TIPS Some devices getting through iptables HELP!

rchalk

Active Member
Joined
Feb 19, 2010
Messages
403
Reaction score
55
Last night my system was hacked, and I decided to re-install the whitelisted locations with TravelinMan3. However, I started with the command ./secure-iptables, and was surprised to find that several devices are getting through and connecting to the server, even though I haven't added any locations yet. Several are OBi ATAs, but a few are Aastra 6757i phones.

Can anyone help me figure this out? I think this is the way the hacker was able to gain access, but I'm not sure.

Are there any other files which somehow might add accepted rules to the firewall?

Thanks for any suggestions
 

rchalk

Active Member
Joined
Feb 19, 2010
Messages
403
Reaction score
55
If I run that right after ./secure-iptables, all I see are the entries for the trusted providers, and my own IP address, as well as the local addresses at the end. The addresses of the devices connecting to the server are not included in the listing. I just ran it again, and other than my own devices at home, there are three OBI units, and two phones connected from addresses that are not in iptables. Can I run some sort of Reject ALL at the top, and then the Accept rules following that? Would that be a good idea? I do know that when I created a Reject rule for the IP that had mimicked one of my extensions, the connection disappeared.
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,168
Reaction score
5,199
Where is your server and what is your platform? Does the Asterisk call log actually show an IP address for the intruder? This address obviously should never appear in the iptables -nL listing.

Please tell me what this means and how you know: "several devices are getting through, and connecting to the server."
 

rchalk

Active Member
Joined
Feb 19, 2010
Messages
403
Reaction score
55
This is a server at RentPBX, and it is Centos 5.5, Asterisk .4.41, FreePBX 2.9.0.15. The caller was logged on as an extension, and I was able to see the IP address in the "peers" listing under Asterisk Info. This is also where I was able to see that several devices were connected, even though the IP addresses were not white-listed at the time.

Since I re-did all the Add-IP and add-fqdn, there are still a few attempts, although not the same. These show an IP address in the call reports, although they did not complete. The offending IPs are 211.39.147.185 and 52.16.31.100, but I can't find out where these are...
 

MGD4me

Guru
Joined
Feb 3, 2009
Messages
505
Reaction score
109
IP address 52.16.31.100 is Amazon Technologies in Dublin, Ireland
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,168
Reaction score
5,199
That is very old and probably vulnerable software across the board. I would ask the RentPBX folks to build you a new Incredible PBX server with the latest security fixes... after you write down your current FreePBX settings.
 

jerrm

Guru
Joined
Sep 23, 2015
Messages
838
Reaction score
405
I decided to re-install the whitelisted locations with TravelinMan3.
What state did you take the system back to before re-installing the locations?

Is the "secure-iptables" script the one from here: http://incrediblepbx.com/travelinman3.tar.gz ?

Are there fqdn's in /etc/sysconfig/iptables?

Iptables is open for some minimal seconds at boot if fqdn's are included in the boot rules. Minimal, but potentially more than enough time for existing, actively retrying endpoints (or hacks) to connect.
 

rchalk

Active Member
Joined
Feb 19, 2010
Messages
403
Reaction score
55
The problems I have with an update are these:
1-I have a server with Incredible 12, and I figured out how to get the old Aastra scripts installed and running. However, the phones keep losing registration, and I don't know why.
2-I don't know a migration path that keeps settings, and I have over 60 phones in several different cities, which would need to be manually set up the first time (this one I can get others to do)
3-I have over 100 inbound routes, to accommodate special customer/location/area code rules, which will take several hours to set up.

If I can find out the solution to question 1, I can deal with the other two - eventually...

There are approximately 32 entries in TravelinMan 3, and only about 7 are static IP. All the rest are fqdn.
 

rchalk

Active Member
Joined
Feb 19, 2010
Messages
403
Reaction score
55
Just to follow up, I tried to install the current (?) version of the TravelinMan3 from your May 21 2014 page on security, and the process failed at yum -y install bind-utils, with the error "Error performing checksum"
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,168
Reaction score
5,199
This is a server at RentPBX, and it is Centos 5.5, Asterisk .4.41, FreePBX 2.9.0.15. The caller was logged on as an extension, and I was able to see the IP address in the "peers" listing under Asterisk Info. This is also where I was able to see that several devices were connected, even though the IP addresses were not white-listed at the time.

Since I re-did all the Add-IP and add-fqdn, there are still a few attempts, although not the same. These show an IP address in the call reports, although they did not complete. The offending IPs are 211.39.147.185 and 52.16.31.100, but I can't find out where these are...

Open /etc/sysconfig/iptables, find the line:
Code:
-A INPUT -i lo -j ACCEPT

Just below that line, insert the following:

Code:
-A INPUT -s 211.39.147.185 -j DROP
-A INPUT -s 52.16.31.100 -j DROP

Save the file and restart IPtables: iptables-restart

Check your logs regularly. Something is seriously wrong with your firewall setup!!

I would start planning for a migration immediately!!!
 
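An added example (not code from the thread or from TravelinMan3) that checks a ruleset for the two points raised above: jerrm's question about host names in /etc/sysconfig/iptables, which iptables resolves only when the rules are loaded, and wardmundy's placement of the DROP lines directly below the loopback ACCEPT, ahead of any broad ACCEPT. The sample ruleset is constructed; office.example.net and 192.0.2.10 are hypothetical, the two DROP addresses are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: audit an iptables-save style ruleset such as
# /etc/sysconfig/iptables for (1) "-s" values that are host names, which iptables
# resolves once at load time (jerrm's boot-time window), and (2) per-source DROP
# rules placed after a broad ACCEPT such as RELATED,ESTABLISHED, which is why the
# advice above inserts DROPs directly below the "-i lo" line.
# Constructed sample ruleset. office.example.net and 192.0.2.10 are hypothetical;
# the two DROP addresses are the ones quoted in the thread.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 211.39.147.185 -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s office.example.net -p udp --dport 5060 -j ACCEPT
-A INPUT -s 192.0.2.10 -p udp --dport 5060 -j ACCEPT
-A INPUT -s 52.16.31.100 -j DROP
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Count INPUT rules whose -s value is not a dotted-quad address or CIDR prefix.
count_fqdn_sources() {
    printf '%s\n' "$1" | awk '
        /^-A INPUT / { for (i = 1; i < NF; i++)
            if ($i == "-s" && $(i+1) !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9]+)?$/) n++ }
        END { print n + 0 }'
}

# Count per-source DROP rules in INPUT that follow an ACCEPT with no -s restriction
# (the loopback "-i lo" rule is excluded because it only matches local traffic).
count_shadowed_drops() {
    printf '%s\n' "$1" | awk '
        /^-A INPUT / && /-j ACCEPT/ && !/ -s / && !/ -i lo / { broad = 1 }
        /^-A INPUT / && / -s / && /-j DROP/ && broad { n++ }
        END { print n + 0 }'
}

# Print both findings for a ruleset given as a string.
audit_rules() {
    printf 'host-name sources in INPUT:            %s\n' "$(count_fqdn_sources "$1")"
    printf 'DROP rules placed after a broad ACCEPT: %s\n' "$(count_shadowed_drops "$1")"
}

if [ "$#" -gt 0 ]; then
    audit_rules "$(cat "$1")"      # e.g. ./audit.sh /etc/sysconfig/iptables
else
    audit_rules "$SAMPLE_RULES"    # no argument: audit the constructed sample
fi
```

Run it against the live file to see whether any whitelist entry is a host name and whether a block rule sits where established flows bypass it; a shadowed DROP also explains why an endpoint that was already registered keeps connecting until its flow is torn down.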
Joined
Nov 14, 2008
Messages
1,398
Reaction score
320
This is a server at RentPBX, and it is Centos 5.5, Asterisk .4.41, FreePBX 2.9.0.15. The caller was logged on as an extension, and I was able to see the IP address in the "peers" listing under Asterisk Info. This is also where I was able to see that several devices were connected, even though the IP addresses were not white-listed at the time.

Since I re-did all the Add-IP and add-fqdn, there are still a few attempts, although not the same. These show an IP address in the call reports, although they did not complete. The offending IPs are 211.39.147.185 and 52.16.31.100, but I can't find out where these are...
The first IP is Korea

https://www.ultratools.com/tools/ipWhoisLookup
 

progs_00

Active Member
Joined
Jan 6, 2014
Messages
132
Reaction score
37
Hi rchalk

First of all, I'm sorry you got hacked. Hope the bill was not huge.
Second, thank you for letting us know. It's important we get reminded that it can happen to anyone and that security is top priority for any PBX owner.
Other than that, the first address that entered your system is a Korean IP which is also included in some blacklists online, probably because of the sheer number of hacking attempts already performed.
Now, what I would do if I were you: save an image of your hacked system in order to analyze it and see how the hack happened, although my guess is through a vulnerability, since your Asterisk version has confirmed, medium risk vulnerabilities.
Safest thing to do: document your system if you haven't done so already (routes, extensions, etc.) and wipe everything clean. Then use the latest Asterisk with IncredibleGUI and set it up again. It's hard work, but you will be sure that your system is clean and doesn't contain something the hacker left behind (tampered files, backdoors, malicious scripts, etc.).
One more thing. I understand that your system is a production system and it has to be stable, so you can't really upgrade it continuously. However, try to stay in pace at least with the minor upgrades, and once a system is EOL you should start to work on an upgrade path. 1.4 has been declared EOL in mid 2012, and in 4 years computing has increased (easier brute-forcing) and hacking tools got better. You instead got left behind with a vulnerable system.
Sorry to sound so pedantic, and please don't take any offense. I'm saying all this because we also have incredible tools in our hands with excellent security measures (like IncrediblePBX, which is light years ahead security-wise compared to other famous Asterisk distros), but we must always remember to stay alert and NOT fall behind. It really pains me to see hacked boxes and hard earned money thrown down the drain for nothing.
Hope you sort this out in the best way possible.
Regards

Edit: It was a long post, so the gentlemen above beat me in time with their suggestions
 

phonebuff

Guru
Joined
Feb 7, 2008
Messages
1,115
Reaction score
129
@rchalk,

Two links you might want to review --
http://blog.ls20.com/securing-your-asterisk-voip-server-with-iptables/
http://pbxinaflash.com/community/threads/iptables-how-to-block-a-target-ip.14094/#post-90182

As far as migration goes, first you need to decide what you are migrating to --- I have used the bulk export / import features in the
past with FreePBX to move Extensions & Inbound Routing tables between major versions -

Or you can put some SQL together to export and import the basics and then apply any custom changes --

-------------------------
 

jerrm

Guru
Joined
Sep 23, 2015
Messages
838
Reaction score
405
Ideally a clean install would be best, but if not possible, get someone who can better determine what is really happening involved.

I could give a laundry list of steps to try, we could go back and forth and talk past each other as often happens in this type of communication and ultimately waste hours of time.

Chances are a skilled person with console access could determine the real issue in minutes and have a valid opinion if a rebuild really is the only valid option.

At the very least, boot with a truly secured firewall and build up your needed access in steps. For a production system, there will probably be some downtime.
 

rchalk

Active Member
Joined
Feb 19, 2010
Messages
403
Reaction score
55
Thank you all for your comments. First of all, the loss was about $100, so not catastrophic, just annoying. I did do a reset of the TravelinMan whitelist, as well as adding a couple of lines to block specific IP addresses to iptables, and things seem to be OK now. I still can't figure out how a few phones still manage to register though, even after I run "secure iptables" which should block everything except my own devices.

I am in the process of setting up a new server, using IncrediblePBX 12. This will take a few hours due to the sheer number of settings, but once done, I can get my customer's help to migrate the phones. Fortunately, I have all the phones pointing to a domain name, so all I have to do there is change the associated IP address, and have them restart the phones. Then they can enter the device number and password, and the phones will reconfigure, and things should be OK. I will keep the old one intact, so I will have a backup server ready in case of issues.

To phonebuff - if you can help me with the copying of the configurations between the two systems, I would really appreciate it. I am not familiar with the bulk import-export functions. Can you tell me where to look, or is this not included in the early versions?

Thanks again, everyone.
 

progs_00

Active Member
Joined
Jan 6, 2014
Messages
132
Reaction score
37
Hi rchalk
Great to hear the damage was contained.
I would advise you to change every phone password to a secure one using the new pseudo-random password generator of FreePBX, and since you are doing the dirty work, check the phone settings for something that might have slipped. Also, if you can, constrain the phone GUI to some basic settings so that users won't start fiddling with them.
Good idea on keeping the old server intact. What I usually do is keep it for a month, then convert it to a VMware image, and if the old PC is still good enough, I make a mirror of the new PC and install it to the old one. Better to have an old PC than no PC at all when the time comes (and it WILL come).
As far as the backups go, phonebuff can help you, but even if the bulk export option doesn't exist for your old system, you can export the necessary tables from MySQL (manually or with phpMyAdmin), check to see the differences between the old format and the new, make the changes and import. It's a little bit of work, but nothing terrible.

I'm wishing you good luck and stay safe
 

phonebuff

Guru
Joined
Feb 7, 2008
Messages
1,115
Reaction score
129
@rchalk --

Have you looked? I have an old version in my VM box with FreePBX 2.11.0 and it has Applications --> Bulk Extensions. Don't remember which version added similar features for Routes.

What options you have will be based on what combinations of components you are working with --

If you want to do it with custom SQL / CSV files then look at mysql - for copy to csv or post a bounty to get someone to do it for you..

===============
 
