Setting up Elastix on a shared hosting platform like ours is not that different from any other installation. The only key difference is that we host clients on it and that security + monitoring are KEY!
first agenda point, defaulting the config so everone can do this.
We want to have this system secure, so first we will use the intergrated update tool:
yum update elastix-* -y
yum update elastix- -y
yum update elastix -y
after rebooting your system should be up to date.
Next, we start securing the box. I prefer to use fail2ban for this
Install fail2ban, if not installed yet using yum install fail2ban
nano -w /etc/asterisk/sip_general_custom.conf
Now fail2ban, we need to create a file
nano -w /etc/fail2ban/filter.d/asterisk.conf
and add the following lines to it.
#_daemon = asterisk
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named “host”. The tag “” can
# be used for standard IP/hostname matching and is only an alias for
# Values: TEXT
failregex = NOTICE.* .*: Registration from ‘.*’ failed for ‘:.*’ – Wrong password
NOTICE.* .*: Registration from ‘.*’ failed for ‘:.*’ – No matching peer found
NOTICE.* .*: Registration from ‘.*’ failed for ‘:.*’ – Username/auth name mismatch
NOTICE.* .*: Registration from ‘.*’ failed for ‘:.*’ – Device does not match ACL
NOTICE.* failed to authenticate as ‘.*’$
NOTICE.* .*: No registration for peer ‘.*’ (from )
NOTICE.* .*: Host failed MD5 authentication for ‘.*’ (.*)
VERBOSE.* logger.c: — .*IP/-.* Playing ‘ss-noservice’ (language ‘.*’)
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
nano -w /etc/fail2ban/jail.conf
file and add the next lines to the bottom:
enabled = true
filter = asterisk
action = iptables-allports[name=ASTERISK, protocol=all]
sendmail-whois[name=ASTERISK, dest=root, email@example.com]
logpath = /var/log/asterisk/full
maxretry = 3
bantime = 600
Check the config with
on and start fail2ban with
Thats it for now.