The Official OSDial Forum

[fadmin]

Recently we have seen a few instances where systems were hacked and used to make overseas calls.

Traditionally we have been leaving security to the owner of the dialer, not counting that we follow and implement the security updates from Asterisk/Digium and other Linux applications, very closely. (Asterisk is the built-in phone system, or PBX.)

The dialer includes a firewall which is not activated by default as people then end up having issues connecting until they figure out how their network is set up.

Running (as root)

yum clear all;yum update

will give you the latest version which may very well include security updates, which could resolve the above remote access issue. If you have had periods of making a lot of calls in a short period of time, a database update could potentially take many hours. (The longest update we have seen started on Friday at 10pm and completed at 8:30am Monday morning.) You can read here on how to identify if the update will bring in changes to the SQL http://callcentersg.com/updates.php.

Even though most updates goes very quickly, you should be aware of the potential of a prolonged down time. You can always have us estimate the length of your update.

To make it easier to lock down the system we are going to release a new function which will basically allow you to implement levels of network security. Note that securing a device, such as the dialer, is entirely the responsibility of the owner of the system. In no way can we guarantee any security, but we strive to assist towards improved security.

The modes will be:

lockdown – no access of any kind in or out
standard – only outbound traffic allowed
support – only outbound except inbound from us
insecure – open access for all

There may be additional custom changes that needs to be done, such as allowing certain carriers to communicate with your system. If you have agents that are external to your network that will require customization. (These should be done inside one hour of support.)

The idea is to give the majority an easy way to a higher level of security. Security is a trade off, a balancing act someplace between total security, where nothing works, and no security, where anything can be done by anyone.

With organized crime being very active financing online criminals this is no time to be lax with security.

[contctbin]

Thanks for the info about these security modes in Open Source Dialer. It is important to have these features because hackers are everywhere. I find this application very useful in call centers. Very informative post.

[sentm]

There are so many different scenarios out there that security does become a problem.


There is a script in /usr/share/doc/osdial-[version] called firewall.sh. This script is fairly automatic, but it can be modified for some of your specific needs, ie allowed carrier IPs, etc.

Steps:
1. Edit firewall.sh script.
2. Run the script. ./firewall.sh
3. Test the connection, and place a few test calls.
4. Save the script for startup... "service iptables save"

[Amingenag]

You probably very clever? or cunning?

[sentm]

No, mostly dashing and daring.

[DhwaniTechnologies]

Ok, I know I am replying very late but I want to make sure anyone looking for some answers in the future will benefit from this thread. I have had instances of someone using our SIP minutes to call places I haven't even heard of, I hope that doesn't happen to you. But if it does, only *you* will be responsible for your loss.

There are a few things you need to do to secure your new Osdial/Vici installation.

1. De-activate all phones and users which are enabled by default
2. Change the default password for all users/phones
3. Change the port number for Asterisk, make sure your provider supports custom ports
4. Create custom dialplans with unusual prefixes, these will behave like passwords, also change the prefix in the campaign to match this
5. Enable Iptables and add a whitelist to allow traffic only from trusted IP addresses

[fadmin]

Bare in mind that security by obscurity is not security. Your system should have several layers on your security "onion". Replacing the port with a non standard one is a waste of time and only adds to a false sense of security. If your hacker is so clueless that he cannot run a port scan, the other layers of your security should easily stop him.
If, however, he knows that much then all you have accomplished is making things harder for yourself.

[DhwaniTechnologies]

No, mostly dashing and daring.

Lol, good one!

ps - i hope you realize that was a spam message!

[fadmin]

No spam, it was intended to generate a smile.

[DhwaniTechnologies]

Just an extra tip to the readers, using VPN for remote logins is a great option. You don't need to open your server to the public on the Internet but you can login remotely and work as if you were in the office. Highly recommended!

