Proxmox Web Security Issue

darmock

PIAF Developer
Joined
Oct 18, 2007
Messages
2,892
Reaction score
98
Ethan, I am not quite sure what you are stating/asking.

Ward was simply stating that the dev team has not YET heard from someone, directly, running our distro having been attacked with this particular problem. We are trying to gain more information about what exactly the exploit is/was. Unfortunately information is kind of sparse and the actual mechanism seems to be unknown. However, if you have some knowledge beyond what is floating around various forums (including CentOS), please enlighten us.

We prefer to work with our own PIAF based systems that have been compromised in a similar fashion. I suppose that some will cry foul that we prefer to work with our own distro and not the others but it is what it is.

Several solutions have been suggested based on anecdotal evidence and we currently have those solutions implemented in alpha testing. We are also going ahead with some other hardening for our distro that has been in long term planning for a while.

Still, the question remains: how do you test a system that has been hardened with an anecdotal solution in response to an anecdotal problem when you really don't know how the problem occurred originally?

Enjoy


Tom
 

newvoiper

Member
Joined
Nov 20, 2010
Messages
94
Reaction score
25
To temporarily disable Travelin' Man, SSH or log in to your server as root and issue this command:

iptables -D INPUT -p tcp -m tcp --dport 83 -j ACCEPT

To enable Travelin' Man,

iptables -A INPUT -p tcp -m tcp --dport 83 -j ACCEPT

All Travelin' Man entries including either of the above are erased by doing:

service iptables restart

So... for the time being, the secure way to use Travelin' Man would be to disable access as the default (as shown above).

When you need to modify a Travelin' Man IP remote address, SSH into your server, enable Travelin' Man (as shown above), run the Travelin' Man web app to set the new IP address, and then disable Travelin' Man again via SSH (as shown above).

Ward, thank you very much for explaining the safest way to work with Travelin' Man until more is known!
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,168
Reaction score
5,199
Getting Down in the Weeds

Our personal preference is to leave the IPtables setup in place and create a WhiteList of IP addresses on a hardware-based firewall. In this way, you can use a browser to...

1. Add a new IP address (or range(s) of IP addresses) for access to Travelin' Man on TCP port 83
2. Add new IP address (or range(s) of IP addresses) for remote phone on UDP 5060, 10000-20000, and whatever else you need
3. Run the Travelin' Man web app which sets up new white list entries for remote phone in IPtables and Asterisk

The dLink Gaming Routers, for example, let you set up lists of IP addresses including flexible ranges of IPs. You then name them, for example: SanDiegoHotels or BeachHouse.

Now you have 2 layers of WhiteList security and a much more flexible way to manage all of it with just a browser. This also handles hosting providers that use Dynamic DNS. For example, our provider in the mountains changes IP addresses about as often as teenagers take showers. We rarely have to fiddle with the address range now that we figured out the high end and low end IP addresses. Hope this helps.
 

eCase

New Member
Joined
Jan 26, 2011
Messages
161
Reaction score
0
Darmock: "We are trying to gain more information about what exactly the exploit is/was. Unfortunately information is kind of sparse and the actual mechanism seems to be unknown."

I didn't realize that the exploit itself was not yet discovered, and instead what was known were the results of the exploit.
(Even though Ward clearly stated such in the post)

Sometimes I miss what is right in front of me ;)

:) I still think the fan club idea is golden - just premature at present :)
 

markb1439

New Member
Joined
Jun 8, 2010
Messages
96
Reaction score
0
Disable Web Access

What is the recommendation for a client with multiple operators using Flash Operator Panel 2? They rely on this, which unfortunately is accessed via web.
 

markb1439

New Member
Joined
Jun 8, 2010
Messages
96
Reaction score
0
You can implement a whitelist of safe IP addresses for web access using IPtables or your hardware-based firewall. We will post a HOW-TO shortly.

This will be very helpful.
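As an added example (not the HOW-TO Ward mentions, and not PIAF's own code), a POSIX shell script that puts the web ports from this thread (Travelin' Man on 83, the web GUI on 80/443) behind an iptables whitelist kept in its own chain, so it can be rebuilt without touching the rest of INPUT. The chain name and the 203.0.113.0/24 and 198.51.100.7 sample addresses are constructed for the example; set IPTABLES=echo to print the rules instead of applying them.

```shell
#!/bin/sh
# Added example: restrict TCP web ports to a whitelist of source addresses.
# Rules are applied with the command in $IPTABLES; IPTABLES=echo gives a dry run.
IPTABLES="${IPTABLES:-iptables}"
CHAIN="WEBWHITELIST"            # chain name chosen for this example

# web_whitelist "CIDR CIDR ..." "PORT PORT ...": rebuild $CHAIN so that only the
# listed sources may reach the listed TCP ports; every other source is dropped.
web_whitelist() {
    sources="$1"; ports="$2"
    [ -n "$sources" ] && [ -n "$ports" ] || return 1
    dports="$(printf '%s' "$ports" | tr ' ' ',')"     # "80 443 83" -> "80,443,83"
    $IPTABLES -N "$CHAIN" 2>/dev/null || true          # create once; ignore "exists"
    $IPTABLES -F "$CHAIN"                               # rebuild from an empty chain
    for src in $sources; do
        $IPTABLES -A "$CHAIN" -s "$src" -p tcp -m multiport --dports "$dports" -j ACCEPT
    done
    $IPTABLES -A "$CHAIN" -p tcp -m multiport --dports "$dports" -j DROP
    # Hook the chain in at the top of INPUT so it runs before any broad ACCEPT
    # (such as the Travelin' Man -A rule); delete an older jump first so that
    # re-running the script never leaves two copies behind.
    $IPTABLES -D INPUT -p tcp -m multiport --dports "$dports" -j "$CHAIN" 2>/dev/null || true
    $IPTABLES -I INPUT 1 -p tcp -m multiport --dports "$dports" -j "$CHAIN"
}

# Usage: sh web_whitelist.sh "203.0.113.0/24 198.51.100.7" "80 443 83"
if [ $# -eq 2 ]; then
    web_whitelist "$1" "$2"
fi
```

As the thread notes for the Travelin' Man entries, a `service iptables restart` discards rules added this way unless they are saved to the iptables configuration first.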
 

newvoiper

Member
Joined
Nov 20, 2010
Messages
94
Reaction score
25
Thanks for the tip! I will have a look at my Tomato router to see if setting up flexible ranges of IP addresses is supported. That certainly sounds like a good way to add another layer of security without too much inconvenience.
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,168
Reaction score
5,199
Got a call from Tony last night. Sounds like this may be a vulnerability in Proxmox rather than PIAF. So you might want to (also) lock down your Proxmox server with a WhiteList if it is exposed to the Internet. :idea:
 

jroper

Guru
Joined
Oct 20, 2007
Messages
3,832
Reaction score
71
Hi

Please note that if you are installing iptables on Proxmox, it is not that straightforward, as you have to port forward as well if you want to allow access. See this post I wrote some time ago for more information.

Joe
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,168
Reaction score
5,199
Proxmox now installs with IPtables activated. You'll still need to add the desired rules as explained in Joe's post above. HOWEVER...

We would strongly recommend you NOT enable tcp 80 or 443 in your firewall rules until the current vulnerability has been addressed/resolved.


Instead, you can securely tunnel into the browser interface of Proxmox through SSH like this:

1. Log into Proxmox with SSH using the following command with the public IP address or FQDN of your Proxmox server:

ssh -p 22 -L 8280:localhost:443 root@proxmoxFQDN

2. While still logged in via SSH, use a browser to go to:

https://localhost:8280

3. Log out of SSH when you're finished by typing the following command at the CLI prompt: exit


EVEN SAFER: If you have a hardware-based firewall between Proxmox and your Internet connection, set up a rule to map some random port (e.g. 42111) to TCP port 22 of your Proxmox private IP address, and then substitute that number for 22 in step #1 above.
 

womble1

Guru
Joined
Oct 19, 2008
Messages
632
Reaction score
6
Is there any fix out there yet which will stop this problem without fiddling around with firewalls etc… ?
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,168
Reaction score
5,199
If we knew what the problem was, we could offer some suggestions. Until then, the best suggestion is to operate PIAF and Proxmox behind hardware-based firewalls with NO port exposure.
 

iconicflux

Guru
Joined
Apr 18, 2010
Messages
6
Reaction score
0
wanted - hacked system

If anyone here has a hacked system they can create a virtual machine from and send it to me, I'd very much appreciate it.

I've been too busy lately to really give a look to this; however, it looks like I have some time over the next couple of weeks and I'd like to duplicate this vulnerability.

Thank you,
Kevin Lynn, CISSP, GWAPT
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,168
Reaction score
5,199
It's been very quiet on the security front. I think I finally tracked down the security vulnerability with Proxmox which appears to be the major hole except... this may also be a problem with ANY Linux 64-bit OS. Check your kernel version now: uname -r. 64-bit kernels at or below 2.6.27 are apparently safe as are kernels as of 2.6.34.6 and above... at least for this vulnerability.

If you are using a version of Proxmox with OpenVZ support, then your server IS VULNERABLE if it is exposed to the Internet since there currently is no patched kernel with OpenVZ support. Only the Proxmox 2.6.35 kernel is reportedly safe, and it does not support OpenVZ images.

MORAL: Use Proxmox only behind a secure firewall with a WhiteList for access. If the creeps can get to your web interface to Proxmox, you are dead meat!!!
 

luckman212

Guru
Joined
Jul 7, 2010
Messages
272
Reaction score
0
Thanks Ward! So does this mean those of us who run standalone, non-Virtualized installations of PiaF are "safe" ?
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,168
Reaction score
5,199
32-bit systems don't have this particular vulnerability. If you have a 64-bit system, you need to run the test. Our recommendation remains to run PIAF behind a hardware-based firewall with NO PORTS EXPOSED TO THE INTERNET.
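Ward's "uname -r" test above and in his earlier post, written out as a POSIX shell script. This is an added example, not code from Ward or the PIAF project: it classifies a 64-bit kernel release string against the range reported in the thread (at or below 2.6.27 safe, 2.6.34.6 and above safe, anything between treated as affected) and reports 32-bit kernels as out of scope. The function names are this example's own.

```shell
#!/bin/sh
# Added example: classify a kernel release against the version range the thread
# reports as affected on 64-bit systems. Run with no arguments to test this host.

# ver_ge A B: succeed if dotted version A is >= B, compared component by component.
ver_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"              # leading component of each
        if [ "$a" = "$x" ]; then a=""; else a="${a#*.}"; fi
        if [ "$b" = "$y" ]; then b=""; else b="${b#*.}"; fi
        x="${x:-0}"; y="${y:-0}"                # a missing component counts as 0
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
    done
    return 0                                    # versions are equal
}

# kernel_status RELEASE ARCH: print "safe", "affected", "unknown" (unparsable
# release) or "n/a" (not a 64-bit kernel, which the thread says is not affected).
kernel_status() {
    rel="$1"; arch="$2"
    case "$arch" in
        x86_64|amd64) ;;
        *) echo "n/a"; return 0 ;;
    esac
    base="${rel%%[!0-9.]*}"                     # "2.6.32-4-pve" -> "2.6.32"
    [ -n "$base" ] || { echo "unknown"; return 0; }
    # Ranges as stated in the thread: safe at or below 2.6.27, safe from 2.6.34.6 up.
    if ver_ge 2.6.27 "$base" || ver_ge "$base" 2.6.34.6; then
        echo "safe"
    else
        echo "affected"
    fi
}

if [ $# -eq 0 ]; then
    echo "$(uname -r) ($(uname -m)): $(kernel_status "$(uname -r)" "$(uname -m)")"
else
    kernel_status "$1" "${2:-x86_64}"           # e.g. sh kcheck.sh 2.6.32-4-pve x86_64
fi
```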
 

luckman212

Guru
Joined
Jul 7, 2010
Messages
272
Reaction score
0
Good to know. I only run the 32-bit flavors as I haven't seen any need for 64-bit yet. I expose as few ports as I can but I haven't set up "travelin' man" yet so I do have 5060 open (yikes). I do get a fair amount of hits in Fail2Ban but I use very secure passwords so, hasn't been an issue yet (knock wood). And for some reason I have found that I get 1-way audio from phones that are outside the NAT unless I forward the RTP port range (rtpstart-rtpend) to the LAN IP of the PBX. Not sure why that is, but that's a subject for another thread.
 

ezekielmudd

New Member
Joined
Jan 11, 2009
Messages
20
Reaction score
5
In retrospect, would this Slashdot article shed any light on the topic?

Do you think it was an Apache vulnerability all this time?

If so, how would I go about upgrading Apache?
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,168
Reaction score
5,199
Chasing down security vulnerabilities is a lot like playing...

[image: Whack-A-Mole]
 

rjm

Guru
Joined
Oct 21, 2007
Messages
475
Reaction score
21
32-bit systems don't have this particular vulnerability. If you have a 64-bit system, you need to run the test. Our recommendation remains to run PIAF behind a hardware-based firewall with NO PORTS EXPOSED TO THE INTERNET.

Which test is that Ward?
 
