VoIPowering Your Office with Asterisk: Securing Your Server

With out test
lab
up and running, it’s time to lock down our Asterisk server, and that
begins with secure passwords.

[email protected] ships with a bunch of default passwords that many people know.
Moreover, it sends server administration traffic in the clear, rather than over
HTTPS. This means that anyone on your local network could easily sniff out all
those passwords after you go to the trouble of changing them. OpenSSH should
be configured to use RSA key pairs instead of the root system login, which is
both more secure and more convenient. Today’s and next week’s installments will
tell all about how to do these things. Disconnect your Asterisk server from
the network, and away we go.

Password management
Strong passwords are fundamental defenses against intrusion. The world is chock-full of automated password crackers that crack easy passwords in seconds. Passwords should not be words, names, places, birthdates, Social Security numbers, or pet names. In other words, nothing that will be found in a dictionary, and nothing that can be related to you in any way. Cracker dictionaries even include common misspellings. Random sequences of letters, numbers, and punctuation marks are best, no fewer than eight characters.

How do you keep track of passwords? Do yourself a favor and ignore all the bad advice about memorizing them and never writing them down. Write them down and keep them in a safe place, like your wallet or a locked drawer. You don’t have to take my word for it; no less a security guru than Bruce Schneier recommends this.

First we’ll take care of the more important passwords and security holes.

CentOS Linux Password
The default login on your [email protected] server is user “root”; the password
is “password.” This is the most important password of all, because this is the
key to the kingdom. Log in on the command-line of the server and run the passwd
command:

# passwd
Changing password for root
(current) UNIX password:
Enter new UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully

passwd is a standard Linux command. All the rest of the password commands are [email protected] commands.

Asterisk Management Portal password
While you’re still on the command line, run the passwd-maint script to change the password for the maint user, which controls AMP:

# passwd-maint
-------------------------------------------
Set password for AMP web GUI and maint GUI
User: maint
-------------------------------------------

New password:
Re-type new password:
Updating password for user maint

A related user is wwwuser which also has AMP access, except it is blocked from using the Maintenance tab. Change it with this command:

# passwd-amp


Disable Alt+F9
Hitting Alt+F9 on the Asterisk server bypasses the root login and takes you directly to the administration console, which does all the same things as AMP, but without all the pretty graphics. You might leave this alone if you are confident in your physical security. Remember the ancient Unix security dictum: “Anyone with physical access to the box owns it.” To disable it, do this:

# nano /usr/sbin/safe_asterisk
CONSOLE=no

 

Using the Nano Text Editor
The Nano text editor commands are displayed on the screen when you
open it; to get more help hit ^G, which means the Control key plus the
letter g, lowercase. Don’t bother trying to make it a capital G, even
though it is displayed that way. The Nano man page (*man nano*) may be
helpful.

Just to keep it interesting, some commands do require using the Shift key,
like the command to navigate to a specific line number, which is is ^_, or Control
Shift Underscore.

Commands like “M-Y” mean Alt key plus y. M stands for Meta key. Why not just
say Alt key? On old Sun systems the Meta was a key marked with a diamond, and
on Macintosh it’s the Command key. On modern systems some users prefer to use
a custom keyboard mapping, so the Meta key is wherever they choose to put it.
But for most of us, it’s the Alt key.

ARI (Asterisk Recording Interface) Password

# nano -w /var/www/html/recordings/includes/main.conf

On line 53, change the admin password within the quotes:

$ari_admin_password = "ari_password";


Hit ^w to search for “ari_password”, or ^_ to go directly to line 53.

If you’re thinking “Um, storing passwords in plain text is not a good idea,”
you are correct. But that’s the way it is for now, so guard your root password
and Asterisk server well.

Flash Operator Panel (FOP) password
Close out the /var/www/html/recordings/includes/main.conf file with ^X, then hit Y to save your changes. Then:

# nano -w /var/www/html/panel/op_server.cfg


Down near the end of the file, change the password on this line:

;security_code=passw0rd

MeetMe password
Exit Nano and run this [email protected] command:

# passwd meetme

System Mail password
Use this command:

# passwd admin

A2Billing password
Go to http://[your-Asterisk-IP]/a2billing and log in with “root” and “myroot”. Go to Administrator – Show Administator to change both the default user passwords.

Sugar CRM Password
Click “CRM” on the [email protected] splash page. Login with “admin” and “password”, then click “My Account on the upper right to set a new password.

Come back next week to learn how to finish locking down [email protected]

Resources
[email protected]
My very own Linux Cookbook is designed for beginning-to-intermediate Linux system administrators and users

Latest Articles

Follow Us On Social Media

Explore More