Security¶
This page gives an overview of security best practices that should be applied to a Wazo installation. This is not an exhaustive documentation but a starting point that should be read to avoid common security issues.
Most of this page is aimed at servers that are accessible from the Internet.
fail2ban¶
Wazo comes with a pre-configured fail2ban. Fail2ban will block IP addresses that tried and failed to gain access to the server. There are 3 jails that a configured.
asterisk-wazo¶
The asterisk-wazo
jail watches the Asterisk log file for failed registration attempts.
This jail protects against brute force attacks attempting to guess SIP accounts usernames and password.
wazo-provd¶
The wazo-provd
jail will block attempts to create new devices and request for configuration
files.
This jail has two goals:
- limiting DOS attacks by creating new devices repeatedly
- protecting against brute force attacks attempting to guess configuration file names.
See Security for more details.
sshd¶
The sshd
jail protects against SSH brute force attacks.
Firewall¶
Wazo comes with iptables installed but does not configure any security rules. The only interaction Wazo has with iptables are:
- fail2ban
- wazo-upgrade blocks SIP trafic during an upgrade, to avoid SIP phones to become temporarily unusable after the upgrade.
It is highly recommended that you configure firewall rules on your Wazo.
Devices¶
Your devices, phones and VoIP gateways, should not be accessible from the Internet. If you have no choice, then the passwords should be changed. Most phones have two different passwords: admin and user passwords.
Some devices allow Wazo to change the password from the auto provisioning system. To change the
default values, use wazo-provd
endpoint /provd/cfg_mgr/configs
.
For other devices, you need to change the passwords manually.
Open ports¶
See the list of network ports that are listening to 0.0.0.0 in the Network page. Change the service configurations for services that do not need to be accessible.