Sunday, October 21, 2012

Linux Security - Am I Genius ?

This is pretty basic stuff to start securing the Linux servers. The basic concept is to allow only the required ports and block everything else out.
I recently started working on my new personal Hosted PBX project and for that I got a new VPS. So the very first thing I wanted to do was secure my server from any hankers. My server has two interfaces. One interface assigned physically  Public IP on it and other on LAN IP. The only access point inside my two/four server zone is this servers WAN interface (eth0)

Without wasting more time on this, here are the lines which I executed.
[root@HBPBX scripts]# iptables -A INPUT -i eth0 -m state --state ESTABLISHED -j ACCEPT

Allow anything that is in ESTABLISHED (already in progress) state.

[root@HBPBX scripts]# iptables -A INPUT -i eth0 -p icmp --icmp-type echo-request -j DROP
Silently drop incoming ICMP ping requests.Don't let the Auto-scan-bots think that my IP is reachable.
[root@HBPBX scripts]# iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT

Allow SSH port into the system.

NOTE: I highly recommend to change the default SSH port to something other than 22. This reduces the Brute force dictionary attacks by 90+% - As an examples I mostly use 3132 or 5152 or 7172 ports for SSH

[root@HBPBX scripts]# iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT

Allow any more ports if required - HTTP port 80 in my case.
[root@HBPBX scripts]# iptables -A INPUT -i eth0 -p udp --dport 5060 -j ACCEPT
[root@HBPBX scripts]# iptables -A INPUT -i eth0 -p udp --dport 10000:40000 -j ACCEPT
Since I need to work on SIP/5060 and RTP/10000:40000 so I also allowed the port(s)

[root@HBPBX scripts]# iptables -A INPUT -i eth0 -j REJECT
This is the Main line - Block everything else out.

Security is a Huge HUGE domain in itself and by no means I've done any justice to that topic here. There are many things left out which needs attention before considering somewhat secure.

To Be or Not to be a "Genius"

Make Sure you don't fall into the "Genius" Category like the following.

Not protecting the server at all. Top of the charts Genius.

Or someone like this: Totally blocking everything and hence losing all access.

I'd rather be somewhat Genius and suggest something like this for myself :

Hope you guys enjoyed this quick blog.

Saturday, October 20, 2012

Hosted PBX using FreeSWITCH

"Reinventing the Wheel"  

Only according to my requirements

Though I've made almost two Hosted PBXs and couple of projects with Hosted IVR but those were golden Asterisk times and I feel like I haven't done anything big yet. This time I am fully occupied in my official activities and yet to get the most out of me I'm starting to convert my Hosted PBX solution from Asterisk to FreeSWITCH. Not to mention that the Autodialer using FreeSWITCH I made recently was a big accomplishment and worked flawlessly which gave me motivation for this. 

That Autodialer consisted of  FreeSWITCH, Lua, Perl, MySQL, and Redis. It inspired me to do more but I was somewhat less busy to think of something like this current Project.

Starting with a quick overview. The ideal Hosted PBX should have these characteristics from developers point of view:

1- Scaleable [Extend, Expand, Integrate easily and quickly]
            The structure should be easy to expand as in hardware and extend as in software. Both ways should be easy to integrate with the ongoing structure. 

In HostedPBX Context: I should be able to add as many clients and resellers as I want, add more servers and new nodes into the system and increase my capacity. Any client should be able to use system provided ITSPs or add their own ITSP for their usage. Personally I Like the idea of pooling the services so at any given time adding anything to the pools add overall to the infrastructure. 

2- Performance [Effective code and virtually least possible bottlenecks]
           Use as simple and as intelligently-lazy code as possible, find quick and easy ways to make a module for a particular feature but at the same time keeping in mind that it doesn't closes its doors for extension or integration with other modules/layers.

In HostedPBX Context: Call processing should be as speedy as possible, nothing should keep the caller waiting - Anything thats behaviour of application is excluded from this i.e Queues, Conferences, PDD from Carriers. But there should be no PDD coming from withing the PBX - example a curl function that dumps/retrieves values from web server blocking the call from proceeding further.

