How to Secure the vicidial RECORDINGS folder
Overview:
VICIDIAL is a software suite that is designed to interact with the Asterisk Open-Source PBX Phone system to act as a complete inbound/outbound contact center suite.
VICIdial records calls using Asterisk Monitor and makes the recording download links available through the web portal under the /RECORDINGS HTTP path, i.e. https://serverip/RECORDINGS/
By default the /RECORDINGS/ path is open, i.e. the page loads without any authentication.
Options to Protect:
There are four options to protect the /RECORDINGS/ folder.
1. Using an ACL, that is, deny/allow rules restricting access to a particular IP or subnet
2. Authenticating the folder with Linux htaccess
3. Disabling the folder listing, i.e. only allowing the full URL with the recording filename.
eg: https://192.168.12/RECORDINGS/MP3/20210810-190911_122334455_camp_10114-all.mp3
4. Changing the folder path of RECORDINGS to some unique name, eg: ywiyteieisisiksk
eg: https://192.168.12/ywiyteieisisiksk/RECORDINGS/MP3/20210810-190911_122334455_camp_10114-all.mp3
1. ACL Method
Using the ACL method you can restrict access to the RECORDINGS folder to specific IP addresses, subnets, or a list of IP addresses.
This is done with the Deny and Allow directives in Apache, as shown below.
Note: file locations
vicibox : vi /etc/apache2/conf.d/vicirecord.conf
goautodial : vi /etc/httpd/conf.d/vicidial_recordings.conf
Scratch install: vi /etc/httpd/conf/httpd.conf
<Directory "/var/spool/asterisk/monitorDONE">
Order Deny,Allow
Deny from all
Allow from 127.0.0.1 192.168.1.12 10.10.10.0/24
Options Indexes FollowSymLinks
</Directory>
Alias /RECORDINGS /var/spool/asterisk/monitorDONE
Alias /recordings /var/spool/asterisk/monitorDONE
Restart the httpd service once the necessary edits are done.
systemctl restart httpd
2. Password Protect with .htaccess
The next option to secure the Recordings folder is password authentication, i.e. authenticating the user who accesses the RECORDINGS web folder path.
For authentication we can use the Linux .htaccess option.
Follow the steps below to enable password protection for the RECORDINGS folder.
Step 1: Create a New folder to store the credentials file
mkdir /usr/src/password
Step 2 : Create a credentials file
touch /usr/src/password/credentials
Step 3: using htpasswd command to generate username and password
htpasswd -B /usr/src/password/credentials admin
New password:
Re-type new password:
Enter your password.
Run htpasswd again for other users, eg bob
htpasswd -B /usr/src/password/credentials bob
New password:
Re-type new password:
Step 4: Update the Vicidial Apache config to use the above credentials.
vi /etc/apache2/conf.d/vicirecord.conf
Add the following lines.
Alias /RECORDINGS/ "/var/spool/asterisk/monitorDONE/"
<Directory "/var/spool/asterisk/monitorDONE">
Options Indexes MultiViews
AllowOverride None
Order allow,deny
Allow from all
AuthType Basic
AuthName "MP3 Team Leader Only"
AuthUserFile /usr/src/password/credentials
Require valid-user
<files *.mp3>
Forcetype application/forcedownload
</files>
</Directory>
Step 5: Enable the compat module and restart httpd
a2enmod mod_access_compat
systemctl restart httpd
3. Disabling Folder Listing
As you may notice, browsing http://vicidialip/RECORDINGS/ displays all the folders within the Recordings folder (MP3, WAV, GSM, ORIG).
Clicking into the respective folders displays all the recordings, and any file can be downloaded.
With the folder listing disabled, only users who have the exact link with the filename can access and download the file.
for eg:
https://192.168.12/RECORDINGS/MP3/20210810-190911_122334455_camp_10114-all.mp3
Steps to disable the folder listing:
vi /etc/apache2/conf.d/vicirecord.conf
Add the line Options -Indexes as shown in the configuration below.
Then restart Apache:
systemctl restart httpd
Alias /RECORDINGS/ "/var/spool/asterisk/monitorDONE/"
<Directory "/var/spool/asterisk/monitorDONE">
Options -Indexes
AllowOverride None
Require all granted
<files *.mp3>
Forcetype application/forcedownload
</files>
php_admin_value engine Off
</Directory>
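To check which of options 1 to 3 a given config actually applies, the following added example (not part of the original article or of VICIdial) reads an Apache config and reports whether the monitorDONE directory still allows listing or lacks any IP or password restriction. The function name, the finding labels and both sample configs are constructed for illustration.

```shell
# Added example (not from the article): audit the monitorDONE <Directory> block.
# Textual heuristic; usage: audit_recordings_conf FILE (or pipe a config on stdin)
audit_recordings_conf() {
    awk '
    { line = tolower($0); sub(/^[ \t]+/, "", line) }
    line ~ /^#/ { next }
    line ~ /^<directory/ && index(line, "/var/spool/asterisk/monitordone") { inblk = seen = 1; next }
    inblk && line ~ /^<\/directory>/ { inblk = 0; next }
    !inblk { next }
    line ~ /^options[ \t]/ {
        # "Indexes" or "+Indexes" enables listing; "-Indexes" disables it
        n = split(line, w, /[ \t]+/)
        for (i = 2; i <= n; i++)
            if (w[i] == "indexes" || w[i] == "+indexes") listing = 1
    }
    # An IP ACL (option 1) or a password (option 2) counts as access control
    line ~ /^deny[ \t]+from[ \t]+all/ { restricted = 1 }
    line ~ /^require[ \t]+(ip|valid-user|user|group)([ \t]|$)/ { restricted = 1 }
    END {
        if (!seen)       { print "NO_DIRECTORY_BLOCK"; exit }
        if (listing)     print "LISTING_ENABLED"
        if (!restricted) print "NO_ACCESS_CONTROL"
        if (!listing && restricted) print "OK"
    }' "$@"
}

# Constructed sample: open folder with listing on
sample_open() {
    cat <<'EOF'
<Directory "/var/spool/asterisk/monitorDONE">
    Options Indexes MultiViews
    Require all granted
</Directory>
EOF
}

# Constructed sample: options 2 and 3 from this page combined
sample_hardened() {
    cat <<'EOF'
<Directory "/var/spool/asterisk/monitorDONE">
    Options -Indexes
    AuthType Basic
    AuthUserFile /usr/src/password/credentials
    Require valid-user
</Directory>
EOF
}

sample_open | audit_recordings_conf      # prints both findings
sample_hardened | audit_recordings_conf  # prints OK
```

Run against the option 1 and option 2 configs as printed on this page, it reports LISTING_ENABLED only: both restrict who can connect but keep Options Indexes, so permitted clients can still browse every recording.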
4. Changing the RECORDINGS Folder Path
Yet another method of securing the RECORDINGS folder is to change the default RECORDINGS path to some unique name known only to the admin, eg: dhfskskdhdhhshdshdhd.
The admin or trusted user then accesses the recordings by typing the URL below:
https://192.168.12/dhfskskdhdhhshdshdhd/RECORDINGS/
A hacker or user who accesses the default /RECORDINGS path will get an object not found response.
Below are the steps to follow for renaming.
Step 1: Edit the Apache conf file with New Recording path
vi /etc/apache2/conf.d/vicirecord.conf
Edit the first line as shown below.
FROM:
Alias /RECORDINGS/ "/var/spool/asterisk/monitorDONE/"
TO:
Alias /dhfskskdhdhhshdshdhd/RECORDINGS/ "/var/spool/asterisk/monitorDONE/"
Step 2: Update Vicidial to use the new path as the download link for recordings in reports.
Go to ADMIN > SERVERS
Edit the settings below
Recording Web Link: ALT_IP
Alternate Recording Server IP: Serverip/dhfskskdhdhhshdshdhd
Note: enter your server IP or FQDN
After changing the above settings, you will notice that the recording download links in reports and user stats have changed to the new web path.
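The renamed path only helps if it cannot be guessed, and the Alias line and the Alternate Recording Server IP setting must carry the same value. As an added example (not from the original article), the functions below draw the path token from /dev/urandom and print both settings from it; the function names and the host 192.0.2.10 are assumptions.

```shell
# Added example (not from the article): derive both option 4 settings
# from one random path token so they always match.

# gen_token: 32 lowercase hex characters (128 bits) from the kernel CSPRNG
gen_token() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# recordings_settings HOST TOKEN: print the Apache Alias line and the value
# to enter under ADMIN > SERVERS > Alternate Recording Server IP
recordings_settings() {
    host=$1 token=$2
    # Reject hand-typed or short tokens
    case $token in
        *[!0-9a-f]*|'') echo "token must be lowercase hex" >&2; return 1 ;;
    esac
    [ "${#token}" -ge 32 ] || { echo "token shorter than 32 hex chars" >&2; return 1; }
    printf 'Alias /%s/RECORDINGS/ "/var/spool/asterisk/monitorDONE/"\n' "$token"
    printf 'Alternate Recording Server IP: %s/%s\n' "$host" "$token"
}

# 192.0.2.10 is a placeholder host; use your server IP or FQDN
recordings_settings 192.0.2.10 "$(gen_token)"
```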
Summary:
Hope you have found the options to secure the RECORDINGS folder; choose the one which best suits you. Personally I recommend using iptables, any firewall, or the built-in vicibox VB-firewall to better protect the Vicidial servers.