How to secure the vicidial recordings folder path

  Overview:

VICIDIAL is a software suite that is designed to interact with the Asterisk Open-Source PBX Phone system to act as a complete inbound/outbound contact center suite.
Vicidial records the calls using asterisk Monitor and make recordings download links visible via web portal under /RECORDINGS http path ie: https://serverip/RECORDINGS/
By default the /RECORDINGS/ path is open to access ie: without any authentication the page will be opened.

Youtube Video Link

  Options to Protect:

There are Four Options to protect the /RECORDINGS/ folder.

1. using ACL , that is: deny /allow restricting to particular ip or subnet

2. Authenticate the folder with linux htaccess 

3. Disable the Folder listing ,ie only allow the full url with Recording filename.

example

https://192.168.12/RECORDINGS/MP3/20210810-190911_122334455_camp_10114-all.mp3

4. Changing the Folder path of  RECORDINGS to some unique name eg: ywiyteieisisiksk

example

https://192.168.12/ywiyteieisisiksk/RECORDIGNS/MP3/20210810-190911_122334455_camp_10114-all.mp3

  1.ACL Method

Using ACL method you can restrict the RECORDINGS folder access to specific ip address or subnets or list of ip address.

the syntax is done with deny and allow option in apache as show below

vicibox      :  vi /etc/apache2/conf.d/vicirecord.conf

goautodial  : vi /etc/httpd/conf.d/vicidial_recordings.conf

Scratch install: vi /etc/httpd/conf/httpd.conf

Restart the httpd services once necessary edit done.

systemctl restart httpd

  2. Password Protect with .httaccess

The Next options to Secure the Recordings folder is with Password authentication ,ie authenticating the user who access the RECORDINGS web Folder path.
Follow the below steps to enable Password Protection to RECORDINGS folder

For authentication we can use the Linux .httaccess option .

Step 1: Create a New folder to store the credentials file

Step 2 : Create a credentials file

touch /urs/src/password/credentials

Step 3: using htpasswd command to generate username and password

run again httpasswd for other users eg bob

htpasswd -B /usr/src/password/credentials bob

New password:

Re-type new password:

Step 4 :  update the vicidial apache config to use the above credentials.

vi /etc/apache/conf.d/vicirecord.conf

add the follow lines.

Alias /RECORDINGS/ "/var/spool/asterisk/monitorDONE/"
<Directory "/var/spool/asterisk/monitorDONE">
Options Indexes MultiViews
AllowOverride None
Order allow,deny
Allow from all
AuthType Basic
AuthName "MP3 Team Leader Only"
AuthUserFile /usr/src/password/credentials
Require valid-user
<files *.mp3>
Forcetype application/forcedownload
</files>
</Directory>

Step 4: Restart the httpd and enable compact mode

systemctl restart httpd     

a2enmod mod_access_compat

  3. Disabling Folder Listing

As you may notice while browsing http://vicidialip/RECORDINGS/
it will display all the folders within Recordings folder, (MP3,WAV,GSM,ORGI)

Further clicking Respective Folders, it will display all the recordings to able to download any files.
By disabling the Folder listing, only the users having the exact link with filename can access and the download file.
for eg:

https://192.168.12/RECORDINGS/MP3/20210810-190911_122334455_camp_10114-all.mp3

Steps to disable the Folder listing.

vi /etc/asterisk/apache2/vicirecord.conf

add the line Options -Indexes  as show below in Bold with underlined.

Followed to the restart the apache

systemctl restart httpd

 Alias /RECORDINGS/ "/var/spool/asterisk/monitorDONE/"
<Directory "/var/spool/asterisk/monitorDONE">
        Options -Indexes
        AllowOverride None
        Require all granted
        <files *.mp3>
        Forcetype application/forcedownload
        </files>
        php_admin_value engine Off
</Directory

  4. Changing the RECORDINGS Folder Path.

This is the Yet another method of securing the RECORDIGNS folder , by changing the default name RECORDINGS path to some unique name which only known to admin, eg:dhfskskdhdhhshdshdhd.

So the admin or trusted user will access the Recordings by typing the below url

https://192.168.12/dhfskskdhdhhshdshdhd/RECORDINGS/

So the hacker or user who access the default /RECORDINGS path will get object not found response.
Below are the steps to follow for renaming 

Step 1: Edit the Apache conf file with New Recording path

vi /etc/apache2/conf.d/vicirecord.conf

edit the first line as show below

FROM:

Alias /RECORDINGS/ "/var/spool/asterisk/monitorDONE/"

TO:

Alias /dhfskskdhdhhshdshdhd/RECORDINGS/ "/var/spool/asterisk/monitorDONE/"

Step 2:  updating the Vicidial to use the New path as download link for recordigns in reports.

Goto ADMIN >  SERVERS

Edit the Below settings

Recording Web Link: ALT_IP

Alternate Recording Server IP: Serverip/dhfskskdhdhhshdshdhd

note: enter your server ip or FQDN
After changing the above settings, you may notice the Recordings download links in report and user stats changed to new web path 

  Summary:

Hope you have got the options to secure the RECORDINGS folder, choose the options which best suits you, Personally i recommend to use iptables or any  firewall or inbuild vicibox VB-firewall  to better protect the Vicidial servers.

Youtube Video Link

Also Check Below topics

Vicidial Recording encryption

Vicidial Webrtc Configuration

Vicibox inbuilt VB-Firewall dynamic Portal