Steve Totaro wrote:
> On Thu, Feb 12, 2009 at 8:53 PM, BJ Weschke <[email protected]
> <mailto:[email protected]>> wrote:
>
> > Trixter aka Bret McDanel wrote:
> > > On Thu, 2009-02-12 at 17:08 -0500, Jared Geiger wrote:
> > >
> > > > I saw multiple attacks from OVH.NET <http://OVH.NET> IP addresses over
> > > > the last few weeks as well. I have used a few of the tips in this
> > > > article to secure PBXs before as well: http://nerdvittles.com/?p=580
> > > > (fail2ban/IPTables).
> > > >
> > > > For Switchvox the root account seems to have a key, not a password, to
> > > > login. You can always boot in single user mode, create a new user and
> > > > add that user to the sudoers file, then disable root from being able to
> > > > login via ssh.conf.
> > >
> > > First let me say I have never used Switchvox, but if it's Linux based
> > > then the following should apply.
> > >
> > > Can you not just get a shell? If you can, you shouldn't have to boot into
> > > single user mode unless they are doing chattr stuff to only allow
> > > editing of the password file on a secure runlevel, and it is rare that
> > > this is done.
> > >
> > > /etc/passwd, /etc/shadow, /etc/group, /etc/sudoers are all just text
> > > files and it's easy to append a line for new users to those files, just
> > > as it's easy to use the useradd/adduser programs to add users. sshd.conf
> > > is also a text file, which requires sshd to restart to take effect, but
> > > this usually does not drop connections already in process. This can be
> > > as simple as /etc/init.d/sshd restart or something similar.
> > >
> > > > You should be able to then set up IPTables on Switchvox as well after
> > > > going in and creating the second account.
> > >
> > > The problem is that you would need it to know to use sudo if it
> > > doesn't. I do not know if it's smart enough to say "you aren't root, so
> > > let me sudo this command".
> >
> > All valid points, but don't forget what the whole objective of Switchvox
> > is. While you might very well be able to do what you're suggesting above,
> > you might also be voiding warranty/support when you also inadvertently but
> > effectively lock out the Switchvox folks from being able to support you.
> > If you never want support or interaction from Switchvox again, this might
> > be a viable solution for you, but I don't get the impression that most
> > people that buy Switchvox in the first place are looking for a
> > "disconnected" relationship from them after the initial purchase.
> >
> > If Switchvox is recommending that you put their appliance behind a
> > firewall and you choose not to, then that's like a plumber installing a
> > shower and not caulking the gap between the floor and the wall when the
> > manual has suggested that you do so. It may take a while for the water
> > leaking through to develop into black mold, rot out the wood behind it,
> > and other nice things like that, but it's probably only a matter of time
> > before it actually happens.
> >
> > BJ
> >
> > --
> > Bird's The Word Technologies, Inc.
> > http://www.btwtech.com/
>
> Huh, what is this propaganda? Black mold by locking down a Linux system?
> I call BS.
>
> First, Switchvox will not connect to your box unless you get past the
> gatekeepers, AKA "Level 1 Techs Who Answer the Phone", who will keep you
> jumping through hoops for weeks or even months, flatly telling you that
> they "cannot access your box, they do not have the password".
>
> Besides that, if your box is firewalled, then you have to grant them
> access, that is if they grant you the favor to really support their
> product....
>
> If you do get past the gatekeepers, then you are probably pretty tired of
> Switchvox by now and you have been suffering for weeks with a crippled
> mission critical system.
>
> During this hellhole of back and forth "Support", you have plenty of time
> to do a Switchvox backup and then re-install via installation media,
> upgrade, and finally restore your backup.
>
> I think it is more of a brushoff of "Unsupported" configurations, which
> means you are to blame if you don't heed the warnings.
>
> 1. Charge for support
> 2. Don't provide support
> 3. Profit
>
> I think most experienced *nix administrators can handle their own
> IPTables, OpenVPN, and whatever else.

I think maybe you misread my post. I don't think it's propaganda at all. Switchvox, apparently, instructs you to put their device behind a firewall. If you don't, then just like doing a poor plumbing job, you're a prime candidate for "leaks" and things that come with "leaks" down the line.

With regard to your post, "I think most experienced *nix administrators can handle their own IPTables, OpenVPN, and whatever else.": Yes. I totally agree, but as someone already raised the point, how many of the authorized Switchvox resellers actually have "experienced *nix administrators" on staff? I sincerely doubt that's one of their requirements to become a reseller, and while I do understand it, I think to not have at least one of those types of people on staff with those types of skills *should* be a requirement for a good reseller.

--
Bird's The Word Technologies, Inc.
http://www.btwtech.com/

_______________________________________________
--Bandwidth and Colocation Provided by http://www.api-digital.com--
asterisk-biz mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-biz
