Securing Supermon
Securing your node when using the manager remotely
This document was originally written by Tony Morris at GMRSLive.com and posted on the GMRSLive Facebook group. We give thanks to Tony for his hard work.
The Asterisk Manager Interface (AMI, TCP port 5038) used by Supermon is notoriously insecure when it can be reached directly from the Internet, outside your LAN. In most Supermon installations this is not an issue: in manager.conf the bind address is normally bindaddr = 127.0.0.1, which means only processes on that same computer or server can connect. Often, though, a user wants to view and control multiple servers on the LAN from one place. In that case you set bindaddr = 0.0.0.0 so the manager accepts connections from other hosts, and instead of running multiple Supermon browser sessions you integrate all of your servers into one Supermon browser window by listing each server's node, Local_IP_address:5038, user, and password in the allmon.ini file. This is reasonably safe as long as you are NAT'ed behind a router, port 5038 is not forwarded to anything on your LAN, and you trust every host on that LAN, since any of them can now reach the manager.
But what happens when you want to manage a server that is not on your LAN but somewhere out on the Internet? Now you would have to port forward the manager port 5038 to reach it at the remote site. Some would say just change the port, but that is security by obscurity and very poor protection: the port is still open to the world and a port scan will find it. A better way is to use iptables to firewall the port so that only a specific source IP address, yours, is allowed in at the remote end. Source filtering limits who can reach the port; it does not encrypt the manager session itself, so treat it as the minimum, not the whole answer. Here is a sample script that accomplishes this on a GMRSLive system –
#!/bin/bash
# Script to block a port based on IP address
# This script should be run by cron. It detects changes in the remote IP address
# and updates iptables. Run at least once a day or as often as once every 10 minutes,
# depending on how often your IP address is likely to change. Depending on
# your situation BOTH the end you are controlling and your end need to do this and
# you also need to change manager.conf to bindaddr = 0.0.0.0.
# NOTE: the flush below removes ALL existing iptables rules on this machine, not
# just the ones for $PORT. If you already have other firewall rules, add them to
# this script or they will disappear the next time cron runs it.
IPT=/sbin/iptables
PORT=5038 # if you use a different port change this
### Flush any existing rules, preparing to reload...
$IPT -F
$IPT -t nat -F
$IPT -t mangle -F # ignore error here if mangle module isn't loaded
$IPT -X # deletes every non-built-in chain in the table
# Must have localhost:
$IPT -A INPUT -p tcp -s 127.0.0.1 --dport $PORT -j ACCEPT
# Following examples should be uncommented and configured for your application as needed.
# Local LAN - covers every host on the 192.168.1.x network (a /24; a /16 would be all of 192.168.x.x)
#$IPT -A INPUT -p tcp -s 192.168.1.0/24 --dport $PORT -j ACCEPT
# Example A specific machine on your LAN:
# If you were using the all LAN example you would not need this.
#$IPT -A INPUT -p tcp -s 192.168.0.6 --dport $PORT -j ACCEPT
# Example a distant node out on the Internet, found by DNS name. The name is
# looked up again on every run, which is how a changing dynamic address at the
# far end is tracked. The distant node would also need port forwarding and filtering.
# (getent hosts can return an IPv6 address first for a dual-stack name; use
# "getent ahostsv4 somedomain.com | head -n 1" instead if that happens.)
#IP=$(getent hosts somedomain.com | awk '{ print $1 }')
#if [ "$IP" != "" ]; then
# $IPT -A INPUT -p tcp -s "$IP" --dport $PORT -j ACCEPT
#fi
# Another out on the Internet example using the hamvoip dns-query tool
#IP=$(dns-query 417600 | awk -F',' '{print $2}')
#if [ "$IP" != "" ]; then
# $IPT -A INPUT -p tcp -s "$IP" --dport $PORT -j ACCEPT
#fi
# Another Example Using IRLP node lookup from the Internet:
#IP=$(getent hosts stn3787.ip.irlp.net | awk '{ print $1 }')
#if [ "$IP" != "" ]; then
# $IPT -A INPUT -p tcp -s "$IP" --dport $PORT -j ACCEPT
#fi
# Everything not accepted above is dropped, including LAN hosts if no LAN rule was uncommented.
$IPT -A INPUT -p tcp --dport $PORT -j DROP
# Use this statement at the Linux prompt to view results (-n skips slow reverse DNS lookups)
# iptables -L -n
# END SCRIPT
I suggest you cut and paste this script to a file and edit as desired. The filename can be anything you want, but something like block_5038.sh would be descriptive. Then create a cron entry to call it, in root's crontab, since iptables needs root. Here is an example:
*/30 * * * * /etc/asterisk/local/block_5038.sh
This runs the script /etc/asterisk/local/block_5038.sh every 30 minutes. Make sure the script is executable:
chmod 750 block_5038.sh
You can watch the journal to confirm it runs every half hour – journalctl -f
and use – iptables -L -n to view the current rules. Note that iptables rules are not saved across a reboot on their own; the cron job is what restores them, so if the rules are missing run the script by hand once and check that the cron entry is in place.
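The script above does its job, but two of its properties bite in practice: the unconditional flush throws away every other iptables rule on the box (sshd protection, fail2ban, anything), and between the flush and the final DROP the port is briefly open to everyone. The following is an added example, not the original GMRSLive script, that keeps the same idea (re-resolve the allowed names on every cron run) but confines itself to one dedicated chain and is fail-closed during the reload. The chain name AMI_ALLOW, the AMI_ALLOW_SRCS and AMI_PORT variables and the sample addresses are assumptions made for this example; without --apply it only prints the rules it would install.

```shell
#!/bin/bash
# Added example, not the original GMRSLive script. Same goal (only listed
# sources may reach the manager port) but built on a dedicated chain, so that
# a reload neither wipes unrelated firewall rules nor leaves the port open
# while the rules are rebuilt. The chain name AMI_ALLOW, the AMI_ALLOW_SRCS
# and AMI_PORT variables and the sample addresses are assumptions made for
# this example. Without --apply it only prints the rules it would add.
set -u

IPT="${IPT:-/sbin/iptables}"
PORT="${AMI_PORT:-5038}"
CHAIN="AMI_ALLOW"
# Permitted sources: IPv4 literals, CIDR blocks, or hostnames. Hostnames are
# re-resolved on every run, which is what tracks a dynamic address at the far
# end (e.g. stn3787.ip.irlp.net). Sample values; replace with your own.
ALLOW_SRCS="${AMI_ALLOW_SRCS:-127.0.0.1 192.168.1.0/24}"

# Print one IPv4 address or CIDR for an entry, or nothing if it does not
# resolve. Literals pass through untouched; anything else is looked up as a
# name, IPv4 only, so a dual-stack name cannot yield an unusable AAAA record.
resolve_src() {
    case "$1" in
        *[!0-9./]*) getent ahostsv4 "$1" 2>/dev/null | awk 'NR == 1 { print $1 }' ;;
        *)          printf '%s\n' "$1" ;;
    esac
}

# One ACCEPT rule per resolvable source, as iptables arguments, one per line.
# A name that fails to resolve is skipped with a warning: its old address is
# not kept (it may belong to someone else by now) and nothing else is widened.
allow_rules() {
    for src in $ALLOW_SRCS; do
        ip=$(resolve_src "$src")
        if [ -z "$ip" ]; then
            echo "warning: $src did not resolve; not allowed this run" >&2
            continue
        fi
        printf '%s\n' "-A $CHAIN -p tcp -s $ip --dport $PORT -j ACCEPT"
    done
}

# Create the chain and the two INPUT rules once: jump to the chain for the
# port, and DROP right behind it for whatever the chain did not accept.
# -C checks for an existing rule so repeated runs do not stack duplicates.
ensure_scaffold() {
    $IPT -n -L "$CHAIN" >/dev/null 2>&1 || $IPT -N "$CHAIN"
    $IPT -C INPUT -p tcp --dport "$PORT" -j DROP 2>/dev/null ||
        $IPT -I INPUT 1 -p tcp --dport "$PORT" -j DROP
    $IPT -C INPUT -p tcp --dport "$PORT" -j "$CHAIN" 2>/dev/null ||
        $IPT -I INPUT 1 -p tcp --dport "$PORT" -j "$CHAIN"
}

# Replace the chain contents. Only our chain is flushed, and because the DROP
# stays in INPUT the port is closed, never open, between flush and refill.
reload_allow_list() {
    $IPT -F "$CHAIN"
    allow_rules | while read -r rule; do
        # shellcheck disable=SC2086  # intentional word splitting of our own args
        $IPT $rule || echo "failed: $IPT $rule" >&2
    done
}

main() {
    if [ "${1:-}" = "--apply" ]; then
        ensure_scaffold
        reload_allow_list
    else
        echo "dry run (run as root with --apply to install); rules for chain $CHAIN:"
        allow_rules
    fi
}

main "$@"
```

Run it once by hand with --apply as root, then put the same invocation in root's crontab in place of block_5038.sh. Because the chain is created and the INPUT jump and DROP are inserted only when missing, the script is safe to run as often as you like; only the ACCEPT rules inside AMI_ALLOW change from run to run. bindaddr = 0.0.0.0 binds IPv4 only, so no matching ip6tables rules are needed for this port.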