What Noah is posting about is correct. SMTP is listening on 127.0.0.1.
However, if you use SSH port redirection, from an outside host you can
forward your remote 127.0.0.1:25 to your own 127.0.0.1:25. I just tested
this with a development 4.6 server we have, from a system completely
off-network:
ssh -vN PlcmSpIp@{IP_OF_SIPX_SERVER} -L 25:127.0.0.1:25
After entering the password PlcmSpIp, I could telnet 127.0.0.1 25 and
send mail. I would consider that to be a pretty large security flaw, as
every sipx server out there that has SSH Password logins allowed to the
world can be used as spam relays.
Regards,
Alan Worstell
A1 Networks - Systems Administrator
VTSP, dCAA, LPIC-1, Linux+, CLA, DCTS
(707)570-2021 x204
For support issues please email [email protected] or call 707-703-1050
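As an added example (not part of this thread or of sipXecs), a POSIX shell audit of an sshd_config for the two mitigations proposed in the thread, DenyUsers for the provisioning accounts and AllowTcpForwarding no; the user names PlcmSpIp and lvp2890 follow the thread, and the two config files are constructed samples.

```shell
#!/bin/sh
# Added example, not from the thread: audit an sshd_config for the two
# mitigations proposed here (DenyUsers for the provisioning accounts and
# AllowTcpForwarding no). Only the global section is read: sshd stops
# applying plain keywords at the first Match block, and for single-valued
# keywords the first occurrence wins.

# Effective value of a single-valued keyword (first occurrence, global
# section), lower-cased; prints nothing if absent.
global_value() {          # $1 = config file, $2 = keyword in lower case
  awk -v key="$2" '
    tolower($1) == "match" { exit }
    tolower($1) == key     { print tolower($2); exit }' "$1"
}

# Succeeds only if AllowTcpForwarding is explicitly "no"; OpenSSH's
# default when the directive is absent is "yes".
forwarding_disabled() {
  [ "$(global_value "$1" allowtcpforwarding)" = "no" ]
}

# Succeeds only if every user in $2.. is listed on some DenyUsers line.
# DenyUsers lines accumulate, so all of them in the global section count.
denies_users() {
  cfg=$1; shift
  listed=$(awk 'tolower($1) == "match" { exit }
                tolower($1) == "denyusers" { for (i = 2; i <= NF; i++) print $i }' "$cfg")
  for u in "$@"; do
    printf '%s\n' "$listed" | grep -qx -- "$u" || return 1
  done
  return 0
}

# Constructed sample configs: one with nothing set (forwarding therefore
# enabled, as in the thread), one carrying the proposed mitigations.
WEAK_CFG=$(mktemp); HARD_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$HARD_CFG"' EXIT
printf '%s\n' 'Port 22' 'PasswordAuthentication yes' > "$WEAK_CFG"
printf '%s\n' 'Port 22' 'AllowTcpForwarding no' \
  'DenyUsers PlcmSpIp' 'DenyUsers lvp2890' > "$HARD_CFG"

# Report every missing mitigation; returns 1 if any finding was printed.
audit() {
  rc=0
  forwarding_disabled "$1" || { echo "$1: AllowTcpForwarding is not 'no'"; rc=1; }
  denies_users "$1" PlcmSpIp lvp2890 || { echo "$1: PlcmSpIp/lvp2890 not in DenyUsers"; rc=1; }
  return $rc
}
audit "$WEAK_CFG" || echo "-> $WEAK_CFG needs hardening"
audit "$HARD_CFG" && echo "-> $HARD_CFG has both mitigations"
```

Run it against a copy of the real /etc/ssh/sshd_config to see which of the two settings is still missing; a config that only spells the users differently from the thread will show up as a DenyUsers finding.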
On 11/16/12 3:17 PM, Tony Graziano wrote:
can you provide the output of: lsof -i | grep LISTEN
and post what SMTP is listening to?
On Fri, Nov 16, 2012 at 6:11 PM, Noah Mehl <[email protected]> wrote:
This is my problem:
You are arguing with me when you don't understand how SSH port
forwarding works.
In the exploit I've illustrated, the port is tunneled via SSH.
Then on the remote machine (the sipxecs server) the traffic
originates as LOCALHOST. That's why it's an OOTB security flaw.
I have not made changes to the smtp config.
~Noah
On Nov 16, 2012, at 6:02 PM, "Tony Graziano" <[email protected]> wrote:
There is that too. I keep bringing it up but he skips over it.
In a default sipx installation, the output shows:
sendmail TCP localhost.localdomain:smtp (LISTEN)
and there are no other entries related to SMTP. So again,
something is different here than in all the others (remember that
kids game?). Why is your installation different? Why is SMTP open
to begin with? Why is SMTP open on your system and no one else's?
I still don't agree with your assessment. It is the way your
firewall and/or sendmail is configured to begin with that is not
consistent with the way the system is used. Security is the
admin's and certainly SSH port forwarding can be turned off and the
user can be denied. I don't think it very helpful to make changes
to secure a system if someone keeps opening holes or changing
smtp configs and then opening another case that the system is not
secure enough... I'm just saying. You still have neglected to
explain why SMTP is open from waaaayyyy back in this thread.
Realize the developers list are some of the same people here (I
won't dissuade you from posting to it to that list, or opening a
JIRA) but realize it can be discussed and decided there is no
problem and a change is not warranted, only an implementation
decision gone awry. On the other hand, if enough people agree
those are two things that can be done by default "in the event
someone decides to open SMTP". I'm not a fortune teller.
I think it took a lot of your time to find it and to bring it up,
and I think it's worthy of consideration though.
On Fri, Nov 16, 2012 at 5:50 PM, Noah Mehl <[email protected]> wrote:
Hey! FINALLY, I got some information that's actually
useful to me!!! Where is the JIRA link where I can post a
bug? Is there a different mailing list for Sipxecs dev?
No, my argument is that two users are created by the SipXecs
install: PlcmSIp and lvp2890. These users have passwords set
in the /etc/shadow from the install script.
I do not believe that this is a Redhat/Centos problem,
because they DO NOT ship system users with passwords in
/etc/shadow. Or any user with a password in /etc/shadow
except for the password one sets for root during install, and
the password for the first user during install.
Since SipXecs install creates these users, and thereby
creates the security issue, part of the user creation should
deny those users access to ssh in the sshd_config. That's
the only part of this scenario that isn't secure. I will be
happy to submit a bug, etc...
As it happens, I'm not the first person to be hacked because
of this:
http://www.mail-archive.com/[email protected]/msg04471.html
And it's highly likely that many people have been bitten by
this, and no one knew what the cause was.
This serves as a warning to ALL SipXecs 4.4.x users:
1. If you have SipXecs 4.4.x
2. You still have the PlcmSIp and lvp2890 users, with
unchanged password (which you would by default, not knowing
they had been added to your server)
3. Anyone has SSH port access to the server
4. Then you are wide open
I don't care how one solves the issue, we have 3 solutions so
far:
1. Disable or heavily restrict all ssh access to the machine
2. DenyUsers PlcmSIp lvp2890 in /etc/ssh/sshd_config
3. AllowTcpForwarding no in /etc/ssh/sshd_config
I prefer method 2 because I don't want to remove a useful
tool in my arsenal (ssh port forwarding), and I don't want to
change the default passwords (because of provisioning stock
phones). But I HIGHLY suggest everyone take a quick look at
their settings, because I bet a lot of people are susceptible
to this. Thanks.
~Noah
On Nov 16, 2012, at 5:37 PM, Tony Graziano <[email protected]> wrote:
You do realize the other side of this argument is that SSH
forwarding is enabled by default on Redhat/Centos and that
since you have SSH available to the public at large it also
makes this an effective use of your system.
I think the place for you to ask for a change is submitting
a JIRA and posting a link on the users and dev groups so
people can comment and/or vote for this change...
add in /etc/ssh/sshd_config by default:
AllowTcpForwarding no
DenyUsers PlcmSpIp
On Fri, Nov 16, 2012 at 5:24 PM, Noah Mehl <[email protected]> wrote:
Shall I make a screencast to explain?
~Noah
On Nov 16, 2012, at 5:20 PM, Noah Mehl <[email protected]> wrote:
Gerald.
That's the security hole. I AM ABLE TO CONNECT TO THE
LOCAL SMTP SERVICE ON THE SIPXECS SERVER via SSH
remotely using the default user/pass of PlcmSIp,
utilizing ssh port forwarding.
~Noah
On Nov 16, 2012, at 5:17 PM, Gerald Drouillard <[email protected]> wrote:
On 11/16/2012 1:57 PM, Noah Mehl wrote:
Does nobody on the list know what SSH port forwarding
is? I am running the first two commands from a
remote machine (connecting to the sipxecs machine) in
separate terminals to forward my local 25 port to the
sipxecs box, and the 25 port on the sipxecs box
locally. The third command is run locally on the
remote machine. This exploit gives the remote
machine access to port 25 on the SipXecs box even if
all other ports are blocked. This could be used for
any port that is blocked by firewall, ids, etc, if
the remote machine has ssh access to the sipxecs box.
~Noah
Do you understand that if your sipx smtp server is
only running on localhost that you will not be able to
connect to it via telnet/ssh/whatever?
--
Regards
--------------------------------------
Gerald Drouillard
Technology Architect
Drouillard & Associates, Inc.
http://www.Drouillard.biz
_______________________________________________
sipx-users mailing list
[email protected]
List Archive: http://list.sipfoundry.org/archive/sipx-users/
--
~~~~~~~~~~~~~~~~~~
Tony Graziano, Manager
Telephone: 434.984.8430
sip: [email protected]
Fax: 434.465.6833
~~~~~~~~~~~~~~~~~~
Linked-In Profile:
http://www.linkedin.com/pub/tony-graziano/14/4a6/7a4
Ask about our Internet Fax services!
~~~~~~~~~~~~~~~~~~
Using or developing for sipXecs from SIPFoundry? Ask me about sipX-CoLab 2013!
<http://sipxcolab2013.eventbrite.com/?discount=tony2013>
LAN/Telephony/Security and Control Systems Helpdesk:
Telephone: 434.984.8426
sip: [email protected]
Helpdesk Customers: http://myhelp.myitdepartment.net
Blog: http://blog.myitdepartment.net