Difference between revisions of "How to be secure using MOR"
Line 21: | Line 21: | ||
== Devices == | == Devices == | ||
# Make sure you carefully understand what [[Device settings]] means. Do not enabled Insecure port + Invite, unless you understand | # Make sure you carefully understand what each [[Device settings | device setting]] means. Do not enabled Insecure port + Invite, unless you understand | ||
what these settings mean! | what these settings mean! | ||
Revision as of 13:02, 15 June 2012
How to be secure using MOR
This guide will give you some hints where you could improve your MOR system security
Passwords
- Never give passwords to people you do not trust
- Use only secure passwords:
- Your passwords must be at least 12 symbols length
- Your passwords must contain letters (a-z)
- Your passwords must contain numbers (0-9)
- Your passwords must contain special characters (!@#$%^&*() and so on..)
- You must use different passwords for all types of services, for example MOR GUI, ROOT, phpmyadmin and stats passwords must be different
- When using SSH - please consider using SSH keys instead of passwords. More information about SSH can be found here.
- Change passwords regularly. Some guides how to do it:
- Change root password
- Change stats password
- MOR GUI password - change it from user details
- Change all default MOR passwords after installation.
Devices
- Make sure you carefully understand what each device setting means. Do not enabled Insecure port + Invite, unless you understand
what these settings mean!
Device passwords
- Always create secure (as stated above) passwords for devices if you want to avoid loss.
Multiple accounts registration
In order to prevent multiple accounts registration from the same user - you can implement an SMS based user verification using MOR API and a technique described here.
MOR good practices
- It is recommended to disable public new user registrations or to be careful with:
- Default user settings - it is common for new users to do these mistakes:
- DO NOT put any initial balance - if you do so you will give money for calling for your new customers for free - such service is often abused and one or more users make a lot of of free account registrations to call for free.
- DO NOT MAKE USER POSTPAID - if you do so with public registrations enabled and you set any credit for that user (it can also be automatically applied from default user settings) - that user will be allowed to call for free and you risk that the unknown customer will not pay you.
- DO NOT GIVE ANY CREDIT in default user settings - if a credit is given and the user is postpaid - he is allowed to call till he reaches this limit. Very dangerous when being used with public user registrations.
- Default user settings - it is common for new users to do these mistakes:
- Do not connect external PBX systems or at least ensure that they ARE SECURE. Please read more about this here, here and here.
- Use Action log feature in MOR to monitor suspicious users actions in MOR system. Keep an eye on Hacking attempt messages here - they indicate that the user is trying to access MOR GUI places/features which are not allowed for him to use. More information about Action log can be found here.
Additional software to increase MOR system security
MOR Monitorings Addon
Monitorings Addon addon will protect your from high money losses. More information about this addon can be found here.
Fail2Ban
Fail2Ban is installed by default in MOR systems and protects these services against brute force attacks:
- SSH
- Asterisk - from registration attacks
- Apache - from scanning bot attacks
More information about Fail2Ban can be found here and here.
Iptables
It is a default Linux firewall and is installed by default in all MOR systems. Although additional configuration is needed in order it would protect you:
- Configure iptables that it would accept connections only to ports required for MOR system to work. More information about these ports can be found here.
- Allow connections to SSH (default TCP Port: 22) only from support.kolmisoft.com and systems you trust.
- If MOR GUI is not required for your business model - you can block access to it too (Default TCP ports: 80/443). Only remember to allow access to it from support.kolmisoft.com and the systems you trust.
Services
- Apache (httpd) - you must use SSL in order you and your users could surf MOR GUI safely. More information about installing SSL can be found here.
- Asterisk - do not connect external PBX systems or at least ensure that they ARE SECURE. Please read more about known insecure PBX systems here, here and here.
- SSH - you can go even further securing the SSH - you can limit the number of allowed SSH connections per minute. For more information please check this guide.
Very advanced techniques for highly technically skilled people
For these techniques Kolmisoft does not provide any support.
- Port knocking (can be used for SSH or GUI access if it is not used publicly). More information about this technique can be found here.
- Intrusion prevention systems: Cisco Suricata
Other information regarding increasing MOR security