[asterisk-biz] PBX got Hacked

Peter Beckman beckman at angryox.com
Tue Mar 10 20:52:37 CDT 2009


Trixter wrote:

> because the data gets out of date fast enough, and people may be
> watching an older version. [snip] Security is not a one size fits all
> thing, it's got to be a thing that is integrated into the particular set
> up that exists, and it's something that has to be maintained, it's not a
> set it and forget it thing.  Look at history, a "secure" system 6 months
> ago is hardly considered secure today in general, and new technologies
> and threats are coming out all the time to change the balance which has
> to be kept on top of.

  I disagree.  Security fundamentals -- shut everything off, then open where
  necessary, then secure the things that are open and keep them up to date
  -- haven't changed in years.  In fact, every server in the world should
  follow four simple yet vital steps to secure their server.

  Using a firewall (iptables, pf) to block everything at the OS/kernel
  level, other than what needs to be open, is and should be the first step.
  SSH is a necessity for most, so turn on key-based authentication only,
  lose the password auth.

  Fail2ban is a Python script, which, while fine, isn't C. sshguard already
  does repeated failure of authentication blocking using your existing
  firewall.  It works very well for ssh and can be easily adapted to monitor
  any log file and block IPs with too many failed auth attempts, as well as
  secure your SSH connection.

  http://sshguard.sourceforge.net/

  These four things:
     * Firewall (iptables/netfilter, pf, ipfw, tcpd); block everything, open
       as necessary
     * Brute Force or Repeated Failure blocking (any IP-based service)
     * Secure, key-based ONLY remote access (ssh)
     * 12+ character alphanumeric random passwords for ANYTHING not able to
       be locked down by IP

  are not only Standard Operating Procedure for the security-minded system
  administrator, but would easily prevent most of the fraud mentioned in
  this thread.  Nothing is 100%, but this sure as hell is 99%.  Keeping your
  OS, Asterisk, ssh and sshguard software up to date is the other 0.99%.

  Those four things have not changed in the security world in YEARS.

  Of course, if someone is sniffing your SIP packets, you are still hosed.
  Then you just need to figure out how to put some daily dollar spend limits
  on your customers.


  ASIDE, sort of related.  Most people who are NAT'ed are in the US.  It
  probably wouldn't be a ton of effort to get an IP to location DB
  (maxmind?) and restrict auths to a certain geographic IP block.  Sure,
  this might cause some issues if the DB is wrong or a new IP block isn't in
  the DB, but if you are getting hacked regularly, it's another level.

Beckman
---------------------------------------------------------------------------
Peter Beckman                                                  Internet Guy
beckman at angryox.com                                 http://www.angryox.com/
---------------------------------------------------------------------------
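Added example (not Beckman's code and not sshguard's) of the point above that repeated-failure blocking can be adapted to any log file: one sliding-window rule applied to both sshd "Failed password" lines and Asterisk chan_sip registration failures, rendering the firewall DROP rules instead of running them. The log lines, IPs and timestamps are constructed; the threshold of 3 failures in 10 minutes and the year used to complete syslog timestamps are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: syslog lines from sshd and Asterisk chan_sip; IPs/times are made up.
SAMPLE_LOG = """\
Mar 10 20:40:01 pbx sshd[2101]: Failed password for root from 203.0.113.7 port 51022 ssh2
Mar 10 20:40:03 pbx sshd[2101]: Failed password for root from 203.0.113.7 port 51023 ssh2
Mar 10 20:40:05 pbx sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51024 ssh2
Mar 10 20:41:12 pbx sshd[2130]: Failed password for bob from 198.51.100.4 port 40001 ssh2
Mar 10 20:41:30 pbx asterisk[1100]: NOTICE[1100] chan_sip.c: Registration from '"100" <sip:100@pbx>' failed for '192.0.2.55' - Wrong password
Mar 10 20:41:31 pbx asterisk[1100]: NOTICE[1100] chan_sip.c: Registration from '"101" <sip:101@pbx>' failed for '192.0.2.55' - No matching peer found
Mar 10 20:41:32 pbx asterisk[1100]: NOTICE[1100] chan_sip.c: Registration from '"102" <sip:102@pbx>' failed for '192.0.2.55' - Wrong password
Mar 10 20:59:00 pbx sshd[2201]: Failed password for bob from 198.51.100.4 port 40002 ssh2
"""

TS_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) ")
FAIL_RES = [  # one pattern per IP-based service; add more to cover other daemons
    re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\d+\.\d+\.\d+\.\d+)"),
    re.compile(r"chan_sip\.c: Registration from .* failed for '(\d+\.\d+\.\d+\.\d+)'"),
]

def parse_failures(log_text, year=2009):
    """Yield (timestamp, ip) per recognised failed-auth line; syslog omits the year (assumed)."""
    for line in log_text.splitlines():
        m = TS_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        for pat in FAIL_RES:
            hit = pat.search(line)
            if hit:
                yield ts, hit.group(1)
                break

def offenders(log_text, threshold=3, window=timedelta(minutes=10)):
    """Map IP -> time of the failure that reached `threshold` inside the sliding window."""
    recent, blocked = defaultdict(deque), {}
    for ts, ip in parse_failures(log_text):
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # forget failures that fell out of the window
            q.popleft()
        if len(q) >= threshold and ip not in blocked:
            blocked[ip] = ts
    return blocked

def iptables_rules(blocked):
    """Render the DROP rules a blocker would insert (returned as strings, not executed)."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(blocked)]
```

The two failures from 198.51.100.4 are 17 minutes apart, so the window logic leaves that host alone while the two hosts that burst past the threshold are blocked.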