How to secure the vicidial recordings folder path
Securing the vicidial Recordings folder
Overview:
VICIDIAL is a software suite that is designed to interact with the Asterisk Open-Source PBX Phone system to act as a complete inbound/outbound contact center suite.
VICIdial records calls using Asterisk Monitor and makes the recording download links visible through the web portal under the /RECORDINGS HTTP path, i.e. https://serverip/RECORDINGS/
By default the /RECORDINGS/ path is open: the page loads without any authentication.
Options to Protect:
There are four options to protect the /RECORDINGS/ folder.
1. Use an ACL, that is, deny/allow rules restricting access to a particular IP or subnet.
2. Authenticate access to the folder with Linux htaccess.
3. Disable the folder listing, i.e. only allow the full URL with the recording filename.
example
https://192.168.12/RECORDINGS/MP3/20210810-190911_122334455_camp_10114-all.mp3
4. Change the folder path of RECORDINGS to some unique name, e.g. ywiyteieisisiksk
example
https://192.168.12/ywiyteieisisiksk/RECORDINGS/MP3/20210810-190911_122334455_camp_10114-all.mp3
1. ACL Method
Using the ACL method you can restrict access to the RECORDINGS folder to a specific IP address, a list of IP addresses, or subnets.
This is done with the Deny and Allow directives in Apache, as shown below.
vicibox: vi /etc/apache2/conf.d/vicirecord.conf
goautodial: vi /etc/httpd/conf.d/vicidial_recordings.conf
Scratch install: vi /etc/httpd/conf/httpd.conf
<Directory "/var/spool/asterisk/monitorDONE">
Order Deny,Allow
Deny from all
Allow from 127.0.0.1 192.168.1.12 10.10.10.0/24
Options Indexes FollowSymLinks
</Directory>
Alias /RECORDINGS /var/spool/asterisk/monitorDONE
Alias /recordings /var/spool/asterisk/monitorDONE
Restart the httpd service once the necessary edits are done.
systemctl restart httpd
2. Password Protect with .htaccess
The next option to secure the recordings folder is password authentication, i.e. authenticating each user who accesses the RECORDINGS web folder path.
Follow the steps below to enable password protection on the RECORDINGS folder.
For authentication we can use the Linux .htaccess option.
Step 1: Create a new folder to store the credentials file
mkdir /usr/src/password
Step 2: Create a credentials file
touch /usr/src/password/credentials
Step 3: Use the htpasswd command to generate the username and password
htpasswd -B /usr/src/password/credentials admin
New password:
Re-type new password:
htpasswd -B /usr/src/password/credentials bob
vi /etc/apache2/conf.d/vicirecord.conf
Add the following lines.
Alias /RECORDINGS/ "/var/spool/asterisk/monitorDONE/"
<Directory "/var/spool/asterisk/monitorDONE">
Options Indexes MultiViews
AllowOverride None
Order allow,deny
Allow from all
AuthType Basic
AuthName "MP3 Team Leader Only"
AuthUserFile /usr/src/password/credentials
Require valid-user
<files *.mp3>
Forcetype application/forcedownload
</files>
</Directory>
Step 4: Enable compat mode and restart httpd
a2enmod mod_access_compat
systemctl restart httpd
3. Disabling Folder Listing
As you may notice, browsing to http://vicidialip/RECORDINGS/
displays all the folders within the recordings folder (MP3, WAV, GSM, ORIG).
Clicking into the respective folders then displays all the recordings, and any file can be downloaded.
With the folder listing disabled, only users who have the exact link including the filename can access and download a file.
For example:
https://192.168.12/RECORDINGS/MP3/20210810-190911_122334455_camp_10114-all.mp3
Steps to disable the folder listing:
vi /etc/apache2/conf.d/vicirecord.conf
Alias /RECORDINGS/ "/var/spool/asterisk/monitorDONE/"
<Directory "/var/spool/asterisk/monitorDONE">
Options -Indexes
AllowOverride None
Require all granted
<files *.mp3>
Forcetype application/forcedownload
</files>
php_admin_value engine Off
</Directory>
systemctl restart httpd
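Options 1 to 3 can also be combined in a single block. The configuration below is an added example, not taken from the original post; it assumes Apache 2.4 with its native Require directives (so mod_access_compat is not needed) and reuses the IP addresses and credentials file from the steps above.

```apache
# Added example: ACL + password + no listing in one <Directory> block.
# Assumption: Apache 2.4 with mod_authz_core, mod_authz_host,
# mod_authz_user, mod_auth_basic and mod_authn_file loaded.

Alias /RECORDINGS/ "/var/spool/asterisk/monitorDONE/"

<Directory "/var/spool/asterisk/monitorDONE">
    # Option 3: no directory listing; a request for a folder URL returns 403
    Options -Indexes
    # Ignore any .htaccess file that ends up inside the spool directory
    AllowOverride None

    # Option 2: HTTP Basic authentication against the htpasswd file
    AuthType Basic
    AuthName "MP3 Team Leader Only"
    AuthUserFile /usr/src/password/credentials

    # Options 1 and 2 together: the client must come from an allowed
    # address AND present a valid username and password.
    <RequireAll>
        Require ip 127.0.0.1 192.168.1.12 10.10.10.0/24
        Require valid-user
    </RequireAll>

    <Files "*.mp3">
        ForceType application/forcedownload
    </Files>
</Directory>
```

Check the syntax with apachectl configtest before restarting httpd. Basic authentication sends the password with every request, so serve this path over HTTPS only.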
4. Changing the RECORDINGS Folder Path.
https://192.168.12/dhfskskdhdhhshdshdhd/RECORDINGS/
A hacker or user who requests the default /RECORDINGS path will then get an object-not-found response.
Below are the steps to follow for renaming.
Step 1: Edit the Apache conf file with the new recording path
vi /etc/apache2/conf.d/vicirecord.conf
# Old default alias: remove it or comment it out so /RECORDINGS/ no longer resolves
# Alias /RECORDINGS/ "/var/spool/asterisk/monitorDONE/"
Alias /dhfskskdhdhhshdshdhd/RECORDINGS/ "/var/spool/asterisk/monitorDONE/"
Step 2: Update VICIdial to use the new path as the download link for recordings in reports.
Go to ADMIN > SERVERS
Note: enter your server IP or FQDN
After changing the above settings, you will notice that the recording download links in reports and user stats have changed to the new web path.
Hopefully this has given you the options to secure the RECORDINGS folder; choose the option that best suits you. Personally, I recommend using iptables, any other firewall, or the built-in ViciBox VB-firewall to better protect the VICIdial servers.