How to secure the vicidial recordings folder path



  Overview:

VICIDIAL is a software suite designed to work with the Asterisk open-source PBX phone system as a complete inbound/outbound contact center suite.
Vicidial records calls using the Asterisk Monitor application and makes the recording download links available through the web server under the /RECORDINGS HTTP path, i.e. https://serverip/RECORDINGS/
By default the /RECORDINGS/ path is open: the page loads without any authentication.


  Options to Protect:

There are four options to protect the /RECORDINGS/ folder.

1. Use an ACL, that is, deny/allow rules restricting access to a particular IP or subnet.

2. Password-protect the folder with .htaccess-style authentication.

3. Disable folder listing, i.e. only allow the full URL including the recording filename.

Example:

https://192.168.12/RECORDINGS/MP3/20210810-190911_122334455_camp_10114-all.mp3

4. Change the folder path of RECORDINGS to some unique name, e.g. ywiyteieisisiksk

Example:

https://192.168.12/ywiyteieisisiksk/RECORDINGS/MP3/20210810-190911_122334455_camp_10114-all.mp3

  1. ACL Method

Using the ACL method you can restrict access to the RECORDINGS folder to specific IP addresses or subnets.

This is done with the Deny and Allow directives in Apache, as shown below. These are Apache 2.2 directives; on Apache 2.4 they work only when mod_access_compat is enabled.

Note: file locations
vicibox         : vi /etc/apache2/conf.d/vicirecord.conf
goautodial      : vi /etc/httpd/conf.d/vicidial_recordings.conf
Scratch install : vi /etc/httpd/conf/httpd.conf

<Directory "/var/spool/asterisk/monitorDONE">
    # Deny everyone first, then allow only the listed addresses and subnets
    Order Deny,Allow
    Deny from all
    Allow from 127.0.0.1 192.168.1.12 10.10.10.0/24
    Options Indexes FollowSymLinks
</Directory>
Alias /RECORDINGS /var/spool/asterisk/monitorDONE
Alias /recordings /var/spool/asterisk/monitorDONE

Restart the httpd service once the edit is done.

systemctl restart httpd

  2. Password Protect with .htaccess

The next option to secure the recordings folder is password authentication, i.e. authenticating every user who accesses the RECORDINGS web folder path.
Follow the steps below to enable password protection on the RECORDINGS folder.

For authentication we can use .htaccess-style Apache Basic authentication with a credentials file created by htpasswd. Basic authentication sends the password with every request, so serve the path over HTTPS.

Step 1: Create a new folder to store the credentials file

mkdir /usr/src/password

Step 2: Create the credentials file

touch /usr/src/password/credentials

Step 3: Use the htpasswd command to create a username and password

htpasswd -B /usr/src/password/credentials admin

New password:
Re-type new password:

Enter your password at both prompts.

Run htpasswd again for other users, e.g. bob

htpasswd -B /usr/src/password/credentials bob

New password:
Re-type new password:

Step 4: Update the vicidial Apache config to use the above credentials.

vi /etc/apache2/conf.d/vicirecord.conf

Add the following lines.

Alias /RECORDINGS/ "/var/spool/asterisk/monitorDONE/"
<Directory "/var/spool/asterisk/monitorDONE">
    Options Indexes MultiViews
    AllowOverride None
    Order allow,deny
    Allow from all
    # Prompt for a username and password from the credentials file
    AuthType Basic
    AuthName "MP3 Team Leader Only"
    AuthUserFile /usr/src/password/credentials
    Require valid-user
    <files *.mp3>
        Forcetype application/forcedownload
    </files>
</Directory>

Step 5: Enable compat mode and restart httpd

a2enmod mod_access_compat
systemctl restart httpd

  3. Disabling Folder Listing

As you may notice, browsing to http://vicidialip/RECORDINGS/
displays all the folders within the recordings folder (MP3, WAV, GSM, ORIG).

Clicking into a folder then displays all of its recordings, and any file can be downloaded.
With folder listing disabled, only users who have the exact link including the filename can access and download a file.
For example:

https://192.168.12/RECORDINGS/MP3/20210810-190911_122334455_camp_10114-all.mp3

Steps to disable folder listing:

vi /etc/apache2/conf.d/vicirecord.conf

Add the line Options -Indexes as shown below.

Alias /RECORDINGS/ "/var/spool/asterisk/monitorDONE/"
<Directory "/var/spool/asterisk/monitorDONE">
        Options -Indexes
        AllowOverride None
        Require all granted
        <files *.mp3>
        Forcetype application/forcedownload
        </files>
        php_admin_value engine Off
</Directory>

Then restart Apache:

systemctl restart httpd

  4. Changing the RECORDINGS Folder Path

Yet another method of securing the RECORDINGS folder is to change the default RECORDINGS path to some unique name known only to the admin, e.g. dhfskskdhdhhshdshdhd.
The admin or a trusted user then accesses the recordings by typing the URL below:
https://192.168.12/dhfskskdhdhhshdshdhd/RECORDINGS/

An attacker or user who requests the default /RECORDINGS path will get an "object not found" response.
The unique name works like a shared secret that appears in every report link, so it is best combined with one of the other options.
Follow the steps below to rename the path.

Step 1: Edit the Apache conf file with the new recordings path

vi /etc/apache2/conf.d/vicirecord.conf

Edit the first line as shown below.

FROM:
Alias /RECORDINGS/ "/var/spool/asterisk/monitorDONE/"
TO:
Alias /dhfskskdhdhhshdshdhd/RECORDINGS/ "/var/spool/asterisk/monitorDONE/"

Step 2: Update Vicidial to use the new path as the download link for recordings in reports.

Go to ADMIN > SERVERS
Edit the settings below:

Recording Web Link: ALT_IP

Alternate Recording Server IP: Serverip/dhfskskdhdhhshdshdhd

Note: enter your server IP or FQDN in place of Serverip.
After changing the above settings, the recording download links in reports and user stats change to the new web path.

  Summary:

Hope you now have the options you need to secure the RECORDINGS folder; choose the one that best suits you. Personally I recommend using iptables, any other firewall, or the built-in ViciBox VB-firewall to better protect the Vicidial servers.
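
An added example, not from the original post: a small Python check that reads a recordings config and reports which of the four options above are not in effect. The function name and finding codes are assumptions made for this example, and it inspects only the text it is given, not .htaccess files or settings inherited from elsewhere in the Apache configuration.

```python
import re

# Constructed samples modelled on the section 1 (ACL) and section 3 (-Indexes) configs.
SAMPLE_ACL = '''
<Directory "/var/spool/asterisk/monitorDONE">
Order Deny,Allow
Deny from all
Allow from 127.0.0.1 192.168.1.12 10.10.10.0/24
Options Indexes FollowSymLinks
</Directory>
Alias /RECORDINGS /var/spool/asterisk/monitorDONE
'''
SAMPLE_LISTING_OFF = '''
Alias /RECORDINGS/ "/var/spool/asterisk/monitorDONE/"
<Directory "/var/spool/asterisk/monitorDONE">
Options -Indexes
Require all granted
</Directory>
'''

def audit_recordings_conf(text, docroot="/var/spool/asterisk/monitorDONE"):
    """Return sorted finding codes for the recordings Alias and <Directory> block."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip() and not ln.strip().startswith("#")]
    block, inside = [], False
    for ln in lines:
        if re.match(r'<Directory\s+"?%s/?"?\s*>' % re.escape(docroot), ln, re.I):
            inside = True
        elif re.match(r"</Directory\s*>", ln, re.I):
            inside = False
        elif inside:
            block.append(ln.lower())
    if not block:
        return ["no-directory-block"]
    findings = set()
    opts = [t for ln in block if ln.startswith("options ") for t in ln.split()[1:]]
    if "indexes" in opts or "+indexes" in opts:
        findings.add("listing-enabled")      # option 3 not applied
    if not any(re.match(r"require\s+(valid-user|user|group)\b", ln) for ln in block):
        findings.add("no-authentication")    # option 2 not applied
    ip_24 = any(re.match(r"require\s+ip\s+\S", ln) for ln in block)   # Apache 2.4 syntax
    ip_22 = "deny from all" in block and any(re.match(r"allow\s+from\s+(?!all\b)\S", ln) for ln in block)
    if not (ip_24 or ip_22):
        findings.add("no-ip-restriction")    # option 1 not applied
    if any(re.match(r"alias\s+/recordings/?\s", ln, re.I) for ln in lines):
        findings.add("default-alias")        # option 4 not applied
    return sorted(findings)

if __name__ == "__main__":
    print(audit_recordings_conf(SAMPLE_ACL), audit_recordings_conf(SAMPLE_LISTING_OFF))
```

On the two samples it shows that the ACL config still allows folder listing for permitted addresses, and that the -Indexes config leaves files open to anyone who has a link.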

