Hall of Shame

These hackers are low-lives who waist their life stealing and cheating others and gain absolutely nothing from it, and are running away from the government their entire life.

What's the best way to secure the extension passwords besides having them randomly generated, and in a situation where VPN and IP filter can't really be used? Many of us face these types of issues.

I also read about two years ago in a PC World magazine that people have been able to hack into VoIP conversations and listen in- and since there is no way out of this unless you have a VPN between your box and your voip proxy's box, everyone is vulnerable

By the way, for those reading this post, one way to secure extensions while port 5060 is opened due to VoIP provider requirements is to go to each extension that is on the same network as the trixbox, and change nat=yes to nat=never
This will forbid anyone outside the trixbox network to register this extension.

Chris, I couldn't agree more with what you stated.

Just a comment, however, until asterisk 1.6 and sip over tcp with TLS is released, isn't there that "brute force" program that many hackers use? I know nothing at all about it, and it may only be linux related (to gain root access). But if it technically works with everything, can't hackers gain access with this method? Or am I just being paranoid and these things only happen once every few years when super strong passwords are used?

Also, I know that with http and ftp, passwords are sent in plain texts and hackers can gain control. Does this apply to SIP as well? If so, is there any other way for the meantime to add security to the asterisk boxes?

Chris, the fail2ban sounds like a good program for asterisk. I will definitely test this out. Thanks for the info!
I hope it also works for IAX2 and root by the way. And it would be great if certain IPs can be overridden so that there wont be problems if I accidentally type the wrong password when trying to link two trixboxes together, or whatever the case may be.

16again,

Sorry, I forgot to mention using SRTP (Secure Realtime Transfer Protocol) for encrypting the audio portion of the call, between SIPS and SRTP the conversation should be protected (since the RTP secret is exchanged via SIP, which is now encrypted...)

ja133,

You should be able to setup fail2ban to monitor just about anything in asterisk, as well as your other services. I actually use apf/bfd using Engineer Tim's guide, for the basics, including root, ssh, and other stuff, and then fail2ban for monitoring asterisk. It's probably overkill by far, but lets me sleep well at night. Engineer Tim wrote up a guid on securiing trixbox CE (can't find the link right now) and I used the wiki here:

http://www.voipinfo.org/wiki/index.php?page_id=5348

to setup fail2ban. It's works like a champ.

-Chris

One for the list

74.208.8.5 this ip has tried 100s of times.

Thanks for all the hard work of everyone that helped bring fail2ban to the community - this is a HUGELY important tool for securing the boxes against the bastard Crackers!

Greg

To point out that you can distribute a list of IPs to other apf/bfd machines. I have a list http://engineertim.com/engineertim-bfd.txt that I distribute to my other hosts over http. This list is almost all IPs that tried to brute force over SSH. In apf you can add a URL to the confi.apf file and apf is setup to reload the rules every 10 minutes. So as soon as a system attacks or I add a ip address, then it gets auto distributed to the rest of my hosts, not just my trixbox installs. This is my own personal list of shame. This list in the link is just a example, do not link to it.

Thank you,
Engineer Tim

I am no longer a representative of trixbox and my opinions are expressed as my own. In other words...I have free will again.
http://engineertim.com

Can you please provide the references that you personally used to install fail2ban? I would like to install it but I want to install it the correct way.

I also hope that this blends in with iptables.

TDF: "Why overcomplicate it making lists and banning IPs forever when most of these IPs are proxies, dynamic IPs or compromised machines, and are only a threat temporarily. The only list you need is the one fail2ban makes for itself after the third attempt, set it and forget it."

Couldn't agree more. Fail2Ban 0.8.3 is an incredibly versatile product that, when combined with good passwords and an iptables firewall, provides a very secure computing environment.

