It’s a fact of life that as soon as a server is connected to the Internet, it will be attacked within minutes from a variety of directions.
Usually this is nothing more than a minor annoyance, but should entry be gained, it can become far more serious: not only for your server resources but also for your wallet, your reputation and potentially your liberty. Imagine if illegal pictures and documents were stored on your server.
So it’s important on a variety of levels to secure your Internet facing server as best as you can. In this article, we are going to concentrate on securing Newfies-Dialer.
The first point to raise is what you need to install on your Newfies-Dialer server. The more Internet-facing services you install, the larger the attack surface and the greater the opportunity for attack. As a general rule, less is better. Our script only installs what is necessary.
Newfies-Dialer needs to be accessible from the outside world via SSH, so that you as the administrator can do general administration and apply updates. You also need to be able to access the web interface installed on port 8008 and possibly port 80. Freeswitch also needs to be installed to make outbound calls. Our automated script will do all this for you.
SSH is a protocol by which one can remotely manage a server at the command line. It enforces end-to-end encryption, so usernames, passwords and data cannot, for all practical purposes, be captured and interpreted.
SSH can use different methods of authentication: username and password, or a public / private key pair.
We prefer the public / private key pair, because as long as your private key is safe, so is SSH access. For all practical purposes, you cannot break into SSH with public / private key authentication without access to the keys. It is more convenient as well: you do not have to remember different passwords.
There are many guides on the Web for setting up key pairs and how to use them in your own client such as PuTTY. We advise that you take advantage of these.
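As an added check that is not from the Newfies-Dialer project or any of those guides, the script below audits an sshd_config for the key-only policy described above; the two configuration samples are constructed, and the keyword defaults are OpenSSH's, which uses the first value it reads for each keyword.

```shell
#!/bin/sh
# Added example, not from the Newfies-Dialer project: audit an sshd_config for
# key-only authentication. sshd honours the FIRST value it reads for a keyword,
# so the check must take the first match, not the last.

# Constructed sample: a stock-style file with password logins still enabled.
WEAK_CONF='Port 22
#PasswordAuthentication no
PasswordAuthentication yes
PubkeyAuthentication yes
ChallengeResponseAuthentication yes'

# Constructed sample: keys only, interactive password prompts disabled.
HARDENED_CONF='Port 22
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PasswordAuthentication yes'   # later duplicate is ignored by sshd

# Effective value of a keyword: the first non-comment occurrence before any
# Match block; the caller supplies the OpenSSH default as the third argument.
effective() {
    printf '%s\n' "$1" | awk -v key="$2" -v def="$3" '
        /^[[:space:]]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
        END { if (!found) print def }'
}

# Returns 0 when key-only authentication is in force, 1 otherwise, naming
# each finding on stdout. OpenSSH defaults to "yes" for all three keywords.
check_sshd_config() {
    conf="$1"; rc=0
    [ "$(effective "$conf" PubkeyAuthentication yes)" = yes ] || { echo "PubkeyAuthentication is off"; rc=1; }
    [ "$(effective "$conf" PasswordAuthentication yes)" = no ] || { echo "PasswordAuthentication still enabled"; rc=1; }
    [ "$(effective "$conf" ChallengeResponseAuthentication yes)" = no ] || { echo "ChallengeResponseAuthentication still enabled"; rc=1; }
    return $rc
}

# Run against the weak sample: the findings are printed and the check fails.
check_sshd_config "$WEAK_CONF" || echo "weak sample fails the check (expected)"
```

On a real host, feed it the live file with `check_sshd_config "$(cat /etc/ssh/sshd_config)"`.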
Stop or Slow Down SSH Attacks
Simply using key pair authentication will not stop people from trying to attack your server, with the resultant load on your server, logs to audit, and so on. There are a number of strategies to defend against people attacking your system.
- Iptables: restrict access to only the IP addresses you are likely to connect from. This can be a problem for people on dynamic addresses or who travel, so you can also consider a VPN or port knocking alongside this.
- Iptables rate limiting: you can set up iptables to allow, say, only 3 connections per minute, which slows down brute-force attacks.
- IDS: intrusion detection such as Fail2Ban or OSSEC. We favour OSSEC as it also checks for changes in system files.
- Change SSH ports: we prefer that software should be intrinsically secure, and for ease of maintenance we also prefer standard ports, because in emergencies you cannot always guarantee that you can reach the server via a non-standard port, e.g. from a corporate or public network.
If you take some or all of the above measures then you can be confident that you have done the best you can, and it is likely that the potential hacker will move on to the next target.
Newfies-Dialer UI Security
To a large degree, you are reliant on our skills in respect of the security of the Newfies-Dialer interface, and on the developers of the web application framework, Django, on which Newfies-Dialer is built. Django has been in production for many years on thousands if not millions of sites, so it has been thoroughly peer reviewed to be the best it can be.
However, pragmatic though this approach may be, there are security releases from time to time, so it is a mistake to put all your trust in other people doing things right: unexpected bugs can creep in and new vulnerabilities are being discovered all the time, so a layered defence is still worthwhile.
Newfies-Dialer is generally accessed by only a few people, usually you and your customers. As previously described, you can use geographic iptables rules to limit access to only those people who need it. If this is not possible, at least restrict access to people in your own country. It's not perfect, but it does reduce the number of people who can launch an attack.
Although probably too burdensome for clients, if you are running Newfies-Dialer on your own behalf on a private network, you can consider accessing the UI via VPN or SSH tunnel from outside your internal network. From inside, you can access the system in the normal way.
The IDS you installed to protect SSH will be useful here as well.
Customer Data Security
We recommend that any server holding customer data should have its web interface protected with an SSL certificate, to thwart attackers eavesdropping on usernames, passwords and other data. That data could be used to compromise the customer, or to launch millions of calls to premium rate numbers.
SSL certificates are a way of encrypting the data sent between your PC and the server you are talking to. They also confirm that the server you are talking to is the one you expect, and not a fake site set up for the purpose of stealing your information. Any site that stores personal data should have an SSL certificate, and you should see the little yellow padlock in your browser confirming they are who they say they are.
When you are on any public network, e.g. Wi-Fi, or your data traverses networks that are not physically secure, anyone with a network sniffer can record a stream of your data and, if it is not encrypted, copy every single piece of information you have seen, every document you send and any unencrypted VoIP conversation, as well as extract the username and password you used to get that information. It's frighteningly easy!
It makes sense for anyone to encrypt all data passing over public networks. You, as the server administrator, are not responsible for how people connect to you, but you can easily ensure that the data you are responsible for is encrypted end to end, simply by installing a signed SSL certificate from a recognised certificate authority on your server for very little cost and ensuring your customers use the HTTPS address.
How it works
The way that SSL encryption communicates is elegant, secure and simple. It can be explained by the following analogy:
Imagine a box with places to put two padlocks on it:
- You put your data in the box, lock it with your padlock, and keep the key, then send it to the person you are communicating with.
- They put their padlock on your box, keeping their key, and send it back to you with both padlocks attached.
- When you receive the box, you remove your padlock, and send the box back again.
- Now the person you are communicating with can remove their padlock, open the box, and take out your data.
During the process of transmission, no-one can read your data even if they intercept it, as it has always had one or two padlocks on it. It is secure end to end. They send information back to you using the same process in reverse.
Clearly this is done electronically; the above is only an analogy. But you can see that each piece of data has to traverse the network twice, and there is some overhead from encryption.
However, on modern powerful servers with good broadband, the advantage of not having your data exposed to the world as it traverses networks outweighs these minor disadvantages, and in any case Newfies-Dialer is not usually a high volume website, so the loads are not heavy.
Where do I get certificates from?
The certificate that proves the server is who it says it is is issued by a certificate authority, which effectively vouches that the server is the one it claims to be. There are many certificate authorities who will issue you a certificate for a small annual cost.
It is possible to self-sign the certificate, which will have the effect of encrypting the data, but the trouble is that self-signed certificates are not trusted, so you cannot be certain who you are talking to.
Purchasing and Installing a Certificate
Purchasing and installing a certificate is cheap and easy, and if you are running Newfies-Dialer accessible to the public, you owe it to yourself and your customers to ensure that the information they send to and receive from you cannot be intercepted and used against them.
Prepare your server by setting up your desired DNS entry, e.g. www.star2billing.com pointing at your server, and updating WHOIS records.
- Generate a CSR (Certificate Signing Request), which is usually done on your server, to uniquely identify your server.
- Send your CSR, along with your name, FQDN and other information, to the Certificate Authority.
- They will validate your domain and company and send you your certificate.
- You configure your server to use the certificate they sent you.
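The key and CSR generation of the first step, plus a check that the CSR you are about to send really belongs to the key on the server, as an added example that is not part of the Newfies-Dialer project; the organisation name is assumed, the domain is the www.star2billing.com example above, and it needs OpenSSL 1.1.1 or later for -addext.

```shell
#!/bin/sh
# Added example, not from the Newfies-Dialer project: create the private key
# and CSR for a domain, then verify the CSR before it goes to the CA.
# The country and organisation in the subject are assumed values.

# Create a 2048-bit RSA key and a CSR for DOMAIN in OUTDIR. The .key file
# never leaves the server; only the .csr file is sent to the authority.
make_csr() {
    domain="$1"; outdir="$2"
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$outdir/$domain.key" -out "$outdir/$domain.csr" \
        -subj "/C=GB/O=Example Dialer Ltd/CN=$domain" \
        -addext "subjectAltName=DNS:$domain" 2>/dev/null
    chmod 600 "$outdir/$domain.key"   # private key readable by its owner only
}

# Return 0 only if the CSR's own signature verifies and its public key matches
# the private key on disk, so the wrong CSR is never sent off for signing.
verify_csr() {
    key="$1"; csr="$2"
    openssl req -in "$csr" -noout -verify >/dev/null 2>&1 || return 1
    [ "$(openssl pkey -in "$key" -pubout 2>/dev/null)" = \
      "$(openssl req -in "$csr" -noout -pubkey 2>/dev/null)" ]
}

# The common name the CA will see; it must equal the FQDN you quote to them.
csr_cn() {
    openssl req -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# Usage: sh this_script.sh --run   (writes the .key and .csr to the current dir)
if [ "${1:-}" = "--run" ]; then
    make_csr www.star2billing.com . \
      && verify_csr ./www.star2billing.com.key ./www.star2billing.com.csr \
      && echo "CSR for $(csr_cn ./www.star2billing.com.csr) is ready to send"
fi
```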
The main vulnerability of Freeswitch is via SIP, and we have ensured that in the default configuration people can neither register to Freeswitch nor dial in to make calls. However, this does not stop them trying, which at best is a nuisance when trying to debug gateways.
Securing Newfies-Dialer from SIP attacks is ludicrously simple. Newfies-Dialer only makes outbound calls; it is not designed to receive inbound calls. Therefore you can block every single inbound port with iptables apart from SSH (for maintenance) and 8008 for the customer and administration web pages.
Even though Freeswitch has to communicate with your SIP provider, it is Freeswitch that initiates the connection, so iptables does not block the SIP replies from your provider, because you have invited those replies.
Iptables will, however, block anything uninvited apart from the ports mentioned above for control and management.
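To put the iptables points above (restricting and rate-limiting SSH from the earlier list, and dropping every uninvited inbound port from this section) into practice, here is an added example that is not part of the Newfies-Dialer install script; it assumes an admin network of 203.0.113.0/24, port 443 for HTTPS, and an iptables with the conntrack and recent modules, and its comments note that it is the ESTABLISHED,RELATED rule that lets the provider's "invited" SIP replies through.

```shell
#!/bin/sh
# Added example, not part of the Newfies-Dialer install script: a default-deny
# INPUT chain for a Newfies-Dialer host. The admin network, the HTTPS port and
# the rate-limit figure are assumed values; review them before applying.
ADMIN_CIDR="203.0.113.0/24"   # assumed: the addresses you administer from
SSH_PORT=22                   # the article keeps the standard port
WEB_PORTS="80 443 8008"       # 8008 is the Newfies-Dialer UI; 443 assumes SSL is set up
SSH_PER_MIN=3                 # new SSH connections allowed per source per minute

# Print the rule set, one iptables command per line, so it can be reviewed
# before anything touches the live firewall.
build_rules() {
    echo "iptables -F INPUT"
    echo "iptables -P INPUT DROP"      # anything not explicitly invited is dropped
    echo "iptables -P FORWARD DROP"
    echo "iptables -P OUTPUT ACCEPT"   # Freeswitch dials out freely
    echo "iptables -A INPUT -i lo -j ACCEPT"
    # The "invited" replies from the SIP provider are accepted by connection
    # tracking: they belong to flows this server started. Without this rule
    # the DROP policy would also discard the provider's SIP responses.
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # SSH only from the admin network; the recent module drops a source that
    # opens more than SSH_PER_MIN new connections within 60 seconds.
    echo "iptables -A INPUT -p tcp --dport $SSH_PORT -s $ADMIN_CIDR -m conntrack --ctstate NEW -m recent --set --name SSH"
    echo "iptables -A INPUT -p tcp --dport $SSH_PORT -s $ADMIN_CIDR -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount $((SSH_PER_MIN + 1)) --name SSH -j DROP"
    echo "iptables -A INPUT -p tcp --dport $SSH_PORT -s $ADMIN_CIDR -j ACCEPT"
    for p in $WEB_PORTS; do
        echo "iptables -A INPUT -p tcp --dport $p -j ACCEPT"
    done
    # No rule opens 5060/5080 or the RTP range: unsolicited SIP registration
    # and call attempts fall through to the DROP policy.
}

# Number of rules that open an inbound port; a quick sanity check that the
# generated set exposes only SSH and the web ports.
count_open_ports() { build_rules | grep -c -- '--dport .* -j ACCEPT'; }

# Apply only when asked explicitly and running as root; otherwise just print.
if [ "${1:-}" = "--apply" ] && [ "$(id -u)" -eq 0 ]; then
    build_rules | sh -e
else
    build_rules
fi
```

Because the rules are flushed and re-added in order, keep the ESTABLISHED,RELATED line near the top; a rule set that drops it will silently break outbound calling as well as SSH sessions already open.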
We don’t install all the security features we mention above in our standard Newfies-Dialer installation script, as many systems administrators have their own ideas and anything we do may inadvertently render their security null and void, or block access to their server completely.
So this is something you must do for yourself once you have installed Newfies-Dialer.
If you find all of this a bit daunting, then Star2billing will be happy to assist you with any of the aspects listed above, and we do include some of the defences we recommended above in our installation, training and deployment support package.