In other words, SSH is useless on that platform, so this machine had to be hacked some other way. Also - with no shell access, there is no access to the Apache or Asterisk logs, and no way to install fail2ban. If you're running Switchvox, you NEED to put it behind a firewall with logging.
If you need help securing Switchvox, or building a firewall with proper logging support, let us know. Anteil is happy to help.
Andy
voip-asterisk@maximumcrm.com wrote:
On Sat, 2009-02-07 at 21:54 -0500, Alex Balashov wrote:

> Agreed strongly.
>
> 1) For one, it sounds like you allowed remote root logins directly via SSH via password. Many people seem to do this for convenience. This is VERY BAD and should NEVER, EVER be allowed under any circumstances. Only password access to user accounts should be permitted 100% of the time.
>
> 2) Secondly, SSH should really not be open to the public at all. With some hosts, that just can't be helped (public access boxes). For a PBX, there is absolutely no reason why SSH should be open to anyone but you. My SSH on all servers is firewalled to everyone in the world and I can only get in through an OpenVPN management VPN. If for some reason that fails or I am on a host that doesn't have a client, there are a few IPs that are allowed in as a back door. That's it.

Having the ssh server at the default port and accepting password authentication is a security problem waiting to happen. Looking at firewall logs you can see that the ssh port is scanned routinely and brute-force attacks happen all the time. If you need to have ssh access open, move it to another port, disable password auth and use only publickey auth. Also, as I see more and more companies implementing a strict "no incoming ports open" policy (which is good), an option is to have a reverse ssh tunnel. http://skoroneos.blogspot.com/2009/01/doing-reverse-ssh-tunnel-embedded-way.html I have implemented this in our embedded asterisk distro and it now works with the dialplan also, i.e. you trigger the connection from inside by dialing a number.

> There are other ways too, including port knocking.

For SIP brute-force attacks, I use fail2ban to monitor the logs and firewall any attacks, in addition to having strong passwords and long sip user ids.
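An added example (mine, not code from anyone in this thread) that audits an sshd_config for the three settings the replies call out: root login, password authentication, and the default port 22. It assumes current OpenSSH defaults for absent keywords and models sshd's first-value-wins rule, which is why a hardened line appended below an older one changes nothing.

```python
import re

# Settings the thread calls out, with acceptable values (keywords are case-insensitive).
EXPECTED = {
    "permitrootlogin": {"no", "prohibit-password", "without-password"},
    "passwordauthentication": {"no"},
    "pubkeyauthentication": {"yes"},
}
# Assumption: current OpenSSH defaults, used when a keyword is absent from the file.
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
}

def parse_sshd_config(text):
    """Effective global settings: first value wins, Port accumulates, Match ends scope."""
    effective, ports = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":                           # the rest is conditional; out of scope
            break
        if key == "port":                            # sshd listens on every Port given
            ports.append(value)
        else:
            effective.setdefault(key, value)         # later duplicates are ignored by sshd
    effective["port"] = ports or ["22"]
    return effective

def audit(text):
    """Return the settings that still match what the thread warns against."""
    eff = {**DEFAULTS, **parse_sshd_config(text)}
    findings = [f"{k}={eff[k]}" for k, ok in EXPECTED.items()
                if eff[k].lower() not in ok]
    if "22" in eff["port"]:
        findings.append("port=22")
    return findings

# Constructed samples: the weak setup from the thread, a config whose appended fix
# never takes effect, and a hardened one with a password exception only for the VPN.
WEAK = "Port 22\nPermitRootLogin yes\nPasswordAuthentication yes\n"
MISLEADING = "PasswordAuthentication yes\n# added later, silently ignored:\nPasswordAuthentication no\n"
HARDENED = ("Port 2222\nPermitRootLogin no\nPubkeyAuthentication yes\n"
            "PasswordAuthentication no\nMatch Address 10.8.0.0/24\n"
            "    PasswordAuthentication yes\n")
```

Run `audit(MISLEADING)` to see that the second PasswordAuthentication line is ignored and the server still accepts passwords.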