
Proxmox Web Security Issue

Discussion in 'Today's Tech News & Events' started by wardmundy, Aug 11, 2011.

  1. darmock PIAF Developer

    Ethan I am not quite sure what you are stating/asking?

    Ward was simply stating that the dev team has not YET heard from someone, directly, running our distro having been attacked with this particular problem. We are trying to gain more information about what exactly the exploit is/was. Unfortunately, information is kind of sparse and the actual mechanism seems to be unknown. However, if you have some knowledge beyond what is floating around various forums (including CentOS), please enlighten us.

    We prefer to work with our own PIAF based systems that have been compromised in a similar fashion. I suppose that some will cry foul that we prefer to work with our own distro and not the others but it is what it is.

    Several solutions have been suggested based on anecdotal evidence and we currently have those solutions implemented in alpha testing. We are also going ahead with some other hardening for our distro that has been in long term planning for a while.

    Still the question remains: how do you test a system that has been hardened with an anecdotal solution in response to an anecdotal problem when you really don't know how the problem occurred originally?

    Enjoy


    Tom
  2. newvoiper New Member

    Ward, thank you very much for explaining the safest way to work with travellin' man until more is known!
  3. wardmundy Nerd Uno

    Getting Down in the Weeds

    Our personal preference is to leave the IPtables setup in place and create a WhiteList of IP addresses on a hardware-based firewall. In this way, you can use a browser to...

    1. Add a new IP address (or range(s) of IP addresses) for access to Travelin' Man on TCP port 83
    2. Add a new IP address (or range(s) of IP addresses) for remote phone on UDP 5060, 10000-20000, and whatever else you need
    3. Run the Travelin' Man web app which sets up new white list entries for remote phone in IPtables and Asterisk

    The dLink Gaming Routers, for example, let you set up lists of IP addresses including flexible ranges of IPs. You then name them, for example: SanDiegoHotels or BeachHouse.

    Now you have 2 layers of WhiteList security and a much more flexible way to manage all of it with just a browser. This also handles hosting providers that use Dynamic DNS. For example, our provider in the mountains changes IP addresses about as often as teenagers take showers. We rarely have to fiddle with the address range now that we figured out the high end and low end IP addresses. Hope this helps.
  4. eCase New Member

    I didn't realize that the exploit itself was not yet discovered, and instead what was known were the results of the exploit.
    (Even though Ward clearly stated such in the post)

    Sometimes I miss what is right in front of me ;)

    :) I still think the fan club idea is golden - just premature at present :)
  5. markb1439 New Member

    What is the recommendation for a client with multiple operators using Flash Operator Panel 2? They rely on this, which unfortunately is accessed via web.
  6. markb1439 New Member

    This will be very helpful.
  7. newvoiper New Member

    Thanks for the tip! I will have a look at my Tomato router to see if setting up flexible ranges of IP addresses is supported. That certainly sounds like a good way to add another layer of security without too much inconvenience.
  8. wardmundy Nerd Uno

    Got a call from Tony last night. Sounds like this may be a vulnerability in Proxmox rather than PIAF. So you might want to (also) lock down your Proxmox server with a WhiteList if it is exposed to the Internet. :idea:
  9. jroper Guru

    Hi

    Please note that if you are installing iptables on Proxmox, it is not that straightforward, as you have to port forward as well if you want to allow access. See this post I wrote some time ago for more information.

    Joe
  10. wardmundy Nerd Uno

    Proxmox now installs with IPtables activated. You'll still need to add the desired rules as explained in Joe's post above. HOWEVER...

    We would strongly recommend you NOT enable tcp 80 or 443 in your firewall rules until the current vulnerability has been addressed/resolved.


    Instead, you can securely tunnel into the browser interface of Proxmox through SSH like this:

    1. Log into Proxmox with SSH using the following command with the public IP address or FQDN of your Proxmox server:

    ssh -p 22 -L 8280:localhost:443 root@proxmoxFQDN

    2. While still logged in via SSH, use a browser to go to:

    https://localhost:8280

    3. Log out of SSH when you're finished by typing the following command at the CLI prompt: exit


    EVEN SAFER: If you have a hardware-based firewall between Proxmox and your Internet connection, set up a rule to map some random port (e.g. 42111) to TCP port 22 of your Proxmox private IP address, and then substitute that number for 22 in step #1 above.
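The three steps above wrapped in a small POSIX shell script, added here as an example; it is not Ward's code or anything shipped with PIAF or Proxmox. The host name `pve.example.test`, the control-socket path and the 8280/443/22 port numbers are placeholders and assumptions taken from the post; the "random port" of the EVEN SAFER variant is passed as the optional SSHPORT argument.

```shell
#!/bin/sh
# Added example (not from the thread): wraps the three-step SSH tunnel to the
# Proxmox web interface. Host name, ports and the control-socket path are
# placeholders/assumptions; adjust them to match your own setup.

CTL=${TMPDIR:-/tmp}/pve-tunnel.ctl   # ssh control socket used to tear the tunnel down

# validate_port N: true when N is an integer in 1..65535
validate_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# tunnel_args HOST [SSHPORT] [LOCALPORT]
# Prints the ssh arguments for step 1: local LOCALPORT -> 443 on the Proxmox box.
# ssh binds the local side of a -L forward to loopback unless GatewayPorts is
# enabled, so only a browser on this machine can reach the tunnelled interface.
# SSHPORT is where the mapped "random port" (e.g. 42111) of the EVEN SAFER
# variant goes; it defaults to 22 as in step 1.
tunnel_args() {
    host=$1; sshport=${2:-22}; localport=${3:-8280}
    [ -n "$host" ] || { echo "usage: tunnel_args HOST [SSHPORT] [LOCALPORT]" >&2; return 1; }
    validate_port "$sshport"   || { echo "bad SSH port: $sshport" >&2; return 1; }
    validate_port "$localport" || { echo "bad local port: $localport" >&2; return 1; }
    printf -- '-p %s -L %s:localhost:443 root@%s' "$sshport" "$localport" "$host"
}

# tunnel_open HOST [SSHPORT] [LOCALPORT]: step 1, but run in the background with
# a control socket so the session does not hold a terminal and can be closed by name.
tunnel_open() {
    args=$(tunnel_args "$@") || return 1
    # -f: background after authentication; -N: no remote command;
    # -M/-S: act as control master on $CTL; ExitOnForwardFailure: fail loudly if
    # the local port is already taken instead of silently running without the forward.
    # shellcheck disable=SC2086  (args is a deliberately space-separated list)
    ssh -f -N -M -S "$CTL" -o ExitOnForwardFailure=yes $args &&
        echo "tunnel up: browse to https://localhost:${3:-8280} (step 2)"
}

# tunnel_close HOST: step 3, ends the background session through the control socket.
tunnel_close() {
    ssh -S "$CTL" -O exit "root@$1"
}
```

Usage: `. ./pve-tunnel.sh; tunnel_open pve.example.test 42111`, browse to https://localhost:8280, then `tunnel_close pve.example.test`. Because the tunnel is a plain SSH session, everything in `/var/log/auth.log` (or `secure`) on the Proxmox host still records who opened it and from where, which a direct exposure of 443 would not give you.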
  11. womble1 Guru

    Is there any fix out there yet which will stop this problem without fiddling around with firewalls etc… ?
  12. wardmundy Nerd Uno

    If we knew what the problem was, we could offer some suggestions. Until then, the best suggestion is to operate PIAF and Proxmox behind hardware-based firewalls with NO port exposure.
  13. iconicflux Guru

    wanted - hacked system

    If anyone here has a hacked system they can create a virtualmachine from and send it to me, I'd very much appreciate it.

    I've been too busy lately to really give a look to this; however, it looks like I have some time over the next couple of weeks and I'd like to duplicate this vulnerability.

    Thank you,
    Kevin Lynn, CISSP, GWAPT
  14. wardmundy Nerd Uno

    It's been very quiet on the security front. I think I finally tracked down the security vulnerability with Proxmox which appears to be the major hole except... this may also be a problem with ANY Linux 64-bit OS. Check your kernel version now: uname -r. 64-bit kernels at or below 2.6.27 are apparently safe as are kernels as of 2.6.34.6 and above... at least for this vulnerability.

    If you are using a version of Proxmox with OpenVZ support, then your server IS VULNERABLE if it is exposed to the Internet since there currently is no patched kernel with OpenVZ support. Only the Proxmox 2.6.35 kernel is reportedly safe, and it does not support OpenVZ images.

    MORAL: Use Proxmox only behind a secure firewall with a WhiteList for access. If the creeps can get to your web interface to Proxmox, you are dead meat!!!
  15. luckman212 Guru

    Thanks Ward! So does this mean those of us who run standalone, non-Virtualized installations of PiaF are "safe" ?
  16. wardmundy Nerd Uno

    32-bit systems don't have this particular vulnerability. If you have a 64-bit system, you need to run the test. Our recommendation remains to run PIAF behind a hardware-based firewall with NO PORTS EXPOSED TO THE INTERNET.
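A triage script for the kernel check described in the two posts above (Ward's `uname -r` test and the 32-bit exception), added here as an example and not part of the thread or of PIAF. The version boundaries (at or below 2.6.27 safe, 2.6.34.6 and above safe, 32-bit unaffected) are exactly the ones the posts state; treating "2.6.27" as the whole 2.6.27.y series, and the `x86_64`/`amd64`/`i?86` machine names, are my assumptions. It compares version strings only: a vendor kernel that backports a fix under an older version number will still be reported as vulnerable, so read the output as a prompt to check your distribution's advisory, not as a verdict.

```shell
#!/bin/sh
# Added example (not from the thread): triage a host against the kernel version
# ranges quoted in the posts above. Boundaries come from the posts; treating
# "2.6.27" as the whole 2.6.27.y series is an assumption.

# kver_key RELEASE: turn "2.6.32-5-openvz-amd64" into one sortable integer,
# major*10^9 + minor*10^6 + patch*10^3 + sublevel. The vendor suffix after the
# first '-', '+' or '_' is dropped; missing fields count as 0.
kver_key() {
    printf '%s\n' "$1" | sed 's/[-+_].*$//' |
        awk -F. '{ printf "%.0f\n", $1*1000000000 + $2*1000000 + $3*1000 + $4 }'
}

# kernel_status RELEASE MACHINE -> prints one of:
#   not-affected  32-bit kernel (per the follow-up post)
#   safe          64-bit, below 2.6.28 or at/above 2.6.34.6
#   vulnerable    64-bit, anything in between (this is where the OpenVZ kernels sit)
#   unknown       an architecture the thread says nothing about
kernel_status() {
    rel=$1
    machine=$2
    case "$machine" in
        x86_64|amd64) ;;
        i?86) echo not-affected; return 0 ;;
        *) echo unknown; return 0 ;;
    esac
    k=$(kver_key "$rel")
    if [ "$k" -lt "$(kver_key 2.6.28)" ] || [ "$k" -ge "$(kver_key 2.6.34.6)" ]; then
        echo safe
    else
        echo vulnerable
    fi
}

# check_this_host: the same test for the machine this runs on (uname -r / uname -m).
check_this_host() {
    kernel_status "$(uname -r)" "$(uname -m)"
}

# Only touch the live host when asked, so the file can be sourced without side effects.
if [ "${1:-}" = "--host" ]; then
    printf '%s %s: %s\n' "$(uname -r)" "$(uname -m)" "$(check_this_host)"
fi
```

Run it as `sh kcheck.sh --host` on each 64-bit PIAF or Proxmox box; anything that prints `vulnerable` belongs behind the WhiteListed firewall Ward describes until a patched kernel is available for it.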
  17. luckman212 Guru

    Good to know. I only run the 32-bit flavors as I haven't seen any need for 64-bit yet. I expose as few ports as I can, but I haven't set up "travelin' man" yet so I do have 5060 open (yikes). I do get a fair amount of hits in Fail2Ban, but I use very secure passwords so it hasn't been an issue yet (knock wood). And for some reason I have found that I get 1-way audio from phones that are outside the NAT unless I forward the RTP port range (rtpstart-rtpend) to the LAN IP of the PBX. Not sure why that is, but that's a subject for another thread.
  18. ezekielmudd New Member

    In retrospect, would this slashdot article shed any light on the topic?

    Do you think it was an apache vulnerability all this time?

    If so, how would I go about upgrading apache?
  19. wardmundy Nerd Uno

    Chasing down security vulnerabilities is a lot like playing...

    [IMG]
  20. rjm Guru

    Which test is that Ward?