3- Accessibility [ Ease of use for everyone]
           Everyone means everyone connected to it which includes developers, administrators, resellers, clients.Any functions/APIs or GUIs should be as easy to work with as possible.

In HostedPBX Context: Mostly clients and their usability should be given priority( GUI ), That doesn't mean that anything else should be ignored totally or given less preference. Internal code and infrastructure should be as much easily accessible to authenticated and authorized Engineers and admins.

4- Reliable and Secure [Fail & Fool proof structure]
            Failure to any one or at max up to three nodes, services, providers, or links should not effect overall system. This reliability should be increased with introduction of more Hardware/Software code keeping point-1 and point-2 in mind. At any given time at any layer should be any single point of failure be it a DNS provider, power services provider, internet services provider, or any software application/tool.

In HostedPBX Context: Everything should've atleast one backup node, every layer should has its own security mechanism. An IVR with infinite input timeout is as dangerous to service as a less secure SIP extensions password. In any case its a loss to revenue for all the parties involved with the service. Failure to SIP Inbound SBC or REGISTRAR server should be invisible to users.

5- Customizable [Add/remove modules(features) with less pain]
           Keeping point-3 in mind the structure and the programming used should've always interaction points to be used by any other module in the structure. If Point-3 is not ignored then the customization will come easy as cake. Point-1 Provides basic rule of thumb to design the project as to facilitate the extension in code or feature set.

In HostedPBX Context: Adding new features or altering GUI menus must be able to fit easily into the structure. Collect values from anywhere from the system and use it accordingly.

Expected Tools

Keeping my own expertise in mind, what I can tell at the moment which I can do on my own is use the following tools to design the PBX

1- OpenSIPS                                   1- Kamailio
2- FreeRADIUS                               3- FreeSWITCH + SEMS + SylkServer
4- Languages: Perl, Lua, PHP         5- Redis or Cassandra
6- MySQL                                       7- Vyatta
8- DNS(BIND) Server                     9- MediaProxy + RTPproxy

Since I'm strictly not a Web devel so :( unfortunately can't tell how and when it can be developed. Since its a personal project so I dont know if this area will be constructed or not. Wish I'd done some web development courses while I was doing summer semesters in university :D

Initially Expected Features

Most of these are almost the same features I've created before,so this time its just conversion from Asteriks code to FreeSWITCH code but obviously keeping in mind the new development style.

Multi-Domain Clients provisioning             DID provisioning
ACL Manager (for Any Secret IVR Menu/App)            Click to Dial
Call Limits(Minutes/Concurrent Calls)       AutoDialer
Billing for Outbound Calls                            CDRs
Multiple IVR creation                                  Incoming Call Settings
Call Recordings                                            DISA service
Custom SIP Trunk                                        Features Permissions
IM/Chat and Presence

N x N level IVR tree creation [ Using combination of the following applications ]
Time Conditions                                                            Announcements/Play Sounds
Queues                                                                         Follow Me / Call Forwarding
Outbound Caller ID Set[Client's DID or Custom ]         Voicemails
ACL                                                                                Conferences 

Ultimate Ideal to Follow

Though there are so many Hosted/Virtual PBX out on internet, but one of my ideal is one by 2600 Hz - though too much to commit but the feature list should be some what a subset  of this feature list. Also I think this new Kazoo project by 2600 Hz is brilliant and amazing to learn from. On SIP is another beautiful and inspiring source for me.

I can't obviously compare individual myself to the experts and senior team behind the 2600 Hz project or On SIP but atleast I can follow how their wheel looks like and give mine a shape.

Thats all I had in mind for my little home project. Hope to keep up my timelines and come up with something good.

Disclaimer: The primary purpose of this post was to get ideas and suggestions as to what and how should the Hosted/Virtual PBX based on FreeSWITCH should look like. This is my personal attempt and so far no other developer or resource has been added to the pool yet ;)