[asterisk-biz] PBX got Hacked

BJ Weschke bweschke at gmail.com
Fri Feb 13 10:07:10 CST 2009


Steve Totaro wrote:
>
>
> On Thu, Feb 12, 2009 at 8:53 PM, BJ Weschke <bweschke at gmail.com> wrote:
>
>     Trixter aka Bret McDanel wrote:
>     > On Thu, 2009-02-12 at 17:08 -0500, Jared Geiger wrote:
>     >
>     >> I saw multiple attacks from OVH.NET IP addresses over the last few
>     >> weeks as well. I have used a few of the tips in this article to secure
>     >> PBXs before as well http://nerdvittles.com/?p=580
>     >> (fail2ban/IPTables).
>     >>
>     >> For switchvox the root account seems to have a key, not a password to
>     >> login. You can always boot in single user mode, create a new user and
>     >> add that user to the sudoers file then disable root from being able to
>     >> login via ssh.conf.
>     >>
>     >>
>     > First let me say I have never used switchvox, but if it's linux based
>     > then the following should apply.
>     >
>     > Can you not just get a shell?  If you can you shouldn't have to boot into
>     > single user mode unless they are doing chattr stuff to only allow
>     > editing of the password file on a secure runlevel, and this is rare that
>     > it's done.
>     >
>     > /etc/passwd, /etc/shadow, /etc/group, /etc/sudoers are all just text
>     > files and it's easy to append a line for new users to those files, just
>     > as it's easy to use the useradd/adduser programs to add users. sshd.conf
>     > is also a text file which requires sshd to restart to take effect but
>     > this usually does not drop connections already in process.  This can be
>     > as simple as /etc/init.d/sshd restart  or something similar.
>     >
>     >
>     >
>     >> You should be able to then setup IPTables on Switchvox as well after
>     >> going in and creating the second account.
>     >>
>     >>
>     >
>     > the problem is that you would need it to know to use sudo if it doesn't,
>     > I do not know if it's smart enough to say "you aren't root so let me sudo
>     > this command".
>     >
>     >
>     >
>      All valid points, but don't forget what the whole objective of
>     Switchvox is. While you might very well be able to do what you're
>     suggesting above, you might also be voiding warranty/support when
>     you also inadvertently but effectively lock out the Switchvox
>     folks from being able to support you. If you never want support or
>     interaction from Switchvox again, this might be a viable solution
>     for you, but I don't get the impression that most people that buy
>     Switchvox in the first place are looking for a "disconnected"
>     relationship from them after the initial purchase.
>
>      If Switchvox is recommending that you put their appliance behind
>     a firewall and you choose not to, then that's like a plumber
>     installing a shower and not caulking the gap between the floor and
>     the wall when the manual has suggested that you do so. It may take
>     a while for the water leaking through to develop into black mold,
>     rot out the wood behind it, and other nice things like that, but
>     it's probably only a matter of time before it actually happens.
>
>
>      BJ
>
>     --
>     Bird's The Word Technologies, Inc.
>     http://www.btwtech.com/
>
>
> Huh, what is this propaganda?  Black mold by locking down a Linux 
> system?  I call BS.
>
> First, SwitchVox will not connect to your box unless you get past the 
> gatekeepers, AKA "Level 1 Techs Who Answer the Phone" who will keep 
> you jumping through hoops for weeks or even months.  Flatly telling you 
> that they "cannot access your box, they do not have the password".
>
> Besides that, if your box is firewalled, then you have to grant them 
> access, that is if they grant you the favor to really support their 
> product....
>
> If you do get past the gatekeepers, then you are probably pretty tired 
> of SwitchVox by now and you have been suffering for weeks with a 
> crippled mission critical system.
>
> During this hell hole of back and forth "Support", you have plenty of 
> time to do a SwitchVox backup and then re-install via installation 
> media, upgrade, and finally restore your backup.
>
> I think it is more of a brushoff of "Unsupported" configurations, which 
> means you are to blame if you don't heed the warnings.
>
> 1.  Charge for support
> 2.  Don't provide support
> 3.  Profit
>
> I think most experienced *nix administrators can handle their own 
> IPTables, OpenVPN, and whatever else. 
>
 I think maybe you misread my post. I don't think it's propaganda at all. Switchvox, apparently, instructs you to put their device behind a firewall. If you don't, then just like doing a poor plumbing job, you're a prime candidate for "leaks" and things that come with "leaks" down the line.

 With regard to your post, "I think most experienced *nix administrators can handle their own IPTables, OpenVPN, and whatever else.". Yes. I totally agree, but as someone already raised the point, how many of the authorized SwitchVox resellers actually have "experienced *nix administrators" on staff?   I sincerely doubt that's one of their requirements to become a reseller, and while I do understand it, I think to not have at least one of those types of people on staff with those types of skills *should* be a requirement for a good reseller. 

 

--
Bird's The Word Technologies, Inc.
http://www.btwtech.com/
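
The sequence quoted earlier in this message (create a second account, give it sudo, then turn off root SSH login) can lock an administrator out if it is applied out of order, or silently fail if an earlier config line shadows the change. A shell check for both cases, added here as an example and not part of the original thread; the account name `pbxadmin`, the function names and the sample file contents are assumptions:

```shell
#!/bin/sh
# Added example; file names and sample contents are constructed.

# Effective global PermitRootLogin: sshd keeps the FIRST value it reads for a
# keyword, keywords are case-insensitive, and lines after "Match" are conditional.
effective_root_login() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# True if the user has a direct rule in the sudoers file (group rules such as
# %wheel and aliases are deliberately not resolved here).
has_direct_sudo_rule() {
    awk -v u="$1" '$1 == u && NF >= 2 { ok = 1 } END { exit !ok }' "$2"
}

# Verdict for the sequence from the thread: new user -> sudoers -> root SSH off.
audit_root_lockdown() {   # args: sshd_config sudoers admin_user
    mode=$(effective_root_login "$1")
    if ! has_direct_sudo_rule "$3" "$2"; then
        echo "fail: $3 has no sudo rule; disabling root now risks a lockout"
    elif [ "$mode" = "no" ]; then
        echo "ok: root SSH login disabled, $3 can sudo"
    elif [ "$mode" = "unset" ]; then
        echo "warn: PermitRootLogin not set globally; the build default applies"
    else
        echo "warn: PermitRootLogin is '$mode'; root can still log in over SSH"
    fi
}

demo() {
    d=$(mktemp -d)
    # Constructed config: the later "no" is ignored because the first value wins.
    printf '%s\n' 'Port 22' 'permitrootlogin without-password' \
        'PermitRootLogin no' > "$d/sshd_config"
    printf '%s\n' 'root ALL=(ALL) ALL' 'pbxadmin ALL=(ALL) ALL' > "$d/sudoers"
    audit_root_lockdown "$d/sshd_config" "$d/sudoers" pbxadmin
    rm -rf "$d"
}
demo
```

On a real host, point `audit_root_lockdown` at `/etc/ssh/sshd_config` and `/etc/sudoers` (reading sudoers needs root) before restarting sshd.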





