Cursos Asterisk en México

Firewall en Asterisk

Colapsar

Anuncio

Colapsar
No hay anuncio todavía.
X
 
  • Filtrar
  • Tiempo
  • Mostrar
Limpiar Todo
nuevos mensajes

  • Firewall en Asterisk

    Estimados todos

    Yo quiero proteger mi servidor asterisk ya que he tenido ataques extranjeros muy peligrosos ya que sacan llamadas a países de Europa y Africa, que opciones me recomiendan para protegerlo

  • #2
    Re: Firewall en Asterisk

    Luis,

    Precisamente el día de hoy he publicado la primera de tres entregas con referencia al modelo de seguridad en Asterisk.

    Si tan solo aplicas lo que viene mencionado en http://asteriskmx.com/2012/03/modelo...-parte-1-de-3/ incrementarás increiblemente la seguridad con la que cuentan.

    Espero el miércoles tener lista la segunda parte, que se referirá a la seguridad desde adentro del sistema, la cual también es sumamente importante.

    Saludos,
    dCAP Christian Cabrera R.
    Para aprender a usar Asterisk, asiste a uno de mis cursos Asterisk
    Si deseas asesoría pagada, por favor contáctame

    Comentario


    • #3
      Re: Firewall en Asterisk

      Muchas gracias Christian lo revisare en este momento

      Comentario


      • #4
        Hola,

        Retomando el tema les comento que mi Asterisk fue hackeado e hicieron llamadas a África y Europa. Afortunadamente el consumo no fue tan grande, aprox 8 mil pesos y al parecer Telmex condonara la deuda debido a que fue robo de la línea.

        Aplique todas las recomendaciones que sugiere Christian en sus artículos de seguridad y con eso he evitado mas ataques/modificaciones en mi Asterisk. Adicional instale el programa Fail2Ban y aplique el filtro que sugiere Christian para SIP y otro para conexiones ssh,

        Solo que tengo una duda en el log /var/log/secure, depsués del ataque modifique el password del root que también se refleja en el log. Lo dejo a continuación:

