SETTING UP ELASTIX ON A SHARED HOSTING PLATFORM WITH FIREWALL

Setting up Elastix on a shared hosting platform like ours is not that different from any other installation. The only key difference is that we host clients on it and that security + monitoring are KEY!

First agenda point: defaulting the config so everyone can do this.
We want to have this system secure, so first we will use the integrated update tool:

yum update
yum upgrade
yum update elastix-* -y
yum update elastix- -y
yum update elastix -y
reboot

After rebooting, your system should be up to date.
Next, we start securing the box. I prefer to use fail2ban for this.
Install fail2ban, if not installed yet, using yum install fail2ban

nano -w /etc/asterisk/sip_general_custom.conf
alwaysauthreject=yes
srvlookup=yes
allowguest=yes
useragent=Something

Now for fail2ban: we need to create a file

nano -w /etc/fail2ban/filter.d/asterisk.conf
and add the following lines to it.

[Definition]

#_daemon = asterisk

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT
#

failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Wrong password
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - No matching peer found
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Username/auth name mismatch
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Device does not match ACL
            NOTICE.* <HOST> failed to authenticate as '.*'$
            NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
            NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)
            VERBOSE.* logger.c: -- .*IP/<HOST>-.* Playing 'ss-noservice' \(language '.*'\)

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =

Edit the file

nano -w /etc/fail2ban/jail.conf
and add the next lines to the bottom:

[asterisk-iptables]

enabled = true
filter = asterisk
action = iptables-allports[name=ASTERISK, protocol=all]
         sendmail-whois[name=ASTERISK, dest=root, sender=fail2ban@example.org]
logpath = /var/log/asterisk/full
maxretry = 3
bantime = 600

Enable fail2ban at boot with

chkconfig fail2ban on
and start fail2ban with

/etc/init.d/fail2ban start
That's it for now.
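
To see what the filter and jail above do together before relying on them, here is an added example (not part of the original post) that runs three of the failregex lines over constructed log lines and applies the jail's maxretry. The log lines, the FINDTIME value (fail2ban's default, since the jail does not set it) and the function names are assumptions of this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# <HOST> expansion as described in the filter's own comment (simplified alias).
HOST = r"(?:::f{4,6}:)?(?P<host>\S+)"
# Subset of the failregex lines from /etc/fail2ban/filter.d/asterisk.conf.
FAILREGEX = [
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Wrong password",
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - No matching peer found",
    r"NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)",
]
COMPILED = [re.compile(p.replace("<HOST>", HOST)) for p in FAILREGEX]
MAXRETRY = 3    # from the [asterisk-iptables] jail
FINDTIME = 600  # seconds; assumption: fail2ban default, not set in the jail

# Constructed sample lines in the style of /var/log/asterisk/full.
SAMPLE_LOG = """\
[2013-05-02 10:00:01] NOTICE[2345] chan_sip.c: Registration from '"100" <sip:100@192.0.2.1>' failed for '203.0.113.7:5060' - Wrong password
[2013-05-02 10:00:03] NOTICE[2345] chan_sip.c: Registration from '"100" <sip:100@192.0.2.1>' failed for '203.0.113.7:5060' - Wrong password
[2013-05-02 10:00:05] NOTICE[2345] chan_sip.c: Registration from '"999" <sip:999@192.0.2.1>' failed for '203.0.113.7:5060' - No matching peer found
[2013-05-02 10:00:09] NOTICE[2345] chan_sip.c: No registration for peer '101' (from 198.51.100.23)
[2013-05-02 10:20:00] NOTICE[2345] chan_sip.c: Registration from '"101" <sip:101@192.0.2.1>' failed for '198.51.100.23:5060' - Wrong password
[2013-05-02 10:20:02] NOTICE[2345] chan_sip.c: Registration from '"101" <sip:101@192.0.2.1>' failed for '198.51.100.23:5060' - Wrong password
"""

def failures(log):
    """Yield (timestamp, host) for every line that a failregex matches."""
    for line in log.splitlines():
        for rx in COMPILED:
            m = rx.search(line)
            if m:
                ts = datetime.strptime(line[1:20], "%Y-%m-%d %H:%M:%S")
                yield ts, m.group("host")
                break

def banned_hosts(log):
    """Hosts that reach MAXRETRY failures inside one FINDTIME window."""
    seen, banned = defaultdict(list), set()
    for ts, host in failures(log):
        recent = [t for t in seen[host] if (ts - t).total_seconds() < FINDTIME] + [ts]
        seen[host] = recent
        if len(recent) >= MAXRETRY:
            banned.add(host)
    return banned

if __name__ == "__main__":
    print(sorted(banned_hosts(SAMPLE_LOG)))
```

The second host fails three times in total but never three times inside one window, so it stays unbanned. On the box itself, fail2ban-regex /var/log/asterisk/full /etc/fail2ban/filter.d/asterisk.conf runs the real filter against the real log.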