HACKED! Security Issue

alevene

I found this morning that I was hacked, and realized a huge security issue in PIAF. Here's the story...

I happened to lock myself out while trying to use Putty, as I had set the fail2ban.conf entry to ban for life (-1) after 1 login attempt. As I save the password in WinSCP that wasn't a problem.

This morning I used a new PC to access the PIAF and typo'd the password and fail2ban locked me out forever. When I looked at the fail2ban.conf at the PIAF console I found that it had been changed to allow a foreign address to completely bypass password logout restrictions via the ignoreip= line item. I removed it and restarted the fail2ban service.

When I started to think about how this hacker had got in with these very heavy restrictions and a complex root password, I wondered what he could have done. And I had an epiphany!

Here's the major bug. Assuming the hacker had a knowledge of PIAF he would know that the disk-backup.conf file had a network user name and password in PLAIN TEXT to allow SMB connections via Samba to copy the ISOs to the server. And with those login names and passwords it would give the hacker access to the Windows network to just copy interesting files to the PIAF box and then out the door.

So I suggest not automatically using mondoarchive, but just running it manually on the console once in a while and then copying the ISOs to your Windows network.

I have no idea how this hacker slipped past the defenses. The logs do not show ANY attempt on the firewall from his IP (he could have removed entries), but his IP is all over the other logs.

Ideas?
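The two findings in the post above (a tampered `ignoreip` line in fail2ban.conf and a plaintext SMB credential in disk-backup.conf) are both things a periodic config audit can catch. The following is an added example, not code from the thread or from the PBX in a Flash project: it checks the `ignoreip` entries against an operator-maintained allowlist, flags settings that look like plaintext passwords, and flags a credential file whose permissions let group or other read it. The allowlist, the sample config fragments and the address 203.0.113.77 are constructed for illustration.

```python
"""Audit fail2ban's ignoreip line and a backup config for plaintext credentials.

Added example; the allowlist, file contents and addresses below are constructed.
"""
import ipaddress
import re
import stat

# Constructed: the only addresses the operator ever intended to exempt from banning.
EXPECTED_IGNOREIP = ["127.0.0.1", "192.168.1.0/24"]

# Constructed fail2ban.conf fragment with a foreign address appended to ignoreip.
SAMPLE_FAIL2BAN_CONF = """\
[DEFAULT]
ignoreip = 127.0.0.1 192.168.1.0/24 203.0.113.77
bantime  = -1
maxretry = 1
"""

# Constructed disk-backup.conf fragment holding an SMB credential in the clear.
SAMPLE_BACKUP_CONF = """\
SMBSHARE=//fileserver/backups
SMBUSER=backupsvc
SMBPASS=Sup3rS3cret!
"""

# Keys whose name suggests a secret stored in the clear (heuristic, not exhaustive).
CREDENTIAL_KEY = re.compile(r"^\s*(\w*(?:pass|pwd|secret)\w*)\s*=\s*(\S+)", re.I)


def parse_ignoreip(conf_text):
    """Return the whitespace-separated tokens of the first ignoreip line, or []."""
    for line in conf_text.splitlines():
        m = re.match(r"^\s*ignoreip\s*=\s*(.*)$", line, re.I)
        if m:
            return m.group(1).split()
    return []


def unexpected_ignoreip(conf_text, expected=EXPECTED_IGNOREIP):
    """Return ignoreip entries that are not contained in any expected network."""
    allowed = [ipaddress.ip_network(e, strict=False) for e in expected]
    flagged = []
    for token in parse_ignoreip(conf_text):
        try:
            net = ipaddress.ip_network(token, strict=False)
        except ValueError:
            flagged.append(token)  # hostname or junk: leave it for a human to judge
            continue
        if not any(net.subnet_of(a) for a in allowed if a.version == net.version):
            flagged.append(token)
    return flagged


def plaintext_credential_keys(conf_text):
    """Return the names of settings whose key looks like a password field."""
    keys = []
    for line in conf_text.splitlines():
        m = CREDENTIAL_KEY.match(line)
        if m:
            keys.append(m.group(1))
    return keys


def too_permissive(mode):
    """True if the file mode grants group or other any access; a credential file should be 0600."""
    return bool(mode & (stat.S_IRWXG | stat.S_IRWXO))


def audit(fail2ban_text, backup_text, backup_mode):
    """Collect human-readable findings; an empty list means nothing suspicious was seen."""
    findings = []
    for entry in unexpected_ignoreip(fail2ban_text):
        findings.append(f"fail2ban ignoreip contains unexpected entry {entry}")
    for key in plaintext_credential_keys(backup_text):
        findings.append(f"backup config stores {key} in plain text")
    if plaintext_credential_keys(backup_text) and too_permissive(backup_mode):
        findings.append(f"backup config mode {oct(backup_mode)} is readable by group/other")
    return findings


if __name__ == "__main__":
    # 0o644 is a constructed mode standing in for what os.stat() would report on the real file.
    for f in audit(SAMPLE_FAIL2BAN_CONF, SAMPLE_BACKUP_CONF, 0o644):
        print("FINDING:", f)
```

On a real box the two `SAMPLE_*` strings would be replaced by the file contents and `backup_mode` by `os.stat(path).st_mode`; running this from cron and mailing the findings off-box gives an early warning that someone has edited fail2ban.conf, which is exactly what the poster only discovered by accident.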
 
In your case, did you have the Samba ports open to the big wide world?

Is your PBX on a Public IP address?

Is there any kind of firewalling between you and the outside world?

Joe
 

Samba is only being used internally, and has complex passwords.

The product is firewalled with IPtables, and fail2ban.

Its public interface is on the Internet; it is the only way to allow remote phones to work properly.

1 The point is that someone got in and edited the fail2ban config file to allow unlimited password attempts, rather than 3 or less. That was a hack, and I haven't figured out how it was done.

2 The big flaw is that the disk-backup.conf file is not hashed.
 
So can you confirm that you have a multihomed machine, or are your phones connecting via NAT from your internal network?

If it is a multi-homed PBX, you will need to adjust IP tables to suit. e.g. don't allow access to SAMBA on the public side.

Joe
 
If SAMBA is exposed to the public Internet with root privileges, ALL of your passwords are at risk, not just information found in the disk-backup.conf file. This security risk has nothing to do with disk backups and everything to do with SAMBA!!

Just to reiterate, it is the STRONGEST RECOMMENDATION of the PBX in a Flash Development Team that servers never be placed directly on the public Internet. Rather, they should be installed on a private LAN behind a secure hardware-based firewall/router and the Linux firewall and the latest Fail2Ban applications should always be activated. Your system can make calls in and out with no problems in this configuration.
 
Hack update

I found that the hacker got in through the web interface, so firewalls don't make any difference unless you block access to the admin section from the outside. And this is with a 25 character alpha numeric password.

Also, I've never been able to get the outside phones to connect through NAT, which is why the box is on the edge.

Ward, do you have any papers on how it is done in the real world?
 
We don't recommend opening port 80 to the outside world except through an SSH or VPN tunnel. There's just too much code written by too many people in the FreePBX environment to be able to call it secure. For a secure setup for web access from outside your firewall, see my Security Suggestion in the initial comment of this thread.

There are numerous threads in these forums on how to set up your server with a hardware-based firewall. Also take a look at knol.pbxinaflash.com. The ports that we use through the firewall to our server include the following. You will note that NO HTTP PORT IS OPEN.

UDP 10000-20000 - RTP (unless you need particular ones for other apps; some providers use ports above 20000!)
UDP 30000-40000 - RTP (unless you need particular ones for other apps; some providers use ports above 20000!)
UDP 40200-62204 - RTP (unless you need particular ones for other apps; some providers use ports above 20000!)
UDP 5004-5037 - SIP
UDP 5039-5082 - SIP
UDP 4569 - IAX2
UDP 2727 - Media Gateway (only if you need it)
TCP 22 - SSH (only if masquerading as a high-numbered port on the outside of your firewall with the latest Fail2Ban running)
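A quick way to confirm that a running firewall actually matches the port list above is to compare an `iptables-save` dump against it. The following is an added example, not code from the thread or from the PBX in a Flash project: the allowlist copies the post's ranges, and the dump lines are constructed, including a stray port 80 rule and a SIP rule written as a single 5004:5082 range, which silently includes 5038, a port the post's list leaves out. Any ACCEPT rule on INPUT whose destination port range is not fully inside one allowed range is reported.

```python
"""Check iptables-save output against the firewall port allowlist from the post.

Added example; the dump below is constructed, the allowlist is the post's list.
"""
import re

# (protocol, lowest port, highest port), copied from the post's list.
ALLOWED = [
    ("udp", 10000, 20000),  # RTP
    ("udp", 30000, 40000),  # RTP
    ("udp", 40200, 62204),  # RTP
    ("udp", 5004, 5037),    # SIP
    ("udp", 5039, 5082),    # SIP
    ("udp", 4569, 4569),    # IAX2
    ("udp", 2727, 2727),    # Media Gateway
    ("tcp", 22, 22),        # SSH
]

# Constructed iptables-save excerpt with two rules that should not pass review.
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT
-A INPUT -p udp -m udp --dport 5004:5082 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""

# Matches INPUT ACCEPT rules that name a protocol and a --dport (single port or low:high).
ACCEPT_RULE = re.compile(
    r"^-A INPUT\b.*-p (tcp|udp)\b.*--dport (\d+)(?::(\d+))?.*-j ACCEPT"
)


def accept_rules(dump):
    """Extract (proto, low, high) for every port-based ACCEPT rule on INPUT."""
    rules = []
    for line in dump.splitlines():
        m = ACCEPT_RULE.match(line)
        if m:
            low = int(m.group(2))
            high = int(m.group(3)) if m.group(3) else low
            rules.append((m.group(1), low, high))
    return rules


def covered(proto, low, high, allowed=ALLOWED):
    """True only if the whole rule range sits inside one allowed range of the same protocol."""
    return any(p == proto and a_low <= low and high <= a_high
               for p, a_low, a_high in allowed)


def violations(dump, allowed=ALLOWED):
    """Return the ACCEPT rules that open something the allowlist does not permit."""
    return [r for r in accept_rules(dump) if not covered(*r, allowed=allowed)]


if __name__ == "__main__":
    # On a live box: violations(subprocess.run(["iptables-save"], capture_output=True, text=True).stdout)
    for proto, low, high in violations(SAMPLE_RULES):
        span = str(low) if low == high else f"{low}-{high}"
        print(f"not on allowlist: {proto} {span}")
```

The whole-range check is deliberate: a rule that opens 5004:5082 in one line looks like the two SIP ranges from the post but also admits 5038, and a reviewer eyeballing the list is likely to miss that. Note also that the open port 80 is reported regardless of whether FreePBX is patched, which is the point the post makes about not exposing HTTP at all.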
 
Have you got any logs or forensics on exactly how your machine was hacked? What is it that leads you to believe that access was gained through the Web interface?

It is important to understand how it was done so that steps can be taken to block the security hole.

Joe
 
I install these all of the time and always behind a NAT router or a NAT firewall. It is not magic, but it will not work at all behind some firewalls. Microsoft's ISA is one of them by the way.
 
Same

I too install these behind our Intellinet router/firewalls. Follow all advice in Ward's articles and in here and someone should not gain web access.
 
Let's get on this! Thanks alevene for sharing your experience with us. If we can find out exactly how he got hacked we can make sure it doesn't happen again by constructing defenses against it. Together we can make your setup secure and others will benefit.
 
I have to say that I have installed many systems attached directly to the internet. With A2Billing, you have to. And anyone who is using a hosted server from Lylix and Arreta will be in the same boat.

However, for greater peace of mind, putting everything behind a firewall makes for a better night's sleep.

In respect of Ward's comment regarding FreePBX code and the potential for security flaws, that should not come into it in this case, as it is all protected by .htaccess if this is a later install or with update scripts and fixes applied in the last couple of months. So if there is a security flaw in the Web interface, then in a standard build, this is an Apache problem, not a freepbx problem, as you cannot get to any freepbx code to hack it until you get past apache htaccess security.

The only web pages that are not covered under .htaccess permissions in a standard install are the Kennonsoft interface, and he knows what he is doing, so I don't expect problems there.

So to ensure that we do not have this problem again, we really need to understand how you were hacked.

Joe
 
There was a serious FreePBX vulnerability several months ago. This has been addressed if you ran our update-fixes or passwd-master scripts. From reports we've seen, systems were accessed and extension numbers and passwords were captured. Then the intruders laid low for quite a while. In the past week or two, they've started making SIP calls with the credentials they obtained... assuming the passwords for your extensions were not changed after the intrusion.

If you had port 80 exposed to the Internet, chances are the bad guys walked right in.
 
Port 80 problem?

I suppose that a flaw in using Webmin via http/Apache could have been the problem. I routinely ran the update-scripts and associated commands, but the hacker could have found the flaw and exploited it before the patch fixed it.

I should note that a friend was hacked a few days after my box was compromised and they had started robocall vishing for CC information. His box was BEHIND a Netopia firewall router with the latest firmware and had very few ports open. It still got slammed. Note: Alan, if you read this, tell your story.

In any instance, since the logs showed multiple touches by the hacker (who hadn't cleared all of the logs with his IP out, and who is, I hope, being visited soon by people who'll ask him to put his hands behind his back) and I don't know what is hidden on the system, I'm resigned to going back to an old ISO and will bring it up to date.

Here are my suggestions -
1 Change the default Webmin port from 80 to something else.
2 Add another user name to Webmin, give it admin privileges, log in to test, and then delete the root Webmin account.
3 Change the root and maint accounts to other names, if possible, so the hacker won't have a head start. My one knew Asterisk and had found the weaknesses. Perhaps Ward can write a script?
4 Advise your provider to block international calls, and to automate an email contact if your system suddenly starts to make many simultaneous calls.
5 Change the log rotation to once a month, with 6 months of copies. Email them to yourself so that a hacker won't be able to edit them.
6 Keep your fingers crossed. Fixing this stuff is an education, but one that takes many hours of work.
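Suggestion 5 above (mailing log copies off the box so an intruder cannot quietly edit them) works better if the off-box copy also carries something that lets you pinpoint where the on-box log was altered. The following is an added example, not code from the thread or from the PBX in a Flash project: it builds a hash chain over the log lines, where each digest covers the previous digest plus the current line, so removing or editing any line changes every digest after it. Storing the chain with the mailed copy lets you later compare the live log against it and report the first line that no longer matches. The log lines and the address 203.0.113.77 are constructed.

```python
"""Hash-chain a log file so that later edits or deletions can be located.

Added example; the log lines below are constructed.
"""
import hashlib

# Constructed auth log as it looked when the copy was mailed off the box.
ORIGINAL_LOG = [
    "Mar 10 02:11:03 pbx sshd[1234]: Accepted password for root from 192.168.1.20 port 50000 ssh2",
    "Mar 10 02:17:41 pbx sshd[1301]: Accepted password for root from 203.0.113.77 port 41022 ssh2",
    "Mar 10 02:18:05 pbx sshd[1301]: pam_unix(sshd:session): session opened for user root",
    "Mar 10 02:40:19 pbx fail2ban.server: INFO Changed logging target to /var/log/fail2ban.log",
]

# Constructed: the same log after someone removed the line with their own address.
TAMPERED_LOG = [ORIGINAL_LOG[0], ORIGINAL_LOG[2], ORIGINAL_LOG[3]]

CHAIN_SEED = "pbx-log-chain-v1"  # constructed label that anchors the first digest


def chain_digests(lines, seed=CHAIN_SEED):
    """Return one hex digest per line, each covering the previous digest and the line."""
    digests = []
    prev = hashlib.sha256(seed.encode()).hexdigest()
    for line in lines:
        prev = hashlib.sha256((prev + "\n" + line).encode()).hexdigest()
        digests.append(prev)
    return digests


def first_divergence(current_lines, saved_digests):
    """Index of the first line whose chain digest differs from the saved chain, or None.

    Lines appended after the saved chain was taken are legitimate growth and are
    not reported; a shortened log is reported at the point the saved chain runs out.
    """
    recomputed = chain_digests(current_lines)
    for i, saved in enumerate(saved_digests):
        if i >= len(recomputed) or recomputed[i] != saved:
            return i
    return None


def manifest_line(lines):
    """Compact record to mail with the log copy: line count and the final chain digest."""
    digests = chain_digests(lines)
    return f"{len(lines)} {digests[-1] if digests else 'empty'}"


if __name__ == "__main__":
    saved = chain_digests(ORIGINAL_LOG)          # kept with the mailed copy
    print("manifest:", manifest_line(ORIGINAL_LOG))
    print("original intact:", first_divergence(ORIGINAL_LOG, saved) is None)
    bad = first_divergence(TAMPERED_LOG, saved)  # -> 1, the deleted line
    print("tampered log diverges at line index:", bad)
```

The per-line chain is what makes localisation possible; the one-line manifest is enough if you only need a yes/no answer, since any change to the first N lines changes the final digest. Either way the chain must live off the box, in the mailed copy, because an intruder with root can recompute it as easily as you can.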
 