VoIPowering Your Office with Asterisk: Securing Your Server
Before it becomes your working phone system, you need to take steps to make sure that only authorized personnel (you) can access the inner workings your Asterisk server.
With out test lab up and running, it's time to lock down our Asterisk server, and that begins with secure passwords.
Asterisk@Home ships with a bunch of default passwords that many people know. Moreover, it sends server administration traffic in the clear, rather than over HTTPS. This means that anyone on your local network could easily sniff out all those passwords after you go to the trouble of changing them. OpenSSH should be configured to use RSA key pairs instead of the root system login, which is both more secure and more convenient. Today's and next week's installments will tell all about how to do these things. Disconnect your Asterisk server from the network, and away we go.
Strong passwords are fundamental defenses against intrusion. The world is chock-full of automated password crackers that crack easy passwords in seconds. Passwords should not be words, names, places, birthdates, Social Security numbers, or pet names. In other words, nothing that will be found in a dictionary, and nothing that can be related to you in any way. Cracker dictionaries even include common misspellings. Random sequences of letters, numbers, and punctuation marks are best, no fewer than eight characters.
How do you keep track of passwords? Do yourself a favor and ignore all the bad advice about memorizing them and never writing them down. Write them down and keep them in a safe place, like your wallet or a locked drawer. You don't have to take my word for it; no less a security guru than Bruce Schneier recommends this.
First we'll take care of the more important passwords and security holes.
CentOS Linux Password
The default login on your Asterisk@Home server is user "root"; the password is "password." This is the most important password of all, because this is the key to the kingdom. Log in on the command-line of the server and run the passwd command:
Changing password for root
(current) UNIX password:
Enter new UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully
passwd is a standard Linux command. All the rest of the password commands are Asterisk@Home commands.
Asterisk Management Portal password
While you're still on the command line, run the passwd-maint script to change the password for the maint user, which controls AMP:
Set password for AMP web GUI and maint GUI
Re-type new password:
Updating password for user maint
A related user is wwwuser which also has AMP access, except it is blocked from using the Maintenance tab. Change it with this command:
Hitting Alt+F9 on the Asterisk server bypasses the root login and takes you directly to the administration console, which does all the same things as AMP, but without all the pretty graphics. You might leave this alone if you are confident in your physical security. Remember the ancient Unix security dictum: "Anyone with physical access to the box owns it." To disable it, do this:
# nano /usr/sbin/safe_asterisk
Using the Nano Text Editor
The Nano text editor commands are displayed on the screen when you open it; to get more help hit ^G, which means the Control key plus the letter g, lowercase. Don't bother trying to make it a capital G, even though it is displayed that way. The Nano man page (*man nano*) may be helpful.
Just to keep it interesting, some commands do require using the Shift key, like the command to navigate to a specific line number, which is is ^_, or Control Shift Underscore.
Commands like "M-Y" mean Alt key plus y. M stands for Meta key. Why not just say Alt key? On old Sun systems the Meta was a key marked with a diamond, and on Macintosh it's the Command key. On modern systems some users prefer to use a custom keyboard mapping, so the Meta key is wherever they choose to put it. But for most of us, it's the Alt key.
ARI (Asterisk Recording Interface) Password
# nano -w /var/www/html/recordings/includes/main.conf
On line 53, change the admin password within the quotes:
$ari_admin_password = "ari_password";
Hit ^w to search for "ari_password", or ^_ to go directly to line 53.
If you're thinking "Um, storing passwords in plain text is not a good idea," you are correct. But that's the way it is for now, so guard your root password and Asterisk server well.
Flash Operator Panel (FOP) password
Close out the /var/www/html/recordings/includes/main.conf file with ^X, then hit Y to save your changes. Then:
# nano -w /var/www/html/panel/op_server.cfg
Down near the end of the file, change the password on this line:
Exit Nano and run this Asterisk@Home command:
# passwd meetme
System Mail password
Use this command:
# passwd admin
Go to http://[your-Asterisk-IP]/a2billing and log in with "root" and "myroot". Go to Administrator - Show Administator to change both the default user passwords.
Sugar CRM Password
Click "CRM" on the Asterisk@Home splash page. Login with "admin" and "password", then click "My Account on the upper right to set a new password.
Come back next week to learn how to finish locking down Asterisk@Home.