Matt, Thanks for the comments. These are all great!
~Noah

On Nov 17, 2012, at 6:29 AM, [email protected] wrote:

> Good catch Noah, thank you for reporting it. I agree it's important to
> address this even if your sipx box is behind a firewall. Good network admins
> will only allow smtp out from specific internal hosts so as to restrict where
> mail destined for the wan can come from. sipx would likely be allowed to mail
> the wan side to deliver voicemail email, so that puts it at risk for both
> public and private network attack.
>
> For users wanting to check if you've been exploited I'd suggest running (as
> root or preceding with sudo) "lastlog -u PlcmSpIp" or "lastlog -u lvp2890".
> As suggested earlier applying "DenyUsers PlcmSpIp lvp2890" or inversely
> "AllowUsers <trusted users separated with spaces>" to /etc/ssh/sshd_config
> and restarting sshd is necessary to plug the hole.
>
> Beware that iptables is disabled by default in v4.4 so I recommend running
> sshd on a non-standard port if you need to leave it disabled. If you do want
> to use iptables and want to restrict who can use ssh from the outside, add to
> /etc/sysconfig/iptables something like:
>
> -A INPUT -s <trusted IP or dyndns fqdn> -p tcp --dport 22 -j ACCEPT
>
> (see http://wiki.sipfoundry.org/display/sipXecs/Firewall+Configuration for
> more you'll need)
>
> Alternatively you could use tcp wrappers by appending "sshd: <trusted IP>" to
> /etc/hosts.allow and then adding "sshd: ALL" in /etc/hosts.deny. fail2ban or
> denyhosts would also help tremendously. I prefer DenyHosts because it has the
> online database feature.
>
> Installing logwatch and OSSEC is also a very good idea to catch things like
> this if you're vigilant about reading the email reports. I've been running
> OSSEC clients with active response enabled on production sipx 4.4 for a long
> time without issues.
>
> ________________________________________
> From: [email protected] [[email protected]] On Behalf Of Noah Mehl [[email protected]]
> Sent: Friday, November 16, 2012 9:15 PM
> To: Discussion list for users of sipXecs software
> Subject: Re: [sipx-users] Hacked SipXecs 4.4
>
> Tony,
>
> You know what? I think everyone is clear on YOUR opinion on the matter.
>
> In MY opinion, this is a serious bug. I have created a Jira story:
>
> http://track.sipfoundry.org/browse/XX-10529
>
> Next time, I would appreciate constructive comments instead of: "This is only
> a problem for you... You must be doing something wrong... You're not setting
> a firewall/ids up correctly...." I know I am not the only person who thinks
> this is a serious issue.
>
> ~Noah
>
> On Nov 16, 2012, at 7:30 PM, Tony Graziano <[email protected]> wrote:
>
> That is with ssh open or available from the outside.
>
> I still suggest a JIRA...
>
> On Nov 16, 2012 6:41 PM, "Noah Mehl" <[email protected]> wrote:
>
> I would also like to mention:
>
> This works for any port, including SIP. There might be huge amounts of SIP
> piracy across people's servers.
>
> ~Noah
>
> On Nov 16, 2012, at 6:27 PM, Alan Worstell <[email protected]> wrote:
>
> What Noah is posting about is correct. SMTP is listening on 127.0.0.1.
> However, if you use SSH port redirection, from an outside host you can
> forward your remote 127.0.0.1:25 to your own 127.0.0.1:25. I just tested
> this with a development 4.6 server we have, from a system completely
> off-network:
>
> ssh -vN PlcmSpIp@{IP_OF_SIPX_SERVER} -L 25:127.0.0.1:25
>
> After entering the password PlcmSpIp, I could telnet 127.0.0.1 25 and send
> mail. I would consider that to be a pretty large security flaw, as every sipx
> server out there that has SSH Password logins allowed to the world can be
> used as spam relays.
>
> Regards,
>
> Alan Worstell
> A1 Networks - Systems Administrator
> VTSP, dCAA, LPIC-1, Linux+, CLA, DCTS
> (707)570-2021 x204
> For support issues please email [email protected] or call 707-703-1050
>
> On 11/16/12 3:17 PM, Tony Graziano wrote:
>
> can you provide the output of: lsof -i | grep LISTEN
>
> and post what SMTP is listening to?
>
> On Fri, Nov 16, 2012 at 6:11 PM, Noah Mehl <[email protected]> wrote:
>
> This is my problem:
>
> You are arguing with me when you don't understand how SSH port forwarding
> works.
>
> In the exploit I've illustrated, the port is tunneled via SSH. Then on the
> remote machine (the sipxecs server) the traffic originates as LOCALHOST.
> That's why it's an OOTB security flaw.
>
> I have not made changes to the smtp config.
>
> ~Noah
>
> On Nov 16, 2012, at 6:02 PM, "Tony Graziano" <[email protected]> wrote:
>
> There is that too. I keep bringing it up but he skips over it.
>
> In a default sipx installation, the output shows:
>
> sendmail TCP localhost.localdomain:smtp (LISTEN)
>
> and there are no other entries related to SMTP. So again, something is
> different here than in all the others (remember that kids' game?). Why is your
> installation different? Why is SMTP open to begin with? Why is SMTP open on
> your system and no one else's?
>
> I still don't agree with your assessment. It is the way your firewall and/or
> sendmail is configured to begin with that is not consistent with the way the
> system is used. Security is the admin's and certainly port SSH forward can be
> turned off and the user can be denied. I don't think it very helpful to make
> changes to secure a system if someone keeps opening holes or changing smtp
> configs and then opening another case that the system is not secure enough...
> I'm just saying. You still have neglected to explain why SMTP is open from
> waaaayyyy back in this thread.
>
> Realize the developers list are some of the same people here (I won't
> dissuade you from posting to that list, or opening a JIRA) but realize
> it can be discussed and decided there is no problem and a change is not
> warranted, only an implementation decision gone awry. On the other hand, if
> enough people agree those are two things that can be done by default "in the
> event someone decides to open SMTP". I'm not a fortune teller.
>
> I think it took a lot of your time to find it and to bring it up, and I think
> it's worthy of consideration though.
>
> On Fri, Nov 16, 2012 at 5:50 PM, Noah Mehl <[email protected]> wrote:
>
> Hey! FINALLY, I got some information that's actually useful to me!!! Where
> is the JIRA link where I can post a bug? Is there a different mailing list
> for Sipxecs dev?
>
> No, my argument is that two users are created by the SipXecs install: PlcmSpIp
> and lvp2890. These users have passwords set in the /etc/shadow from the
> install script.
>
> I do not believe that this is a Redhat/Centos problem, because they DO NOT
> ship system users with passwords in /etc/shadow. Or any user with a password
> in /etc/shadow except for the password one sets for root during install, and
> the password for the first user during install.
>
> Since SipXecs install creates these users, and thereby creates the security
> issue, part of the user creation should deny those users access to ssh in the
> sshd_config. That's the only part of this scenario that isn't secure. I
> will be happy to submit a bug, etc...
>
> As it happens, I'm not the first person to be hacked because of this:
> http://www.mail-archive.com/[email protected]/msg04471.html And
> it's highly likely that many people have been bitten by this, and no one knew
> what the cause was.
>
> This serves as a warning to ALL SipXecs 4.4.x users:
>
> 1. If you have SipXecs 4.4.x
> 2. You still have the PlcmSpIp and lvp2890 users, with unchanged password
> (which you would by default, not knowing they had been added to your server)
> 3. Anyone has SSH port access to the server
> 4. Then you are wide open
>
> I don't care how one solves the issue, we have 3 solutions so far:
>
> 1. Disable or heavily restrict all ssh access to the machine
> 2. DenyUsers PlcmSpIp lvp2890 in /etc/ssh/sshd_config
> 3. AllowTcpForwarding no in /etc/ssh/sshd_config
>
> I prefer method 2 because I don't want to remove a useful tool in my arsenal
> (ssh port forwarding), and I don't want to change the default passwords
> (because of provisioning stock phones). But I HIGHLY suggest everyone takes a
> quick look at their settings, because I bet a lot of people are susceptible
> to this. Thanks.
>
> ~Noah
>
> On Nov 16, 2012, at 5:37 PM, Tony Graziano <[email protected]> wrote:
>
> You do realize the other side of this argument is that SSH forwarding is
> enabled by default on Redhat/Centos and that since you have SSH available to
> the public at large it also makes this an effective use of your system.
>
> I think the place for you to ask for a change is submitting a JIRA and
> posting a link on the users and dev groups so people can comment and/or vote
> for this change...
>
> add in /etc/ssh/sshd_config by default:
>
> AllowTcpForwarding no
> DenyUsers PlcmSpIp
>
> On Fri, Nov 16, 2012 at 5:24 PM, Noah Mehl <[email protected]> wrote:
>
> Shall I make a screencast to explain?
>
> ~Noah
>
> On Nov 16, 2012, at 5:20 PM, Noah Mehl <[email protected]> wrote:
>
> Gerald.
>
> That's the security hole. I AM ABLE TO CONNECT TO THE LOCAL SMTP SERVICE ON
> THE SIPXECS SERVER via SSH remotely using the default user/pass of PlcmSpIp,
> utilizing ssh port forwarding.
>
> ~Noah
>
> On Nov 16, 2012, at 5:17 PM, Gerald Drouillard <[email protected]> wrote:
>
> On 11/16/2012 1:57 PM, Noah Mehl wrote:
>
> Does nobody on the list know what SSH port forwarding is? I am running the
> first two commands from a remote machine (connecting to the sipxecs machine)
> in separate terminals to forward my local 25 port to the sipxecs box, and the
> 25 port on the sipxecs box locally. The third command is run locally on the
> remote machine. This exploit gives the remote machine access to port 25 on
> the SipXecs box even if all other ports are blocked. This could be used for
> any port that is blocked by firewall, ids, etc, if the remote machine has ssh
> access to the sipxecs box.
>
> ~Noah
>
> Do you understand that if your sipx smtp server is only running on localhost
> that you will not be able to connect to it via telnet/ssh/whatever?
>
> --
> Regards
> --------------------------------------
> Gerald Drouillard
> Technology Architect
> Drouillard & Associates, Inc.
> http://www.Drouillard.biz
>
> _______________________________________________
> sipx-users mailing list
> [email protected]
> List Archive: http://list.sipfoundry.org/archive/sipx-users/
>
> --
> ~~~~~~~~~~~~~~~~~~
> Tony Graziano, Manager
> Telephone: 434.984.8430
> sip: [email protected]
> Fax: 434.465.6833
> ~~~~~~~~~~~~~~~~~~
> Linked-In Profile: http://www.linkedin.com/pub/tony-graziano/14/4a6/7a4
> Ask about our Internet Fax services!
> ~~~~~~~~~~~~~~~~~~
>
> Using or developing for sipXecs from SIPFoundry? Ask me about sipX-CoLab 2013!
> <http://sipxcolab2013.eventbrite.com/?discount=tony2013>
>
> LAN/Telephony/Security and Control Systems Helpdesk:
> Telephone: 434.984.8426
> sip: [email protected]
>
> Helpdesk Customers: http://myhelp.myitdepartment.net
> Blog: http://blog.myitdepartment.net
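Matt's "lastlog -u" check tells you whether the two accounts have already been used; what the thread does not give you is a way to check the configuration side of the three fixes it lists (DenyUsers, AllowTcpForwarding no, or a locked/changed password). The script below is an added example written for this page, not code from the thread or from the sipXecs project. It audits an sshd_config and a shadow file for the PlcmSpIp and lvp2890 accounts and reports "exposed" when an account still has a usable password and nothing in the config stops it from logging in and forwarding a port. All file contents are constructed samples written to temp files (the hashes are placeholders); the function names, the "exposed"/"ok" verdicts, and the assumption that only the global section of sshd_config matters (Match blocks are not parsed) are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread or from sipXecs: audit whether the
# two accounts the thread says the 4.4 installer creates (PlcmSpIp, lvp2890)
# can still log in over SSH and open a forwarded port. Every file below is a
# constructed sample written to a temp file; on a real box point the functions
# at /etc/ssh/sshd_config and /etc/shadow instead (as root).

SIPX_USERS="PlcmSpIp lvp2890"

# 0 if USER appears on a DenyUsers line in CONFIG. Only the global section is
# considered; Match blocks are not parsed (an assumption of this example).
user_denied() {
    grep -Ei '^[[:space:]]*DenyUsers[[:space:]]' "$1" \
        | tr ' \t' '\n\n' | grep -qx "$2"
}

# 0 if CONFIG sets AllowTcpForwarding no globally (the OpenSSH default is yes,
# which is why a commented-out line does not count).
forwarding_disabled() {
    grep -Eiq '^[[:space:]]*AllowTcpForwarding[[:space:]]+no([[:space:]]|$)' "$1"
}

# 0 if USER has a usable hash in SHADOW: second field present and not a
# locked marker ('!', '!!', '!$6$...') or a no-login marker ('*').
has_password() {
    pw=$(awk -F: -v u="$2" '$1 == u { print $2; exit }' "$1")
    case "$pw" in
        ''|'!'*|'*'*) return 1 ;;
        *)            return 0 ;;
    esac
}

# user_status CONFIG SHADOW USER: prints "exposed" when USER has a password
# and CONFIG neither denies the login nor disables forwarding, else "ok".
user_status() {
    if has_password "$2" "$3" && ! user_denied "$1" "$3" \
        && ! forwarding_disabled "$1"; then
        echo exposed
    else
        echo ok
    fi
}

DEFAULT_CFG=$(mktemp); HARDENED_CFG=$(mktemp); NOFWD_CFG=$(mktemp); SHADOW=$(mktemp)
trap 'rm -f "$DEFAULT_CFG" "$HARDENED_CFG" "$NOFWD_CFG" "$SHADOW"' EXIT

# Constructed: the situation the thread describes (no DenyUsers, forwarding
# left at its default).
cat >"$DEFAULT_CFG" <<'EOF'
Port 22
PasswordAuthentication yes
#AllowTcpForwarding yes
EOF

# Constructed: solution 2 from the thread, the one Noah prefers.
cat >"$HARDENED_CFG" <<'EOF'
Port 22
PasswordAuthentication yes
DenyUsers PlcmSpIp lvp2890
EOF

# Constructed: solution 3 from the thread (keeps the logins, kills the tunnel).
cat >"$NOFWD_CFG" <<'EOF'
Port 22
AllowTcpForwarding no
EOF

# Constructed shadow fragment; the hashes are placeholders, not real ones.
cat >"$SHADOW" <<'EOF'
root:$6$placeholder$rootHASH:15650:0:99999:7:::
PlcmSpIp:$6$placeholder$polycomHASH:15650:0:99999:7:::
lvp2890:$6$placeholder$lvpHASH:15650:0:99999:7:::
bin:*:15650:0:99999:7:::
locked:!!:15650:0:99999:7:::
EOF

for cfg in "$DEFAULT_CFG" "$HARDENED_CFG" "$NOFWD_CFG"; do
    for u in $SIPX_USERS; do
        printf '%s: %s -> %s\n' "$cfg" "$u" "$(user_status "$cfg" "$SHADOW" "$u")"
    done
done
```

On a live 4.4 host run it as root and replace the temp files with `user_status /etc/ssh/sshd_config /etc/shadow PlcmSpIp` (and the same for lvp2890); an "exposed" verdict means the ssh -L trick Alan and Noah describe still works against that box, and Matt's `lastlog -u` check is the next thing to run.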
