As Andrew from Anteil has mentioned, there is no way to access Switchvox via SSH, only the web GUI! And there is no way to read the logs as well. So we are stuck; Digium can't help us! They just simply said to use a CD to reinstall the system! How f...@cking nice tech support.
On Sun, Feb 8, 2009 at 10:19 AM, Andrew M. Lauppe <[email protected]> wrote:

> I'm not standing up for SwitchVOX but I would point out that, on that
> platform, the root password is both unknown/undocumented, and there is no
> way to activate it for end-user access short of booting from a recovery CD
> and using single-user mode or chroot and running passwd.
>
> In other words, SSH is useless on that platform so this machine had to be
> hacked some other way. Also - with no shell access, there is no access to
> the apache or asterisk logs, and no way to install fail2ban. If you're
> running switchvox, you *NEED* to put it behind a firewall with logging.
>
> If you need help securing switchvox, or building a firewall with proper
> logging support, let us know. Anteil is happy to help.
>
> Andy
>
> Anteil, Inc. <http://www.anteil.com>
> ------------------------------
> *Andrew M. Lauppe*
> *Consultant*
>
> 4051B Executive Park Dr.
> Harrisburg, PA 17111
> ------------------------------
> +1 (877) OS-LINUX x23
> +1 (484) 421-9919 direct
>
>
> [email protected] wrote:
>
> > On Sat, 2009-02-07 at 21:54 -0500, Alex Balashov wrote:
> >
> > Agreed strongly.
> >
> > 1) For one, it sounds like you allowed remote root logins directly via
> > SSH via password. Many people seem to do this for convenience. This is
> > VERY BAD and should NEVER, EVER be allowed under any circumstances.
> > Only password access to user accounts should be permitted 100% of the time.
> >
> > 2) Secondly, SSH should really not be open to the public at all. With
> > some hosts, that just can't be helped (public access boxes). For a PBX,
> > there is absolutely no reason why SSH should be open to anyone but you.
> >
> > My SSH on all servers is firewalled to everyone in the world and I can
> > only get in through an OpenVPN management VPN. If for some reason that
> > fails or I am on a host that doesn't have a client, there are a few IPs
> > that are allowed in as a back door. That's it.
> > >
> > > Having the ssh server at the default port and accepting password
> > > authentication is a security problem waiting to happen.
> > > Looking at firewall logs you can see that the ssh port is scanned
> > > routinely and brute force attacks happen all the time.
> > > If you need to have ssh access open, move it to another port, disable
> > > password auth and use only publickey auth.
> > > Also as I see more and more companies implementing a strict "no incoming
> > > ports open" policy (which is good), an option is to have a reverse ssh
> > > tunnel. http://skoroneos.blogspot.com/2009/01/doing-reverse-ssh-tunnel-embedded-way.html
> > >
> > > I have implemented this in our embedded asterisk distro and now it works
> > > with the dialplan also.
> > > i.e. you trigger the connection from inside by dialing a number
> > >
> > > There are other ways too, including port knocking.
> > >
> > > For SIP bruteforce attacks, I use fail2ban to monitor the logs and firewall
> > > any attacks, in addition to having strong passwords and long sip user ids.
> > >
> > > _______________________________________________
> > > --Bandwidth and Colocation Provided by http://www.api-digital.com--
> > >
> > > asterisk-biz mailing list
> > > To UNSUBSCRIBE or update options visit:
> > > http://lists.digium.com/mailman/listinfo/asterisk-biz
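The SSH advice quoted in this thread (no direct root logins, public-key auth only, sshd off the default port) as a small sshd_config audit script. This is an added example, not code from the thread or from Anteil; the sample configs are constructed, the defaults it assumes for missing keywords are those of an older OpenSSH, and "Keyword=value" syntax is not handled.

```shell
# Added example, not code from the thread: audit an sshd_config against the
# advice above (no root logins, public-key auth only, sshd off port 22).
# sshd keeps the FIRST value it reads for a keyword (later repeats are ignored)
# and keywords are case-insensitive; "Match" blocks apply only conditionally,
# so reading stops at the first Match line. "Keyword=value" syntax is not
# handled, and the defaults passed in are assumptions for an older OpenSSH.

# sshd_effective FILE KEYWORD DEFAULT -> prints the effective (first) value
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        /^[[:space:]]*#/ || NF == 0 { next }      # skip comments and blank lines
        tolower($1) == "match" { exit }            # conditional block: stop here
        tolower($1) == key && !found { print $2; found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# audit_sshd_config FILE -> one finding per line; prints nothing if it passes
audit_sshd_config() {
    root=$(sshd_effective "$1" PermitRootLogin yes | tr 'A-Z' 'a-z')
    pass=$(sshd_effective "$1" PasswordAuthentication yes | tr 'A-Z' 'a-z')
    port=$(sshd_effective "$1" Port 22)
    case "$root" in
        no|prohibit-password|without-password) ;;
        *) echo "PermitRootLogin=$root: set 'PermitRootLogin no'" ;;
    esac
    [ "$pass" = "no" ] || echo "PasswordAuthentication=$pass: set 'no', use public keys"
    [ "$port" != "22" ] || echo "Port=22: move sshd off the default port and firewall it"
}
# sshd_finding_count FILE -> number of findings (0 means the file passes)
sshd_finding_count() { audit_sshd_config "$1" | awk 'END { print NR }'; }

# Constructed sample configs, not from any real system. The weak one repeats
# PermitRootLogin; sshd keeps the first value ("yes"), so it is still flagged.
WEAK_CFG=$(mktemp); HARD_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
Port 22
PermitRootLogin yes
PermitRootLogin no
PasswordAuthentication yes
EOF
cat > "$HARD_CFG" <<'EOF'
Port 2222
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
Match Address 10.0.0.0/8
    PasswordAuthentication yes
EOF
audit_sshd_config "$WEAK_CFG"    # three findings; the hardened file prints none
```

The hardened sample passes even though its Match block re-enables passwords for one address range, because that setting is conditional and the audit only judges the global section.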