[leaperconn]

It appears that infiltrated.net has modified the location of their voipabuse blacklist. The current firewall.sh contains the link ..
http://www.infiltrated.net/voipabuse/addresses.txt
where the new address should be ..
http://www.infiltrated.net/vabl.txt
If I understand this script correctly, this update will begin to add the addresses collected by infiltrated.net

--------UPDATE-----------
20110722: This needs further review since the header 'host' (if it ever existed) is no longer in this file; when I run this with the change I get the following errors:

[root@myhost ~]# sh firewall.sh
iptables v1.3.5: host/network `#' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.3.5: host/network `Prior' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.3.5: host/network `VABL' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.3.5: host/network `list' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.3.5: host/network `can' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.3.5: host/network `be' not found
Try `iptables -h' or 'iptables --help' for more information.
--------END UPDATE-------

[sentm]

The section should be changed to:

Code: Select all

FW_voipabuse() {
        # The VoIP Blacklist Project (voipabuse) http://www.infiltrated.net/voipabuse/
        for host in `wget -qO - http://www.infiltrated.net/vabl.txt | awk -F\| '{ print $1 }'`; do
                IPT "-A voipabuse_in -s $host -j DROP" "Block voipabuse: $label"
        done
}


[dreamelvin]

My business is not a big business. I use "My Sales Dialer" power dialer with my LG mobile for my business calling. I don't use any anti virus. I upload all of my important business contacts in .csv format to this application. This app works offline and I use it with my telecom network. Is there any chances of risk in this system i.e can someone copy my contact list uploaded to dialer/mobile? What security I need to maintain?
thank you

[fadmin]

The very nature of security makes it hard to give an honest and brief answer. (I'm also going to take the opportunity to cover a few points.)

The moment you connect a computer which has valuable information, to the internet in any way, you should ask yourself what would it mean if someone got hold of it, and or removed it from the computer. If the answer is too expensive then you don't do it. Or find some other way of doing it.

There are so many ways that someone can gain access to data that one cannot say anything is totally safe. Security is a matter of balance. You weigh the balance of need to access versus cost if the worst would occur. Driving a car, or getting out of bed, has risks, but we take certain precautions such as looking before stepping off the sidewalk and move on.

Linux, being based on the design of Unix, where simplicity is king, is very modular and lends itself to locking down much easier than for example Windows which is more based on complexity. That does not mean you automatically are safe using Linux.

Security implementation is a matter of layers. Much like an onion. You use properly implemented firewalls, don't leave services open for public, use proper passwords, do security updates, have educated users who have a vested interest in keeping the business secure and knows who to turn to and don't fall for social engineering. (One survey, for example, showed that many would give away passwords for chocholate!) Security is really a matter of being educated about it and willing to stay alert and take action when needed.

Is OSDial secure? That is a very loaded question. We make basic implementations and configurations so that the system is not wide open, but our view is that we are providing a dialing solution and you are responsible for maintaining a secure installation. There are many programs from various people and groups which make up the dialer. In other words we chose a Linux distribution, added and implemented a number of services and on top of all those added our code.

Any one of those programs could having a condition which could result in allowing unauthorized access.

Regardless of size you need to be educated about security, even if simply having conceptual understanding of it. That which you don't see or understand can and often will bite you. Go as far as you can with educating yourself, then have someone with actual history in security help you further along. Ask them lots of questions. Conceptually understand what they are doing. Someone who actually knows their subject can explain it in layman language!

In your post you talk about putting your contact list on the dialer. I would expect that it would not be a "walk in the park" to steal those off the dialer, but I'm not going to stand here and claim that it could not be done. All it requires to make it easy is to not have any firewall in place, or use 'password' (or something similar weak) as your passwords and it's just a matter of time before it is broken into. We take certain steps to limit access, but again it's from the view that you are responsible for your operations. That means you have firewalls, have a proper implementation on how you allow access, especially remote access which brings it's own can of worms.

Imagine you have a good VPN (Virtual Provate Network, which creates a tunnel across an insecure network (internet) between two locations) where one end is at your office and the other is at someone's home. Having that VPN in place you feel very secure. After all it is very very hard to break into the VPN as it passes communications across the internet!

