Ok, I can say from experience that letting the default Raspberry Pi configuration for Allstar and Superman be subject to open access on the internet will allow malicious folk to cut through the security faster than a hot knife through butter.
I can also confirm that the problems I am facing occur as part of the normal Raspberry distribution of Raspbian and are not limited to the VOIP distribution.
I believe I now have this under control. My steps were:
- scan my IP provider's router to ensure that the management port was not accessible from the internet: there is a potential compromise to this router that makes it vulnerable from external access
- I configure this router only when it is not connected to the internet so as not to compromise the admin password: there is a password spoofing hack used to get the admin password and then compromise the router using this
- I placed a second internal router inside the router provided by the internet service provider
  - I created a segregated network for the Allstar node
  - I provide port forwarding rules by IP address to the Allstar node so it is not visible to unauthorized systems
- I disabled the volatile file system for /var/log by editing fstab
  - this ensures I have persistent logs so I can track problems as they occur
  - I need to put in log rotation: the Apache manual has a script to do this
- I disabled the named daemon and configured the Raspbian to use the firewall for DNS
  - DNS spoofing is a classic hack
  - the ISP is better at securing DNS services than I am
- I removed the mounting at start up of all Apache modules involved with proxy: proxy is not needed for first order Superman operation
  - user directories and aliases are required, which is unfortunate
- I followed the advice of: "10 Best Practices To Secure and Harden Your Apache Web Server" but am not using HTTPS
When I last opened Superman access to the internet I was attacked within minutes and hacked within probably hours. Securing Apache with Apache software access configuration provided only incomplete protection and was not sufficient.
This new configuration has seemed stable under test so far.
If anyone has other suggestions for hardening the system or Apache, I would love to hear them!
Thanks for your patience.
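
A check for two of the steps listed in the post above (persistent /var/log in fstab, no Apache proxy modules loaded at start-up), as an added example that is not part of the original post. It assumes the Debian/Raspbian Apache layout under /etc/apache2/mods-enabled; the function names are hypothetical and the sample input in `demo` is constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.
# Assumes the Debian/Raspbian Apache layout (/etc/apache2/mods-enabled/*.load).

# Print mount points at or below /var/log that fstab puts on a RAM filesystem.
volatile_log_mounts() {
    awk '
        $1 ~ /^#/ || NF < 3 { next }   # skip comments and malformed lines
        ($3 == "tmpfs" || $3 == "ramfs") &&
        ($2 == "/var/log" || index($2, "/var/log/") == 1) { print $2 }
    ' "${1:-/etc/fstab}"
}

# Print the names of enabled Apache modules that start with "proxy".
enabled_proxy_mods() {
    for f in "${1:-/etc/apache2/mods-enabled}"/proxy*.load; do
        [ -e "$f" ] || [ -L "$f" ] || continue   # unmatched glob stays literal
        basename "$f" .load
    done
}

# Run both checks; return 0 only if both pass.
audit_node() {
    status=0
    v=$(volatile_log_mounts "${1:-/etc/fstab}")
    p=$(enabled_proxy_mods "${2:-/etc/apache2/mods-enabled}")
    if [ -n "$v" ]; then echo "FAIL: logs kept in RAM, lost on reboot:" $v; status=1
    else echo "OK: /var/log is persistent"; fi
    if [ -n "$p" ]; then echo "FAIL: proxy modules enabled:" $p; status=1
    else echo "OK: no Apache proxy modules enabled"; fi
    return $status
}

# Constructed sample input: a node where neither step has been applied yet.
demo() {
    d=$(mktemp -d) && mkdir "$d/mods" && : > "$d/mods/proxy_http.load"
    printf '%s\n' '#tmpfs /tmp tmpfs defaults 0 0' \
        'tmpfs /var/log tmpfs defaults,noatime,size=16m 0 0' > "$d/fstab"
    audit_node "$d/fstab" "$d/mods"; rc=$?
    rm -rf "$d"; return $rc
}
```

On the node itself, source the file and call `audit_node` with no arguments to check /etc/fstab and /etc/apache2/mods-enabled; `demo` runs the same checks on the constructed input.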