Hacked via?

Note: This thread has been updated with an official response from Sangoma Technologies, Inc.

This could only potentially affect you if your “organization has one or more deployments where you previously provided Sangoma with either SSH or Web GUI credentials, so that our support team would have easier access to your systems, when you request our help in future support calls”.

It has nothing to do with commercial module purchases nor commercial module usage.

If you bought a commercial module from Sangoma/Schmooze there is nothing we store to get into the system the module is purchased from/for. The only information this response is in response to is the information listed in the statement linked to above.

  • Sangoma Technologies, Inc

I’m still not in a position to go and swap the honeypot out, but I can have a look at the sshd logs.

I can see a few random brute force attempts from many places before, but a dead straight successful login from 95.211.188.23, single shot.

Apr 10 10:40:32 tvv_phonebox sshd[14924]: Connection closed by 195.154.112.244
Apr 10 15:22:22 tvv_phonebox sshd[32643]: Connection closed by 95.215.60.170
Apr 10 22:32:01 tvv_phonebox sshd[26583]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=176.109.60.33  user=root
Apr 10 22:32:04 tvv_phonebox sshd[26583]: Failed password for root from 176.109.60.33 port 45923 ssh2
Apr 10 22:32:07 tvv_phonebox sshd[26583]: Failed password for root from 176.109.60.33 port 45923 ssh2
Apr 11 03:36:47 tvv_phonebox sshd[13026]: Invalid user koeda from 95.215.60.170
Apr 11 03:36:47 tvv_phonebox sshd[13027]: input_userauth_request: invalid user koeda
Apr 11 03:36:47 tvv_phonebox sshd[13026]: pam_unix(sshd:auth): check pass; user unknown
Apr 11 03:36:47 tvv_phonebox sshd[13026]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=95.215.60.170
Apr 11 03:36:47 tvv_phonebox sshd[13026]: pam_succeed_if(sshd:auth): error retrieving information about user koeda
Apr 11 03:36:48 tvv_phonebox sshd[13026]: Failed password for invalid user koeda from 95.215.60.170 port 47168 ssh2
Apr 11 03:36:48 tvv_phonebox sshd[13026]: pam_unix(sshd:auth): check pass; user unknown
Apr 11 03:36:48 tvv_phonebox sshd[13026]: pam_succeed_if(sshd:auth): error retrieving information about user koeda
Apr 11 03:36:50 tvv_phonebox sshd[13026]: Failed password for invalid user koeda from 95.215.60.170 port 47168 ssh2
Apr 11 11:49:16 tvv_phonebox sshd[11586]: Accepted password for root from 82.15.208.171 port 30728 ssh2
Apr 11 11:49:16 tvv_phonebox sshd[11586]: pam_unix(sshd:session): session opened for user root by (uid=0)
Apr 11 11:59:06 tvv_phonebox sshd[11586]: pam_unix(sshd:session): session closed for user root
Apr 11 13:48:27 tvv_phonebox sshd[19795]: Did not receive identification string from 64.64.117.63
Apr 11 14:17:44 tvv_phonebox sshd[21682]: Invalid user node from 95.215.60.170
Apr 11 14:17:44 tvv_phonebox sshd[21683]: input_userauth_request: invalid user node
Apr 11 14:17:44 tvv_phonebox sshd[21682]: pam_unix(sshd:auth): check pass; user unknown
Apr 11 14:17:44 tvv_phonebox sshd[21682]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=95.215.60.170
Apr 11 14:17:44 tvv_phonebox sshd[21682]: pam_succeed_if(sshd:auth): error retrieving information about user node
Apr 11 14:17:46 tvv_phonebox sshd[21682]: Failed password for invalid user node from 95.215.60.170 port 54187 ssh2
Apr 12 01:07:14 tvv_phonebox sshd[29247]: Invalid user adam from 95.215.60.170
Apr 12 01:07:14 tvv_phonebox sshd[29248]: input_userauth_request: invalid user adam
Apr 12 01:07:14 tvv_phonebox sshd[29247]: pam_unix(sshd:auth): check pass; user unknown
Apr 12 01:07:14 tvv_phonebox sshd[29247]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=95.215.60.170
Apr 12 01:07:14 tvv_phonebox sshd[29247]: pam_succeed_if(sshd:auth): error retrieving information about user adam
Apr 12 01:07:15 tvv_phonebox sshd[29247]: Failed password for invalid user adam from 95.215.60.170 port 57588 ssh2
Apr 12 01:07:16 tvv_phonebox sshd[29247]: pam_unix(sshd:auth): check pass; user unknown
Apr 12 01:07:16 tvv_phonebox sshd[29247]: pam_succeed_if(sshd:auth): error retrieving information about user adam
Apr 12 01:07:17 tvv_phonebox sshd[29247]: Failed password for invalid user adam from 95.215.60.170 port 57588 ssh2
Apr 15 04:21:08 tvv_phonebox sshd[16323]: Accepted password for root from 95.211.188.23 port 63274 ssh2
Apr 15 04:21:08 tvv_phonebox sshd[16323]: pam_unix(sshd:session): session opened for user root by (uid=0)
Apr 15 04:28:07 tvv_phonebox sshd[16323]: Received disconnect from 95.211.188.23: 11: disconnected by user
Apr 15 04:28:07 tvv_phonebox sshd[16323]: pam_unix(sshd:session): session closed for user root

The only places where that password is stored are my head and the Sangoma Portal, in the Deployments. :sweat:

Removing all passwords from them as I write.

BTW, none of these login attempts were caught by fail2ban.
I think it’s the __prefix_line parameter in the regex in filter.d/sshd.conf that’s wrong, because there are at least two regexes that should have caught entries in the security log.

DISCLAIMER

I’m not saying there’s been a security breach on the portal. Not for a single second. But if the others who got hacked did the same, it might be a common clue to see where that’s coming from.
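Added example (not part of the original post, and not fail2ban's own code): a small Python parser that walks sshd log lines like the ones quoted above, splitting the syslog prefix (timestamp, hostname, sshd[pid]) from the message the way a fail2ban prefix/failregex pair does, counting failed passwords per source IP and flagging any accepted root login from an address outside a caller-supplied allowlist. The sample log lines are copied from the excerpt in the post; the allowlist containing 82.15.208.171 and the ban threshold of 2 are assumptions made for the illustration. The thing the post points at, a single accepted root login with no preceding failures from the same address, is what the prior_failures field of each alert makes visible.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: lines copied from the sshd log excerpt quoted in the post.
SAMPLE_LOG = """\
Apr 10 22:32:04 tvv_phonebox sshd[26583]: Failed password for root from 176.109.60.33 port 45923 ssh2
Apr 10 22:32:07 tvv_phonebox sshd[26583]: Failed password for root from 176.109.60.33 port 45923 ssh2
Apr 11 03:36:48 tvv_phonebox sshd[13026]: Failed password for invalid user koeda from 95.215.60.170 port 47168 ssh2
Apr 11 03:36:50 tvv_phonebox sshd[13026]: Failed password for invalid user koeda from 95.215.60.170 port 47168 ssh2
Apr 11 11:49:16 tvv_phonebox sshd[11586]: Accepted password for root from 82.15.208.171 port 30728 ssh2
Apr 11 14:17:46 tvv_phonebox sshd[21682]: Failed password for invalid user node from 95.215.60.170 port 54187 ssh2
Apr 12 01:07:15 tvv_phonebox sshd[29247]: Failed password for invalid user adam from 95.215.60.170 port 57588 ssh2
Apr 12 01:07:17 tvv_phonebox sshd[29247]: Failed password for invalid user adam from 95.215.60.170 port 57588 ssh2
Apr 15 04:21:08 tvv_phonebox sshd[16323]: Accepted password for root from 95.211.188.23 port 63274 ssh2
Apr 15 04:28:07 tvv_phonebox sshd[16323]: Received disconnect from 95.211.188.23: 11: disconnected by user
"""

# Syslog prefix: "Mon DD HH:MM:SS hostname sshd[pid]: ". The hostname is matched as
# any run of non-space characters so that names with "_" (tvv_phonebox) still parse.
PREFIX = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# Message patterns, applied to the part after the prefix.
ACCEPTED = re.compile(r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port \d+")
FAILED = re.compile(r"^Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")


def parse(line):
    """Split one sshd syslog line into its prefix fields and message, or None if it does not match."""
    m = PREFIX.match(line)
    return m.groupdict() if m else None


def analyse(log_text, known_ips, threshold=2):
    """Count failed passwords per source IP and flag root logins from addresses not in known_ips.

    known_ips: addresses the operator recognises as their own (assumed allowlist).
    threshold: number of failures after which an IP would be banned (assumed value).
    Returns a dict with the alerts, the IPs over the threshold and the raw failure counts.
    """
    failures = Counter()              # ip -> number of failed passwords so far
    failed_users = defaultdict(set)   # ip -> user names tried
    alerts = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        fm = FAILED.match(rec["msg"])
        if fm:
            failures[fm["ip"]] += 1
            failed_users[fm["ip"]].add(fm["user"])
            continue
        am = ACCEPTED.match(rec["msg"])
        if am and am["user"] == "root" and am["ip"] not in known_ips:
            # A root login from an unknown address is always worth a look; the number of
            # earlier failures from the same IP tells guessed from known credential apart.
            alerts.append({
                "ts": rec["ts"],
                "ip": am["ip"],
                "method": am["method"],
                "prior_failures": failures[am["ip"]],
                "users_tried": sorted(failed_users[am["ip"]]),
            })
    ban = sorted(ip for ip, n in failures.items() if n >= threshold)
    return {"alerts": alerts, "ban": ban, "failures": dict(failures)}


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG, known_ips={"82.15.208.171"})
    for a in result["alerts"]:
        print(f"{a['ts']} root login from {a['ip']} via {a['method']}, "
              f"prior failures from that IP: {a['prior_failures']}")
    print("would ban:", ", ".join(result["ban"]))
```

For the real fail2ban filter, the stock fail2ban-regex tool (run as fail2ban-regex LOGFILE /etc/fail2ban/filter.d/sshd.conf) reports how many lines each failregex matched and which lines were missed, which is the quickest way to see whether the prefix pattern or a message pattern is the one that fails to match a given log.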