Question 1:
My carrier is telling me I've made hundreds of outbound international calls!
How?
Let's look at this connection:
Remote User's SIP phone (i.e. Polycom 331) -----> Internet
------> Router/Firewall in front of the PBx ------> PBx
The remote user's SIP phone connects to your PBx via port UDP 5060 (this is fixed as it is a standard, just like HTTP always uses port 80). Authentication between the remote user and the PBx is done by using a valid username and password (which is listed in sip.conf).
Let's look at another connection:
Hacker's SIP device ---------------------------------> Internet
------> Router/Firewall in front of the PBx -----> PBx
The hacker's SIP device also connects to your PBx via port UDP 5060. ALL the hacker needs, is the correct username and password to use, and he/she will be able to register as a valid device to your PBx. Once the hacker's SIP device is registered, he/she would be able to make international calls at will.
What Can I Do?
1a. Do you have voicemail callout enabled? Are the hackers simply getting into the voicemail system and then iniating an outbound call? Disable voicemail callout here.
1b. First, you need to check the logs on the PBx to see if anyone has been trying to remotely connect to your PBx. (Instructions to setup root access is here)You need to access your PBx's root command line and run these commands:
[root@pbxtraXXXX ~]# grep failed /var/log/asterisk/messages*
If you see these lines:
/var/log/asterisk/messages:[Jul 21 04:39:50] NOTICE[4324] chan_sip.c: Registration from '"127"<sip:127@X.X.X.X>' failed for '174.121.165.202' - No matching peer found
/var/log/asterisk/messages:[Jul 21 04:39:50] NOTICE[4324] chan_sip.c: Registration from '"128"<sip:128@X.X.X.X>' failed for '174.121.165.202' - No matching peer found
/var/log/asterisk/messages:[Jul 21 04:39:50] NOTICE[4324] chan_sip.c: Registration from '"129"<sip:129@X.X.X.X>' failed for '174.121.165.202' - No matching peer found
...
This indciates someone from 174.121.165.202 has been TRYING to remotely connect to your server using username: 127, 128, 129, etc.
*rasterisk
Imagine if the server's getting thousands of the above failed connection attempts per minute, the volume of those failed connection attempts will lock up the PBx server from being able to do anything else. (This is fixed if the customer is on Asterisk 1.6 CP5.x)
Run this command next:
[root@pbxtraXXXX ~]# grep "Registered SIP" /var/log/asterisk/messages*
You should see output similiar to below:
/var/log/asterisk/messages.1:[Jul 17 04:55:21] VERBOSE[4324] logger.c: -- Registered SIP '0004F72A00057' at 74.115.96.19 port 5060
...
This tells you someone from the IP address 74.115.96.19 was able to register a SIP device under the account: 0004F72A00057. Check this IP address 74.115.96.19, does it belong to a legtimate remote user or is it from an unknown IP address?
Run this command:
[root@pbxtraXXXX ~]# whois 74.115.96.19
This may tell you the location and company who owns this IP address.
2. On the Router/Firewall, ONLY allow inbound traffic on port UDP 5060 from the remote user's public IP address. HOWEVER, if the remote user has a dynamic public IP address (meaning his/her public IP address will change periodically), this method wouldn't work.
3. If you find the hacker's IP address, block it on your router/firewall. HOWEVER, typically hackers can use thousands of different IP addresses. Blocking one address just means the hacker will use another.
4. While securying the PBx is your network administrator's responsibility, Fonality Professional Service also has a SIPLock product which provides security features. Information is here:
5. If you have NO remote users and are using a SIP trunk, CLOSE PORT 5060 on your firewall! If you have no remote users but has a SIP trunk, configure your firewall/router to only allow inbound UDP traffic on UDP 5060 from your SIP carrier's IP address.
Question 2:
My server is compromised!
How:
There's many possible methods hackers can gain access to your server. The most common example is when the hacker is able to connect to your PBx through ssh.
Consider this setup:
Remote Administrator Computer's Putty program -----> Internet -----> Router/Firewall ----> PBx
If you have configured a *root* password and opened ssh port 22 (this port is fixed as it is a standard, just like HTTP always uses port 80). Then you can log into the server's root command line:
[root@pbxtraXXXX ~]#
*by default, all Fonality PBx servers do NOT have a root password set, making it impossible to log in. Why? Because you can't log in with a password when a password doesn't exist!
So What Can I Do?
1. First, check if someone has been trying to log into your server.
[root@pbxtraXXXX ~]# grep failure /var/log/messages*
if you see this:
/var/log/messages.1:Jul 15 14:46:16 pbxtraXXXX sshd(pam_unix)[2490]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=74.115.96.19 user=root
It indicates someone was trying to log into your server from IP: 74.115.96.19, as user: root
then run this:
[root@pbxtraXXXX ~]# grep "session opened for user" /var/log/messages*
Jul 21 11:31:30 trixbox144605 sshd(pam_unix)[17985]: session opened for user root by root(uid=0)
It indicates someone logged into the server via SSH
You can also run this:
[root@pbxtraXXXX ~]# grep "Accepted password" /var/log/secure*
Jul 21 18:31:30 trixbox144605 sshd[17979]: Accepted password for root from ::ffff:74.115.96.19 port 50630 ssh2
This would indicate someone from the IP address 74.115.96.19 was able to log into your server.
2. BLOCK remote access to SSH port TCP 22 on your router/firewall. If you need to remotely access your server, open this port on your firewall temporarily and then close it when done.
3. In root, you can also enter this command:
[root@pbxtraXXXX ~]# lastlog
Username Port From Latest
root pts/1 192.168.219.147 Thu Jul 21 13:36:58 -0500 2011
bin **Never logged in**
daemon **Never logged in**
adm **Never logged in**
lp **Never logged in**
sync **Never logged in**
shutdown **Never logged in**
halt **Never logged in**
mail **Never logged in**
news **Never logged in**
uucp **Never logged in**
operator **Never logged in**
games **Never logged in**
gopher **Never logged in**
ftp **Never logged in**
nobody **Never logged in**
rpm **Never logged in**
vcsa **Never logged in**
nscd **Never logged in**
sshd **Never logged in**
rpc **Never logged in**
rpcuser **Never logged in**
mailnull **Never logged in**
smmsp **Never logged in**
pcap **Never logged in**
apache **Never logged in**
xfs **Never logged in**
named **Never logged in**
ntp **Never logged in**
postfix **Never logged in**
ip pts/1 192.168.219.147 Thu Jul 21 13:36:58 -0500 2011
PlcmSpIp **Never logged in**
Look at the FROM column, does it contain any WAN IP addresses that look strange to you? That means someone was able to log into your server using the corresponding username.
4. Check the existence of this file [root@pbxtraXXXX ~]# cat .ssh/authorized_keys
If this file is missing, assume the server was compromised.
5. If the server is compromised:
For a trixbox user, recommend a reinstallation of the trixbox from the ISO. You can never gaurantee you've cleaned up everything the hacker left, much safer to start from scratch.
For a PBx user, recommend locking down the firewall FIRST (i.e. close SSH, FTP, TFTP etc. ports) and then the customer will need to purchase a re-imaged harddrive from Fonality. Do NOT simply tell the customer to purchase a harddrive without fixing the security hole first! Otherwise, the new hard drive would just as likely be compromised shortly.
http://help.trixbox.com/Fonality_Employees_Only/Support_Team_%28New%29/Network_Area/Common_Server_Security_Problems
No hay comentarios:
Publicar un comentario