Project

General

Profile

Security

Besip security is a combination of several applications and methods. First of all, we change default settings of OpenWRT built-in firewall. Because there are no need to remove UCI firewall, we used it for some security rules, so they still can be changed from LUCI interface or CLI. Configuration file for these firewall rules is located in file /etc/config/firewall.

SSH

By default, SSH listens for connections on port 22. There are two versions of SSH protocol, but for security reasons only protocol 2 is used. Instead of using login names and passwords for SSH authentication, you can use public keys for authentication. Both keys are generated using ssh-keygen command. (length can be set with b param)

ssh-keygen -t rsa -b 2048

This command create 2 keys - public and private. Public key must be uploaded to besip and added to authorized keys for ssh which are located inside file /root/.ssh/authorized_keys. For a ssh connection to besip use command:

ssh -l root - i <path_to_private_key> <IP_address>

Another ssh settings is in config file XXX, but it is not needed to edit this file.

SSI (Snort, SnortSam, Iptables)

Because Besip is considered as a simple PBX, main task is to handle VoIP calls. Securing a VoIP server against attacks is another security goal. All traffic between besip and network is checked by intrusion prevention system (IPS). This IPS is based on open-source application Snort, which servers as IDS. For reaching IPS funcionality, Snortsam application is used. Snortsam can send new rules to iptables (or to cisco ACL, juniper, ASA) based on Snort alerts. With this funclionality, besip can block malicious traffic with built-in iptables firewall. It's also possible to configure SnortSam to communicate with another agents and block traffic on different firewalls. Each blocking rule is automatically deactivated after some time, so whole system can effectively block malicious traffic and recover after attack stop (or in case of false positive alerts).

Security administrator should set an e-mail which is used for sending information about blocked attacks.

Startup script

All security starts during system boot, but only when interface eth0 has assigned an ip address. Without properly configured interface, there is no way to securing the server. When interface has assigned it's ip address (for instance through DHCP), security automatically start. You can manually stop whole security using command

/etc/init.d/besipSecurity stop

and then started using similar command with start param. This command stop/start firewall. Disabling besipSecurity from Luci interface won't affect firewall start while booting.