1. Disable Guest Call
Path: PBX--Advanced Settings--SIP Settings--Advanced Settings--Allow Guest
Note: Allow Guest is disabled by default; please keep it set to “No” for general use.
2. SSH Access Enhancement
2.1 Disable SSH
Path: System--Network Settings--LAN Settings--Enable SSH
If external debugging isn’t required, please select “No”.
Note: SSH access is disabled by default; please keep it set to “No” if not needed.
2.2 Change the Default Password for SSH
We can use the Linux command passwd to change the root password of MyPBX.
Step1. Log in via putty.exe.
Step2. The default username is root and the default password is ys123456.
Step3. Use the passwd command to change root’s password.
You need to enter the new password twice for it to take effect.
3. FTP Access Enhancement
Path: System--Network Preferences--LAN Settings--FTP
If you do not log in to MyPBX via FTP, please select “No” to disable it.
Note: FTP access is disabled by default; please keep it set to “No” if not needed.
4. AMI settings
The Asterisk Manager Interface (AMI) allows a client program to connect to an Asterisk instance and issue commands or read events over a TCP/IP stream. Integrators will find this particularly useful when trying to track the state of a telephony client inside Asterisk, and directing that client based on custom (and possibly dynamic) rules.
For more information, you can refer to this page:
http://www.voip-info.org/wiki/view/Asterisk+manager+API
Note: this feature is disabled by default, and there is generally no need to enable it. If it is enabled, please change the account and configure an IP restriction.
To manage the accounts that can access AMI, configure them directly on the AMI page.
Path: System--Security Settings--AMI Settings.
For example, the AMI account can be:
User name: Developer
Password: Developer
The only IP address that’s allowed to log in is 192.168.1.71.
We can configure it like this:
Save it and apply the changes.
To confirm the details, run the command “cat /etc/asterisk/manager.conf”.
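An added example, not from the original guide or from Yeastar: a Python check to run over the text printed by cat /etc/asterisk/manager.conf, confirming that each AMI account really is restricted by IP. It assumes standard Asterisk manager.conf syntax (enabled, secret, deny, permit); the sample text and the "monitor" account are constructed.

```python
# Constructed sample: "Developer" uses the page's example values, "monitor" is invented.
SAMPLE = """\
[general]
enabled = yes

[Developer]
secret = Developer
deny = 0.0.0.0/0.0.0.0
permit = 192.168.1.71/255.255.255.255

[monitor]
secret = x7!Qp2#vLm9s
"""

DENY_ALL = ("0.0.0.0/0.0.0.0", "0.0.0.0/0")

def parse(text):
    """Return {section: [(key, value), ...]}, keeping repeated keys."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # ';' starts a comment
        if line.startswith("[") and "]" in line:
            current = line[1:line.index("]")]
            sections[current] = []
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current].append((key.strip().lower(), value.strip()))
    return sections

def audit(text):
    """Return {account: [findings]}; empty dict when AMI is not enabled."""
    sections = parse(text)
    general = dict(sections.pop("general", []))
    if general.get("enabled", "no").lower() != "yes":
        return {}
    report = {}
    for user, items in sections.items():
        permits = [v for k, v in items if k == "permit"]
        denies = [v.replace(" ", "") for k, v in items if k == "deny"]
        findings = []
        if dict(items).get("secret", "") in ("", user):
            findings.append("secret is empty or equals the user name")
        if not permits:
            findings.append("no permit line: no IP restriction")
        elif not any(d in DENY_ALL for d in denies):
            # Asterisk ACLs allow by default, so permit alone restricts nothing.
            findings.append("permit without deny of 0.0.0.0/0.0.0.0")
        report[user] = findings
    return report
```

An account with an empty findings list has a non-trivial secret and a deny-all rule followed by at least one permit.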
5. TFTP
MyPBX can work as a TFTP server when using “phone provisioning”, and this feature is enabled by default. If all the phones are well provisioned, you can disable this access to protect the configuration files of MyPBX.
Click “System--Security Center--Service” to disable it directly.
6. Database Grant
MyPBX has integrated MySQL since x.18.0.xx, which makes it convenient for users to manage the CDR and the Recording log. To protect database access, a user name and password must be set up separately before logging in.
No account is configured by default. If you need to connect to the database using third-party software, you need to set one up first.
For example, username: Harry, password: Harry123
Save it and apply the changes.
When logging in using other software, we can check the CDR.
7. Alert settings
After alert settings are enabled, if the device is attacked, the system will notify users of the alert via call or e-mail. The attack modes include IP attack and Web Login.
7.1 IPATTACK
When the system is attacked by some IP addresses, the firewall will add the IP to auto IP Blacklist and notify the user if it matches the protection rule.
Example: configure to notify extension 500, outbound number 5503301 and E-mail alert@yeastar.com.
Note: If there’s an outbound number to notify, the number should fit the dial pattern of the outbound route.
7.2 WEBLOGIN
Entering the password incorrectly five times when logging in to the MyPBX Web interface is deemed an attack; the system will restrict login from that IP for 10 minutes and notify the user.
Example: configure to notify extension 500, outbound number 5503301 and E-mail alert@yeastar.com.