PIONEERS Cover-Your-Asterisk

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,170
Reaction score
5,199
In light of recent security issues, we are launching the CYA development project to help identify changes in your Asterisk 11/FreePBX 2.11 setup that may be beyond your control. These changes could be the result of legitimate FreePBX updates or nefarious intrusions of one type or another.

Currently, this app keeps track of /etc/asterisk, /var/www/html/admin, and /var/lib/asterisk/agi-bin directory trees plus dumps of the new Asterisk DB (astdb.sqlite3) and MySQL's asterisk database (used by FreePBX and others). We may add some additional web directories as well as some Apache, FreePBX/amportal, and PHP config files as time permits. We're also simplifying the design to make it easier to turn off pieces you no longer wish to monitor. Also on the drawing board: adding periodic checking via cron, SMS or email alerts for detected changes, and off-site (secure) backups of the snapshots in tarball format (cya.tar.gz = ~75MB currently).

INSTALLATION

To install the latest version (0.008), log into your server as root and issue the following commands. After upgrading to a new version, ALWAYS perform Step #1 below.
Code:
cd /root
wget http://incrediblepbx.com/cover-your-Asterisk.tar.gz
tar zxvf cover-your-Asterisk.tar.gz
rm -f cover-your-Asterisk.tar.gz

OPERATION

1. The way the latest version works is you first run /root/protect-your-ASSets.sh. It creates a new /etc/asterisk.snapshot folder (700 root only permissions) which duplicates your current /etc/asterisk, /var/www/html/admin, and /var/lib/asterisk/agi-bin directory trees plus the new Asterisk DB (astdb.sqlite3) and MySQL's asterisk database. It also creates MD5 checksums on all existing files and stores the list in /root/protect-your-ASSets.md5. All ownership, permissions, and tree structure are now preserved except for /etc/asterisk.snapshot directory itself which is restricted to root for security.

2. Periodically, you then can run /root/check-your-ASSets.sh which creates a new checksum list based upon the current contents of /etc/asterisk, /var/www/html/admin, /var/lib/asterisk/agi-bin, MySQL's asterisk database, and the new Asterisk DB (astdb.sqlite3). This list is stored in /root/check-your-ASSets.md5. The script then compares the contents of the two checksum files and documents any changes for you to investigate. Read the following post before applying new FreePBX updates!

HINT: diff /dirpath/filename /etc/asterisk.snapshot/dirpath/filename will tell you specifically what has been changed in any modified file. This is done automatically for the databases, but you'll need to manually do it for any other modified files of concern.

3. When you are satisfied that the changes shown in step #2 are legit, you simply run /root/protect-your-ASSets.sh again to update the snapshot on your server.

NOTE: Should you ever need to restore files from the snapshot to /etc/asterisk or elsewhere, remember to copy the files back into place using cp -p to preserve ownership and permissions.
Code:
cp -p /etc/asterisk.snapshot/etc/asterisk/filename /etc/asterisk/filename
amportal restart
For the /var/www/html/admin directory tree, use similar commands:
Code:
cp -p /etc/asterisk.snapshot/var/www/html/admin/dirtree/filename /var/www/html/admin/dirtree/filename

WARNING: Both scripts have the MySQL root password hard-coded as passw0rd. You'll need to manually change it on the Raspberry Pi and BeagleBoneBlack to: raspberry (for both!).

SAMPLE OUTPUT

Here is a sample listing from running check-your-ASSets.sh after changing a couple files and deleting one:
Code:
Checksumming current /etc/asterisk files...
Checksumming current /var/www/html/admin directory tree and files...
Checking for new file changes...
MISMATCH: 9cef544d8e7ef96677659b413d29cd38  /etc/asterisk/212.inc
MISMATCH: cc506788b8b5d58365c64a3761729df1  /etc/asterisk/221.inc
MISMATCH: dd7f4b10459818b2aa76c69b2e7dddc1  /etc/asterisk/308.inc
Checking for old file changes...
MISMATCH: 9cef533d8e7ef96677659b413d29cd38  /etc/asterisk/212.inc
MISMATCH: cc506733b8b5d58365c64a3761729df1  /etc/asterisk/221.inc
grep: /etc/asterisk/modules.conf.2.8.0-1.bak: No such file or directory
MISMATCH: 3306a3d98fcdfb61e0ac7ea852d7ee09  /etc/asterisk/modules.conf.2.8.0-1.bak
Processing diff analysis of checksum files...
3c3
< 9cef544d8e7ef96677659b413d29cd38  /etc/asterisk/212.inc
---
> 9cef533d8e7ef96677659b413d29cd38  /etc/asterisk/212.inc
11c11
< cc506788b8b5d58365c64a3761729df1  /etc/asterisk/221.inc
---
> cc506733b8b5d58365c64a3761729df1  /etc/asterisk/221.inc
19,20d18
< dd7f4b10459818b2aa76c69b2e7dddc1  /etc/asterisk/308.inc
<
289a288,289
> 3306a3d98fcdfb61e0ac7ea852d7ee09  /etc/asterisk/modules.conf.2.8.0-1.bak
>
Asterisk DB changes, if any:
MySQL asterisk database changes, if any:
Done.

A clean bill of health running check-your-ASSets.sh would look like this:
Code:
Checksumming current /etc/asterisk files...
Checksumming current /var/www/html/admin directory tree and files...
Checking for new file changes...
Checking for old file changes...
Processing diff analysis of checksum files...
Asterisk DB changes, if any:
MySQL asterisk database changes, if any:
Done.

SUGGESTIONS

Suggestions for additions/improvements are welcomed as well as identification of any bugs. Thanks.

Today on Nerd Vittles...

Zero Day Vulnerability Protection and More: Introducing Cover Your Asterisk
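The snapshot-then-compare cycle described in steps 1 and 2 above, as an added example in plain POSIX sh (not the CYA project's own scripts): snapshot_tree mirrors a watched tree under a root-only snapshot directory and records MD5s, check_tree re-checksums and reports MISMATCH/NEW/DELETED entries, and diff_file/restore_file do what the HINT and NOTE in the post do by hand. Assumed: GNU md5sum and awk are available, watched paths contain no whitespace, and the directory names are whatever the caller passes in.

```shell
#!/bin/sh
# Added example, not the CYA project's own scripts: a minimal snapshot/check
# cycle in the spirit of protect-your-ASSets.sh and check-your-ASSets.sh.
# Assumptions (mine): GNU md5sum and awk are present; watched paths contain
# no whitespace; the caller may read the watched tree and create SNAPDIR.

# snapshot_tree WATCHED SNAPDIR MD5FILE
# Mirror WATCHED under SNAPDIR (so /etc/asterisk lands in SNAPDIR/etc/asterisk),
# keep ownership/permissions with cp -p, lock the snapshot root to its owner,
# and record an MD5 per file, sorted so the list diffs cleanly later.
snapshot_tree() {
    watched="$1"; snapdir="$2"; md5file="$3"
    rm -rf "$snapdir"
    mkdir -p "$snapdir$watched"
    cp -pR "$watched/." "$snapdir$watched/"
    chmod 700 "$snapdir"
    find "$watched" -type f | sort | while read -r f; do md5sum "$f"; done > "$md5file"
}

# check_tree WATCHED MD5FILE CURFILE
# Re-checksum WATCHED into CURFILE and compare with the snapshot list:
# MISMATCH = content changed, NEW = file absent from the snapshot,
# DELETED = file present in the snapshot but gone now. Returns 1 on any change.
check_tree() {
    watched="$1"; md5file="$2"; curfile="$3"
    find "$watched" -type f | sort | while read -r f; do md5sum "$f"; done > "$curfile"
    awk '
        FILENAME == ARGV[1] { old[$2] = $1; next }       # snapshot: path -> md5
        {
            seen[$2] = 1
            if (!($2 in old))       { print "NEW:      " $2; n++ }
            else if (old[$2] != $1) { print "MISMATCH: " $1 "  " $2; n++ }
        }
        END {
            for (f in old) if (!(f in seen)) { print "DELETED:  " f; n++ }
            exit (n > 0)
        }' "$md5file" "$curfile"
}

# diff_file FILE SNAPDIR -- what the HINT in the post does by hand
diff_file() { diff "$1" "$2$1"; }

# restore_file FILE SNAPDIR -- copy back with cp -p so owner/perms survive
restore_file() { cp -p "$2$1" "$1"; }
```

Running check_tree before and after a FreePBX update, then snapshot_tree once the reported changes are accounted for, is the discipline the next post describes.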
 

wardmundy

This will require a change in discipline obviously. What we would recommend is to run check-your-ASSets.sh before and after making changes in FreePBX. On most production systems, these are not daily occurrences. The time to run the scripts is less than 10 seconds so it's not overly burdensome. Once you're sure that updates did what you expected, you can refresh the snapshot by rerunning protect-your-ASSets.sh.
 

wardmundy

p.s. Obviously, imparting the wisdom of what should change and what was actually changed would be desirable. We're still thinking about that. Suggestions are more than welcome. One of my concerns with WebMin is all of the under-the-covers stuff that goes on. This obviously applies with FreePBX as well. Documentation goes a long way toward eliminating anxiety, but we also appreciate the costs and time constraints.
 

wardmundy

Anything ARI could change would obviously warrant a careful look.

Version .002 (and above) now adds Asterisk DB protection to the equation for Asterisk 11 and beyond.
 

wardmundy

Version 0.005 adds a dump of MySQL's asterisk database to the collection. This covers all of the FreePBX stuff stored in MySQL except for CDR logs.
 

wardmundy

Version 0.007 reworks the directory structure for /etc/asterisk.snapshot to exactly match where the snapshot files came from. For example, you'll find /etc/asterisk snapshot in /etc/asterisk.snapshot/etc/asterisk. All ownership and permissions in the snapshot now are identical to their source with the exception of the main /etc/asterisk.snapshot directory itself. It is only accessible by root. This keeps everyone other than root out of the entire snapshot directory tree without damaging any of the permissions of the individual files and folders. This in turn simplifies restoration using cp -p which will preserve ownership and permissions of individual files and directories in the snapshot. It also gets things better organized for future additions.

See the first post for some major changes in future direction.
 

wardmundy

Version 0.008 adds /var/lib/asterisk/agi-bin to the collection.
 
