Hi Guys,
We all know that A2Billing is a great voip billing system for calling cards and sip calling, but many of us face security issues with asterisk and a2billing every now and then the server gets compromised and we loose our hard earned money just like that .. bad haa? No worries here are some suggestions using which you can secure your server and prevent the bad guys to take away your money.
Change default a2billing passwords like admin password ,mysql password,manager password.
After installing a2billing your first step should be changing all default passwords.
1. A2Billing admin password (default password is chnagepassword)
2. Use a secure database password
3. Change default asterisk manager username and password to a secure one. (default username : myasterisk pass: mycode)
Use ssl, redirect all the traffic from http urls to https.
Make sure that the mysql service is not available from out side
Use different ssh port other than port 22
Change the default admin folder name from /a2billing/admin to other secured name
Hackers usually hit and try the default folders on your ip/URL so its always good to change the folder name to some secure name instead of admin like my_s3cureadm3n.
Use ssl, redirect all the traffic from http urls to https.
Its always good to use ssl to secure connection.
Make sure that the mysql service is not available from out side
Make sure that mysql server is only accessible from localhost and is not accessible from any outside ip/domain, otherwise hacker may get into database and steel your important information like card numbers etc.
Use different ssh port other than port 22
Use other than 22 port for ssh as hackers try to brute force on port 22 to get into the server.
Secure your asterisk from brut force using fail2ban
User fail to ban to block ip if someone enters wrong password for more than 3 times.
Secure your web acess and web2call pages using fail2ban.
Allow only selected ips to access the web interfaces. Block Ips if they enter wrong username,password repeatedly.
Add only rates that you got from your termination provider,do not allow calls to expensive area codes.
Its highly recommendable to keep only the destinations which are provided by your termination provided.
The hacker use the stolen account to call on premium number which can cause you huge loss.
Verify customers phone number on signup to prevent fraud.
Verify users phone number on signup so that you have some real information about the users this is very useful in preventing the fraud.
Change the sip port to any port other than 5060
Use sip port other than 5060 to prevent unauthorized entry ,brute force.
Block the asterisk manager port from outside and change the default password
Do not allow anyone to connect form outside of the machine to asterisk server.
Verify paypal payments with the user's paypal email.
I hope the steps above can help you securing your a2billing server and prevent any fraud and losses.If you want I can do the above for you for 500 USD. You can get back to me on vids.cs@gmail.com