        Nov 26 04:02:03 elastix runuser: pam_unix(runuser-l:session): session opened for
        user cyrus by (uid=0)
        Nov 26 04:02:03 elastix runuser: pam_unix(runuser-l:session): session closed for
        user cyrus
        Nov 27 04:02:03 elastix runuser: pam_unix(runuser-l:session): session opened for
        user cyrus by (uid=0)
        Nov 27 04:02:03 elastix runuser: pam_unix(runuser-l:session): session closed for
        user cyrus
        Nov 28 04:02:04 elastix runuser: pam_unix(runuser-l:session): session opened for
        user cyrus by (uid=0)
        Nov 28 04:02:04 elastix runuser: pam_unix(runuser-l:session): session closed for
        user cyrus
        Nov 28 16:15:04 elastix sshd[29051]: Did not receive identification string from
        41.131.96.66
        Nov 28 16:16:32 elastix sshd[29056]: Protocol major versions differ for UNKNOWN:
        SSH-2.0-OpenSSH_4.3 vs. SSH-1.5-NmapNSE_1.0
        Nov 28 16:16:32 elastix sshd[29057]: Protocol major versions differ for UNKNOWN:
        SSH-2.0-OpenSSH_4.3 vs. SSH-1.5-Nmap-SSH1-Hostkey
        Nov 28 16:16:36 elastix sshd[29061]: Connection closed by 41.131.96.66
        Nov 28 16:16:36 elastix sshd[29059]: Connection closed by 41.131.96.66
        Nov 28 16:43:20 elastix sshd[29241]: Did not receive identification string from
        UNKNOWN
        Nov 28 17:10:16 elastix sshd[29849]: Did not receive identification string from
        UNKNOWN
        Nov 28 17:10:51 elastix sshd[29863]: Did not receive identification string from
        UNKNOWN
        Nov 28 17:40:48 elastix sshd[30152]: Did not receive identification string from
        UNKNOWN
        Nov 28 17:41:01 elastix sshd[30166]: Did not receive identification string from
        UNKNOWN
        Nov 28 17:41:12 elastix sshd[30181]: Did not receive identification string from
        UNKNOWN
        Nov 28 17:45:31 elastix sshd[30223]: Did not receive identification string from
        UNKNOWN
        Nov 28 17:48:59 elastix sshd[30282]: Did not receive identification string from
        UNKNOWN
        Nov 28 17:50:11 elastix sshd[30309]: Did not receive identification string from
        UNKNOWN
        Nov 28 17:50:24 elastix sshd[30320]: Did not receive identification string from
        UNKNOWN
        Nov 28 17:51:30 elastix sshd[30339]: Did not receive identification string from
        UNKNOWN
        Nov 28 17:53:37 elastix sshd[30360]: Did not receive identification string from
        UNKNOWN
        Nov 28 17:54:02 elastix sshd[30375]: Did not receive identification string from
        UNKNOWN
        Nov 28 17:58:09 elastix sshd[30451]: Did not receive identification string from
        UNKNOWN
        Nov 28 18:03:11 elastix sshd[30523]: Did not receive identification string from
        UNKNOWN
        Nov 28 18:05:25 elastix sshd[30567]: Did not receive identification string from
        UNKNOWN
        Nov 29 04:02:05 elastix runuser: pam_unix(runuser-l:session): session opened for
        user cyrus by (uid=0)
        Nov 29 04:02:05 elastix runuser: pam_unix(runuser-l:session): session closed for
        user cyrus
        Nov 29 09:21:46 elastix sshd[4209]: pam_unix(sshd:auth): authentication failure;
        logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.190 user=root
        Nov 29 09:21:47 elastix sshd[4209]: Failed password for root from 192.168.1.190
        port 49892 ssh2
        Nov 29 09:21:59 elastix sshd[4209]: Accepted password for root from 192.168.1.19
        0 port 49892 ssh2
        Nov 29 09:21:59 elastix sshd[4209]: pam_unix(sshd:session): session opened for u
        ser root by (uid=0)
        Nov 29 09:21:59 elastix sshd[4209]: subsystem request for sftp
        Nov 29 10:04:09 elastix sshd[4209]: Received disconnect from 192.168.1.190: 11:
        User exit
        Nov 29 10:04:09 elastix sshd[4209]: pam_unix(sshd:session): session closed for u
        ser root
        Nov 29 11:01:29 elastix sudo: uucp : TTY=unknown ; PWD=/var/spool/hylafax ;
        USER=root ; COMMAND=/bin/chmod 777 -R /var/www/html/faxes/recvd
        Nov 29 11:01:29 elastix sudo: uucp : TTY=unknown ; PWD=/var/spool/hylafax ;
        USER=root ; COMMAND=/bin/chmod 777 -R /var/www/html/faxes/recvd
        Nov 29 14:21:08 elastix sshd[6790]: Did not receive identification string from U
        NKNOWN
        Nov 29 14:22:55 elastix sshd[6838]: Did not receive identification string from U
        NKNOWN
        Nov 29 16:07:40 elastix sudo: asterisk : TTY=unknown ; PWD=/var/www/html ; USER=
        root ; COMMAND=/usr/bin/nmap -sP -n 192.168.1.0/24
        Nov 29 17:44:20 elastix sshd[9174]: Accepted password for root from 192.168.1.19
        0 port 58573 ssh2
        Nov 29 17:44:20 elastix sshd[9174]: pam_unix(sshd:session): session opened for u
        ser root by (uid=0)
        Nov 29 17:44:20 elastix sshd[9174]: subsystem request for sftp
        Nov 29 17:46:54 elastix passwd: pam_unix(passwd:chauthtok): password changed for
        root
        Nov 29 17:47:21 elastix sshd[9174]: Received disconnect from 192.168.1.190: 11:
        User exit
        Nov 29 17:47:21 elastix sshd[9174]: pam_unix(sshd:session): session closed for u
        ser root
        Nov 29 17:47:40 elastix sshd[9278]: Accepted password for root from 192.168.1.19
        0 port 58601 ssh2
        Nov 29 17:47:40 elastix sshd[9278]: pam_unix(sshd:session): session opened for u
        ser root by (uid=0)
        Nov 29 17:47:40 elastix sshd[9278]: subsystem request for sftp
        Nov 29 17:47:47 elastix sshd[9278]: Received disconnect from 192.168.1.190: 11:
        User exit
        Nov 29 17:47:47 elastix sshd[9278]: pam_unix(sshd:session): session closed for u
        ser root
        Nov 30 04:02:05 elastix runuser: pam_unix(runuser-l:session): session opened for
        user cyrus by (uid=0)
        Nov 30 04:02:05 elastix runuser: pam_unix(runuser-l:session): session closed for
        user cyrus
        Nov 30 10:39:47 elastix sshd[15897]: Accepted password for root from 192.168.1.1
        90 port 51162 ssh2
        Nov 30 10:39:47 elastix sshd[15897]: pam_unix(sshd:session): session opened for
        user root by (uid=0)
        Nov 30 10:39:47 elastix sshd[15897]: subsystem request for sftp
        Nov 30 11:54:02 elastix sshd[16551]: Did not receive identification string from
        UNKNOWN

        Lo que puedo entender es que se han abiero y cerrado sesiones con un usuario Cyrus. Lo busque y dice lo siguiente:

        cyrus:x:76:12:Cyrus IMAP Server:/var/lib/imap:/bin/bash

        Adicional en el server de Asterisk tengo un CRM (Sugar) que envía correos en ciertas casos. Las conexiones de dicho usuario se deben al envío de correos?

        Tengo conexiones desde 41.131.96.66 que imagino que es del intruso. Y la duda es sobre como saber la dirección IP y en que afecta los comando ejecutados de las lineas siguientes, debido a que yo no los realicé

        Nov 28 16:16:32 elastix sshd[29056]: Protocol major versions differ for UNKNOWN:
        SSH-2.0-OpenSSH_4.3 vs. SSH-1.5-NmapNSE_1.0
        Nov 28 16:16:32 elastix sshd[29057]: Protocol major versions differ for UNKNOWN:
        SSH-2.0-OpenSSH_4.3 vs. SSH-1.5-Nmap-SSH1-Hostkey
        Nov 29 11:01:29 elastix sudo: uucp : TTY=unknown ; PWD=/var/spool/hylafax ;
        USER=root ; COMMAND=/bin/chmod 777 -R /var/www/html/faxes/recvd
        Nov 29 11:01:29 elastix sudo: uucp : TTY=unknown ; PWD=/var/spool/hylafax ;
        USER=root ; COMMAND=/bin/chmod 777 -R /var/www/html/faxes/recvd
        Nov 29 14:21:08 elastix sshd[6790]: Did not receive identification string from U
        NKNOWN

        Alguna recomendación adicional para evitar futuros ataques?

        Saludos y gracias.

        Comentario

        Nube de Etiquetas

        Colapsar

        Principales Usuarios Activos

        Colapsar

        No hay usuarios activos superiores.
        Trabajando...
        X