Security Issues

Hi Loren,

I guess you are running your Allstar node on a virtual server. I do the same and have found bouts of activity from Chinese IP addresses and other countries. Mostly SIP attempts, but also SSH.

If you do not use SIP then unload it and set your IPTABLES to block that port.

As for the SSH, this will probably not be a targeted attack, more that they are targeting the block of IP addresses yours is in. If you have specific IP addresses you connect from then you can lock connections to those IPs, plus install fail2ban as mentioned and ensure there is a secure password, and you should be ok. You could also enable port knocking: http://en.wikipedia.org/wiki/Port_knocking

As for the 3101702 connection, is that not an Echolink node?

http://ns2.s13avahost.net/repeaters/echolink/node_status.php?node=CX4BBH#sthash.n00kxN55.32DNtjrl.dpbs

Hope that helps.

Jon

2E0RFU


Jon Byrne
email@jonbyrne.com
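The fail2ban behaviour Jon and Ken describe (count failed SSH logins per source and act once a source passes the retry limit), as an added illustration that is not part of any post in this thread. It runs against constructed auth.log lines embedded in the script; MAXRETRY, SAMPLE_LOG and the function names are my own.

```shell
#!/bin/sh
# Added example, not from any post in the thread: the core of fail2ban's sshd jail as a
# shell/awk filter, so the per-source counting and the retry threshold are visible.
# MAXRETRY=3 matches the default Ken mentions. Function and variable names are mine.
MAXRETRY="${MAXRETRY:-3}"

# Constructed auth.log excerpt in OpenSSH's "Failed password" format; the addresses are
# documentation ranges, not real sources.
SAMPLE_LOG='Sep 24 21:01:02 node sshd[2101]: Failed password for root from 198.51.100.7 port 40112 ssh2
Sep 24 21:01:05 node sshd[2101]: Failed password for root from 198.51.100.7 port 40113 ssh2
Sep 24 21:01:09 node sshd[2104]: Failed password for invalid user admin from 198.51.100.7 port 40120 ssh2
Sep 24 21:02:11 node sshd[2110]: Accepted publickey for loren from 203.0.113.5 port 51000 ssh2
Sep 24 21:03:40 node sshd[2115]: Failed password for invalid user test from 192.0.2.44 port 33001 ssh2
Sep 24 21:03:44 node sshd[2115]: Failed password for invalid user test from 192.0.2.44 port 33002 ssh2'

# Read log lines on stdin; print "failures ip" for each source with at least one failed
# password, sorted by address. Only sshd lines count, so noise from other daemons is ignored.
count_failures() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i + 1)]++; break }
         }
         END { for (ip in fails) print fails[ip], ip }' | sort -k2
}

# Sources at or above the retry limit: the ones fail2ban would ban for its bantime
# (by default with an iptables REJECT rule, which is why the packets of a flood still
# arrive and are processed, as Joe points out later in the thread).
ban_candidates() {
    count_failures | awk -v max="$MAXRETRY" '$1 >= max { print $2 }'
}

# Number of distinct sources that failed at least once (a handy denominator).
failing_sources() { count_failures | awk 'END { print NR }'; }

printf '%s\n' "$SAMPLE_LOG" | ban_candidates
```

Feed a real log with `ban_candidates < /var/log/auth.log` to see which sources fail2ban would already have acted on.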

On 25 September 2014 08:43, Ken Boyle ken@kc2idb.net wrote:

You could also install fail2ban. By default it allows three failed password attempts. Then it temporarily bans the IP address.

On Sep 24, 2014 10:43 PM, Doug Crompton doug@crompton.com wrote:

I assume you have the linux box behind a router? If so, why would you have sip even routed to your linux box if you are not using it? Routers make good firewalls. The only things you should have routed are 4569 (udp) and 222 (tcp), and neither has to be routed. 4569 would only need to be routed if you wanted to accept incoming connections. Outgoing would work fine without it. 222 would only be needed for administration.

From what you are saying you obviously must not have a front-end (router firewall etc.) on your system. It sounds like you are just hanging on the raw Internet!! Some people go the easy route and put things in the DMZ of their routers, which does open them up to the world. I went into an Allstar system this week to help with setup and I immediately knew it was on the DMZ. In the Asterisk client I was getting sip messages left and right. I unloaded the sip module and they went away. Not the right way to do it though, as it should not be on the DMZ to begin with. Simply not having a sip.conf file does not prevent sip traffic!!!

Assuming you have a router there should be no need to disable sip, as it is never going to get to your box unless you port forward it there. It would be a good idea though to not load the code for it if you are not using it. A noload=chan_sip.so in modules.conf would take care of that.

Most good routers also allow you to specify specific IP addresses or blocks of IP addresses to disallow. If there is a specific foreign block, say in China, that you can identify, you could probably block it.

So the bottom line is you could make your linux system totally unavailable to the outside world by just not forwarding any ports. The downside is no one could connect to you (sometimes desirable) and you could not remotely administer your system.

73 Doug

WA3DSP

http://www.crompton.com/hamradio
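Doug's advice in script form, as an added example rather than anything from the thread: expose only 4569/udp and 222/tcp, the latter from an admin allow-list, and confirm chan_sip is noloaded in modules.conf. ADMIN_CIDRS holds constructed documentation-range addresses; build_rules, accept_count and sip_noloaded are names of my own.

```shell
#!/bin/sh
# Added example, not from the thread: generate a host firewall for an Allstar/Asterisk node
# that admits only what Doug lists, IAX2 on 4569/udp and SSH on 222/tcp, the latter only
# from an admin allow-list. Assumption: SSH listens on 222; ADMIN_CIDRS holds constructed
# documentation-range addresses and must be replaced with the operator's own.
ADMIN_CIDRS="${ADMIN_CIDRS:-203.0.113.0/24 198.51.100.10/32}"

# Emit the ruleset in iptables-restore format. Printing rather than applying lets it be
# reviewed first; as root, `build_rules 222 > /etc/iptables/rules.v4` followed by
# `iptables-restore < /etc/iptables/rules.v4` puts it in place.
build_rules() {
    ssh_port="${1:-222}"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p udp --dport 4569 -j ACCEPT
EOF
    for cidr in $ADMIN_CIDRS; do
        printf -- '-A INPUT -p tcp -s %s --dport %s -j ACCEPT\n' "$cidr" "$ssh_port"
    done
    # SIP never gets an ACCEPT: the default DROP policy covers 5060/5061 and the RTP range.
    echo COMMIT
}

# Count exposed ACCEPT rules so an accidental extra opening is visible at a glance.
accept_count() { build_rules "$1" | grep -c -- '-j ACCEPT'; }

# Doug's point that deleting sip.conf does not stop SIP traffic: the module must be
# noloaded. Returns 0 if the given modules.conf has the line, 1 otherwise.
sip_noloaded() { grep -Eq '^[[:space:]]*noload[[:space:]]*=[[:space:]]*chan_sip\.so' "$1"; }

build_rules 222
```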


Date: Wed, 24 Sep 2014 20:52:22 -0500

From: lorentedford@gmail.com

To: app_rpt-users@ohnosec.org

Subject: [App_rpt-users] Security Issues

Hey, it’s Loren here again…

Was curious what everyone found was the most substantial security risk with an Acid installation connected to two repeaters… The sip.conf was deleted from the asterisk folder… Noticed a strange node connection that didn’t match Allstar’s normal node numbers, 3101702, and also found something with x.allstarlink.org in it; anybody know what this is?? Anyway my Linode server has been under constant attack from China; they keep wanting to ssh into the server. We had to drastically beef up things on the server such as changing the whole root user issue and moving to another port number etc… Any thoughts or ideas? Did I just become a victim of a SIP attack too, besides 19 DDoS attacks this week already and over a million failed ssh attempts into my personal Linode server…

Loren Tedford (KC9ZHV)

Email: lorentedford@gmail.com

http://www.lorentedford.com

http://www.Ltcraft.net

http://www.richlandcountycomputers.com

http://kc9zhv.lorentedford.com

_______________________________________________ App_rpt-users mailing list App_rpt-users@ohnosec.org http://ohnosec.org/cgi-bin/mailman/listinfo/app_rpt-users To unsubscribe from this list please visit http://ohnosec.org/cgi-bin/mailman/listinfo/app_rpt-users and scroll down to the bottom of the page. Enter your email address and press the “Unsubscribe or edit options button” You do not need a password to unsubscribe, you can do it via email confirmation. If you have trouble unsubscribing, please send a message to the list detailing the problem.



I guess I’m worried about some of the ‘security’ comments being shared here… First of all, if there is a service that is not used, it should be disabled. Firewall or no firewall… It’s somewhat like locking the doors of your car, but leaving the convertible top down… Second, while fail2ban would stop the potential ‘hacker’ from potentially reaching the service or application itself, the incoming packet/frame still has to be processed to find out if it should be banned, dropped or allowed… So a DoS or DDoS attack is not squelched…

A couple of things to recommend: use some sort of two-factor authentication on your SSH users. Google auth is free and works well… Find yourself a password generator and make strong passwords (like 32 characters)… Disable any service that is not critical for the operation of the intended use… I recommend all of these, and best of all, ALL of this can be done for FREE! Installation and setup can readily be found online…

-Joe

KA3NAM

On 9/25/2014 9:06 AM, Jon Byrne wrote:


And of course, simple things like:

Don’t allow the root user to login via ssh. Hey, doing the su/sudo thing from a different login account doesn’t take all that much time.

Change the ssh port to something oddball. I’ve even stopped using 222 as it’s somewhat common.

When setting a password, if it tells you it’s in the dictionary, use something else. No matter how “cool” or “easy” it is.

At the very least, close off ALL the normal SIP ports. If you MUST use SIP for some godforsaken reason, move it to oddball ports.

Consider moving your IAX port to something non-standard.

Even with a router with appropriate security, I’ve considered putting up an RPi as a site SSH gateway. So that the Asterisk boxes are only exposed to the outside world on the IAX port. Forward whatever port I’m using for SSH to the RPi, log into it, and from there to the other machines at the site. Might even be a convenient place to run AllMon…

Why do I say all this… I violated all of those suggestions due to over confidence, and laziness. It took them several years, but they got in. At first “all” they did was disable cron, and later remove it. Further on, they changed the root password. Still not sure what they were up to. They did nothing to Asterisk. When building the new machine, I took better precautions.

In the long view… it’s kind of like what a cop told us when he came to investigate a break-in at our club site years ago.

"You can’t keep them out. So do all you can to slow them down…"

Robert A. Poff
Loganville, PA.

1983 Hunter 34

Havre de Grace, MD

“Lieutenant, target the offending power boat and launch photon torpedoes”
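An audit script for the SSH points Joe and Robert make (no root login, an oddball port, no password-only logins, Google Authenticator two-factor), added here and not from either post. It reads an sshd_config and the sshd PAM file passed as arguments; the constructed weak and hardened sample files and the function names are assumptions of mine.

```shell
#!/bin/sh
# Added example, not from either post: audit an sshd_config (and the sshd PAM file) against
# the points Joe and Robert make. Paths are arguments so a copy can be checked; the sample
# files below are constructed and the function names are mine.

# Effective value of an sshd_config keyword: the first occurrence wins, as in sshd itself.
sshd_value() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Return 0 when every check passes; otherwise print one FAIL line per problem and return 1.
audit_sshd() {
    cfg="$1"; pam="$2"; rc=0
    [ "$(sshd_value "$cfg" PermitRootLogin)" = "no" ] \
        || { echo "FAIL: PermitRootLogin should be no (use su/sudo from another account)"; rc=1; }
    port="$(sshd_value "$cfg" Port)"
    case "$port" in
        ""|22|222) echo "FAIL: Port ${port:-22} is the default or a common alternative"; rc=1 ;;
    esac
    [ "$(sshd_value "$cfg" PasswordAuthentication)" = "no" ] \
        || { echo "FAIL: password-only logins are still allowed"; rc=1; }
    # Two-factor: a key plus a one-time code, and the PAM module actually wired in for sshd.
    [ "$(sshd_value "$cfg" AuthenticationMethods)" = "publickey,keyboard-interactive" ] \
        || { echo "FAIL: AuthenticationMethods should be publickey,keyboard-interactive"; rc=1; }
    grep -q '^auth[[:space:]].*pam_google_authenticator\.so' "$pam" \
        || { echo "FAIL: pam_google_authenticator.so is not enabled in $pam"; rc=1; }
    return "$rc"
}

# Constructed sample files: a lax setup and a hardened one.
TMPD="$(mktemp -d)"
printf 'Port 22\nPermitRootLogin yes\nPasswordAuthentication yes\n' > "$TMPD/weak.conf"
: > "$TMPD/weak.pam"
cat > "$TMPD/hard.conf" <<'EOF'
Port 48022
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
EOF
echo 'auth required pam_google_authenticator.so' > "$TMPD/hard.pam"

for name in weak hard; do
    if audit_sshd "$TMPD/$name.conf" "$TMPD/$name.pam"; then
        echo "$name: all checks passed"
    fi
done
```

Run it against the live files with `audit_sshd /etc/ssh/sshd_config /etc/pam.d/sshd` before and after each change so nothing from Robert's list is skipped.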