sednet
Joined: 17 Mar 2004
Posts: 212
Location: Europe
|
| Posted: Wed Jan 04, 2012 5:01 pm Post subject: Anyone got Trixbox running? |
|
|
I know a few of you have Asterisk running on a Linode. I was wondering if it's possible to get Trixbox running on one?
Has anyone done this? It looks like trixbox uses a custom kernel so that may be a problem.
(Yes I know trixbox is the dummy way to set up asterisk and I should do it the hard way.)
EDIT: I notice there is a StackScript for Asterisk 1.8 + Freepbx 2.9. Anyone using this?
|
Alohatone
Joined: 21 Jun 2011
Posts: 117
Location: Hawaii
|
| Posted: Thu Jan 05, 2012 1:24 am Post subject: |
|
|
27 people running it.
63 deployments | 27 still active | last revision 3 months ago
It's probably better than trixbox in that it's freepbx.
It's also easily upgraded with yum.
We made it pretty much an appliance to run on Linode. Just too bad Fremont wasn't stable enough for us and no other data center is close enough to Hawaii.
|
sednet
Joined: 17 Mar 2004
Posts: 212
Location: Europe
|
| Posted: Sat Jan 07, 2012 12:24 pm Post subject: |
|
|
Freepbx stackscript it is then.
Trixbox doesn't look too easy to secure for the internet. Default passwords everywhere, it can't be yum updated without hitting odd dependency issues. |
|
sednet
Joined: 17 Mar 2004
Posts: 212
Location: Europe
|
| Posted: Sat Jan 07, 2012 2:59 pm Post subject: |
|
|
sednet wrote: Freepbx stackscript it is then.
And it installs very nicely. Then it starts up internet facing mysql and web with a default web username and password combination of admin/admin. Very scary. It seems to be very difficult to change that login.
Maybe I'm doing something really dumb here.. Anyone know what's the right way to change the web login password for freepbx? |
|
Alohatone
Joined: 21 Jun 2011
Posts: 117
Location: Hawaii
|
| Posted: Sat Jan 07, 2012 5:04 pm Post subject: that script is a barebones model to get it going |
|
|
that script is a barebones model to get it going
Use basic linux security concepts.
enable iptables and lock that server down
install fail2ban
if you ban everything and then just allow only what you want through (ports / source ips) the server can be very secure with minimal effort. |
|
Alohatone
Joined: 21 Jun 2011
Posts: 117
Location: Hawaii
|
| Posted: Sat Jan 07, 2012 5:06 pm Post subject: |
|
|
To change the admin/admin login, go into FreePBX -> Setup -> Administrators.
On the right hand side, select the 'admin' user and then you can change the password for the login to FreePBX.
|
sednet
Joined: 17 Mar 2004
Posts: 212
Location: Europe
|
| Posted: Sun Jan 08, 2012 3:48 am Post subject: Re: that script is a barebones model to get it going |
|
|
Alohatone wrote: that script is a barebones model to get it going
Use basic linux security concepts.
enable iptables and lock that server down
install fail2ban
if you ban everything and then just allow only what you want through (ports / source ips) the server can be very secure with minimal effort.
The problem is that this thing comes up with mysql and web open to the internet with default passwords. Sure I can secure it after it's up and check the logs but how can I be sure it's not too late then?
This stackscript would be improved by setting a user provided web password and a random database password. I've no idea how to do that though, this is the first time I've ever used a stackscript.
I'd never use fail2ban BTW. I don't really think it improves security.
EDIT: Security paranoia notwithstanding, Asterisk/freepbx work like a dream. I had a phone number working and forwarded to a SIP phone in about 2 minutes.
|
Alohatone
Joined: 21 Jun 2011
Posts: 117
Location: Hawaii
|
| Posted: Sun Jan 08, 2012 10:58 am Post subject: Re: that script is a barebones model to get it going |
|
|
sednet wrote: Alohatone wrote: that script is a barebones model to get it going
Use basic linux security concepts.
enable iptables and lock that server down
install fail2ban
if you ban everything and then just allow only what you want through (ports / source ips) the server can be very secure with minimal effort.
The problem is that this thing comes up with mysql and web open to the internet with default passwords. Sure I can secure it after it's up and check the logs but how can I be sure it's not too late then?
This stackscript would be improved by setting a user provided web password and a random database password. I've no idea how to do that though, this is the first time I've ever used a stackscript.
I'd never use fail2ban BTW. I don't really think it improves security.
EDIT: Security paranoia notwithstanding, Asterisk/freepbx work like a dream. I had a phone number working and forwarded to a SIP phone in about 2 minutes.
We had the script asking for a password and whatnot, but that turned out to be more complicated and this script makes it more like an appliance which allows for very very easy backups and restores...
As for security, you just have to lock it down, or contract someone to lock it down for you...
|
sednet
Joined: 17 Mar 2004
Posts: 212
Location: Europe
|
| Posted: Sun Jan 08, 2012 4:18 pm Post subject: Re: that script is a barebones model to get it going |
|
|
Alohatone wrote:
as for security, you just have to lock it down. or contract someone to lock it down for you...
I'm quite capable of securing Linux, that's not the problem. The problem is that once a machine hits the net with a predictable username and password combination it's only a matter of when it's going to get cracked, not if. It would be dead easy to keep rescanning Linode's IP space for new installs, automatically log in, and then you are one PHP exploit away from a cracked machine. Sure I can log in from LISH and bring down eth0 in under 5 seconds but automated tools could well exploit the box in under 1 second.
It would be very nice if there was some easy way to set the freepbx password from the stack script. But yes, freepbx is a mess in that regard, it doesn't look easy to do.
I'm not sure why this install has mysql binding all addresses. Only binding localhost is fine for freepbx. |
|
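The hardening asked for in the post above (a random database password, MySQL bound to localhost only), combined with the default-deny firewall advice earlier in the thread, as an added example that is not part of the thread or of the StackScript it discusses. The config file handling, the allowed ports and the 203.0.113.10 admin address are assumptions; setting the FreePBX web password from a script is left out because the thread does not say how.

```shell
#!/bin/sh
# Added example (not the StackScript from the thread). File paths, ports and
# the 203.0.113.10 admin address are constructed assumptions.

# Print a random password of 2*N hex characters (N bytes from /dev/urandom).
gen_password() {
    od -An -N"${1:-16}" -tx1 /dev/urandom | tr -dc '0-9a-f'
    echo
}

# Force "bind-address = 127.0.0.1" in the [mysqld] section of config file $1.
# Any existing bind-address in that section is dropped; other sections are kept.
bind_mysql_localhost() {
    cnf=$1
    tmp=$(mktemp) || return 1
    awk '
        /^\[/ { insec = ($0 == "[mysqld]") }
        insec && /^[ \t]*bind[-_]address[ \t]*=/ { next }
        { print }
        $0 == "[mysqld]" { print "bind-address = 127.0.0.1"; done = 1 }
        END { if (!done) print "[mysqld]\nbind-address = 127.0.0.1" }
    ' "$cnf" > "$tmp" && cat "$tmp" > "$cnf"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Print an iptables-restore ruleset: drop inbound by default, then allow
# loopback, replies to our own traffic, and each IPv4 "source:proto:port" argument.
emit_firewall_rules() {
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    for rule in "$@"; do
        src=${rule%%:*}; rest=${rule#*:}
        printf '%s\n' "-A INPUT -s $src -p ${rest%%:*} --dport ${rest#*:} -j ACCEPT"
    done
    echo COMMIT
}

# Demo on a constructed my.cnf that listens on all addresses.
demo() {
    sample=$(mktemp)
    printf '%s\n' '[mysqld]' 'bind-address = 0.0.0.0' 'port = 3306' > "$sample"
    bind_mysql_localhost "$sample" && cat "$sample"
    rm -f "$sample"
    echo "generated DB password: $(gen_password 16)"
    emit_firewall_rules 203.0.113.10:tcp:22 203.0.113.10:tcp:443 203.0.113.10:udp:5060
}
demo
```

These steps belong before the network interface comes up or the services start, so the machine never listens with defaults; the ruleset output is in the format `iptables-restore` reads.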
db3l
Joined: 13 May 2009
Posts: 556
|
| Posted: Sun Jan 08, 2012 4:42 pm Post subject: Re: that script is a barebones model to get it going |
|
|
sednet wrote: Sure I can login from LISH and bring down eth0 in under 5 seconds but automated tools could well exploit the box in under 1 second.
Does installing from the stackscript automatically boot the machine? I thought that was still a separate step.
If it's separate, then you're still in control of the window of exposure. One option is to just lock things down through a recovery/Finnix boot (even if just to disable the ethernet interface) before booting the deployed image the first time.
If you want, another approach would be to just take the existing stackscript and tweak it slightly to keep the ethernet interface down by default, giving you a shot to make other changes.
-- David |
|
Alohatone
Joined: 21 Jun 2011
Posts: 117
Location: Hawaii
|
| Posted: Thu Jan 19, 2012 8:32 pm Post subject: |
|
|
If you are afraid of a compromise in 5 seconds, this script is not for you. You probably are more than capable of running your own install from scratch.
Our original script needed inputs (username / password), which some users did not like, thus we made it an appliance and easy.