Smokey the bear says only you can prevent security breaches


(TheJames) #1

The only way to be secure is to incinerate your server and put the remains in a mix of molten unobtainium. Even then it is a maybe at best.

It is rare that I see a original compromise post. In fact security researchers over the last few years have done well with responsible disclosure. That means in general a software release is put out typically a few weeks before the actual exploit. Most security issues in a perfect world can be prevented through simply updating.

I saw a post where code signing did it’s job. People slam it because they feel it pointless. Well like any other measure it IS pointless until it isn’t.

Unfortunately most issues come from something a code signature can’t catch and that is humans. Many issues are simply a matter of human error and bad configuration.

  1. Does your PBX need to be on the public network (internet)? In most cases the answer is no. Removing direct internet access to your PBX will go a long way. With VPN’s and other technologies the answer to this is almost ALWAYS no.

  2. Does your PBX need to be on the general intranet? Many threats are actually internal. Some employee decides to play with your PBX it doesn’t matter how far it is disconnected from the normal internet. Many internal threats are worse than external threats.

  3. Passwords. Are your passwords appropriately secure. Most sip passwords never need to be typed by a human so they should be obnoxous. This includes trunks, endpoints etc. If your SIP passwords don’t feel like nuclear launch codes FIX THEM!

  4. This is not something you can fix in FreePBX but for providers your sip username should be alphanumeric. In FreePBX your sip username will always be numeric so it is even more important to use a strong password. An attacker scanning your extensions will probably know your extension range is between 100 and 9999 for FreePBX.

  5. Voicemail: Don’t use the extension, 1234, 1111, 0000 as a voicemail pin.

  6. Set up intrusion detection and have it send meaningful notifications.

Lets tl;dr this. Keep updated, use good passwords, keep your pbx isolated from your LAN and the internet whenever possible (spoiler alert, it is always possible).

If you don’t know how to do any of this please learn or hire someone.


(Moussa) #2

This is true for both users and Sangoma. SSH to your FreePBX and run:
rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\n'

Then,
Go to https://vulners.com/audit and paste your output. There are many outdated packages.


(TheJames) #3

My dev server needed 195 updates just to test this… Before I get beat up that is a sandbox in a vm and isn’t exposed to any internet or intranet :slight_smile:
That is really cool.


(TheJames) #4

Another reason to keep your servers isolated from intranet/internet whenever practical.