Security Alert. Recently, we happened to look at how security was set up on MySQL with Asterisk@Home. This may also apply to those using plain-old Asterisk with the Asterisk Management Portal. In any case, you need to check your system NOW! Using the Asterisk Management Portal, go to AMP->Maintenance->phpMyAdmin. Then click on the Database pulldown in the left pane and choose mysql. When the tables display, click on the user table. Now click the Browse tab at the top of the right pane. The entry we care about is the second one: asterisk1.local for root user access. If your password field is blank, you've got a potential security problem. What this entry means in layman's terms is anyone on the Internet can connect to your MySQL databases as root with no password. The only roadblock is being able to spoof the default hostname of your Asterisk@Home server. And hostname spoofing has been a reported vulnerability of MySQL so it's just not worth taking a chance. Keep in mind that all of your VoIP account usernames and passwords are stored in a MySQL table when you use the Asterisk Management Portal (AMP). Not a healthy situation when it's your wallet that's at risk. To fix the problem permanently, just click on the pencil beside the second record. When the record displays, click on the function pulldown in the password row and choose Encrypt. Then make up a password that's secure and enter it in the password value field. Click Go to save your update. Now click the Browse tab again and be sure an encrypted password is shown for both root user entries in the table. We don't care about the blank password for the blank user because you'll note that all the database privileges are set to N for this account. Fixed!


3.11 Changing your ARI (Asterisk Recording Interface) Password

ARI is a new voicemail/recording utility that comes with AMP. Users can log in with their extension and voicemail password at http://Asterisk-IP-address/recordings/. To change the administrator password, execute the following command in CentOS:

nano -w /var/www/html/recordings/includes/main.conf.php

And on line 53 (line 73 in TrixBox 1.0), change your admin password within the quotes.

$ari_admin_password = "ari_password";
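The following POSIX shell script is an added example; it is not part of the Asterisk@Home handbook or of A@H itself. It checks the files this chapter tells you to edit (op_server.cfg and amportal.conf for FOP, safe_asterisk for the Alt-F9 console, the phpMyAdmin configuration for the MySQL password, and main.conf.php for the ARI password) and reports any that still carry the default values quoted in the sections above. The default strings and file paths are the ones given in this chapter; the root directory argument is an assumption added here so the script can be run against a copy of the files as well as against a live box.

```shell
#!/bin/sh
# Added example, not from the A@H handbook: report configuration files that
# still contain the default credentials this chapter tells you to change.
# The paths and default strings are those quoted in the chapter; ROOT lets
# you point the script at a copy of the files ("/" on a live server).

# check_default FILE PATTERN LABEL
# Returns 1 (and prints WARN) if PATTERN (a grep -E regex) matches a line of
# FILE that is not commented out with '#'; returns 0 if the file is clean.
# A missing file is reported as SKIP and not counted as a failure, since
# e.g. op_server.cfg does not exist on a Trixbox 2 system.
check_default() {
    file=$1; pattern=$2; label=$3
    if [ ! -f "$file" ]; then
        echo "SKIP  $label: $file not found"
        return 0
    fi
    if grep -v '^[[:space:]]*#' "$file" | grep -Eq "$pattern"; then
        echo "WARN  $label: default value still set in $file"
        return 1
    fi
    echo "OK    $label"
    return 0
}

# audit_aah ROOT
# Runs every check under ROOT and returns the number of checks that failed,
# so an exit status of 0 means no default value was found.
audit_aah() {
    root=${1:-/}
    failed=0
    # Section 3.4: Flash Operator Panel password (A@H and Trixbox 2 locations)
    check_default "$root/var/www/html/panel/op_server.cfg" \
        '^security_code[[:space:]]*=[[:space:]]*passw0rd([[:space:]]|$)' \
        "FOP security_code" || failed=$((failed + 1))
    check_default "$root/etc/amportal.conf" \
        '^FOPPASSWORD[[:space:]]*=[[:space:]]*passw0rd([[:space:]]|$)' \
        "FOP FOPPASSWORD" || failed=$((failed + 1))
    # Section 3.8: Alt-F9 console still enabled in safe_asterisk
    check_default "$root/usr/sbin/safe_asterisk" \
        '^CONSOLE[[:space:]]*=[[:space:]]*yes' \
        "safe_asterisk CONSOLE" || failed=$((failed + 1))
    # Section 3.10: phpMyAdmin still holds the default MySQL root password
    check_default "$root/var/www/html/maint/phpMyAdmin/config.inc.php" \
        '\[.password.\] *= *.passw0rd.' \
        "phpMyAdmin MySQL password" || failed=$((failed + 1))
    # Section 3.11: ARI administrator password
    check_default "$root/var/www/html/recordings/includes/main.conf.php" \
        'ari_admin_password *= *"ari_password"' \
        "ARI admin password" || failed=$((failed + 1))
    return "$failed"
}

# Run directly: sh audit_aah_defaults.sh /    (exit status = number of WARNs)
if [ $# -gt 0 ]; then
    audit_aah "$1"
fi
```

Run it as root on the A@H box with the root directory as argument; a non-zero exit status is the number of defaults still present. Lines that are commented out with # are ignored, so a leftover "#CONSOLE=yes" above your "CONSOLE=no" will not trigger a warning.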




3.11 Changing your A2Billing Password

To login to Open A2Billing, go to http://Asterisk-IP-Address/a2billing

Default login details are "root" and "myroot".

Once you login, click on "Administrator" on the left.

Then click on "Show Administrator" under that.

There will be 2 administrators shown, "root" and "admin". Be sure to change both passwords.



3.11 Changing your host name

Asterisk@Home installs with a default hostname of Asterisk1. You might want to change this to something more meaningful to you. To do this, you must edit the hostname in two files in CentOS.

First, edit the hosts file:

nano /etc/hosts

You will see the following:

# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 localhost
127.0.0.1 asterisk1.local


you can change this to:

# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 localhost
127.0.0.1 nameofpbx.yourdomain.com


Second, edit the network file:

nano /etc/sysconfig/network

Change
HOSTNAME=asterisk1.local
to
HOSTNAME=yourname.yourdomain.com

reboot
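Because the hostname has to be changed consistently in both files, here is an added shell script (not from the handbook or from A@H) that does the two edits together. It reads the current name from /etc/sysconfig/network, replaces that name wherever it appears as a hostname field in /etc/hosts, writes the new HOSTNAME= line, and keeps a .bak copy of each file. The root directory argument and the character check on the new name are assumptions added here; the file paths are those from this section. The reboot is left to you.

```shell
#!/bin/sh
# Added example, not from the A@H handbook: change the PBX hostname in
# /etc/hosts and /etc/sysconfig/network in one step so the two never
# disagree. ROOT is a directory mirroring "/" (use "/" on the live box).

# get_pbx_hostname ROOT
# Prints the HOSTNAME= value from ROOT/etc/sysconfig/network.
get_pbx_hostname() {
    sed -n 's/^HOSTNAME=//p' "${1:-}/etc/sysconfig/network" | head -n 1
}

# set_pbx_hostname ROOT NEWNAME
# Returns 1 without touching anything if NEWNAME contains characters other
# than letters, digits, '.' and '-', or if no HOSTNAME= line exists.
set_pbx_hostname() {
    root=${1:-}; new=$2
    hosts="$root/etc/hosts"; net="$root/etc/sysconfig/network"
    case $new in
        ''|*[!A-Za-z0-9.-]*)
            echo "set_pbx_hostname: invalid hostname '$new'" >&2; return 1 ;;
    esac
    old=$(get_pbx_hostname "$root")
    if [ -z "$old" ]; then
        echo "set_pbx_hostname: no HOSTNAME= line in $net" >&2; return 1
    fi
    cp "$hosts" "$hosts.bak" && cp "$net" "$net.bak" || return 1
    # /etc/hosts: keep comments as they are; on every other line replace
    # any name field (fields 2..NF, field 1 is the address) equal to the old name.
    awk -v old="$old" -v new="$new" '
        /^[[:space:]]*#/ { print; next }
        { for (i = 2; i <= NF; i++) if ($i == old) $i = new; print }
    ' "$hosts" > "$hosts.tmp" && mv "$hosts.tmp" "$hosts" || return 1
    # /etc/sysconfig/network: rewrite only the HOSTNAME= line.
    awk -v new="$new" '
        /^HOSTNAME=/ { print "HOSTNAME=" new; next }
        { print }
    ' "$net" > "$net.tmp" && mv "$net.tmp" "$net" || return 1
    echo "hostname changed from $old to $new; reboot to apply"
    return 0
}

# Run directly: sh set_pbx_hostname.sh / nameofpbx.yourdomain.com
if [ $# -eq 2 ]; then
    set_pbx_hostname "$1" "$2"
fi
```

The awk pass over /etc/hosts rebuilds each non-comment line with single spaces between fields, which is harmless for that file, and leaves the "Do not remove" comment lines untouched.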



3.12 Updating patches to CentOS

Every OS has patches that need to be applied. It wouldn't be a bad idea to make a ghost image or backup of your server at this point. From the CentOS command line, run the following command:

yum -y update

Additionally, you could setup automatic updating; however, be aware that this could cause issues with a production system.

chkconfig yum on

service yum start


3.13 Backup and restore of Asterisk@Home

Now that you have invested some hours of work, it's time to protect it against the inevitable hard disk crash. As a wise man said, "there are two types of hard drives, the one that has crashed and the one that is going to..."


Backups created by AMP are stored in the folder /var/lib/asterisk/backups/daily.
This folder has to be created and its ownership has to be set:

mkdir /var/lib/asterisk/backups

mkdir /var/lib/asterisk/backups/daily

chown asterisk:asterisk /var/lib/asterisk/backups

chown asterisk:asterisk /var/lib/asterisk/backups/daily


3.13.1 Backup

How to create backups with AMPortal
Under the menu Setup (or Tools) there is a submenu Backup and Restore. If you don't see Backup and Restore, go to Tools, Module Admin and use the interface to enable the Backup and Restore module.

From Backup and Restore, choose Add Backup Schedule
Give the backup schedule a name and choose what parts of the system you would like it to backup.
From the pulldown menu below the choices, choose Now to make a backup as soon as you push the Submit Changes button (but remember that you may want to go back and set up a regular backup schedule), choose one of the pre-made schedules to backup at a later and repetitive time, or choose Follow schedule below to make your own schedule from the menus below. Click Submit Changes to activate your backup schedule.

How to manually create backups
Using AMP, go to Maintenance, then Backup. Click on Download Backup. You will download an "asteriskathome_backup.tar.gz" file to your usual internet download directory. This does not backup the root, maint, amp, admin, meetme passwords but does save the FOP, SugarCRM, A2Billing, and SQL DB passwords. It also does not backup custom recordings or custom music on hold files.



3.13.2 Restore

From AMP, from a scheduled backup
To restore a scheduled backup, in AMP click Maintenance, then Backup & Restore, then Restore from Backup.
A list of backup schedule names should appear. Find the backup you would like to restore, then click on the backup file.
Choose which set of data you would like to restore, then click yes when prompted.

From an asteriskathome_backup.tar.gz file
Make sure you have a backup downloaded from AMP - maintenance - backup... asteriskathome_backup.tar.gz .
Use WinSCP (or some other file transfer tool) to copy the backup to the /var/lib/asterisk/backups directory on your * box.
Log in as root and navigate to the directory in which you placed the backup.
This next step is immediate and doesn't ask for confirmation!
At the command line enter this command: restore-aah asteriskathome_backup.tar.gz
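Since restore-aah overwrites the running configuration immediately and without confirmation, here is an added wrapper (example code, not from the handbook or from A@H) that verifies the archive first. It checks that the file exists, that it is intact gzip data (a truncated download is the usual failure), and that it contains at least one entry, lists the contents, and asks before handing the file to restore-aah. The restore-aah command name is the one given in this section; the RUN_RESTORE guard is an assumption added here so the wrapper can be exercised without restoring anything.

```shell
#!/bin/sh
# Added example, not from the A@H handbook: sanity-check a backup archive
# before running restore-aah, which asks for no confirmation of its own.

# verify_backup FILE
# Returns 0 if FILE exists, passes gzip's integrity test and lists at least
# one archive entry; returns 1 with a reason on stderr otherwise.
verify_backup() {
    f=$1
    if [ ! -f "$f" ]; then
        echo "verify_backup: $f: no such file" >&2
        return 1
    fi
    if ! gzip -t "$f" 2>/dev/null; then
        echo "verify_backup: $f: not valid gzip data (truncated or corrupt download?)" >&2
        return 1
    fi
    entries=$(tar -tzf "$f" 2>/dev/null | wc -l | tr -d ' ')
    if [ "$entries" -eq 0 ]; then
        echo "verify_backup: $f: archive is empty or unreadable" >&2
        return 1
    fi
    return 0
}

# safe_restore FILE
# Verifies FILE, shows what it contains and asks for confirmation. The real
# restore-aah is only run when RUN_RESTORE=yes is set in the environment;
# otherwise the command that would run is printed (dry run).
safe_restore() {
    f=$1
    verify_backup "$f" || return 1
    echo "Archive $f contains:"
    tar -tzf "$f"
    printf 'Restoring will overwrite the current configuration. Continue? [y/N] '
    read -r answer
    case $answer in
        y|Y) ;;
        *) echo "Aborted."; return 2 ;;
    esac
    if [ "${RUN_RESTORE:-no}" = "yes" ]; then
        restore-aah "$f"
    else
        echo "(dry run) would run: restore-aah $f"
    fi
}

# Run directly: RUN_RESTORE=yes sh safe_restore.sh asteriskathome_backup.tar.gz
if [ $# -eq 1 ]; then
    safe_restore "$1"
fi
```

Copy the script next to the backup, run it as root from that directory, and only set RUN_RESTORE=yes once the listing shows the files you expect.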



3.13.3 Backup storage


Store backups on a NFS file system
How to export NFS file system isn't covered here.

mount linux.box.com:/var/backup /mnt/backup
Connects to the NFS export /var/backup on the Linux box linux.box.com and mounts it on the local directory /mnt/backup/.
Note: the directory /mnt/backup/ must exist!
Not complete!

Store backups on a Windows share
How to create windows shares isn't covered here. Note by default smbclient / smbmount is not installed, run the following at the shell to install:

yum -y install samba-client

smbmount assumes that the user used to connect to the Windows share is the one specified in the USER environment variable.

smbmount //winbox/c /mnt/backup
Connects to the Windows share c on the PC winbox and mounts it on the local directory /mnt/backup/.
After pressing Enter you are prompted for the password.
Note: the directory /mnt/backup/ must exist!

smbmount //winbox/c /mnt/backup -U=WINUSER
Same as the example above, but here we also specify the user with the parameter -U=WINUSER.
After pressing Enter you are prompted for the password.

smbmount //WINUSER:PASSWORD@workgroup/winbox/c /mnt/backup
This example is best suited for scripts because there is no need to type the password (but note that the password is then visible in the script and in the process list).

To make your Windows share available after a reboot, add the following line to the /etc/fstab file:
//ntserver/share /mnt/backup smbfs username=username,password=password 0 0

Store backups on ftp servers



3.14 UPS Backup


Because your phones need to work under even the most demanding circumstances, it is recommended that a UPS be installed to maintain power to the AAH server and, if possible, the network equipment as well. Installation of the APCUPSD daemon will allow the AAH server to monitor the power status of most APC UPS units, and will initiate a clean powerdown after a specified amount of time. As of this writing, binaries are only available for Red Hat, FC4, and SuSE distros. For CentOS the package needs to be built from source. The APCUPSD daemon project is hosted at: http://www.apcupsd.org/ This website also provides a wonderful PDF manual that covers installation, configuration, and troubleshooting. It is strongly recommended that the PDF manual be read or at least skimmed prior to using this software. The steps below are the bare basic steps needed to make the software function and assume that everything works correctly. Refer to the PDF document at the APCUPSD website for troubleshooting should problems occur.

1. Add the following to /etc/udev/rules.d/50-udev.rules:
 
BUS="usb", SYSFS{idVendor}="051d", NAME="usb/hiddev%n" 

2. Unplug the USB cable and plug it again.

3. Compile and install apcupsd:
 
yum install gcc-c++
cd /usr/src
wget http://internap.dl.sourceforge.net/sourceforge/apcupsd/apcupsd-3.13.9.tar.gz
tar xvzf apcupsd-3.13.9.tar.gz
cd apcupsd-3.13.9
CFLAGS="-g -O2" LDFLAGS="-g" ./configure --enable-usb --with-upstype=usb --with-upscable=usb --prefix=/usr --sbindir=/sbin --with-cgi-bin=/var/www/cgi-bin --enable-cgi --with-css-dir=/var/www/docs/css --with-log-dir=/etc/apcupsd --enable-pthreads --enable-powerflute
make install


If you have Webmin installed, make sure that the APCUPSD daemon is configured to start up at boot. Also, configure the BIOS power settings to reboot the computer when AC power is restored following a power loss related shutdown.


3.15 Using HTTPS


HTTP Basic authentication is inherently weak: the password is sent only Base64-encoded, which is trivially reversed by anyone who can see the traffic, so it should not be considered secure on its own. For a PBX that may be accessible from the Internet, or for the security-conscious administrator, here are the instructions for forcing all connections to go over an SSL/HTTPS connection.

At the command line, type:

yum -y install mod_ssl

Then you need to edit the Trixbox Apache configuration:

nano /etc/trixbox/httpdconf/trixbox.conf

At the bottom of this file, add the following:

<VirtualHost *:80>
Redirect / https://<INSERT YOUR SERVER NAME OR IP HERE>/
</VirtualHost>

Replace the <INSERT YOUR SERVER NAME OR IP HERE> with the actual resolvable server name or IP address associated with your Trixbox. In my case, it was 10.1.1.10. This is the same IP address or name that you use when configuring Trixbox via the web, or accessing the command line. After you have edited and saved that file, type:

service httpd restart

Voila! You are done!



Chapter 3 Securing your Asterisk@Home Server

While the network connection is unplugged or at least connected to a hub or switch with nothing else connected to it, we can now change our default passwords without worrying about being hacked. It's very easy to enter and control ANY type of server that have their default logins and passwords unchanged. Asterisk@Home is no different. It would be a good idea to write these passwords down and store them in a VERY secure location. It's not such a good idea to store them on your PC.

3.1 Giving your Asterisk@Home Server a static IP address

To change all of our default passwords, we will give our Asterisk@Home server a static IP address. You don't want to give your server a dynamic address because of the port forwarding you'll need to do from your firewall/router. You can give it a temporary one now and change it later. It's all up to you. At the CentOS command line type:

netconfig

A semi-graphical screen appears that can be explored by using the "tab" button. Enter all the requested information and tab to OK once you're done. After returning to the CentOS command prompt, type:

reboot

To reboot the server.

NOTE: Lets say you aren't confortable in just listing 1 DNS server. After all, that one DNS server in there may go down leaving A@H nothing to resolve names with. To add another DNS server (or as many as you would like) type this at the command line:

nano /etc/resolv.conf

This file lists the name servers for the A@H server. Go ahead and enter your name servers. For example:

nameserver 64.232.128.2

nameserver 209.125.236.3

Than press CTRL-X, and type in Y, hit enter. You'll be asked for the file name you want "File Name To Write: resolv.conf", so hit enter.



3.2 Changing your default CentOS Password

The latest version of the A@H installer requires you to set a password for root. If you would like to change it later, type the following command at the CentOS command prompt:

passwd

You will be asked to enter your old password and to type in your new password twice.



3.3 Changing your default FreePBX Password

To access AMP type the following into your web browser:

HTTP://PutYourAsterisk@HomeIpaddressHere

The default login and password for a newly installed FreePBX (formerly known as AMP) is:

Username: maint

Password: password

To change the default password at the CentOS command prompt type the following command.
(note, this command is not really part of CentOS but a script that comes with A@H)

passwd-maint

You will see the following appear:

-------------------------------------------

Set password for AMP web GUI and maint GUI

User: maint

-------------------------------------------

New password:

Re-type new password:

Updating password for user maint

It will ask for a new password. Then it will ask to confirm your new password.


You can also change the password for a second, lower priviledge default user called wwwadmin password by using:

passwd-amp

You will see the following appear:

-------------------------------------------

Set password for AMP web GUI and maint GUI

User: wwwadmin

-------------------------------------------

New password:

Re-type new password:

Updating password for user wwwadmin

(The difference between the maint and wwwadmin accounts is that the maint will allow you full access in AMP. wwwadmin will not allow you to see the maintenance tab.)


3.4 Changing your default FOP Password

The default password for a newly installed Flash Operator Panel is: (yes the letter "o" is a "zero")

Password: passw0rd

To change this password, log into your CentOS machine using the root login and password and enter the FOP directory by typing:

cd /var/www/html/panel

Using nano as the editor, open the configuration file op_server.cfg

nano op_server.cfg

Go to the line that says security code=passw0rd. Replace the “passw0rd� with the password of your choice.

security_code=whateverpasswordyouwant

For Trixbox 2+?

Using nano as the editor, open the configuration file /etc/amportal.conf

nano -w /etc/amportal.conf

Go to the line that says FOPPASSWORD=passw0rd. Replace the passw0rd? with the password of your choice.

FOPPASSWORD=whateverpasswordyouwant

Then do a CTRL-X to exit and then a "Y" to save changes. Now restart the FOP server.

amportal restart



3.5 Changing your default MeetMe Password

To change the default password for MeetMe type the following into the CentOS command prompt.
(note, this command is not really part of CentOS but a script that comes with A@H)

passwd-meetme

It will ask you for your new password twice.


3.6 Changing your default System Mail Password

To change the default password for System Mail type the following into the CentOS command prompt.

passwd admin

It will ask you for your new password twice.


3.7 Changing your default Sugar CRM Password

You can access SugarCRM from your splash page by typing HTTP://PutYourAsterisk@HomeIpaddressHere into your web browser.
The default login and password is as follows:

Login: admin

Password: password

To change this, click on My Account in the upper right corner, and then click the Change Password button to change your CRM password.


3.8 Securing the ALT-F9 into the Asterisk CLI console #9 feature/security risk

Asterisk has a hidden feature/security risk. On the keyboard you can just press down “Alt� & “F9� simultaneously, then you get access to Asterisk console without having to logon to the actual system and with no * restrictions. This little feature can be considered a security risk if you cannot guarantee the physical security of your asterisk@home server. Go ahead and try on your console to confirm this. At your CentOS console, let's edit the "safeasterisk" file by typing the following:

nano /usr/sbin/safe_asterisk

change

CONSOLE=yes

to

CONSOLE=no

And while you are at it, change the email address as well so you get emails when Asterisk crashes.
The line to change is #NOTIFY=ben@alkaloid.net
change it to:

NOTIFY=your@emailadress.com

Leave the hostname variable alone; it contains backticks around the command "hostname", which causes the machine's current hostname to be automatically included in the crash notification email so you can tell which machine has crashed; quite handy if you have more than one Asterisk box.

MACHINE=`hostname`

Now restart asterisk with the following command:

amportal stop

and then

amportal start

Example from /usr/sbin/safe_asterisk

CONSOLE=no	                # Whether or not you want a console (yes/no)	
NOTIFY=your@email-adr.com	# Who to notify about crashes
MACHINE=yourhostname             #Specify which machine has crashed in email


3.9 Placing a password on the Asterisk@Home Splash page

NEW NOTE: It would be a much better idea to just install Web Admin Interface Upgrade (Admin-UI) (click for very easy step by step instructions). The Admin-UI allows you to choose what links are on the start page (I usually just have the voice mail and meetme conference on the homepage) and a password protected admin page. This is a VERY nice thing to add on to your server.

The Asterisk@Home splash page is the first thing that appears in your browser when you browse to your asterisk@home's IP address. This splash page was added in Asterisk@Home to make it easier to jump to different services that are running.

The splash page contains:

*** Web-access to Voicemail
*** CRM
*** Flash Operator Panel
*** Web MeetMe Control
*** Asterisk Management Portal

It wouldn't be a bad idea to place a password on this page to stop any "curious" employees. The idea behind it this requiring Apache (the web server doing all the heavy lifting for us in CentOS) to get a login and password from a user browsing to the Asterisk@Home Splash Page. Use your own user name instead of "NewUserName". (Note: this can be a real pain because you will be constantly asked for this password when you try to navigate through these pages. Example, to access the splash page you have to enter this new password, to then click other parts of the admin and splash pages, you will find yourself retyping passwords. It can get a bit confusing).

htpasswd /usr/local/apache/passwd/wwwpasswd NewUserName
(Apache will prompt you for a new password for the user name you've just indicated.)

New password:
(Apache will prompt you to retype your new password)

Re-type new password:
(Apache will then confirm the new user)

Adding password for user NewUserName

Now you have to add the user name you've just created to the "httpd.conf" file. To edit that file in "nano" type:
nano /etc/httpd/conf/httpd.conf
Now do a CTRL-W to search for "AuthUser" and you'll find the area where all the users are listed (for example: "maint", your AMP user).

For Trixbox 2
nano -w /etc/trixbox/httpdconf/trixbox.conf

Now add the following lines:

#Password protect the Asterisk@Home Splash Page /var/www/html

<Directory /var/www/html>

AuthType Basic

AuthName "Restricted Area"

AuthUserFile /usr/local/apache/passwd/wwwpasswd

Require user NewUserName1 NewUserName2 NewUserName3 yaddayaddayadda

</Directory>

To delete an Apache user, run the following and then remove the user from the "Require user" line in the configuration file:

htpasswd -D /usr/local/apache/passwd/wwwpasswd NewUserName

Then restart Apache:

/etc/init.d/httpd restart
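As an added example (not code from the Asterisk@Home page or project), the following shell script does the two checks a practitioner wants before touching httpd.conf: it refuses to continue if any entry in wwwpasswd has an empty password field (such an entry lets anyone log in as that user), and it builds the "Require user" line from the names that actually exist in the file, so a typo there cannot lock you out. The password file path is the one used above; the "apply" mode, the httpd -t syntax check and the file name in the usage note are assumptions.

```sh
#!/bin/sh
# Added example, not part of Asterisk@Home: sanity-check the Apache password
# file and build the splash-page <Directory> stanza from it.
# PASSWD_FILE is the path used in the text above; override it if yours differs.
PASSWD_FILE=${PASSWD_FILE:-/usr/local/apache/passwd/wwwpasswd}

# Print every user name that has a non-empty password hash.
htpasswd_users() {
    awk -F: '$1 != "" && $2 != "" { print $1 }' "$1"
}

# Print user names whose password field is empty.  Such an entry lets anyone
# log in as that user with a blank password, so it must be fixed or removed.
htpasswd_blank() {
    awk -F: '$1 != "" && $2 == "" { print $1 }' "$1"
}

# Emit the stanza for /var/www/html, allowing exactly the users in the file.
# Returns 1 and prints nothing if the file has no usable entry, because an
# empty "Require user" line would lock everyone out of the splash page.
splash_stanza() {
    users=$(htpasswd_users "$1" | tr '\n' ' ')
    users=${users% }
    [ -n "$users" ] || return 1
    printf '<Directory /var/www/html>\n'
    printf '    AuthType Basic\n'
    printf '    AuthName "Restricted Area"\n'
    printf '    AuthUserFile %s\n' "$1"
    printf '    Require user %s\n' "$users"
    printf '</Directory>\n'
}

# "apply" mode (assumed usage, run as root): refuse on blank passwords, append
# the stanza to httpd.conf, check the syntax with httpd -t, restart Apache.
if [ "${1:-}" = "apply" ]; then
    blank=$(htpasswd_blank "$PASSWD_FILE")
    if [ -n "$blank" ]; then
        echo "Refusing to continue, empty password for: $blank" >&2
        exit 1
    fi
    splash_stanza "$PASSWD_FILE" >> /etc/httpd/conf/httpd.conf || exit 1
    httpd -t && /etc/init.d/httpd restart
fi
```

Save it as, say, splash-auth.sh (assumed name). Run it with no arguments to load the functions (". ./splash-auth.sh", then "htpasswd_blank /usr/local/apache/passwd/wwwpasswd" to audit the file), or with "apply" to append the stanza and restart Apache. Apache is only restarted after httpd -t accepts the configuration, so a broken stanza cannot take the web interface down.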



3.10 Changing your default MySQL Password

The default password for root is: passw0rd

Enter AMP by typing http://YourAsteriskAtHomeIPAddress (or http://YourAsteriskAtHomeIPAddress/maint, if you have installed WebAdmin) into your web browser. Click on AMP, then Maintenance, then phpMyAdmin. Click on the Database pulldown in the left pane and choose mysql. When the tables display, click on the user table (a check mark appears by "user" under the "Table" column). Now click the Browse icon, the first icon under the "Action" column (if you hover your mouse over it, it says "Browse").

The entry we care about is the second one: asterisk1.local for the root user.

If its password field is blank, you have a serious security problem. In layman's terms it means that anyone who can reach the MySQL port and present the host name asterisk1.local can connect to your databases as root with no password, and those databases hold every VoIP account name and password AMP manages.

Click on the pencil beside the second record (asterisk1.local - root).
When the record displays, click on the function pulldown in the Password row and choose PASSWORD.
Then make up a secure password and enter it in the Value field. Click Go to save your update.
Now click Browse again and make sure a hashed password is shown for both root entries in the table; if the localhost entry is blank as well, fix it the same way. We don't care about the blank password for the blank (anonymous) user, because you'll note that all the database privileges for that account are set to N.


You are not yet done: phpMyAdmin will no longer work, because it logs in as root with the old password. To repair this, go to /var/www/html/maint/phpMyAdmin and edit the file config.default.php (or config.inc.php).

Look for:

$cfg['Servers'][$i]['password'] = 'passw0rd'; // MySQL password

Change 'passw0rd' to the password you set above and save the file, and all is right in the world again. Rebooting does no harm but is not needed; a PHP configuration change takes effect on the next page load.

(The following was copied from Ward's site. It explains what the problem is.)
MySQL Security Alert. Recently, we happened to look at how security was set up on MySQL with Asterisk@Home. This may also apply to those using plain-old Asterisk with the Asterisk Management Portal. In any case, you need to check your system NOW! Using the Asterisk Management Portal, go to AMP->Maintenance->phpMyAdmin. Then click on the Database pulldown in the left pane and choose mysql. When the tables display, click on the user table. Now click the Browse tab at the top of the right pane. The entry we care about is the second one: asterisk1.local for root user access. If your password field is blank, you've got a potential security problem. What this entry means in layman's terms is anyone on the Internet can connect to your MySQL databases as root with no password. The only roadblock is being able to spoof the default hostname of your Asterisk@Home server. And hostname spoofing has been a reported vulnerability of MySQL so it's just not worth taking a chance. Keep in mind that all of your VoIP account usernames and passwords are stored in a MySQL table when you use the Asterisk Management Portal (AMP). Not a healthy situation when it's your wallet that's at risk. To fix the problem permanently, just click on the pencil beside the second record. When the record displays, click on the function pulldown in the password row and choose Encrypt. Then make up a password that's secure and enter it in the password value field. Click Go to save your update. Now click the Browse tab again and be sure an encrypted password is shown for both root user entries in the table. We don't care about the blank password for the blank user because you'll note that all the database privileges are set to N for this account. Fixed!
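The same fix as the phpMyAdmin clicks above, scripted from the CentOS shell so it can be repeated and verified, as an added example that is not from the page or from Asterisk@Home. It lists every account in mysql.user with an empty password, sets a password on all root rows in one statement, reloads the grant tables, and points phpMyAdmin's config.inc.php at the new password. It assumes the mysql client is on the PATH and that root still has the default password passw0rd; NEW_PASS, PMA_CONF and the "run" argument are placeholders of this example. The sample rows in the test are constructed.

```sh
#!/bin/sh
# Added example, not from the page or from Asterisk@Home: the fix the
# phpMyAdmin clicks above perform, done from the CentOS shell so it can be
# repeated and checked.  Assumes the mysql client is on PATH and that root
# still has the default password passw0rd (giving it with -p on the command
# line is visible in ps, acceptable only because that default is public).
# NEW_PASS and PMA_CONF are placeholders: change them, then run with "run".
NEW_PASS=${NEW_PASS:-Replace-Me-Before-Running}
PMA_CONF=${PMA_CONF:-/var/www/html/maint/phpMyAdmin/config.inc.php}

# Read tab-separated "Host User Password" rows on stdin (what mysql -B -N
# prints for SELECT Host,User,Password FROM mysql.user) and print every
# account whose password is empty as 'user'@'host'.  Blank root rows are the
# real problem; the anonymous ''@host rows are listed too so you can decide.
blank_password_accounts() {
    awk -F'\t' -v q="'" '$3 == "" { print q $2 q "@" q $1 q }'
}

# SQL that sets the password on every root@<host> row and reloads the grant
# tables.  Use a password without single quotes or backslashes.
fix_sql() {
    printf "UPDATE mysql.user SET Password=PASSWORD('%s') WHERE User='root';\n" "$1"
    printf 'FLUSH PRIVILEGES;\n'
}

# Point phpMyAdmin at the new password (the config.inc.php edit described in
# the text).  Returns 1 if the file has no password line to rewrite.
update_pma_conf() {
    grep -q "\['password'\]" "$2" || return 1
    sed -i "s|\(\['password'\] *= *\)'[^']*'|\1'$1'|" "$2"
}

if [ "${1:-}" = "run" ]; then
    echo "Accounts with an empty password before the fix:"
    mysql -u root -ppassw0rd -B -N -e "SELECT Host,User,Password FROM mysql.user" | blank_password_accounts
    fix_sql "$NEW_PASS" | mysql -u root -ppassw0rd
    update_pma_conf "$NEW_PASS" "$PMA_CONF" || echo "no password line found in $PMA_CONF" >&2
    echo "Root rows after the fix (no Password cell may be empty); mysql prompts for the new password:"
    mysql -u root -p -B -e "SELECT Host,User,Password FROM mysql.user WHERE User='root'"
fi
```

Run the audit part on its own whenever you like ("mysql -u root -p -B -N -e 'SELECT Host,User,Password FROM mysql.user' | blank_password_accounts" after sourcing the script) to confirm that no privileged account has slipped back to an empty password, for example after a restore.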


3.11 Changing your ARI (Asterisk Recording Interface) Password

ARI is a new voicemail/recording utility that comes with AMP. Users log in with their extension and voicemail password at http://Asterisk-IP-address/recordings/. To change the administrator password, execute the following command in CentOS:

nano -w /var/www/html/recordings/includes/main.conf.php

And on line 53 (line 73 in TrixBox 1.0), change your admin password within the quotes.

$ari_admin_password = "ari_password";




3.11 Changing your A2Billing Password

To log in to Open A2Billing, go to http://Asterisk-IP-Address/a2billing

The default login details are "root" and "myroot".

Once you have logged in, click on "Administrator" on the left, then on "Show Administrator" under it.

Two administrators are shown, "root" and "admin". Be sure to change both passwords.



3.11 Changing your host name

Asterisk@Home installs with a default hostname of asterisk1. You might want to change this to something more meaningful to you. To do this, you must edit the hostname in two files in CentOS.

First, edit the hosts file:

nano /etc/hosts

You will see the following:

# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 localhost
127.0.0.1 asterisk1.local

You can change this to:

# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 localhost
127.0.0.1 nameofpbx.yourdomain.com


Second, edit the network file:

nano /etc/sysconfig/network

Change
HOSTNAME=asterisk1.local
to
HOSTNAME=yourname.yourdomain.com

and reboot. MySQL matches accounts by host name, so the root@asterisk1.local entry from section 3.10 will no longer match after the rename; make sure it has a password before you change the name, because an entry that no longer matches anything is easy to forget about.



3.12 Updating patches to CentOS

Every OS has patches that need to be applied, and it wouldn't be a bad idea to make a ghost image or backup of your server at this point. From the CentOS command line, run the following command:

yum -y update

Additionally, you could set up automatic nightly updating; however, be aware that an unattended update can cause issues on a production system, so try it on a test box first.

chkconfig yum on

service yum start


3.13 Backup and restore of Asterisk@Home

Now that you have invested hours of work, it's time to protect it against the inevitable hard disk crash. As a wise man said, "there are two types of hard drives, the one that has crashed and the one that is going to..."

Backups created by AMP are stored in the folder /var/lib/asterisk/backups/daily. This folder has to be created and its ownership set:

mkdir /var/lib/asterisk/backups

mkdir /var/lib/asterisk/backups/daily

chown asterisk:asterisk /var/lib/asterisk/backups

chown asterisk:asterisk /var/lib/asterisk/backups/daily


3.13.1 Backup

How to create backups with AMPortal
Under the menu Setup (or Tools) there is a submenu Backup and Restore. If you don't see Backup and Restore, go to Tools, Module Admin and use the interface to enable the Backup and Restore module.

From Backup and Restore, choose Add Backup Schedule
Give the backup schedule a name and choose what parts of the system you would like it to backup.
From the pulldown menu below the choices, choose Now to make a backup as soon as you push the Submit Changes button (but remember that you may want to go back and set up a regular backup schedule), choose one of the pre-made schedules to backup at a later and repetitive time, or choose Follow schedule below to make your own schedule from the menus below. Click Submit Changes to activate your backup schedule.

How to manually create backups
Using AMP, go to Maintenance, then Backup, and click on Download Backup. An "asteriskathome_backup.tar.gz" file is downloaded to your usual download directory. This does not back up the root, maint, amp, admin and meetme passwords, but it does save the FOP, SugarCRM, A2Billing and SQL database passwords, so treat the archive as sensitive: keep it out of shared download folders and store it where only you can read it. It also does not back up custom recordings or custom music on hold files.



3.13.2 Restore

From AMP, from a scheduled backup
To restore a scheduled backup, in AMP click Maintenance, then Backup & Restore, then Restore from Backup.
A list of backup schedule names appears. Find the backup you would like to restore, then click on the backup file.
Choose which set of data you would like to restore, then click Yes when prompted.

From an asteriskathome_backup.tar.gz file
Make sure you have a backup downloaded from AMP (Maintenance, Backup): asteriskathome_backup.tar.gz.
Use WinSCP (or another file transfer tool) to copy the backup to the /var/lib/asterisk/backups directory on your Asterisk box.
Log in as root and change to the directory in which you placed the backup.
This next step is immediate and does not ask for confirmation!
At the command line enter this command: restore-aah asteriskathome_backup.tar.gz



3.13.3 Backup storage


Store backups on an NFS file system
How to export an NFS file system isn't covered here.

mount linux.box.com:/var/backup /mnt/backup
Connects to the NFS export /var/backup on the Linux box linux.box.com and mounts it in the local directory /mnt/backup/.
Note: the directory /mnt/backup/ must exist!
(This part is not complete.)

Store backups on a Windows share
How to create Windows shares isn't covered here. Note that by default smbclient/smbmount are not installed; run the following at the shell to install them:

yum -y install samba-client

Unless you specify one, smbmount uses the name in the USER environment variable as the Windows user name.

smbmount //winbox/c /mnt/backup
Connects to the share c on the PC winbox and mounts it in the local directory /mnt/backup/.
After pressing Enter you are prompted for the password.
Note: the directory /mnt/backup/ must exist!

smbmount //winbox/c /mnt/backup -U=WINUSER
Same as the example above, but here we also specify the user with the parameter -U=WINUSER.
After pressing Enter you are prompted for the password.

smbmount //WINUSER:PASSWORD@workgroup/winbox/c /mnt/backup
This form is the most convenient for scripts because there is no need to type the password, but the password is then visible in the process list (ps) and in your shell history, so avoid it on a machine other people can log in to.

To make your Windows share available after a reboot, add the following line to the /etc/fstab file:
//ntserver/share /mnt/backup smbfs username=username,password=password 0 0

Be aware that /etc/fstab is readable by every local user, so a password written there is not secret. smbmount and smbfs also accept credentials=/path/to/file, a root-only (mode 600) file containing the username= and password= lines, which keeps the password out of both fstab and the command line.
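The credentials-file approach in practice, as an added example that is not from the page: a small script that writes the Windows password to a root-only file, prints the matching fstab line, and copies the AMP backup tree to the mounted share under a dated directory, refusing to copy if the destination does not exist (so an unmounted share never makes it fill the local disk). The server, share, credentials path and the "run" mode are placeholders of this example; the files created in the test are constructed.

```sh
#!/bin/sh
# Added example, not from the page: keep the Windows password out of the
# command line and out of the world-readable /etc/fstab by storing it in a
# root-only credentials file (smbmount/smbfs option credentials=FILE), and copy
# the AMP backups to the mounted share under a dated directory.  CRED_FILE,
# SHARE, MOUNT_POINT and the "run" mode are assumptions; adjust them.
CRED_FILE=${CRED_FILE:-/etc/samba/backup.cred}
SHARE=${SHARE:-//winbox/c}
MOUNT_POINT=${MOUNT_POINT:-/mnt/backup}
BACKUP_DIR=${BACKUP_DIR:-/var/lib/asterisk/backups}

# Write username=/password= lines to $3, created with mode 0600 so that only
# its owner (root, when run as root) can read the Windows password.
write_credentials() {
    ( umask 077 && printf 'username=%s\npassword=%s\n' "$1" "$2" > "$3" ) || return 1
    chmod 600 "$3"
}

# The /etc/fstab line that mounts share $1 on $2 using credentials file $3,
# instead of username=...,password=... written into fstab itself.
fstab_line() {
    printf '%s %s smbfs credentials=%s 0 0\n' "$1" "$2" "$3"
}

# Copy the whole backup tree $1 into $2/<stamp>/ (stamp defaults to today's
# date) and print that directory.  Returns 1 if either directory is missing,
# so an unmounted share never makes us fill the local disk by mistake.
offload_backups() {
    src=$1; dest=$2; stamp=${3:-$(date +%Y%m%d)}
    [ -d "$src" ] && [ -d "$dest" ] || return 1
    mkdir -p "$dest/$stamp" &&
    cp -pR "$src/." "$dest/$stamp/" &&
    printf '%s\n' "$dest/$stamp"
}

# "run" mode (as root, e.g. from cron after the AMP backup): mount if needed, copy.
if [ "${1:-}" = "run" ]; then
    [ -f "$CRED_FILE" ] || { echo "create $CRED_FILE first: write_credentials WINUSER PASSWORD $CRED_FILE" >&2; exit 1; }
    grep -q " $MOUNT_POINT " /proc/mounts || smbmount "$SHARE" "$MOUNT_POINT" -o credentials="$CRED_FILE" || exit 1
    offload_backups "$BACKUP_DIR" "$MOUNT_POINT"
fi
```

Create the credentials file once, interactively, so the password never appears in a script or in history, then put "fstab_line //winbox/c /mnt/backup /etc/samba/backup.cred" into /etc/fstab in place of the username=,password= line above and schedule the "run" mode from cron.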

Store backups on ftp servers



3.14 UPS Backup


Because your phones need to work under even the most demanding circumstances, it is recommended that a UPS be installed to maintain power to the AAH server and, if possible, the network equipment as well. Installing the apcupsd daemon lets the AAH server monitor the power status of most APC UPS units and initiate a clean shutdown after a specified amount of time on battery. As of this writing, binaries are only available for Red Hat, FC4 and SuSE; for CentOS the package needs to be built from source. The apcupsd project is hosted at http://www.apcupsd.org/ and provides a thorough PDF manual that covers installation, configuration and troubleshooting. It is strongly recommended that the manual be read, or at least skimmed, before using this software. The steps below are the bare minimum needed to make the software function and assume that everything works correctly; refer to the manual for troubleshooting should problems occur.

1. Add the following to /etc/udev/rules.d/50-udev.rules:
 
BUS="usb", SYSFS{idVendor}="051d", NAME="usb/hiddev%n" 

2. Unplug the USB cable and plug it again.

3. Compile and install apcupsd:
 
yum install gcc-c++ 
cd /usr/src 
wget http://internap.dl.sourceforge.net/sourceforge/apcupsd/apcupsd-3.13.9.tar.gz 
tar xvzf apcupsd-3.13.9.tar.gz 
cd apcupsd-3.13.9
CFLAGS="-g -O2" LDFLAGS="-g" ./configure --enable-usb --with-upstype=usb --with-upscable=usb --prefix=/usr --sbindir=/sbin --with-cgi-bin=/var/www/cgi-bin --enable-cgi --with-css-dir=/var/www/docs/css --with-log-dir=/etc/apcupsd --enable-pthreads --enable-powerflute
make install


After installation, check that the daemon actually sees the UPS (apcaccess status should report its status and battery charge). If you have Webmin installed, use it to make sure the apcupsd daemon is configured to start at boot (or do the same with chkconfig, if the install placed an init script in /etc/init.d). Also configure the BIOS power settings to reboot the computer when AC power is restored following a power-loss shutdown.


3.15 Using HTTPS


HTTP Basic authentication is inherently weak in that the user name and password are sent Base64-encoded, which is an encoding, not encryption: anyone who can sniff the traffic can decode them instantly. For a PBX that may be reachable from the Internet, or for the security-conscious administrator, here are the instructions for forcing all web connections through SSL/HTTPS.

At the command line, type:

yum -y install mod_ssl

Then you need to edit the Trixbox Apache configuration:

nano /etc/trixbox/httpdconf/trixbox.conf

At the bottom of this file, add the following:

<VirtualHost *:80>
    Redirect / https://<INSERT YOUR SERVER NAME OR IP HERE>/
</VirtualHost>

Replace <INSERT YOUR SERVER NAME OR IP HERE> with the resolvable server name or IP address of your Trixbox. In my case, it was 10.1.1.10. This is the same IP address or name that you use when configuring Trixbox via the web or accessing the command line. After you have edited and saved that file, type:

service httpd restart

Two things to keep in mind: mod_ssl installs a self-signed certificate, so browsers will warn about it until you replace it with one they trust, and the redirect only covers port 80, so it relies on Apache listening for HTTPS on port 443, which the ssl.conf that comes with mod_ssl sets up.

Voila! You are done!
Created by: GinelLipan, Last modification: Thu 10 of May, 2012 (19:15 UTC) by admin