[asterisk-biz] PBX got Hacked

voip-asterisk at maximumcrm.com voip-asterisk at maximumcrm.com
Sun Feb 8 08:49:18 CST 2009


> On Sat, 2009-02-07 at 21:54 -0500, Alex Balashov wrote:
>> Agreed strongly.
>>
>> 1) For one, it sounds like you allowed remote root logins directly via
>> SSH via password.  Many people seem to do this for convenience.  This is
>> VERY BAD and should NEVER, EVER be allowed under any circumstances.
>> Only password access to user accounts should be permitted 100% of the time.
>>
>> 2) Secondly, SSH should really not be open to the public at all.  With
>> some hosts, that just can't be helped (public access boxes).  For a PBX,
>> there is absolutely no reason why SSH should be open to anyone but you.
>>
>> My SSH on all servers is firewalled to everyone in the world and I can
>> only get in through an OpenVPN management VPN.  If for some reason that
>> fails or I am on a host that doesn't have a client, there are a few IPs
>> that are allowed in as a back door.  That's it.
>>
>
>
> Having the ssh server at the default port and accepting password
> authentication is a security problem waiting to happen.
> Looking at firewall logs you can see that the ssh port is scanned
> routinely and brute force attacks happen all the time.
> If you need to have ssh access open, move it to another port, disable
> password auth and use only publickey auth.
> Also as I see more and more companies implementing a strict "no incoming
> ports open" policy (which is good), an option is to have a reverse ssh
> tunnel.
> http://skoroneos.blogspot.com/2009/01/doing-reverse-ssh-tunnel-embedded-way.html
>
>
> I have implemented this in our embedded asterisk distro and it now works
> with the dialplan also.
> i.e. you trigger the connection from inside by dialing a number

There are other ways too, including port knocking.

For SIP brute-force attacks, I use fail2ban to monitor the logs and firewall
any attackers, in addition to having strong passwords and long SIP user IDs.
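As an added example (not code from this thread), here is the log-monitoring half of what a fail2ban jail does for SIP registration brute force: it parses failed-registration lines in the style Asterisk's chan_sip writes them and reports the source addresses that hit maxretry failures inside findtime, which is the point where a firewall rule would be added. The log lines, the addresses and the thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines, modelled on the chan_sip NOTICE messages Asterisk
# logs on failed registrations (the same pattern a fail2ban filter matches).
SAMPLE_LOG = """\
[Feb  8 08:40:01] NOTICE[2271] chan_sip.c: Registration from '"100" <sip:100@192.0.2.5>' failed for '198.51.100.7' - Wrong password
[Feb  8 08:40:02] NOTICE[2271] chan_sip.c: Registration from '"101" <sip:101@192.0.2.5>' failed for '198.51.100.7' - No matching peer found
[Feb  8 08:40:02] NOTICE[2271] chan_sip.c: Registration from '"102" <sip:102@192.0.2.5>' failed for '198.51.100.7' - No matching peer found
[Feb  8 08:40:03] NOTICE[2271] chan_sip.c: Registration from '"103" <sip:103@192.0.2.5>' failed for '198.51.100.7' - No matching peer found
[Feb  8 08:40:04] NOTICE[2271] chan_sip.c: Registration from '"104" <sip:104@192.0.2.5>' failed for '198.51.100.7' - No matching peer found
[Feb  8 08:41:10] NOTICE[2271] chan_sip.c: Registration from '"200" <sip:200@192.0.2.5>' failed for '203.0.113.9' - Wrong password
[Feb  8 08:58:30] NOTICE[2271] chan_sip.c: Registration from '"200" <sip:200@192.0.2.5>' failed for '203.0.113.9' - Wrong password
"""

FAIL_RE = re.compile(
    r"^\[(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d)\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '.*?' failed for '(?P<ip>[\d.]+)' - "
)

def parse_failures(text, year=2009):
    """Yield (timestamp, source_ip) for every failed SIP registration line."""
    for line in text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"]

def offenders(text, maxretry=5, findtime=600):
    """Return {ip: time_threshold_reached} for sources with at least maxretry
    failures inside a sliding findtime window (seconds), like fail2ban's
    maxretry/findtime pair. Each address is reported once."""
    window = defaultdict(list)
    banned = {}
    for ts, ip in parse_failures(text):
        if ip in banned:
            continue
        window[ip] = [t for t in window[ip] + [ts]
                      if (ts - t).total_seconds() <= findtime]
        if len(window[ip]) >= maxretry:
            banned[ip] = ts
    return banned

if __name__ == "__main__":
    for ip, when in offenders(SAMPLE_LOG).items():
        print(f"ban {ip} (threshold reached at {when:%H:%M:%S})")
```

With the defaults only 198.51.100.7 is reported; the two failures from 203.0.113.9 are 17 minutes apart and never fill a 10-minute window.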