I am NOT doing a very good job of pitching the use of APF and BFD so here goes one last time. APF does way more than just firewalling. Here is some of the features it does from the website ( http://rfxnetworks.com/apf.php )
: Summary of features:
- detailed and well commented configuration file
- granular inbound and outbound network filtering
- user id based outbound network filtering
- application based network filtering
- trust based rule files with an optional advanced syntax
- global trust system where rules can be downloaded from a central management server
- reactive address blocking (RAB), next generation in-line intrusion prevention
- debug mode provided for testing new features and configuration setups
- fast load feature that allows for 1000+ rules to load in under 1 second
- inbound and outbound network interfaces can be independently configured
- global tcp/udp port & icmp type filtering with multiple methods of executing filters (drop, reject, prohibit)
- configurable policies for each ip on the system with convenience variables to import settings
- packet flow rate limiting that prevents abuse on the most widely abused protocol, icmp
- prerouting and postrouting rules for optimal network performance
- dshield.org block list support to ban networks exhibiting suspicious activity
- spamhaus Don't Route Or Peer List support to ban known "hijacked zombie" IP blocks
- any number of additional interfaces may be configured as firewalled (untrusted) or trusted (not firewalled)
- additional firewalled interfaces can have there own unique firewall policies applied
- intelligent route verification to prevent embarrassing configuration errors
- advanced packet sanity checks to make sure traffic coming and going meets the strictest of standards
- filter attacks such as fragmented UDP, port zero floods, stuffed routing, arp poisoning and more
- configurable type of service options to dictate the priority of different types of network traffic
- intelligent default settings to meet every day server setups
- dynamic configuration of your servers local DNS revolvers into the firewall
- optional filtering of common p2p applications
- optional filtering of private & reserved IP address space
- optional implicit blocks of the ident service
- configurable connection tracking settings to scale the firewall to the size of your network
- configurable kernel hooks (ties) to harden the system further to syn-flood attacks & routing abuses
- advanced network control such as explicit congestion notification and overflow control
- special chains that are aware of the state of FTP DATA and SSH connections to prevent client side issues
- control over the rate of logged events, want only 30 filter events a minute? 300 a minute? - you are the boss
- logging subsystem that allows for logging data to user space programs or standard syslog files
- logging that details every rule added and a comprehensive set of error checks to prevent config errors
- if you are familiar with netfilter you can create your own rules in any of the policy files
- pluggable and ready advanced use of QoS algorithms provided by the Linux
- 3rd party add-on projects that compliment APF features

Now, to install it is so simple a cave man can do it. There are no additional libraries nothing except the tar file is needed, and IPTABLES of course. It does QoS, and TONS AND TONS more right out of the box. Adding BFD to the combination just makes this the perfect product for this type of thing. If I can't get at least one person to try this then I am going to scream.

TDF,
I don't get your post. It is not a simple problem. Just having passwords that are unbreakable is not the solution, security by obscurity? If you have someone trying to make 100's if not 1000's of connection attempts to your server for login attempts then there is going to be a problem even if they don't get in. Not only that but blocking these people and keeping track of the ip's is very very important. Who cares if they are on a proxy and can switch their ip, block the whole CIDR. I don't get where everyone thinks a ounce of prevention is not worth it. I would rather not have anyone attempting to login to my ports at all and then only open certain ranges like a real firewall should. I can do this with APF easily. But to say that blocking it for a few hours or days is ample, I feel this is wrong.

By building a database of known proxies, relays, etc.. you add a layer of protection that you can take out of the realm of possibility. Hell, I would love to know all of the open proxies that are out there. I would block them all. I know my customers don't use them to connect to my phone systems. It is called preventative maintenance and I hope everyone understands what I am talking about. If you don't have the luxury of having a high end firewall device that can do what really needs to be done, then you can at least make yourself a little more protected by pre-blocking any ip address that are known to be a issue in the wild.

God, I really hope that came out clear and concise. It is very important to me to get these IP addresses so they can be blocked before they even get a chance to see my server.

Thank you,
Engineer Tim
I am no longer a representative of trixbox and my opinions are expressed as my own. In other words...I have free will again.
http://engineertim.com

I just posted TDF's modified Fail2Ban Install Guide. You can view it at

http://www.necits.com/misc/fail2ban.html
http://www.necits.com/misc/fail2ban.pdf

Engineer Tim,

Like I said in an earlier post, I think the apf/bfd is great, I use it to do the heavy lifting on my system, I just run fail2ban ALSO (they both co-exist peacefully on the same system). I personally used your "securing trixbox CE" guide to get the brunt of my tweaks done. So don't go pulling your hair out, your message has been heard loud and clear (at least by me!). I think the combination of the RBL's for apf and the dynamic blocking by fail2ban are the perfect combination. I could probably simplify the install by modifying bfd to monitor my asterisk logs, but I haven't had the chance to play with that yet.

-Chris

apf caught a couple more last night. 204.10.104.89 which is tied to AccelerateBiz Inc. & Dakmart, & 84.126.212.155 in Spain.

When I can trace an attack back to real companies such as those posing as a VoIP provider they get their whole subnet permanently banned at the firewall for all services. One of last night's attackers has earned that distinction alongside a slowly growing list of rogue networks.

Stupid question, but with fail2ban should we add an exception to the IP addresses that our voip providers use? Please explain why or why not.

Voip providers such as Bandwidth.com send incoming calls directly to your static IP, therefore not requiring a trunk registration. That's what I am trying to ask you here.