[asterisk-biz] PBX got Hacked
BJ Weschke
bweschke at gmail.com
Fri Feb 13 10:07:10 CST 2009
Steve Totaro wrote:
>
>
> On Thu, Feb 12, 2009 at 8:53 PM, BJ Weschke <bweschke at gmail.com> wrote:
>
> Trixter aka Bret McDanel wrote:
> > On Thu, 2009-02-12 at 17:08 -0500, Jared Geiger wrote:
> >
> >> I saw multiple attacks from OVH.NET IP addresses over the last few
> >> weeks as well. I have used a few of the tips in this article to secure
> >> PBXs before as well http://nerdvittles.com/?p=580
> >> (fail2ban/IPTables).
> >>
> >> For switchvox the root account seems to have a key, not a password to
> >> login. You can always boot in single user mode, create a new user and
> >> add that user to the sudoers file then disable root from being able to
> >> login via ssh.conf.
> >>
> >>
> > First let me say I have never used switchvox, but if it's linux based
> > then the following should apply.
> >
> > can you not just get a shell? If you can you shouldn't have to boot into
> > single user mode unless they are doing chattr stuff to only allow
> > editing of the password file on a secure runlevel, and this is rare that
> > it's done.
> >
> > /etc/passwd, /etc/shadow, /etc/group, /etc/sudoers are all just text
> > files and it's easy to append a line for new users to those files, just
> > as it's easy to use the useradd/adduser programs to add users. sshd.conf
> > is also a text file which requires sshd to restart to take effect but
> > this usually does not drop connections already in process. This can be
> > as simple as /etc/init.d/sshd restart or something similar.
> >
> >
> >
> >> You should be able to then setup IPTables on Switchvox as well after
> >> going in and creating the second account.
> >>
> >>
> >
> > the problem is that you would need it to know to use sudo if it doesn't,
> > I do not know if it's smart enough to say "you aren't root so let me sudo
> > this command".
> >
> >
> >
> All valid points, but don't forget what the whole objective of
> Switchvox is. While you might very well be able to do what you're
> suggesting above, you might also be voiding warranty/support when
> you also inadvertently but effectively lock out the Switchvox
> folks from being able to support you. If you never want support or
> interaction from Switchvox again, this might be a viable solution
> for you, but I don't get the impression that most people that buy
> Switchvox in the first place are looking for a "disconnected"
> relationship from them after the initial purchase.
>
> If Switchvox is recommending that you put their appliance behind
> a firewall and you choose not to, then that's like a plumber
> installing a shower and not caulking the gap between the floor and
> the wall when the manual has suggested that you do so. It may take
> a while for the water leaking through to develop into black mold,
> rot out the wood behind it, and other nice things like that, but
> it's probably only a matter of time before it actually happens.
>
>
> BJ
>
> --
> Bird's The Word Technologies, Inc.
> http://www.btwtech.com/
>
>
> Huh, what is this propaganda? Black mold by locking down a Linux
> system? I call BS.
>
> First, SwitchVox will not connect to your box unless you get past the
> gatekeepers, AKA "Level 1 Techs Who Answer the Phone" who will keep
> you jumping through hoops for weeks or even months. Flatly telling you
> that they "cannot access your box, they do not have the password".
>
> Besides that, if your box is firewalled, then you have to grant them
> access, that is if they grant you the favor to really support their
> product....
>
> If you do get past the gatekeepers, then you are probably pretty tired
> of SwitchVox by now and you have been suffering for weeks with a
> crippled mission critical system.
>
> During this hell hole of back and forth "Support", you have plenty of
> time to do a SwitchVox backup and then re-install via installation
> media, upgrade, and finally restore your backup.
>
> I think it is more of a brushoff of "Unsupported" configurations, which
> means you are to blame if you don't heed the warnings.
>
> 1. Charge for support
> 2. Don't provide support
> 3. Profit
>
> I think most experienced *nix administrators can handle their own
> IPTables, OpenVPN, and whatever else.
>
I think maybe you misread my post. I don't think it's propaganda at all. Switchvox, apparently, instructs you to put their device behind a firewall. If you don't, then just like doing a poor plumbing job, you're a prime candidate for "leaks" and things that come with "leaks" down the line.

With regard to your post, "I think most experienced *nix administrators can handle their own IPTables, OpenVPN, and whatever else." Yes. I totally agree, but as someone already raised the point, how many of the authorized SwitchVox resellers actually have "experienced *nix administrators" on staff? I sincerely doubt that's one of their requirements to become a reseller, and while I do understand it, I think to not have at least one of those types of people on staff with those types of skills *should* be a requirement for a good reseller.

--
Bird's The Word Technologies, Inc.
http://www.btwtech.com/