VICIdial Open-Source Contact Center Suite
VICIdial is an enterprise class, open source, contact center suite in use by many large call centers around the world. VICIdial has a full featured predictive dialer. It is capable of inbound, outbound, and blended phone call handling.
In this blog I will show you a few tips to harden and secure VICIdial.
Note: this list is not exhaustive, but it covers all the security weaknesses I have come across.
If you have found one that is not listed here, kindly post it in the comments.
Major Components of Vicidial Contact Center Suite
Below is the list of the major software components used in a VICIdial setup.
We will look at hardening each component as it relates to VICIdial; for in-depth hardening of each product there are many websites to refer to, such as tecmint.com, geekflare.com and tecadmin.net.
1. Mysql/MariaDB (DATABASE)
MySQL is an open-source relational database management system (RDBMS); MariaDB is a fork of MySQL.
VICIdial uses either MySQL or MariaDB as its database.
Below is the list of security enhancements for the VICIdial database.
1.1 : Vicibox Mysql Root Password.
If you used the Vicibox installer to install VICIdial, you may notice that the default root password of MySQL/MariaDB is empty, i.e. you can log in to MySQL as root without a password.
Although remote root login is disabled, best practice is to set a password.
To set the root password, run mysql_secure_installation, which prompts you to set the password and offers other useful settings such as removing anonymous users and disallowing remote root login.
mysql_secure_installation
Enter current password for root (enter for none):
Change the root password? [Y/n] Y
New password:
Re-enter new password:
Remove anonymous users? [Y/n] Y
Disallow root login remotely? [Y/n] Y
Remove test database and access to it? [Y/n] Y
Reload privilege tables now? [Y/n] Y
1.2: Vicibox Mysql BIND-ADDRESS
If you don't need to access your database from another machine, bind the MySQL service to localhost only: edit the configuration file my.cnf and set bind-address.
By default it is 0.0.0.0, i.e. listening on all interfaces attached to the server.
vi /etc/my.cnf
Under the [mysqld] section set the bind address:
[mysqld]
bind-address = 127.0.0.1
Restart MySQL:
systemctl restart mysqld
Note: this does not apply to a VICIdial cluster setup; in a cluster, bind to a dedicated interface IP that is not reachable from the public network, or use iptables to restrict which IPs can connect.
1.3 : Vicidial Mysql Default Users
The default usernames and passwords used by VICIdial to interact with the database are:
1. cron - password 1234
2. custom - password custom1234
It is best practice to delete these default users and create your own usernames with complex passwords.
Commands to delete the default VICIdial MySQL users:
Log in to MySQL using the root credentials:
mysql -p
mysql>DROP USER 'cron'@'localhost';
mysql>DROP USER 'custom'@'localhost';
Now let's create our own users with complex passwords. For demonstration I used myxyz and customxyz, but I recommend you use your own usernames that are not easy to guess.
Commands to create the new MySQL users:
mysql>CREATE USER 'myxyz'@'localhost' IDENTIFIED BY 'newpassword';
mysql>CREATE USER 'customxyz'@'localhost' IDENTIFIED BY 'newpassword';
Next we need to grant the new users permissions on the database asterisk
(note: asterisk is the default database used by VICIdial).
GRANT SELECT,INSERT,UPDATE,DELETE,LOCK TABLES on asterisk.* TO myxyz@'%' IDENTIFIED BY 'newpassword';
GRANT SELECT,INSERT,UPDATE,DELETE,LOCK TABLES on asterisk.* TO customxyz@'%' IDENTIFIED BY 'newpassword';
GRANT SELECT,INSERT,UPDATE,DELETE,LOCK TABLES on asterisk.* TO myxyz@localhost IDENTIFIED BY 'newpassword';
GRANT SELECT,INSERT,UPDATE,DELETE,LOCK TABLES on asterisk.* TO customxyz@localhost IDENTIFIED BY 'newpassword';
GRANT RELOAD ON *.* TO myxyz@'%';
GRANT RELOAD ON *.* TO myxyz@localhost;
GRANT RELOAD ON *.* TO customxyz@'%';
GRANT RELOAD ON *.* TO customxyz@localhost;
flush privileges;
Finally, update the new MySQL user details in the VICIdial configuration file astguiclient.conf, located in /etc/:
vi /etc/astguiclient.conf
Update the entries below (the passwords must match the ones used in the CREATE USER and GRANT statements above):
VARDB_user => myxyz
VARDB_pass => myxyzpassword
VARDB_custom_user => customxyz
VARDB_custom_pass => customxyzpassword
1.4 : Vicidial Mysql Default User Password
If you don't want to create new users or delete the existing ones as described in 1.3, but only want to change the default users' passwords, follow these steps; otherwise skip to the next section.
MySQL commands to change the passwords of the users cron and custom:
ALTER USER 'cron'@'localhost' IDENTIFIED BY 'newpassword';
ALTER USER 'custom'@'localhost' IDENTIFIED BY 'newpassword';
flush privileges;
Once the passwords are changed, update the VICIdial configuration file astguiclient.conf:
vi /etc/astguiclient.conf
Edit the entries below:
VARDB_pass => new-cron-password
VARDB_custom_pass => new-custom-password
1.5 : Vicidial Mysql Default Database Name - asterisk
The default database name used by VICIdial is "asterisk".
This name is well known and documented in the VICIdial manual, so once an attacker has access to your server and database it is an easy target. It is best practice not to use the default MySQL database name.
Steps to change the default database name:
I personally recommend taking a backup of the current asterisk database and restoring the backup into a newly created database.
Step 1: Back up the asterisk DB
Run the commands below:
cd /usr/src/
mysqldump -p asterisk > asterisk.sql
Step 2: Create the new database, e.g. abcxyzdb
mysql -p
mysql>CREATE DATABASE `abcxyzdb` DEFAULT CHARACTER SET utf8 COLLATE utf8_unicode_ci;
Step 3: Grant the necessary permissions on the new database abcxyzdb to the MySQL users
Note: if you are using the cron/custom users, run the commands below; otherwise replace cron/custom with the usernames you created in MySQL.
GRANT SELECT,INSERT,UPDATE,DELETE,LOCK TABLES on abcxyzdb.* TO cron@'%' IDENTIFIED BY '1234';
GRANT SELECT,INSERT,UPDATE,DELETE,LOCK TABLES on abcxyzdb.* TO custom@'%' IDENTIFIED BY 'custom1234';
GRANT SELECT,INSERT,UPDATE,DELETE,LOCK TABLES on abcxyzdb.* TO cron@localhost IDENTIFIED BY '1234';
GRANT SELECT,INSERT,UPDATE,DELETE,LOCK TABLES on abcxyzdb.* TO custom@localhost IDENTIFIED BY 'custom1234';
flush privileges;
Step 4: Restore the asterisk database backup into the new database.
cd /usr/src/
mysql -p abcxyzdb < asterisk.sql
Step 5: Update the astguiclient.conf file
vi /etc/astguiclient.conf
# Datavase connection information
VARDB_database => abcxyzdb
Step 6: Delete the default database
mysql -p
mysql>DROP DATABASE asterisk;
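As an added example (my own script, not part of the original post or of the VICIdial project), here is a small shell audit for astguiclient.conf that flags the default database settings covered in 1.3 to 1.5: the cron/custom users, their 1234/custom1234 passwords and the asterisk database name. The two configuration files it reads are constructed inline for the demo; on a real server point audit_astguiclient at /etc/astguiclient.conf.

```shell
#!/bin/sh
# Added example, not VICIdial's own code: flag default database settings in
# an astguiclient.conf. Both config files below are constructed for the demo.

DEFAULT_CONF=$(mktemp)   # looks like a fresh Vicibox install
cat > "$DEFAULT_CONF" <<'EOF'
# Datavase connection information
VARDB_server => localhost
VARDB_database => asterisk
VARDB_user => cron
VARDB_pass => 1234
VARDB_custom_user => custom
VARDB_custom_pass => custom1234
VARDB_port => 3306
EOF

HARDENED_CONF=$(mktemp)  # after renaming users and database as in 1.3 / 1.5
cat > "$HARDENED_CONF" <<'EOF'
VARDB_server => localhost
VARDB_database => abcxyzdb
VARDB_user => myxyz
VARDB_pass => Xq7!vR2#pL9mZt4w
VARDB_custom_user => customxyz
VARDB_custom_pass => Hn4@kD8$wB1yQe6s
VARDB_port => 3306
EOF
trap 'rm -f "$DEFAULT_CONF" "$HARDENED_CONF"' EXIT

# conf_value FILE KEY: print the value of a "KEY => value" line (empty if absent)
conf_value() {
    awk -v key="$2" '$1 == key && $2 == "=>" { print $3; exit }' "$1"
}

# audit_astguiclient FILE: print one finding per line for every setting that
# still carries a value documented in the VICIdial manual
audit_astguiclient() {
    file=$1
    [ "$(conf_value "$file" VARDB_database)" = "asterisk" ] &&
        echo "VARDB_database: default database name 'asterisk'"
    [ "$(conf_value "$file" VARDB_user)" = "cron" ] &&
        echo "VARDB_user: default user 'cron'"
    [ "$(conf_value "$file" VARDB_pass)" = "1234" ] &&
        echo "VARDB_pass: default password for VARDB_user"
    [ "$(conf_value "$file" VARDB_custom_user)" = "custom" ] &&
        echo "VARDB_custom_user: default user 'custom'"
    [ "$(conf_value "$file" VARDB_custom_pass)" = "custom1234" ] &&
        echo "VARDB_custom_pass: default password for VARDB_custom_user"
    return 0
}

# count_default_settings FILE: number of findings, so a cron job or a CI
# check can fail whenever it is not zero
count_default_settings() {
    audit_astguiclient "$1" | wc -l | tr -d ' '
}

echo "== default install:"; audit_astguiclient "$DEFAULT_CONF"
echo "== hardened install: $(count_default_settings "$HARDENED_CONF") finding(s)"
```

The default file produces five findings and the hardened one none; the same check is cheap enough to run from cron on every server of a cluster.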
2. Asterisk (Communication software)
Asterisk is an open-source communications platform. You can use Asterisk to build communications applications such as business phone systems (IP PBXs), call distributors, VoIP gateways and conference bridges.
VICIdial uses Asterisk for SIP trunking, for the conference bridges that host agent sessions, for SIP, IAX and WebRTC end-user phones, and for many other features.
Let's see a few tips to secure the Asterisk installed in a VICIdial setup.
2.1- AMI Default Users and Passwords.
VICIdial uses the AMI (Asterisk Manager Interface) to interact with Asterisk for call origination, termination, updates etc., using predefined usernames and passwords.
Anyone who has these credentials can remotely originate or terminate calls or send Asterisk commands.
The recommended best practice is to change these default usernames and update the same in the VICIdial ADMIN > SERVERS settings.
The default AMI usernames are:
1. cron
2. updatecron
3. listencron
4. sendcron
All these users share the password 1234.
Steps to change the default AMI users:
STEP 1: Rename the AMI users in the manager.conf file
vi /etc/asterisk/manager.conf
Rename the default users and change their passwords to something that is not easy to guess.
For demonstration I prefixed all the usernames with myxyz and used the common password 36ay78bh88ch99.
[myxyzcron]
secret = 36ay78bh88ch99
read = system,call,log,verbose,command,agent,user,originate
write = system,call,log,verbose,command,agent,user,originate
[myxyzupdatecron]
secret = 36ay78bh88ch99
read = command,reporting
write = command,reporting
[myxyzlistencron]
secret = 36ay78bh88ch99
read = system,call,log,verbose,command,agent,user,dtmf
write = command
[myxyzsendcron]
secret = 36ay78bh88ch99
read = command
write = system,call,log,verbose,command,agent,user,originate
STEP 2: Update the new AMI users in the VICIdial server settings.
Log in to your VICIdial admin portal and navigate to the server settings:
ADMIN > SERVERS
Update the fields below with the new AMI users and press submit.
(Screenshot: my updated AMI details in SERVERS.)
2.2- AMI BIND ADDRESS
By default the Asterisk manager bind address in a VICIdial setup is 0.0.0.0, which means it listens on all interfaces attached to the server.
If you are using a single-server VICIdial setup, or want to block remote AMI connections, restrict it to localhost or the internal interface IP:
vi /etc/asterisk/manager.conf
bindaddr = 127.0.0.1
Save the file and reload Asterisk:
asterisk -rx "reload"
2.3- AMI ACL Restriction.
By default the AMI users in VICIdial are not restricted to a specific IP or subnet.
If you have restricted the AMI bind address to 127.0.0.1 you can skip this option; if you have a cluster setup, proceed with these steps to restrict the AMI users to a specific IP, a subnet or multiple IPs.
For every AMI user add deny and permit options similar to the examples below.
Restricting to localhost only:
[cron]
secret = 1234
read = system,call,log,verbose,command,agent,user,originate
write = system,call,log,verbose,command,agent,user,originate
deny = 0.0.0.0/0.0.0.0
permit = 127.0.0.1
Restricting to a subnet
[cron]
secret = 1234
read = system,call,log,verbose,command,agent,user,originate
write = system,call,log,verbose,command,agent,user,originate
deny = 0.0.0.0/0.0.0.0
permit = 192.168.1.0/255.255.255.0
Restricting to multiple IPs / subnets:
[cron]
secret = 1234
read = system,call,log,verbose,command,agent,user,originate
write = system,call,log,verbose,command,agent,user,originate
deny = 0.0.0.0/0.0.0.0
permit = 127.0.0.1,10.10.10.10,192.168.1.0/255.255.255.0
2.3- Asterisk Default IAX peers.
By default VICIdial creates three IAX peers, which it uses for blind transfers and monitoring.
The IAX peers are:
1. ASTloop
2. ASTblind
3. ASTplay
Although these IAX peers are protected with a strong password generated during the initial VICIdial installation, they are still open to registration from anywhere, i.e. bound to any IP.
Securing IAX peers:
Option 1: bind address
If you are using a single-server setup and no IAX softphone extensions, restrict the IAX bind address to 127.0.0.1:
vi /etc/asterisk/iax.conf
bindaddr=127.0.0.1
Option 2: ACL - deny/permit
If you are using a cluster setup or any IAX softphone extensions, restrict registration to a particular IP, subnet or list of IPs using the deny and permit options as shown below:
[ASTloop]
accountcode=ASTloop
secret=60JMuzlTg0bksLu
type=friend
requirecalltoken=no
context=default
auth=plaintext
host=dynamic
deny=0.0.0.0/0.0.0.0
permit=127.0.0.1,192.168.0.0/255.255.0.0
Note: these IAX peers are auto-generated by VICIdial scripts; any manual modification will be erased on the next reboot or when running "rebuild conf" in the server settings.
To overcome this, edit ADMIN_keepalive_ALL.pl and add the lines below in the respective place, so that the IAX peers are generated with the deny and permit ACL options.
Note: search for the word ASTloop in the vi editor and add the lines after host=dynamic, as shown below:
vi /usr/share/astguiclient/ADMIN_keepalive_ALL.pl
$Liax .= "\n";
$Liax .= "[ASTloop]\n";
$Liax .= "accountcode=ASTloop\n";
$Liax .= "secret=$self_conf_secret\n";
$Liax .= "type=friend\n";
$Liax .= "requirecalltoken=no\n";
$Liax .= "context=default\n";
$Liax .= "auth=plaintext\n";
$Liax .= "host=dynamic\n";
$Liax .= "deny=0.0.0.0/0.0.0.0\n";
$Liax .= "permit=127.0.0.1,192.168.0.0/255.255.0.0\n";
$Liax .= "disallow=all\n";
$Liax .= "allow=ulaw\n";
if ($conf_qualify =~ /Y/)
{$Liax .= "qualify=yes\n";}
Note: add the same entries for the ASTblind and ASTplay peers in the same file.
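Because the same deny/permit pattern applies to the AMI users in manager.conf (2.3) and to the IAX peers above, here is one added shell example (mine, not VICIdial's or Asterisk's code) that audits either file: it reports a [general] bindaddr of 0.0.0.0, every section that lacks both deny and permit, and any user still using the default secret 1234. The two configuration files are constructed inline for the demo; on a real box run acl_findings /etc/asterisk/manager.conf and acl_findings /etc/asterisk/iax.conf.

```shell
#!/bin/sh
# Added example, not VICIdial's or Asterisk's code: audit Asterisk ini-style
# files (manager.conf, iax.conf) for sections without a deny/permit ACL,
# a [general] bindaddr of 0.0.0.0, and the default secret 1234.
# Both files below are constructed for the demo.

MANAGER_CONF=$(mktemp)
cat > "$MANAGER_CONF" <<'EOF'
[general]
enabled = yes
port = 5038
bindaddr = 0.0.0.0

[cron]
secret = 1234
read = system,call,log,verbose,command,agent,user,originate
write = system,call,log,verbose,command,agent,user,originate

[myxyzupdatecron]
secret = 36ay78bh88ch99
read = command,reporting
write = command,reporting

[myxyzlistencron]
secret = 36ay78bh88ch99
read = system,call,log,verbose,command,agent,user,dtmf
write = command
deny = 0.0.0.0/0.0.0.0
permit = 127.0.0.1
EOF

IAX_CONF=$(mktemp)   # hardened as described in Option 1 and Option 2 above
cat > "$IAX_CONF" <<'EOF'
[general]
bindaddr=127.0.0.1
bindport=4569

[ASTloop]
accountcode=ASTloop
secret=EXAMPLE-SECRET-NOT-REAL
type=friend
host=dynamic
deny=0.0.0.0/0.0.0.0
permit=127.0.0.1,192.168.0.0/255.255.0.0
EOF
trap 'rm -f "$MANAGER_CONF" "$IAX_CONF"' EXIT

# acl_findings FILE: one finding per line (the per-section lines come out in
# awk's hash order, so sort them if you need a stable report)
acl_findings() {
    awk '
    substr($0, 1, 1) == "[" && substr($0, length($0), 1) == "]" {
        sec = substr($0, 2, length($0) - 2); next
    }
    sec == "" || /^[ \t]*[;#]/ || /^[ \t]*$/ { next }   # pre-section, comments, blanks
    {
        eq = index($0, "=")
        if (eq == 0) next
        key = substr($0, 1, eq - 1); gsub(/[ \t]/, "", key)
        val = substr($0, eq + 1);    gsub(/^[ \t]+|[ \t]+$/, "", val)
        if (sec == "general") {
            if (key == "bindaddr" && val == "0.0.0.0")
                print "general: bindaddr 0.0.0.0 listens on every interface"
            next
        }
        seen[sec] = 1
        if (key == "deny")   deny[sec] = 1
        if (key == "permit") permit[sec] = 1
        if (key == "secret" && val == "1234")
            print sec ": default secret 1234"
    }
    END {
        for (s in seen)
            if (!(s in deny) || !(s in permit))
                print s ": no deny/permit ACL, reachable from any source"
    }' "$1"
}

# count_acl_findings FILE: number of findings (0 means nothing left to fix)
count_acl_findings() {
    acl_findings "$1" | wc -l | tr -d ' '
}

echo "== manager.conf:"; acl_findings "$MANAGER_CONF"
echo "== iax.conf: $(count_acl_findings "$IAX_CONF") finding(s)"
```

On the sample manager.conf this reports four findings (the open bindaddr, the cron user's default secret, and cron and myxyzupdatecron without an ACL), while the hardened iax.conf is clean. Since ADMIN_keepalive_ALL.pl rewrites iax.conf, running the audit after each "rebuild conf" is a good way to confirm the Perl edit above survived.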
2.4- Asterisk Default SIP Peers- gs102
By default a VICIdial installation comes with a default SIP peer named gs102, which is marked as the test admin phone.
Although the initial setup of the latest VICIdial installations forces you to set a strong password, it is still an easy guess for an existing SIP peer in the system, so it is better to delete this peer:
ADMIN > PHONES > gs102 > delete this phone
2.5 - Asterisk Securing the SIP Phones with ACL template.
By default the SIP phones created in VICIdial have the default SIP settings, such as host=dynamic, without any ACL restriction and with no call-limit.
It is better to create SIP phones with a proper ACL and other SIP security settings such as call-limit.
Additional SIP settings can be applied by creating a SIP template in VICIdial with the settings below and attaching it to the phones created in VICIdial:
ADMIN > Templates
type=friend
disallow=all
allow=ulaw,g729
deny=0.0.0.0/0.0.0.0
permit=192.168.0.0/255.255.0.0,10.10.0.0/255.255.0.0
call-limit=1
Note: Always use STRONG Registration Password.
3. APACHE (Webserver)
Apache HTTP Server is a free and open-source web server that delivers web content over the internet. It is commonly referred to as Apache and, soon after its development, it became the most popular web server on the web.
VICIdial uses Apache as its web server to deliver its web content, that is, the VICIdial admin and agent portals.
In this blog I am going to list a few hardening steps specific to VICIdial; there are many blogs on the internet covering complete Apache hardening.
Ref: link1
3.1: Disabling the Directory listing
By default Apache lists all the contents of a directory under the document root when there is no index file.
As you may notice by browsing the VICIdial web folders, you can see all the folders and files within the vicidial and agc web folders, as shown below:
https://vicidial_ip/vicidial/ or
https://vicidial_ip/agc/
In both folders you might notice a file named "project_auth_entries.txt"; by opening this file you can see all the failed logins, with the IP addresses of both local and public clients.
Also, the file vicidial_auth_entries.txt under the agc folder lists the successful user logins. This gives an attacker a hint of the usernames used on the VICIdial server, so these login-attempt logs should be stopped as well.
Below are the steps to disable the directory listing and to stop the login-attempt logs being written to files under the web folders.
Steps to disable the directory listing:
We can turn off directory listing by using the Options directive (-Indexes) in the Apache configuration file.
If you are using Vicibox, follow the steps below:
cd /etc/apache2/conf.d/
Open these two files, search for Options and update it with the value below:
vi 1111-default-ssl.conf
and
vi 1111-default.conf
Options -Indexes +FollowSymlinks
Note: for a scratch install on CentOS, edit the file httpd.conf under /etc/httpd/conf/ instead.
Save the file and restart apache2 or httpd:
systemctl restart apache2
After that, access the web folders vicidial and agc again; you should get permission denied, as shown below.
Disabling the directory listing for the RECORDINGS folder of VICIdial
For Vicibox:
cd /etc/apache2/conf.d/
vi vicirecord.conf
Replace the line below
Options Indexes Multiview
with
Options -Indexes +FollowSymLinks
Save and restart Apache:
systemctl restart apache2
or
systemctl restart httpd
3.2 Steps to disable the logging of login details
that is, project_auth_entries.txt and vicidial_auth_entries.txt
Step 1: Log in to your VICIdial admin portal
http://fqdn/vicidial/admin.php
Step 2: Navigate to ADMIN > SYSTEM SETTINGS
Step 3: Disable Webroot Writable, i.e. set it to 0
Step 4: Submit
This disables the logging of failed and successful login attempts to files under the web folders.
3.3 -- Vicidial web Path Default Names
By default the web paths for the VICIdial admin, agent and recording portals are:
http://FQDN/vicidial/
http://FQDN/agc/
http://FQDN/RECORDINGS/
These paths are the default names and well known to attackers.
As a best practice, change the path, either by prepending a folder or by changing the entire name.
Example:
http://FQDN/abcxyz/vicidial/admin.php
http://FQDN/abcxyz/agc/vicidial.php
http://FQDN/abcxyz/RECORDINGS/
Note: abcxyz is just an example; use a strong name (e.g. ieikdwjdjsj) and share it with the users who need access.
STEPS:For Vicibox
cd /srv/www/htdocs/
mkdir abcxyz
mv vicidial abcxyz
mv agc abcxyz
mv chat_customer abcxyz
rm -rf index.html
Note: for a scratch installation the document root might be /var/www/html instead.
Now you can access your VICIdial portal by browsing to the new path:
http://FQDN/abcxyz/vicidial/admin.php
http://FQDN/abcxyz/agc/vicidial.php
3.4 :PHPMYADMIN
If you installed Vicibox with phpMyAdmin you are at risk, as by default the phpMyAdmin portal is open to the public and authenticates with the default MySQL credentials.
Best practice is to uninstall phpMyAdmin, or to use an ACL to restrict it to specific IP addresses.
Steps for the ACL:
cd /etc/apache2/conf.d/
cp phpMyAdmin.conf.rpmsave phpMyAdmin.conf
vi phpMyAdmin.conf
Add a Require directive with the allowed address, e.g.:
Require ip 11.12.13.14
Save the file and restart Apache.
Note: by default the 192.168.0.0/16, 10.0.0.0/8 and 172.16.0.0/12 subnets are already in the allow list.
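As an added example covering 3.1 and 3.4 (my own script, not code from the post or from Vicibox), this shell audit scans Apache config snippets for an Options line that still enables Indexes and, in a phpMyAdmin config, a "Require all granted" that leaves the portal open to every client. The three files under the temporary directory are constructed for the demo; on Vicibox you would run it against /etc/apache2/conf.d/*.conf.

```shell
#!/bin/sh
# Added example, not part of the post or of Vicibox: find directory listing
# ("Options ... Indexes") and a world-open phpMyAdmin ("Require all granted")
# in Apache config snippets.  The three config files are constructed for the demo.

CONF_DIR=$(mktemp -d)
trap 'rm -rf "$CONF_DIR"' EXIT
cat > "$CONF_DIR/1111-default.conf" <<'EOF'
<Directory "/srv/www/htdocs">
    Options -Indexes +FollowSymlinks
    AllowOverride None
    Require all granted
</Directory>
EOF
cat > "$CONF_DIR/vicirecord.conf" <<'EOF'
Alias /RECORDINGS/ "/var/spool/asterisk/monitorDONE/"
<Directory "/var/spool/asterisk/monitorDONE">
    Options Indexes Multiview
    Require all granted
</Directory>
EOF
cat > "$CONF_DIR/phpMyAdmin.conf" <<'EOF'
Alias /phpMyAdmin /srv/www/htdocs/phpMyAdmin
<Directory "/srv/www/htdocs/phpMyAdmin">
    AllowOverride None
    Require all granted
</Directory>
EOF

# listing_findings FILE...: report every "Options" line that turns Indexes on
# (plain "Indexes" or "+Indexes"; "-Indexes" is the fix) and, only in a
# phpMyAdmin config, a "Require all granted".  "Require all granted" on the
# document root itself is normal, which is why the check is file-specific.
listing_findings() {
    awk '
    /^[ \t]*#/ { next }
    tolower($1) == "options" {
        for (i = 2; i <= NF; i++)
            if ($i ~ /^[+]?Indexes$/)
                print FILENAME ":" FNR ": directory listing enabled (" $i ")"
    }
    tolower($1) == "require" && tolower($2 " " $3) == "all granted" &&
    tolower(FILENAME) ~ /phpmyadmin/ {
        print FILENAME ":" FNR ": phpMyAdmin open to all clients; use Require ip <admin-ip>"
    }' "$@"
}

# count_listing_findings FILE...: number of findings across all files given
count_listing_findings() {
    listing_findings "$@" | wc -l | tr -d ' '
}

listing_findings "$CONF_DIR"/*.conf
```

On the sample files the recordings snippet and the phpMyAdmin snippet are each reported once, and the already-fixed 1111-default.conf is silent.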
4. Vicidial - Astguiclient
VICIdial is an enterprise-class, open-source contact center suite in use by many large call centers around the world.
With respect to VICIdial itself, below is the list of security concerns to be addressed.
4.1 Default Admin User 6666
By default VICIdial comes with the admin username 6666, which is a well-known username.
As a best practice, create a new admin user with a strong password and delete the 6666 user.
4.2:Default Users
By default VICIdial creates the users below:
VDCL
VDAD
Although these users are inactive, they use the password donotedit.
As a best practice, change this to a strong password.
VICIdial has included two-factor authentication for admin portal access; I will soon post a step-by-step guide here.
4.4: Auto-deactivate inactive users.
VICIdial has an inbuilt container setting to deactivate users who have been inactive for N days.
4.6:Password Stuff.
Enable the settings below and set strong passwords:
ADMIN > SYSTEM SETTINGS
User Password Minimum Length
Default Phone Registration Password
Default Phone Login Password
Default Server Password
4.7:Vicidial user level
Make use of the user levels in VICIdial and assign levels according to each user's role:
Level 1-6 - Agents/Closers/Remote Agents
Level 7 - Reports view-only user
Level 8 - ADMIN - cannot edit level 9 users
Level 9 - Super ADMIN
Also use the options:
Modify Same User Level
Alter Admin Interface Options
4.8:Agent Screen Logout Link Credentials
By default in VICIdial, the agent credentials are included in the URL and saved in the browser history when the agent presses logout, as shown below:
https://192.168.29.99/agc/vicidial.php?relogin=YES&session_epoch=1642271230&session_id=8600051&session_name=1642271228_100117849463&VD_login=1001&VD_campaign=TEST&phone_login=1001&phone_pass=1001&VD_pass=1001&LOGINvarONE=&LOGINvarTWO=&LOGINvarTHREE=&LOGINvarFOUR=&LOGINvarFIVE=&hide_relogin_fields=
To avoid this, set the Agent Screen Logout Link Credentials option to 0:
Go to ADMIN > SYSTEM SETTINGS and search for
Agent Screen Logout Link Credentials - set this to 0
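As an added example (my own script, not the post's), the shell audit below scans an Apache access log for those logout/relogin URLs: a URL that carries VD_pass or phone_pass values ends up not only in the browser history but in any proxy on the path and in the server's own access log, so finding such requests confirms whether the setting is really 0 on that server. The log lines are constructed with private addresses and dummy credentials, and the report names the offending parameters without repeating their values.

```shell
#!/bin/sh
# Added example, not VICIdial's code: detect agent relogin URLs that carry
# password parameters in an Apache access log.  The log lines below are
# constructed for the demo (private addresses, dummy credentials).

ACCESS_LOG=$(mktemp)
trap 'rm -f "$ACCESS_LOG"' EXIT
cat > "$ACCESS_LOG" <<'EOF'
192.168.29.50 - - [15/Jan/2022:18:27:10 +0000] "GET /agc/vicidial.php?relogin=YES&session_id=8600051&VD_login=1001&VD_campaign=TEST&phone_login=1001&phone_pass=1001&VD_pass=1001 HTTP/1.1" 200 51234
192.168.29.51 - - [15/Jan/2022:18:27:12 +0000] "GET /agc/vicidial.php HTTP/1.1" 200 9876
192.168.29.52 - - [15/Jan/2022:18:27:15 +0000] "POST /vicidial/admin.php HTTP/1.1" 200 20480
192.168.29.53 - - [15/Jan/2022:18:27:20 +0000] "GET /agc/vicidial.php?relogin=YES&VD_login=1002&VD_campaign=TEST&phone_login=1002&phone_pass=&VD_pass= HTTP/1.1" 200 51234
192.168.29.54 - - [15/Jan/2022:18:27:25 +0000] "GET /agc/vicidial.php?relogin=YES&VD_login=1003&phone_pass=s3cret HTTP/1.1" 200 51234
EOF

# leaked_credential_requests LOG: print "client path param[,param]" for each
# request whose query string carries a non-empty VD_pass or phone_pass.
# Empty values (the 4th line) are what the portal sends once the option is 0,
# so they are not reported.  The secret itself is never printed.
leaked_credential_requests() {
    awk '
    $6 ~ /^"(GET|POST)$/ && $7 ~ /[?&](VD_pass|phone_pass)=[^&]/ {
        n = split($7, part, /[?&]/)
        names = ""
        for (i = 2; i <= n; i++) {
            eq = index(part[i], "=")
            if (eq == 0) continue
            key = substr(part[i], 1, eq - 1)
            val = substr(part[i], eq + 1)
            if ((key == "VD_pass" || key == "phone_pass") && val != "")
                names = names (names == "" ? "" : ",") key
        }
        print $1 " " part[1] " " names
    }' "$1"
}

# count_leaked_credential_requests LOG: number of such requests (0 = clean)
count_leaked_credential_requests() {
    leaked_credential_requests "$1" | wc -l | tr -d ' '
}

leaked_credential_requests "$ACCESS_LOG"
```

On the constructed log two requests are reported (clients .50 and .54); the request with empty password fields is not. Rotated access logs that already contain such URLs should be treated as containing credentials and cleaned up accordingly.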
5.Linux - OS
VICIdial supports most Linux distributions, such as CentOS, Ubuntu, Rocky and openSUSE.
With respect to VICIdial operations, the major OS-level security concern is SSH access, which is open to the public and needed to access the dialer for daily operations.
SSH: below are a few tips to secure SSH access.
1. Change the default port 22 to something else, e.g. 2222 or 23232.
Although changing the port will not stop attacks, it will reduce them.
2. Apart from root, create additional users with strong passwords, disable root login via SSH, and use sudo or su to obtain root permissions on the dialer.
To disable root login via SSH, edit the sshd_config file and set the line below:
PermitRootLogin no
3. Use a firewall: iptables or the Vicibox dynamic portal.
Use iptables to allow and deny the IPs and ports that need to access the server.
Major Ports used in vicidial
5060(UDP) - SIP Protocol
4569(UDP) - IAX Protocol
5038(TCP) - AMI
1000-20000(UDP) - RTP Ports
8089(TCP) - webphone
80/443(TCP) - HTTP
5060(TCP) - mysql/mariadb
22(TCP) - SSH
Sample Iptables
iptables -A INPUT -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -s 11.11.11.11 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p all -j DROP
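As an added example (my own script, not the post's rule set), the shell script below extends the sample above into a per-service allowlist: SSH and the web portals only from constructed admin addresses, SIP and RTP only from a constructed carrier address and the agent LAN, and an explicit DROP at the end. All addresses and the RTP range are placeholders you would replace with your own; the rules are only printed unless APPLY=1 is set, so the set can be reviewed first.

```shell
#!/bin/sh
# Added example, not part of the post: build an INPUT chain for a single-server
# VICIdial host that allows each service only from the sources that need it.
# Every address here is a constructed placeholder.  Rules are printed unless
# APPLY=1 is set, so the set can be reviewed before it touches the firewall.

ADMIN_IPS="11.11.11.11 11.11.11.12"   # constructed: admin / office addresses
CARRIER_IPS="22.22.22.22"             # constructed: SIP trunk provider
AGENT_NET="192.168.29.0/24"           # constructed: agent LAN (web, SIP, RTP)
SSH_PORT=22                           # change together with Port in sshd_config
RTP_PORTS="10000:20000"               # must match rtpstart/rtpend in rtp.conf

# rule ARGS...: run iptables when APPLY=1, otherwise echo the command
rule() {
    if [ "${APPLY:-0}" = 1 ]; then
        iptables "$@"
    else
        echo "iptables $*"
    fi
}

build_input_rules() {
    rule -A INPUT -i lo -j ACCEPT
    rule -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # administrators: SSH plus the admin portal over HTTP/HTTPS
    for ip in $ADMIN_IPS; do
        rule -A INPUT -s "$ip" -p tcp --dport "$SSH_PORT" -j ACCEPT
        rule -A INPUT -s "$ip" -p tcp -m multiport --dports 80,443 -j ACCEPT
    done
    # carrier: SIP signalling and RTP media only
    for ip in $CARRIER_IPS; do
        rule -A INPUT -s "$ip" -p udp --dport 5060 -j ACCEPT
        rule -A INPUT -s "$ip" -p udp --dport "$RTP_PORTS" -j ACCEPT
    done
    # agents: web portals, webphone socket, SIP/IAX registration and media
    rule -A INPUT -s "$AGENT_NET" -p tcp -m multiport --dports 80,443,8089 -j ACCEPT
    rule -A INPUT -s "$AGENT_NET" -p udp -m multiport --dports 5060,4569 -j ACCEPT
    rule -A INPUT -s "$AGENT_NET" -p udp --dport "$RTP_PORTS" -j ACCEPT
    # nothing opens AMI or MySQL from outside: both stay bound to 127.0.0.1
    # (sections 1.2 and 2.2), and everything else is dropped
    rule -A INPUT -j DROP
}

build_input_rules
```

The generated set ends with the DROP, opens the SSH port only to the two admin addresses, and never mentions the AMI or database ports. With APPLY=1 the same function applies the rules; flush the INPUT chain first if you are replacing an existing set.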