Theoretically, yes. Practically, no. There’s no advantage for an attacker to destroy a FreePBX machine. Financially, it’s in their best interest to either steal SIP credentials, or, zombie the machine into a spambot.
I actually accidentally clicked on your profile when I saw the email alert about the reply, and you have ‘security’ in there, so it’s great to have someone ELSE who thinks about this stuff… It’s pretty much just been me driving this.
As a background, most of this discussion has happened in IRC with other people, and discussions at various conferences with other people, so I totally understand that you’re coming in blind. So I’m going to go through some things that we’ve talked about, and (hopefully!) you can poke holes, or offer suggestions about what we’ve done.
So. The entire reasoning behind FreePBX’s Module Signing is to make sure users have a way to be notified if someone has changed a file or tampered with a module. Over the past few years we have seen more and more attacks on FreePBX systems and most of the time the hackers were modifying FreePBX modules and users had no way of knowing something had been modified.
That’s it. That’s all it’s for. That was actually (slightly paraphrased) the introductory paragraph I wrote about GPG when I was pushing for it.
That depends on the aim of the attacker. If their aim is to be stealthy, we want to detect that and make lots of noise. If their aim is not stealthy, then we don’t care, you’re going to notice anyway.
That’s exactly correct. And there’s nothing we can do to stop that, and that is why we turn module signature validation back on whenever framework is updated. That gives us a good compromise with people who don’t have their machine connected to the internet and want to do lots of custom code and NOT sign their code, and people who do have their machine connected to the internet.
So, at worst, a blackhat hacks their machine, removes the alerts before they’re triggered, and then starts adding malicious code. At some point, the owner is going to run an update which updates framework, module signing gets turned on, and immediately all the red flags go up and emails get fired out.
So there’s a window there, and I have no idea how to close that. Suggestions would be welcome.
No. I was suggesting that the GPG class check for root owned files as ‘overrides’.
I agree 100%. And no FreePBX admin has to do that. The only people who DO need to do that are people who want to be developers. The same way they need to learn how to use a text editor, understand what regular expressions are, and other things, they should be reading the Development part of the Wiki, which steps them all through this.
That’s not what we want to do. We want to warn people that code has been changed from the original packaging by the author. It doesn’t block, except in one, exceptional, circumstance that we’ve never used (when a developer with a signed key goes rogue, a revoked signature on a key blocks that module from running totally).
On the other hand, if people want to change one line in a file, then change the file. Click on the ‘X’ in the top right hand corner of the alert window, and move on. There’s nothing blocking anything anywhere, and you’ll never see the alert again. But, you’ve seen it ONCE, and that’s the important thing that we’re trying to achieve.
The problem there is ‘How do I stop the attacker from doing that?’, and as you pointed out, we can’t. So that’s why we’ve gone to all this effort to make it as foolproof as possible.
I’m trying not to be a prick here, but I can’t really think of a way to ask this question WITHOUT seeming like a prick. Sorry. But, here it is.
How is a dismissable, one-time alert, that correctly alerts you that files have been modified on your system from what they should be, annoying?
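The post above describes the intent of module signing: a signed manifest of file hashes, a warning (not a block) when an installed file no longer matches what the author packaged, and an outright block only when the signing key has been revoked. The following is an added illustration of that verification flow; it is not FreePBX's own code. It uses an HMAC-SHA256 tag as a stand-in for a GPG signature so it runs offline with the standard library, the key ids, secrets and manifest layout are constructed, and the manifest name `module.sig` is an assumed convention.

```python
import hashlib
import hmac
import json
import os
import tempfile

# Constructed stand-in for a GPG keyring: key id -> secret. Real module
# signing uses GPG public-key signatures; HMAC is used here only so the
# example runs offline with the standard library.
KEYS = {"DEVKEY1": b"constructed-secret-for-dev-key-1"}
# Keys whose signature is revoked: a module signed with one is blocked, not just flagged.
REVOKED_KEYS = {"ROGUEKEY"}
MANIFEST_NAME = "module.sig"  # assumed name of the on-disk manifest; not hashed itself


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(module_dir, key_id):
    """Developer side: hash every file under module_dir and sign the hash list."""
    hashes = {}
    for root, _, files in os.walk(module_dir):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, module_dir)
            if rel != MANIFEST_NAME:
                hashes[rel] = sha256_file(full)
    body = json.dumps(hashes, sort_keys=True).encode()
    sig = hmac.new(KEYS[key_id], body, hashlib.sha256).hexdigest()
    return {"key_id": key_id, "files": hashes, "sig": sig}


def verify_module(module_dir, manifest):
    """Installed-system side. Returns (status, findings).

    status is one of: "blocked" (revoked key), "unsigned" (bad signature or
    unknown key), "tampered" (signature fine but files differ), or "ok".
    """
    key_id = manifest["key_id"]
    if key_id in REVOKED_KEYS:
        return "blocked", ["signing key revoked; module must not run"]
    if key_id not in KEYS:
        return "unsigned", ["signing key unknown"]
    body = json.dumps(manifest["files"], sort_keys=True).encode()
    expected = hmac.new(KEYS[key_id], body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["sig"]):
        return "unsigned", ["manifest signature invalid"]

    findings = []
    for rel, digest in manifest["files"].items():
        full = os.path.join(module_dir, rel)
        if not os.path.isfile(full):
            findings.append(f"missing: {rel}")
        elif sha256_file(full) != digest:
            findings.append(f"modified: {rel}")
    # Files present on disk that the author never signed are reported too.
    for root, _, files in os.walk(module_dir):
        for name in files:
            rel = os.path.relpath(os.path.join(root, name), module_dir)
            if rel != MANIFEST_NAME and rel not in manifest["files"]:
                findings.append(f"unsigned file added: {rel}")
    return ("tampered" if findings else "ok"), findings


def demo():
    """Constructed scenario: sign a module, tamper with it, and re-check."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        os.makedirs(os.path.join(d, "functions.inc"))
        with open(os.path.join(d, "Example.class.php"), "w") as fh:
            fh.write("<?php class Example {}\n")
        with open(os.path.join(d, "functions.inc", "hooks.php"), "w") as fh:
            fh.write("<?php // hooks\n")
        manifest = build_manifest(d, "DEVKEY1")
        results["clean"] = verify_module(d, manifest)[0]

        # Tamper: edit one file, add an unsigned one, delete another.
        with open(os.path.join(d, "Example.class.php"), "a") as fh:
            fh.write("// injected\n")
        with open(os.path.join(d, "dropped.php"), "w") as fh:
            fh.write("<?php // not in manifest\n")
        os.remove(os.path.join(d, "functions.inc", "hooks.php"))
        status, findings = verify_module(d, manifest)
        results["tampered"] = status
        results["findings"] = sorted(findings)

        # Rewriting the manifest's hashes without the key breaks the signature.
        new_hash = sha256_file(os.path.join(d, "Example.class.php"))
        forged = dict(manifest, files={**manifest["files"], "Example.class.php": new_hash})
        results["forged"] = verify_module(d, forged)[0]

        # A revoked key blocks the module outright, before any file is hashed.
        results["revoked"] = verify_module(d, dict(manifest, key_id="ROGUEKEY"))[0]
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The point the example makes is the one in the post: every outcome except a revoked key is a report, not a block, and the report is what gives the owner that one look at "files have changed from what the author shipped". The gap the post mentions, an attacker who disables the alerting itself before modifying files, is exactly what this check cannot close, which is why re-enabling verification on every framework update matters.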