Postfix security vulnerability?

I wanted to raise awareness from an experience I had yesterday. I am running a vanilla, up-to-date FreePBX distro on my phone server. Our network became unexplainably unreliable, with connections dropping out and all SSL ports not working properly. I switched my router, and that worked for about 20 minutes, then the same thing happened.

Long story short, it turns out the phone server had over 2000 active connections through Postfix (SMTP port) from various US college IP addresses. I can only guess they were using the machine to send massive amounts of spam.

Because I do not utilize any mail functions for this setup, I quickly “yum removed” Postfix and the number of connections reported by netstat dropped to about 10.

I wanted to bring this to everyone’s attention. I do not consider myself a security expert but I would guess neither do many other people using a pre-built software package.
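The symptom described above (thousands of established connections to the SMTP port from a handful of remote hosts) is easy to spot if you summarise netstat output by remote address rather than scrolling through it. The script below is an added example, not something from this thread; it runs over a constructed `netstat -tn` sample embedded in the script, and the addresses are documentation ranges, not real hosts. On a live box you would pipe `netstat -tn` into `smtp_peers 25` instead.

```shell
#!/bin/sh
# Constructed sample in the column layout of `netstat -tn` (not real data).
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:25           198.51.100.23:51322     ESTABLISHED
tcp        0      0 192.0.2.10:25           198.51.100.23:51330     ESTABLISHED
tcp        0      0 192.0.2.10:25           203.0.113.77:40011      ESTABLISHED
tcp        0      0 192.0.2.10:5060         203.0.113.5:5060        ESTABLISHED
tcp        0      0 192.0.2.10:22           198.51.100.9:60001      ESTABLISHED'

# smtp_peers <port>: read `netstat -tn` lines on stdin and print "count ip"
# for every remote host with ESTABLISHED connections to that local port,
# busiest host first. Column 4 is the local socket, column 5 the remote one.
smtp_peers() {
    port="$1"
    awk -v port="$port" '
        $NF == "ESTABLISHED" && $4 ~ (":" port "$") {
            split($5, peer, ":")
            counts[peer[1]]++
        }
        END { for (ip in counts) print counts[ip], ip }
    ' | sort -rn
}

# total_established <port>: total established connections to a local port,
# computed over the constructed sample above.
total_established() {
    printf '%s\n' "$SAMPLE_NETSTAT" | smtp_peers "$1" | awk '{ s += $1 } END { print s + 0 }'
}

# Live use, as root or with CAP_NET_ADMIN where needed:
#   netstat -tn | smtp_peers 25
```

A count in the thousands on port 25 from a short list of sources is the signal the original poster saw; the same one-liner with port 5060 shows who is talking to the SIP side, which is the second thing worth checking on an exposed PBX.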

Do you have a specific vulnerability that you can point to, as we are using the latest Postfix from CentOS? Are you sure you just weren't hacked? It would seem more like you were hacked. What ports on your PBX do you have opened to the outside world?

This is exactly what anyone would expect if you put a server on the Internet without any security.

In 100s if not 1000s of posts is advice to not put your system on a public IP without a firewall and knowing exactly what you are doing. You are still exposing 100s of vulnerable services.

Why do you need your PBX connected directly to the Internet?

I need it to connect to the Internet to reach the VoIP trunks. Is there an easy way to lock down the setup so it can only do this and nothing else?

Is your PBX behind a firewall with only the ports you need opened, or is it wide open to the whole world?

My router has a firewall, but the NAT functions and associated crap screwed up the transmission to and from the trunk, so the gentleman at Flowroute instructed me to turn off the offending router services.

OK, well, you need your PBX to sit behind a firewall or you will be hacked over and over.

How do I ensure the firewall does not interfere with VoIP communications? Is there some sort of how-to guide out there?

I can’t think of a subject that is more discussed than NAT and VoIP.

If you are not a networking expert, I think the key to success is choosing a firewall/router that other folks have had success with and whose configuration is well documented.

Personally, the Juniper SSGs and Cisco ASAs work very well. Both give you a simple way to set up site-to-site VPNs if you need them.

Also, you need a static IP. It’s very difficult to secure with a dynamic IP.

I’m set with the static IP, so that is all set. Is there anything designed for a smaller operation out there? I don’t want to spend thousands of dollars if it is not needed.

Also can you point me in the right direction of these discussions? Many thanks for your expertise!

Those devices are not $1000. Both are under $400 new.

I see Juniper SSGs on eBay for $150.

Just because you have a small budget does not mean you have to buy junk.

Thank you for your help. They say us Linux folks lack charm; we’re proving ’em wrong one post at a time!

Laughing, I have been called many things but never charming!

Thanks

The FreePBX Distro has a great firewall built right in. It takes all of 20 minutes to configure.

http://wiki.centos.org/HowTos/Network/IPTables
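The question earlier in the thread was how to lock the PBX down so it can only reach the trunk and nothing else. The script below is an added example of the iptables approach the linked CentOS how-to describes; it is not from the thread, from FreePBX, or from Flowroute. The trunk and LAN prefixes are documentation placeholders that you must replace with the ranges your provider publishes and your own LAN, and the RTP range and the HTTPS admin port are assumptions about a typical FreePBX install. Nothing in the ruleset opens port 25, so an MTA that happens to be listening is simply unreachable from outside.

```shell
#!/bin/sh
# PLACEHOLDERS (constructed, documentation ranges): replace TRUNK_NETS with the
# signalling/media prefixes your SIP trunk provider publishes and LAN_NET with
# the network your phones and admin workstation live on.
TRUNK_NETS="203.0.113.0/24 198.51.100.0/24"
LAN_NET="192.168.1.0/24"
RTP_PORTS="10000:20000"   # assumed RTP range; match it to your PBX's SIP settings

# pbx_ruleset: print an iptables-restore ruleset that defaults to DROP on
# INPUT, accepts SIP and RTP only from the trunk provider and the LAN, and
# accepts SSH and the HTTPS admin GUI only from the LAN.
pbx_ruleset() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
EOF
    # One SIP rule and one RTP rule per provider prefix.
    for net in $TRUNK_NETS; do
        echo "-A INPUT -s $net -p udp --dport 5060 -j ACCEPT"
        echo "-A INPUT -s $net -p udp --dport $RTP_PORTS -j ACCEPT"
    done
cat <<EOF
-A INPUT -s $LAN_NET -p udp --dport 5060 -j ACCEPT
-A INPUT -s $LAN_NET -p udp --dport $RTP_PORTS -j ACCEPT
-A INPUT -s $LAN_NET -p tcp --dport 22 -j ACCEPT
-A INPUT -s $LAN_NET -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW -m limit --limit 5/min -j LOG --log-prefix "PBX-DROP: "
COMMIT
EOF
}

# open_ports: list every destination port the generated ruleset accepts, so the
# exposure can be reviewed against what the PBX actually needs before applying.
open_ports() {
    pbx_ruleset | awk '/-j ACCEPT/ && /--dport/ {
        for (i = 1; i <= NF; i++) if ($i == "--dport") print $(i + 1)
    }' | sort -u
}

# To apply, as root, after reviewing the output of `pbx_ruleset`:
#   pbx_ruleset | iptables-restore
# and persist it with `service iptables save` on the CentOS-based distro.
```

Because the policy is default-deny and the accept rules are pinned to source prefixes, adding a second trunk provider is a matter of appending its prefix to `TRUNK_NETS`; the logged `PBX-DROP:` lines in `/var/log/messages` then show any other host that is still knocking on the box.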