Security Issue!

Dear Freepbx,

Past Weekend I was hacked at a hosted freepbx-distro.
After research I saw the looked in the next file, that is accessable for everybody!!! In this file there is in plain text the ari password and login name.
Am I overlooking something here???
http://[ip-address-PBX]/admin/modules/framework/bin/gen_amp_conf.php

How can I repair this issue, is this file important?

Ragards
Bas

This is not a Distro issue but a FreePBX 2.9 issue and is being looked at. Not sure how getting your ARI username and password could allow them to do anything but the issue is being addressed and someone will comment shortly with more information on this.

Thanx for the fast reaction!
For this pbx, the ari administrator login, was the same as the gui login and password (I know, not smart)

Now I changed all passwords and disabled ARI administrator login.

Also at extensiosn I have set
deny 0.0.0.0/0.0.0.0
permit 192.168.1.10/0.0.0.0

I hope this works if I put 0.0.0.0 as netmask and only filled in the ip adress??

again thanks!

Thanks for the clarification of how they used the ARI creds to hack the system.

We’ve been working on and have checked in a series of fixes for this and other similar modes of attack that we may not be aware of as yet and these will be published shortly. They will go out on 2.10 initially for some testing though some of them will also go out on 2.9 that are easy to confirm and pose minimal risk of bugs.

I must point out though that it’s a bad idea to put any of the PBX on the open internet. It does not mean that that the vulnerabilities are not very real and being taken seriously, but once we fix these eventually some new vulnerability will surface that no one knows about and thus the stress on this point.

Still there are users who want a hosted pbx connected to the internet.
I am writing now a security what to change to make freepbx as safe as possible.
is it usefull if I sent you a copy of this how-to security steps?
Maybe you can add some items where to think of.
Offcourse I understand it still is not wise to expose the pbx to internet.

For example, what I have now.
1- Change ssh port from 22 > 2244
2- Change http listening port from 80 to 8888
3- Set maximum outgoing channels for extensions default from 0 (limmitless) to 1
4- Use different passwords for ssh, webgui, extensions, ari
5- Set fail2ban to ban 1800 seconds to ban 49000 seconds (I noticed they still try after 30 minutes, but not after 12 hours.
6- Permit/Deny ip based
7- Sip allow guests from yes to no (noticing the incoming DID settings)
8- How to block calling to international numbers.

I noticed that hackers use scripts to scan web pages. This can be solved by changing the port I think.
Mostly they also scan for default ssh ports (most of my fail2ban messages)

Let me know if this is a good idea, I will put some work in it to help people save money.

Greets Bas

Pretty sure the netmask in the permit field should be 255.255.255.255 to match only a single address. (0.0.0.0 will match anything)

This is terrible advice. Security by obscurity is not security.

If you can’t afford a firewall install APF and configure it properly. If you are too lazy to use a tunnel via SSH to access FreePBX web then at least only leave SSH open with fail2ban or BFD and use APF to only open port 80 to the IP you want to access from.

So basically you ssh in and then do an apf -a of your ip address.

If you have to open SIP up to the world steps 3 and 7 are good suggestions.

I agree with Skyking, if you have your PBX on the Internet and let’s face it most of us want external extensions, SIP Trunks etc., Put it behind a NAT and firewall it to death, only open SIP and IAX2 ports plus the RTP range and make sure fail2ban is running, I ban for three days when someone trys it on, that seems to make them forget about it.

To access the PBX over the Internet connect to your router on a VPN connection (make sure your password is ultra strong!)and then you can access everything on the PBX as if you are on your private network.

I use Mikrotik routers for this application, they are cheap, its easy to set up a VPN tunnel to them and the Firewall facilities are easy to use.

I am learning a lot from this post.

Now I am further with the security.
I am blocking all country IP’s except the customers country with a IPTables script.
If it is working correctly, I will post it in a bigger security guide.
The nice thing is that remote sip client can login from the within whole country, instead of adding every new ip with 'apf -a [ip]'
Installed APF, working very good! Only adding to much allowed or blocked ip’s makes APF very slow and unstable.
But I see a lot scanners, scanning the http pages (httpd access log).
Also I made root ssh login not accept. made a seperate user for ssh and then login to root privileges with ‘su -’

Like to hear more advices.
Thanx in advance!

I have read all the comments and maybe I missed something here, but didn’t 4 say his PBX was hosted? How would someone do a firewall for a hosted PBX? The suggestions you guys are giving for security is primised based right?

What do you do when you use services like Rent-A-PBX who gives you a static IP address to your box? What I’m noticing is more and more users are doing these hosted solutions or they want a PBX installed but don’t want outside vendor tohave VPN access to there network.

So I think 4 has some pretty good tips for when your forced to use public IP.
I’m by far no guru, but a work in progress so don’t scream at me for asking.

Run the firewall on the hosted server. iptables should work.

iptables is hard to manage. Take a look at the Advanced Policy Firewall. Download, untar and run the install script and you have a fully functioning stateful firewall.

Works like a champ.

On the Mikrotik routers it is simple to set up several pptp servers and to put in firewall rules to only permit access to nominated LAN ip’s on any particular server tunnel and to drop connections to any other ip’s on the LAN.

This would enable third parties to connect to the PBX through a nominated tunnel for maintenance but not to be able to connect to other ip’s on the LAN while a different server tunnel could have different access rules for your own use.

Configuring iptables is very, very easy, and there is no excuse for not using it if you have your PBX in the internet.

http://wiki.centos.org/HowTos/Network/IPTables

Someone used this url to steal our trunk credentials 2 weeks ago and used them to login to our voip provider causing over a $1000 in call charges for December. Please fix this asap!

I have a question: Can I safely delete this admin/modules/framework/bin directory from the webroot or at least the file gen_amp_conf.php?

For now I found also a very simple easy way to allow only one country for your pbxgui access.
Hacker are almost alway’s from countrie’s as Korea, China, Poland, Kazaghstan, etc
Now through a simple .htaccess file in de htm directory you can simply block all except you native country.
What do you think about this extra way of security?

Greets and happy newyear

The security issues with this have been addressed and published more thoroughly in 2.10, an updated framework for 2.9 has some of the fixes that should help with this issue.

Updated framework on my 2.9 freepbx iso distro… now I get internal server error when I go to the admin page.

The httpd error log says -

[Thu Jan 05 15:10:10 2012] [error] [client 192.168.1.101] PHP Fatal error: Call to undefined function fpbx_framework_autoloader() in /var/www/html/admin/bootstrap.php on line 158, referer: http://192.168.1.20/admin/config.php [Thu Jan 05 15:10:15 2012] [error] [client 192.168.1.101] PHP Fatal error: Call to undefined function fpbx_framework_autoloader() in /var/www/html/admin/bootstrap.php on line 158

I commented out the offending line 158 and I can get in the admin web page again…

For the sake of completeness…

[[email protected] asterisk]# cat /etc/asterisk/freepbxdistro-version
1.87.29.55-2

oops … new framework published.

You may need to use the CLI version of module_admin in order to get that downloaded.

Updated. I was able to use the web module admin by commenting out that one line.

Thanks!