There is that too. I keep bringing it up but he skips over it.

In a default sipx installation, the output shows:

sendmail TCP localhost.localdomain:smtp (LISTEN)

and there are no other entries related to SMTP. So again, something is
different here than in all the others (remember that kids' game?). Why is
your installation different? Why is SMTP open to begin with? Why is SMTP
open on your system and no one else's?

I still don't agree with your assessment. It is the way your firewall
and/or sendmail is configured to begin with that is not consistent with the
way the system is used. Security is the admin's and certainly SSH port
forwarding can be turned off and the user can be denied. I don't think it is very
helpful to make changes to secure a system if someone keeps opening holes
or changing smtp configs and then opening another case that the system is
not secure enough... I'm just saying. You still have neglected to explain
why SMTP is open from waaaayyyy back in this thread.

Realize the developers list is some of the same people here (I won't
dissuade you from posting to that list, or opening a JIRA) but
realize it can be discussed and decided there is no problem and a change is
not warranted, only an implementation decision gone awry. On the other
hand, if enough people agree those are two things that can be done by
default "in the event someone decides to open SMTP". I'm not a fortune
teller.

I think it took a lot of your time to find it and to bring it up, and I
think it's worthy of consideration though.

On Fri, Nov 16, 2012 at 5:50 PM, Noah Mehl <[email protected]> wrote:

>  Hey!  FINALLY, I got some information that's actually useful to me!!!
> Where is the JIRA link where I can post a bug?  Is there a different
> mailing list for Sipxecs dev?
>
>  No, my argument is that two users are created by the SipXecs install:
> PlcmSIp and lvp2890.  These users have passwords set in the /etc/shadow from
> the install script.
>
>  I do not believe that this is a Redhat/Centos problem, because they DO
> NOT ship system users with passwords in /etc/shadow. Or any user with a
> password in /etc/shadow except for the password one sets for root during
> install, and the password for the first user during install.
>
>  Since SipXecs install creates these users, and thereby creates the
> security issue, part of the user creation should deny those users access to
> ssh in the sshd_config.  That's the only part of this scenario that isn't
> secure.  I will be happy to submit a bug, etc...
>
>  As it happens, I'm not the first person to be hacked because of this:
> http://www.mail-archive.com/[email protected]/msg04471.html And
> it's highly likely that many people have been bitten by this, and no
> one knew what the cause was.
>
>  This serves as a warning to ALL SipXecs 4.4.x users:
>
>  1. If you have SipXecs 4.4.x
> 2. You still have the PlcmSIp and lvp2890 users, with unchanged password
> (which you would by default, not knowing they had been added to your server)
> 3. Anyone has SSH port access to the server
> 4. Then you are wide open
>
>  I don't care how one solves the issue, we have 3 solutions so far:
>
>  1. Disable or heavily restrict all ssh access to the machine
> 2. DenyUsers PlcmSIp lvp2890 in /etc/ssh/sshd_config
> 3. AllowTcpForwarding no in /etc/ssh/sshd_config
>
>  I prefer method 2 because I don't want to remove a useful tool in my
> arsenal (ssh port forwarding), and I don't want to change the default
> passwords (because of provision stock phones).  But I HIGHLY suggest
> everyone takes a quick look at their settings, because I bet a lot of
> people are susceptible to this.  Thanks.
>
>  ~Noah
>
>  On Nov 16, 2012, at 5:37 PM, Tony Graziano <[email protected]> wrote:
>
> You do realize the other side of this argument is that SSH forwarding is
> enabled by default on Redhat/Centos and that since you have SSH available
> to the public at large it also makes this an effective use of your system.
>
>  I think the place for you to ask for a change is submitting a JIRA and
> posting a link on the users and dev groups so people can comment and/or
> vote for this change...
>
>  add in /etc/ssh/sshd_config by default:
>
>  AllowTcpForwarding no
> DenyUsers PlcmSpIp
>
>
>
>
> On Fri, Nov 16, 2012 at 5:24 PM, Noah Mehl <[email protected]> wrote:
>
>> Shall I make a screencast to explain?
>>
>>  ~Noah
>>
>>  On Nov 16, 2012, at 5:20 PM, Noah Mehl <[email protected]> wrote:
>>
>>  Gerald.
>>
>>  That's the security hole.  I AM ABLE TO CONNECT TO THE LOCAL SMTP
>> SERVICE ON THE SIPXECS SERVER via SSH remotely using the default user/pass
>> of PlcmSIp, utilizing ssh port forwarding.
>>
>>  ~Noah
>>
>>  On Nov 16, 2012, at 5:17 PM, Gerald Drouillard <[email protected]>
>> wrote:
>>
>>  On 11/16/2012 1:57 PM, Noah Mehl wrote:
>>
>> Does nobody on the list know what SSH port forwarding is?  I am running
>> the first two commands from a remote machine (connecting to the sipxecs
>> machine) in separate terminals to forward my local 25 port to the sipxecs
>> box, and the 25 port on the sipxecs box locally.  The third command is run
>> locally on the remote machine.  This exploit gives the remote machine
>> access to port 25 on the SipXecs box even if all other ports are blocked.
>>  This could be used for any port that is blocked by firewall, ids, etc, if
>> the remote machine has ssh access to the sipxecs box.
>>
>>  ~Noah
>>
>> Do you understand that if your sipx smtp server is only running on
>> localhost that you will not be able to connect to it via
>> telnet/ssh/whatever?
>>
>>
>> --
>> Regards
>> --------------------------------------
>> Gerald Drouillard
>> Technology Architect
>> Drouillard & Associates, Inc.
>> http://www.Drouillard.biz
>>
>>  _______________________________________________
>> sipx-users mailing list
>> [email protected]
>> List Archive: http://list.sipfoundry.org/archive/sipx-users/
>



-- 
~~~~~~~~~~~~~~~~~~
Tony Graziano, Manager
Telephone: 434.984.8430
sip: [email protected]
Fax: 434.465.6833
~~~~~~~~~~~~~~~~~~
Linked-In Profile:
http://www.linkedin.com/pub/tony-graziano/14/4a6/7a4
Ask about our Internet Fax services!
~~~~~~~~~~~~~~~~~~

Using or developing for sipXecs from SIPFoundry? Ask me about sipX-CoLab
2013!
<http://sipxcolab2013.eventbrite.com/?discount=tony2013>

-- 
LAN/Telephony/Security and Control Systems Helpdesk:
Telephone: 434.984.8426
sip: [email protected]

Helpdesk Customers: http://myhelp.myitdepartment.net
Blog: http://blog.myitdepartment.net
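A defender-side check for the two sshd_config mitigations Noah lists (DenyUsers for the sipXecs provisioning accounts and AllowTcpForwarding no), written for this thread as an added example; it is not code from sipXecs or from anyone in the thread, and the account names and both sample configs are assumptions constructed to exercise it.

```python
"""Audit an sshd_config for the two mitigations discussed in the thread:
DenyUsers for the sipXecs provisioning accounts and AllowTcpForwarding no."""
import re

# Account names as listed in the thread; adjust to what `getent passwd` shows
# on the box (the thread spells the Polycom account both PlcmSIp and PlcmSpIp).
SIPX_USERS = ("PlcmSIp", "lvp2890")

# Constructed samples, not taken from any real sipXecs installation.
SAMPLE_WEAK = """\
# AllowTcpForwarding no   <- commented out, so the default (yes) applies
DenyUsers PlcmSpIp        # spelled differently from the account being checked
"""
SAMPLE_HARDENED = """\
AllowTcpForwarding no
DenyUsers PlcmSIp
DenyUsers lvp2890
"""


def parse_sshd_config(text):
    """Return (allow_tcp_forwarding, deny_users) as sshd applies them globally.

    OpenSSH keeps the first value it reads for most keywords, so a later
    'AllowTcpForwarding no' does not override an earlier 'yes'; DenyUsers
    lines accumulate. Directives inside a Match block are conditional, so
    parsing stops at the first Match.
    """
    forwarding, deny = None, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # keyword [=] args
        key = parts[0].lower()                # keywords are case-insensitive
        args = parts[1].split() if len(parts) > 1 else []
        if key == "match":
            break
        if key == "allowtcpforwarding" and forwarding is None and args:
            forwarding = args[0].lower()
        elif key == "denyusers":
            deny.extend(args)
    return forwarding, deny


def audit(text, users=SIPX_USERS):
    """Return a list of findings; an empty list means both mitigations are set."""
    forwarding, deny = parse_sshd_config(text)
    findings = []
    if forwarding != "no":   # 'local' would still permit the -L forward used here
        shown = repr(forwarding) if forwarding else "unset (defaults to yes)"
        findings.append("AllowTcpForwarding is %s, not 'no'" % shown)
    for user in users:
        if user not in deny:
            findings.append("%s is not listed in DenyUsers" % user)
    return findings
```

Run `audit(open("/etc/ssh/sshd_config").read())` on a server to get the findings for its live configuration.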