wardmundy (Nerd Uno) - Joined Oct 12, 2007
In light of recent security issues, we are launching the CYA development project to help identify changes in your Asterisk 11/FreePBX 2.11 setup that may be beyond your control. These changes could be the result of legitimate FreePBX updates or nefarious intrusions of one type or another.
Currently, this app keeps track of /etc/asterisk, /var/www/html/admin, and /var/lib/asterisk/agi-bin directory trees plus dumps of the new Asterisk DB (astdb.sqlite3) and MySQL's asterisk database (used by FreePBX and others). We may add some additional web directories as well as some Apache, FreePBX/amportal, and PHP config files as time permits. We're also simplifying the design to make it easier to turn off pieces you no longer wish to monitor. Also on the drawing board: adding periodic checking via cron, SMS or email alerts for detected changes, and off-site (secure) backups of the snapshots in tarball format (cya.tar.gz = ~75MB currently).
INSTALLATION
To install the latest version (0.008), log into your server as root and issue the following commands. After upgrading to a new version, ALWAYS perform Step #1 below.
Code:
cd /root
wget http://incrediblepbx.com/cover-your-Asterisk.tar.gz
tar zxvf cover-your-Asterisk.tar.gz
rm -f cover-your-Asterisk.tar.gz
OPERATION
1. With the latest version, you first run /root/protect-your-ASSets.sh. It creates a new /etc/asterisk.snapshot folder (700, root-only permissions) which duplicates your current /etc/asterisk, /var/www/html/admin, and /var/lib/asterisk/agi-bin directory trees plus the new Asterisk DB (astdb.sqlite3) and MySQL's asterisk database. It also creates MD5 checksums of all existing files and stores the list in /root/protect-your-ASSets.md5. All ownership, permissions, and tree structure are now preserved, except for the /etc/asterisk.snapshot directory itself, which is restricted to root for security.
2. Periodically, you then can run /root/check-your-ASSets.sh, which creates a new checksum list based upon the current contents of /etc/asterisk, /var/www/html/admin, /var/lib/asterisk/agi-bin, MySQL's asterisk database, and the new Asterisk DB (astdb.sqlite3). This list is stored in /root/check-your-ASSets.md5. The script then compares the contents of the two checksum files and documents any changes for you to investigate. Read the following post before applying new FreePBX updates!
HINT: diff /dirpath/filename /etc/asterisk.snapshot/dirpath/filename will tell you specifically what has been changed in any modified file. This is done automatically for the databases, but you'll need to manually do it for any other modified files of concern.
3. When you are satisfied that the changes shown in step #2 are legit, you simply run /root/protect-your-ASSets.sh again to update the snapshot on your server.
NOTE: Should you ever need to restore files from the snapshot to /etc/asterisk or elsewhere, remember to copy the files back into place using cp -p to preserve ownership and permissions.
Code:
cp -p /etc/asterisk.snapshot/etc/asterisk/filename /etc/asterisk/filename
amportal restart
For the /var/www/html/admin directory tree, use similar commands:
Code:
cp -p /etc/asterisk.snapshot/var/www/html/admin/dirtree/filename /var/www/html/admin/dirtree/filename
WARNING: Both scripts have the MySQL root password hard-coded as passw0rd. You'll need to manually change it on the Raspberry Pi and BeagleBoneBlack to: raspberry (for both!).
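The snapshot/check/restore cycle in steps 1 through 3 boils down to a path-sorted checksum list, a permission-preserving copy of the tree, and a comparison that reports what is new, what is gone and what changed. The functions below are an added example written for this post, not the protect-your-ASSets.sh or check-your-ASSets.sh scripts themselves; the names cya_list, cya_snapshot and cya_check and the MODIFIED:/DELETED:/NEW: report format are this example's own. It assumes GNU coreutils (find -print0, sort -z, xargs -r, md5sum, cp -a, mktemp) and diff, and covers only the directory trees, not the astdb.sqlite3 or MySQL dumps.

```shell
#!/bin/bash
# Added example in the spirit of the post's protect/check scripts (not the
# project's own code). Assumes GNU coreutils and diff on a Linux host.

# Write "hash  path" lines for every regular file under DIR into LIST,
# sorted by path so two lists can be compared deterministically.
cya_list() {
    local dir="$1" list="$2"
    find "$dir" -type f -print0 | sort -z | xargs -0 -r md5sum > "$list"
}

# Step 1 of the post: copy DIR into SNAPROOT with ownership, permissions and
# timestamps preserved (cp -a), restrict SNAPROOT to its owner (700), and
# record the checksum list in LIST. Re-running replaces the previous copy of
# DIR, so files deleted since the last snapshot do not linger in it.
cya_snapshot() {
    local dir="$1" snaproot="$2" list="$3"
    # never run rm -rf with an empty prefix: that would delete the live tree
    [ -n "$snaproot" ] && [ -d "$dir" ] || return 2
    mkdir -p "$snaproot" && chmod 700 "$snaproot"
    rm -rf "$snaproot$dir"
    mkdir -p "$snaproot$(dirname "$dir")"
    cp -a "$dir" "$snaproot$(dirname "$dir")/"
    cya_list "$dir" "$list"
}

# Step 2 of the post: checksum DIR again and compare against LIST.
# Prints MODIFIED:/DELETED:/NEW: lines and, when SNAPROOT is given, a diff
# of each modified file against its snapshot copy (the post's HINT).
# Returns 0 when nothing changed, 1 when something did.
cya_check() {
    local dir="$1" list="$2" snaproot="$3" cur report
    cur=$(mktemp) || return 2
    cya_list "$dir" "$cur"
    # md5sum lines are "<32 hex chars>  <path>", so the path starts at
    # column 35; substr() keeps paths that contain spaces intact.
    report=$(awk '
        FILENAME == ARGV[1] { snap[substr($0, 35)] = $1; next }
        {
            path = substr($0, 35); now[path] = $1
            if (!(path in snap))         print "NEW: " path
            else if (snap[path] != $1)   print "MODIFIED: " path
        }
        END { for (p in snap) if (!(p in now)) print "DELETED: " p }
    ' "$list" "$cur" | sort)
    rm -f "$cur"
    if [ -z "$report" ]; then
        echo "No changes."
        return 0
    fi
    printf '%s\n' "$report" | while IFS= read -r line; do
        printf '%s\n' "$line"
        case "$line" in
            "MODIFIED: "*)
                p=${line#MODIFIED: }
                if [ -n "$snaproot" ] && [ -f "$snaproot$p" ]; then
                    diff "$snaproot$p" "$p" || true   # diff exits 1 on differences
                fi ;;
        esac
    done
    return 1
}

# Stand-alone usage against one of the trees the post monitors (as root):
#   cya_snapshot /etc/asterisk /etc/asterisk.snapshot /root/protect-your-ASSets.md5
#   cya_check    /etc/asterisk /root/protect-your-ASSets.md5 /etc/asterisk.snapshot
```

Pass the same absolute DIR to both functions (no trailing slash on one and not the other), because the comparison is keyed on the exact path text in the checksum lists. Restoring a file is then the post's cp -p from "$snaproot$path" back to "$path", and re-running cya_snapshot is step 3. A snapshot kept on the same host only tells you that something changed; it cannot tell you whether the snapshot itself was tampered with, which is why the post plans off-site copies of it.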
SAMPLE OUTPUT
Here is a sample listing from running check-your-ASSets.sh after changing a couple files and deleting one:
Code:
Checksumming current /etc/asterisk files...
Checksumming current /var/www/html/admin directory tree and files...
Checking for new file changes...
MISMATCH: 9cef544d8e7ef96677659b413d29cd38 /etc/asterisk/212.inc
MISMATCH: cc506788b8b5d58365c64a3761729df1 /etc/asterisk/221.inc
MISMATCH: dd7f4b10459818b2aa76c69b2e7dddc1 /etc/asterisk/308.inc
Checking for old file changes...
MISMATCH: 9cef533d8e7ef96677659b413d29cd38 /etc/asterisk/212.inc
MISMATCH: cc506733b8b5d58365c64a3761729df1 /etc/asterisk/221.inc
grep: /etc/asterisk/modules.conf.2.8.0-1.bak: No such file or directory
MISMATCH: 3306a3d98fcdfb61e0ac7ea852d7ee09 /etc/asterisk/modules.conf.2.8.0-1.bak
Processing diff analysis of checksum files...
3c3
< 9cef544d8e7ef96677659b413d29cd38 /etc/asterisk/212.inc
---
> 9cef533d8e7ef96677659b413d29cd38 /etc/asterisk/212.inc
11c11
< cc506788b8b5d58365c64a3761729df1 /etc/asterisk/221.inc
---
> cc506733b8b5d58365c64a3761729df1 /etc/asterisk/221.inc
19,20d18
< dd7f4b10459818b2aa76c69b2e7dddc1 /etc/asterisk/308.inc
<
289a288,289
> 3306a3d98fcdfb61e0ac7ea852d7ee09 /etc/asterisk/modules.conf.2.8.0-1.bak
>
Asterisk DB changes, if any:
MySQL asterisk database changes, if any:
Done.
A clean bill of health running check-your-ASSets.sh would look like this:
Code:
Checksumming current /etc/asterisk files...
Checksumming current /var/www/html/admin directory tree and files...
Checking for new file changes...
Checking for old file changes...
Processing diff analysis of checksum files...
Asterisk DB changes, if any:
MySQL asterisk database changes, if any:
Done.
SUGGESTIONS
Suggestions for additions/improvements are welcomed as well as identification of any bugs. Thanks.
Today on Nerd Vittles...
Zero Day Vulnerability Protection and More: Introducing Cover Your Asterisk