10. Security and Maintenance

Once the sip:provider CE is in production, security and maintenance becomes really important. In this chapter, we’ll go through a set of best practices for any production system.

10.1. Firewalling

The sip:provider CE runs a wide range of services. Some of them need to interact with the user, while some others need to interact with the administrator or with nobody at all. Assuming that we trust the sip:provider CE server for outgoing connections, we’ll focus only on incoming traffic to define the services that need to be open for interaction.

Table 4. Subscribers

ServiceDefault portConfig option

Customer self care interface

443 TCP

www_csc→apache→port

SIP

5060 UDP, TCP

kamailio→lb→port

SIP over TLS

5061 TCP

kamailio→lb→tls→port + kamailio→lb→tls→enable (Disabled by default)

RTP

30000-40000 UDP

rtpproxy→minport + rtpproxy→maxport


Table 5. Administrators

ServiceDefault portConfig option

SSH/SFTP

22 TCP

NA

Administrator interface

1443 TCP

www_admin→apache→port

Provisioning interfaces

2443 TCP

ossbss→apache→port


[Caution]

To function correctly, the mediaproxy requires an additional iptables rule installed. This rule (with a target of MEDIAPROXY) is automatically installed and removed when the mediaproxy starts and stops, so normally you don’t need to worry about it. However, any 3rd party firewall solution can potentially flush out all existing iptables rules before installing its own, which would leave the system without the required MEDIAPROXY rule and this would lead to decreased performance. It is imperative that any 3rd party firewall solution either leaves this rule untouched, or installs it back into place after flushing all rules out. The complete parameters to install this rule (which needs to go into the INPUT chain of the filter table) are: -p udp -j MEDIAPROXY --id 0

10.2. Password management

The sip:provider CE comes with some default passwords the user should change during the deployment of the system. They have been explained in the previous chapters of this document.

  • The default password of the system account cdrexport is cdrexport. Although this is a jailed account, it has access to sensitive information, namely the Call Detail Records of all calls. SSH keys should be used to login this user, or alternatively a really strong password should be generated.
  • The root user in MySQL has no default password. A password should be set using the mysqladmin password command.
  • The administrative web interface has a default user administrator with password administrator. It should be changed within this interface.
[Important]

Many NGCP services use MySQL backend. Users and passwords for these services are created during the installation. These passwords are unique for each installation, and the connections are restricted to localhost. You should not change these users and passwords.

10.3. SSL certificates.

The sip:provider CE provides default, self-signed SSL certificates for SSL connections. These certificates are common for every installation. Before going to production state, the system administrator should provide SSL certificates for the web services. These certificates can either be shared by all web interfaces (provisioning, administrator interface and customer self care interface), or separate ones for each them can be used.

  • Generate the certificates. The customer self care interface certificate should be signed by a certification authority to avoid browser warnings.
  • Upload the certificates to the system
  • Set the path to the new certificates in /etc/ngcp-config/config.yml:

    • ossbssapachesslcertfile and ossbssapachesslcertkeyfile for the provisioning interface.
    • www_adminapachesslcertfile and www_adminapachesslcertkeyfile for the admin interface.
    • www_cscapachesslcertfile and www_cscapachesslcertkeyfile for the customer self care interface.
  • Apply the configuration changes with ngcpcfg apply.

The sip:provider CE also provides the self-signed SSL certificates for SIP over TLS services. The system administrator should replace them with certificates signed by a trusted certificate authority if he is going to enable it for the production usage (kamailiolbtlsenable (disabled by default)).

  • Generate the certificates.
  • Upload the certificates to the system
  • Set the path to the new certificates in /etc/ngcp-config/config.yml:

    • kamailiolbtlssslcertfile and kamailiolbtlssslcertkeyfile .
  • Apply the configuration changes with ngcpcfg apply.

10.4. Backup and recovery

10.4.1. Backup

The sip:provider CE can be integrated with most of the existing backup solutions. While it does not provide any backup system by default, any Debian compatible system can be installed. It’s not the scope of this chapter to go through backup system configuration. We’ll focus on which information needs to be saved.

The minimum set of information to be backed up is:

  • The database information.

This is the most important data in the system. All subscriber information, billing, CDRs, user preferences etc. are stored in the MySQL server. A periodical dump of all the databases should be performed.

  • System configuration options

/etc/ngcp-config/config.yml, /etc/ngcp-config/constants.yml, /etc/mysql/debian.cnf and /etc/mysql/sipwise.cnf files, where your specific system configurations are stored, should be included in the backup as well.

  • Optional: Exported CDRs

The directory /home/jail/home/cdrexport contains the exported CDRs the system has generated so far. It depends on your local call data retention policy whether or not to remove these files after exporting them to an external system.

  • Optional: Custom files

Any custom configurations, like modified templates or additionally implemented services which are not provided by the sip:provider CE

10.4.2. Recovery

In the worst case scenario, when the system needs to be recovered from a total loss, you only need 4 steps to get back online:

  • Install the sip:provider CE as explained in chapter 2.
  • Restore config.yml, constants.yml, debian.cnf and sipwise.cnf from the backup, overwriting your local files.
  • Restore the database dump.
  • Execute ngcpcfg apply.

10.5. Reset database

To reset database to its original state you can use the script provided by CE: * Execute ngcp-reset-db. It will assign new unique password for the NGCP services and restart all services. IMPORTANT: All existing data will be wiped out without possibility of restoring.