Then what would happen if the home user visits a website which has malware on it? The home computer could become infected and whoever now have remote access to the home computer would have the same access, as that home user has, to your office. Across the secure VPN.

Obviously the VPN cannot protect against that. Not using MAC or Windows on computers connected to the internet might be necessary. Or only use dedicated computers in home locations where all they do is connect over the VPN. No browsing, email, chat or anything at all but connect to the office. Then use another computer for personal internet activity.

Having remote agents means you need at the minimum lock down access from their internet addresses, else the world will come calling...

I know that in the end most people want to hear "security theatre" where there is a play going on which simply says that all is OK. Much like our security theatre in airports. Which is manned by minimum pay labor which have a big pressure on them. The result is not a single terrorist caught at the cost of, well you know what. Abused travellers, agents, ton's of money that could have gone to do honest police work, which is behind every terrorist caught. Yeah, I call it police work when the passenger stopped the "underware bomber" midflight. Willing to take action is a huge part of police work. Does not matter if you are a cop, FBI or any other group, or individual. Look at Israel, everyone growing up is educated about security, and they flourish in a very volatile environment!

The biggest enemy to security is complacency. USA has become mostly a victim of itself, fed by complacency. Guess what, our world famous freedom is being removed because we as a nation did not stand up and take action. Governments WANT to control it's population. That is easiest accomplished by having a police state. Which you only have to look at the east block in Europe to see how well that works.

I've brought up these various points to show that security does not have a simple single solution. Such as adding a firewall and thinking all is safe now. I demonstrated how a perfectly safe solution such as the VPN can easily be turned around and become an enemy tool. I wish I could, in good heart, simply say that your list is safe. I would say that it can probably be safe if reasonable actions and configurations are in place, as covered above. Maybe I should say Not at all! Forcing you to take action. In other words we are not selling a secure dialer, simply giving away a dialer limited only by it's license. If you want security - make sure you have it from a third party, as most developers don't undestand security anyway.

[MichaelPittingerSr]

what about changing the MySQL password, it there a guide for doing it with OSDial

so far:

1. Change "Root' password in CentOS.
2. Change Agent Passwords to unique passwords.
3. Change Phone passwords to unique passwords.
4. Change Admin password unique password.
5. Change MySQL passwords (How many logins are used, what are they and can the passwords be changed?) "we are hardening this dialer for the first rounds of security testing by or FED client.

the dialer sit behind a NAT so we can control all port and traffic. We want to be able to have complete access all functions remotely, and to access MySql remotely.

We really want to test prior to thanksgiving with our security team and a few outside resources and then get the FED security folks to test before Christmas.

Mike

[fadmin]

Besides your (valid) points it requires know how of MySQL and to edit /etc/osdial.conf.

The only way to change the root password and still have things work is to set the root password in the /etc/my.cnf.d/mysql-clients.cnf file...in clear text. Otherwise, mysqladmin stop|start|restart wont even operate correctly (which is called by "service mysqld stop|start|restart".


And on that very good note I'd like to reiterate to specifically use OpenVPN. It is quite likely that it has not been as damaged by lowered security as many of the other VPNs. It is very flexible and you control how tight you want it to be. We use it as a one way VPN in OSDial which allows us to support clients but they in turn cannot come into our server, or our other clients.

As the border gateway firewall we highly recommend pfSense on a standalone server. It uses very low volume of RAM and disk space. Is fantastic when it comes to restoring into new hardware, and general ease of use. Plus it is using the famous firewall from OpenBSD.

We also suggest you subscribe to our Announce list (low volume) http://osdial.com/support/ to keep up to date with news.

[MichaelPittingerSr]

Also I believe the MySQL setup on OSDial requires that you enable the ip address that will try to connect to the MySQL data base if you are using a tool like MySQL Workbench. Just another layer of the "Onion" thank for the My Sql file location for changing passwords, we are going to hold off on MySQL changes until we get done the first part, hardening the CentOS instance.

More later on the results after the hacking team gets done.....

Mike