Richard Chase was a serial killer in the 1970s and he had some odd perspectives, even for a sociopath. His idea was that if a door was locked then he was not welcome. If he tried the door and it was unlocked then it was an invitation. Imagine how many lives were saved because someone remembered to lock their doors. I have never had the misfortune of seeing a $10,000 phone bill. I have read about many cases over the years where Jerry’s tax service and Ethiopian pizzeria was nailed with a huge phone bill from calls to some country they can’t find on a map. So I sat down and started to map out how to automagically stop this sort of thing and wondered why this hadn’t already been done. The first step was to understand the process of compromise. It turns out the process is basically jiggling door knobs. If the door is locked I move on. If the door is unlocked they must want me there. So to stop these events I could write a script that users could set up. Make some assumptions and probably have a 105% success rate including false positives. So I should get on that, right? NO! What I found is that the user effort to set up such a script and run it is about equal to the user simply changing the locks. The locks people use are equal to the latch that keeps the door shut. So when I jiggle the door it opens right up. We need people to lock the deadbolt.
Leaving the door unlocked and setting the alarm in hopes someone dials 911 is a poor strategy. If someone does call 911 what’s the response time? How much can be done in that time? Perhaps someone hides in the crawl space so when the ruckus clears they are back in without any alarms.
So here is what you need to do.
Use some common sense.
Set proper passwords on sip accounts and voicemail boxes.
Be different: use a 5 or 6 digit PIN.
Use complex passwords for your endpoints. Use a password generator. Set up your outbound routes properly. Don’t leave unrestricted routes. Put limits in place. The more locks you use the less likely shaking the door will cause it to open. Smokey the Bear says ‘only you can prevent forest fires’; Tango the frog says ‘only you can secure your PBX.’
Typed out on a mobile device; please forgive spurious errors and autocorrect.
Update: found the following list on the intertubes. You should probably create a blocking route to block the following.
242 Bahamas
246 Barbados
264 Anguilla (split from 809)
268 Antigua and Barbuda
284 British Virgin Islands
340 US Virgin Islands: St Thomas, St John
345 Cayman Islands
441 Bermuda
473 Grenada
649 Turks and Caicos Islands
664 Montserrat
670 Northern Mariana Islands
671 Guam
758 St. Lucia
767 Dominica
784 St. Vincent and the Grenadines
787 Puerto Rico
809 Caribbean, Bermuda, Puerto Rico, Virgin Islands
868 Trinidad and Tobago
869 St. Kitts/Nevis
876 Jamaica
900 Pay-per-call numbers
939 Puerto Rico
976 Pay-per-call numbers
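As an added example (not from the original post or the PBX project), a Python check that applies the list above as an outbound-route policy, plus FreePBX-style dial patterns for a blocking route. The normalization rules, the 011 handling and the "allow everything else" default are my assumptions; tune them to the routes your PBX actually needs.

```python
import re

# The area codes from the list above (constructed set; labels omitted).
BLOCKED_AREA_CODES = {
    "242", "246", "264", "268", "284", "340", "345", "441", "473", "649",
    "664", "670", "671", "758", "767", "784", "787", "809", "868", "869",
    "876", "900", "939", "976",
}


def normalize(dialed: str) -> str:
    """Drop spaces, dashes and parentheses so '1 (876) 555-0100' == '18765550100'."""
    return re.sub(r"\D", "", dialed)


def check_outbound(dialed: str, allow_international: bool = False):
    """Return (allowed, reason) for a dialed string under an assumed restrictive policy:
      - 011-prefixed international calls are denied unless explicitly enabled
      - NANP calls whose area code is on the block list are denied
      - any other well-formed 10- or 11-digit NANP number is allowed
    """
    digits = normalize(dialed)
    if digits.startswith("011"):
        return allow_international, "international prefix 011"
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    if len(digits) != 10:
        return False, "not a 10-digit NANP number"
    area = digits[:3]
    if area in BLOCKED_AREA_CODES:
        return False, f"area code {area} is on the block list"
    return True, "NANP number"


def blocking_route_patterns():
    """FreePBX-style dial patterns (N = 2-9, X = 0-9, no leading underscore)
    for a blocking route placed above every other outbound route, covering the
    listed area codes dialed with and without the leading 1."""
    with_one = {f"1{ac}NXXXXXX" for ac in BLOCKED_AREA_CODES}
    without = {f"{ac}NXXXXXX" for ac in BLOCKED_AREA_CODES}
    return sorted(with_one | without)


if __name__ == "__main__":
    for number in ("212-555-0100", "1 (876) 555-0100", "011 44 20 7946 0000"):
        print(number, check_outbound(number))
```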
A lower level action might be to insist on a software firewall on your appliance, and change each and every “well known port” to something else; if your firewall has a “port scanner” lockout mechanism then you are relieved from most persistent/pervasive attacks. To continue to unnecessarily use 22 for ssh and 5060 for sip and have no firewall is a surefire invitation to disaster. I often wonder why these two simple steps elude everyone else.
“is the practice of investing in countermeasures intended to provide the feeling of improved security while doing little or nothing to actually achieve it.”
An interesting position to take, please elucidate.
If 99.9%+ of VoIP attempts arrive on UDP port 5060 and you are dropping such connections because you are listening on port 63241, and further, 4 or more connections from a single IP on different ports trigger a total dropping of that host, then you are basically invisible and they can’t aim at you, no?
Through the power of bash-fu I can scan all your ports without triggering your firewall or intrusion detection. Again, not sharing the methods, but I just scanned all 65K ports on my server, didn’t trip any of the logs, and found my port:
Connection to 192.168.0.32 5060 port [udp/*] succeeded!
It finds other UDP ports too, but humans are simple creatures so I can grok them pretty easily…
An iptables setup I start with on any new machine:-
#!/bin/sh
# My system IP/set ip address of server
SERVER_IP="10.20.30.40"
# Flushing all rules
iptables -F
iptables -X
# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# Allow unlimited traffic on loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow incoming ssh on your non-standard port
iptables -A INPUT -p tcp -s 0/0 -d $SERVER_IP --sport 513:65535 --dport 34567 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s $SERVER_IP -d 0/0 --sport 34567 --dport 513:65535 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -j DROP
iptables -A OUTPUT -j DROP
Add restrictive rules as appropriate to allow the services you need from hosts that are acceptable; start with:-
netstat -aunt|grep 0.0.0.0:[0-9]
and lsof -i : (the number after the : ). There are often surprising services running on your box that you were not necessarily aware of, and 5038 for example would be a “bad thing” to allow through without reason.
Consider that as a basic “closed viewing room”, and don’t worry about being a theater. Then further limit connections from any host by number, time frame, and uniqueness.
Any firewall is only as good as its implementer. CSF does a very fair job of all of that allowing bit, if you just RTF/etc/csf.conf.
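As an added example, not part of the poster’s script: the “number, time frame, and uniqueness” limit from the post above, written as Python detection logic run over constructed Asterisk-style failed-registration lines. The log format, the thresholds and the rendered iptables rule are my assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the style of Asterisk chan_sip REGISTER failures; documentation addresses only.
SAMPLE_LOG = """\
[2013-04-02 10:00:01] NOTICE[1234] chan_sip.c: Registration from '"100"<sip:100@10.0.0.5>' failed for '203.0.113.9:5060' - Wrong password
[2013-04-02 10:00:02] NOTICE[1234] chan_sip.c: Registration from '"101"<sip:101@10.0.0.5>' failed for '203.0.113.9:5060' - No matching peer found
[2013-04-02 10:00:03] NOTICE[1234] chan_sip.c: Registration from '"102"<sip:102@10.0.0.5>' failed for '203.0.113.9:5060' - Wrong password
[2013-04-02 10:00:04] NOTICE[1234] chan_sip.c: Registration from '"103"<sip:103@10.0.0.5>' failed for '203.0.113.9:5060' - Wrong password
[2013-04-02 10:00:05] NOTICE[1234] chan_sip.c: Registration from '"100"<sip:100@10.0.0.5>' failed for '198.51.100.7:5060' - Wrong password
[2013-04-02 10:09:30] NOTICE[1234] chan_sip.c: Registration from '"100"<sip:100@10.0.0.5>' failed for '198.51.100.7:5060' - Wrong password
"""

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] NOTICE\[\d+\] chan_sip\.c: Registration from "
    r"'(?P<acct>[^']*)' failed for '(?P<ip>[\d.]+):\d+' - (?P<reason>.*)$"
)

def find_offenders(log_text, max_failures=3, window=timedelta(minutes=5)):
    """Sliding-window count of failed registrations per source IP; a host is an
    offender once it exceeds max_failures inside `window`. Returns
    {ip: (failures_in_window, distinct_accounts_tried)}: many accounts from one host is the door-jiggling signature."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    accounts = defaultdict(set)   # ip -> account names that host has tried
    offenders = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                # unrelated log line
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:   # expire failures older than the window
            q.popleft()
        accounts[m["ip"]].add(m["acct"])
        if len(q) > max_failures:
            offenders[m["ip"]] = (len(q), len(accounts[m["ip"]]))
    return offenders

def iptables_drop_rules(offenders, sip_port=5060):
    """Render one DROP rule per offender for the INPUT chain of a script like the one above."""
    return [f"iptables -I INPUT -s {ip} -p udp --dport {sip_port} -j DROP"
            for ip in sorted(offenders)]

if __name__ == "__main__":
    for rule in iptables_drop_rules(find_offenders(SAMPLE_LOG)):
        print(rule)
```

The second host only fails twice, more than five minutes apart, so it never crosses the threshold; the first walks four accounts in four seconds and is dropped.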