Securing external access to my PBX (Apache)

** IMPORTANT:  The server must first be secured with an SSL certificate to encrypt any usernames and passwords across the wire.

Now with SSL inplace you can use Apache’s basic authentication to protect the entire site.

This is all taken from the Apache online documentation:

Caution: Encourage your users to use a different password for your web site than for other more essential things. For example, many people tend to use two passwords – one for all of their extremely important things, such as the login to their desktop computer, and for their bank account, and another for less sensitive things, the compromise of which would be less serious.

To create the password file, use the htpasswd utility that came with Apache. This will be located in the bin directory of wherever you installed Apache. For example, it will probably be located at /usr/local/apache/bin/htpasswd if you installed Apache from source.

To create the file, type:

htpasswd -c /usr/local/apache/passwd/passwords username

htpasswd will ask you for the password, and then ask you to type it again to confirm it:

# htpasswd -c /usr/local/apache/passwd/passwords rbowen
New password: mypassword
Re-type new password: mypassword
Adding password for user rbowen

Note that in the example shown, a password file is being created containing a user called rbowen, and this password file is being placed in the location /usr/local/apache/passwd/passwords. You will substitute the location, and the username, which you want to use to start your password file.

If htpasswd is not in your path, you will have to type the full path to the file to get it to run. That is, in the example above, you would replace htpasswd with /usr/local/apache/bin/htpasswd

The -c flag is used only when you are creating a new file. After the first time, you will omit the -c flag, when you are adding new users to an already-existing password file.

htpasswd /usr/local/apache/passwd/passwords sungo

The example just shown will add a user named sungo to a password file which has already been created earlier. As before, you will be asked for the password at the command line, and then will be asked to confirm the password by typing it again.

Caution: Be very careful when you add new users to an existing password file that you don’t use the -c flag by mistake. Using the -c flag will create a new password file, even if you already have an existing file of that name. That is, it will remove the contents of the file that is there, and replace it with a new file containing only the one username which you were adding.

The password is stored in the password file in encrypted form, so that users on the system will not be able to read the file and immediately determine the passwords of all the users. Nevertheless, you should store the file in as secure a location as possible, with whatever minimum permissions on the file so that the web server itself can read the file. For example, if your server is configured to run as user nobody and group nogroup, then you should set permissions on the file so that only the webserver can read the file and only root can write to it:

chown root.nogroup /usr/local/apache/passwd/passwords
chmod 640 /usr/local/apache/passwd/passwords

On Windows, a similar precaution should be taken, changing the ownership of the password file to the web server user, so that other users cannot read the file.


Set the configuration to use this password file

Once you have created the password file, you need to tell Apache about it, and tell Apache to use this file in order to require user credentials for admission. This configuration is done with the following directives:

AuthType Authentication type being used. In this case, it will be set to Basic
AuthName The authentication realm or name
AuthUserFile The location of the password file
AuthGroupFile The location of the group file, if any
Require The requirement(s) which must be satisfied in order to grant admission

These directives may be placed in a .htaccess file in the particular directory being protected, or may go in the main server configuration file, in a <Directory> section, or other scope container.

The example shown below defines an authentication realm called “By Invitation Only”. The password file located at /usr/local/apache/passwd/passwords will be used to verify the user’s identity. Only users named rbowen or sungo will be granted access, and even then only if they provide a password which matches the password stored in the password file.

AuthType Basic
AuthName "By Invitation Only"
AuthUserFile /usr/local/apache/passwd/passwords
Require user rbowen sungo

The phrase “By Invitation Only” will be displayed in the password pop-up box, where the user will have to type their credentials.

You will need to restart your Apache server in order for the new configuration to take effect, if these directives were put in the main server configuration file. Directives placed in .htaccess files take effect immediately, since .htaccess files are parsed each time files are served.

The next time that you load a file from that directory, you will see the familiar username/password dialog box pop up, requiring that you type the username and password before you are permitted to proceed.

Asterisk and IAX2 “Registration Rejection”

This post describe a problem encountered after setting up a Linux CentOS box along with Asterisk 1.6 and FreePBX 2.6.

After creating an IAX2 extension to connect remote users to I found I would get the message “Registration Rejected”. Suspecting this wasn’t a build problem and definately not a firewall issue since a response had been returned, I eventually found the answer after some searching:

http://blog.loudhush.ro/2010/01/loudhush-compatibility-with-asterisk.html

For details on IAX2 security in newer versions of Asterisk see:
http://svn.digium.com/svn/asterisk/branches/1.4/doc/IAX2-security.pdf

The problem can be fixed by adding an extra configuration settings:

calltokenoptional = 0.0.0.0/0.0.0.0

Reload iax and problem solved.