[App_rpt-users] Server Security

Bryan Fields Bryan at bryanfields.net
Tue Sep 4 17:00:29 UTC 2018


On 9/4/18 12:38 PM, Bryan St Clair wrote:
> For most who don't accept incoming connections on their home network,
> (meaning no opened ports on the router -- Using NAT) you are very secure.

NAT is not security.

Security is not solved by firewalls, or any one thing.  Security is a mindset
and an approach to looking at systems and protecting them from nefarious
operators.

AllStar on the default IAX port appears to be an open PBX, and would be quite
useful for terminating VoIP calls, which can make attackers much money.  By and
large AllStar systems are not interconnected with outbound SIP trunks, and
thus are a poor attack vector for this.

fail2ban can be used not only for ssh, but IAX and SIP too.
> https://lelutin.ca/posts/Blocking_bruteforce_attempts_on_Asterisk_with_fail2ban/

I find blackhole routing works best for these, and I'll set it to 3600 seconds.

There is something to be said for using non-standard ports as this will cut
down on the non-standard scanners.  This only obscures the issue, it's not
true security in and of itself.  Add fail2ban with it and it will block much
of it.

If you're running a bunch of nodes on a single connection, set up a proxy, this
will isolate them onto one device.

A firewall helps you keep only what you want exposed.  It's amazing how fast
stuff can be exploited without a firewall on today's internet.  I personally
had a server I set up and got lazy as it was late at night, "I'll set up the
firewall tomorrow".  Tomorrow turned into 3 days and the server had memcached
on it being used as a packet generator.  Turned my 10 mbit/s 95th usage into 998
mbit/s 95th percentile.

Lesson learned, security is a mindset and starts day one.

Perhaps the best thing you can do is not allow root access and use a good
password.  Using your callsign is not good, using A115tar isn't secure either.
Each user should have their own password, and be enabled to use sudo too.

73's
-- 
Bryan Fields

727-409-1194 - Voice
http://bryanfields.net
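An added example, not part of Bryan's post or of the AllStar project: a fail2ban jail.local that ties together the points above (one jail for SIP and IAX2 registration failures, 3600-second bans, and a blackhole route instead of a firewall rule). The log path, the ports, and the parameters of fail2ban's stock route action are assumptions to check against the installed fail2ban and Asterisk logger.conf.

```ini
# /etc/fail2ban/jail.local  (assumed path; added example, not from the post)

[DEFAULT]
# How long a source stays blackholed: 3600 s, matching the post
bantime  = 3600
# Window and threshold for counting failed registrations (assumed values)
findtime = 600
maxretry = 5

[asterisk]
# fail2ban ships filter.d/asterisk.conf, which matches chan_sip and chan_iax2
# registration failures; Asterisk must log those to this file (logger.conf).
enabled  = true
filter   = asterisk
logpath  = /var/log/asterisk/messages
# 5060/5061 = SIP, 4569 = IAX2 (assumed defaults; change if you moved them)
port     = 5060,5061,4569
protocol = udp
# Blackhole-route the offender rather than adding an iptables rule.
# 'route' is fail2ban's stock action.d/route.conf; blocktype selects
# 'blackhole' instead of its default 'unreachable' (assumed parameter name).
banaction = route[blocktype=blackhole]
```

Check the result with `fail2ban-client status asterisk` and `ip route show type blackhole` after a ban fires.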
