Cursos Asterisk en México

Firewall in Asterisk


  • Firewall in Asterisk

    Dear all,

    I want to protect my Asterisk server, since I have suffered very dangerous attacks from abroad in which calls are placed to countries in Europe and Africa. What options do you recommend to protect it?

  • #2
    Re: Firewall in Asterisk

    Luis,

    Just today I published the first of three installments on the Asterisk security model.

    If you only apply what is described at http://asteriskmx.com/2012/03/modelo...-parte-1-de-3/ you will greatly increase the security you have.

    I hope to have the second part ready on Wednesday; it will cover security from inside the system, which is also extremely important.

    Regards,
    dCAP Christian Cabrera R.
    To learn how to use Asterisk, attend one of my Asterisk courses
    If you want paid consulting, please contact me



    • #3
      Re: Firewall in Asterisk

      Thank you very much, Christian. I will review it right now.



      • #4
        Hello,

        Coming back to this topic, I can tell you that my Asterisk was hacked and calls were made to Africa and Europe. Fortunately the cost was not that large, about 8 thousand pesos, and it seems Telmex will waive the debt because it was theft of the line.

        I applied all the recommendations Christian gives in his security articles, and with that I have avoided further attacks/modifications on my Asterisk. In addition, I installed Fail2Ban and applied the filter Christian suggests for SIP and another one for ssh connections.

        I just have a question about the log /var/log/secure. After the attack I changed the root password, which also shows up in the log. I paste it below:

        Nov 26 04:02:03 elastix runuser: pam_unix(runuser-l:session): session opened for user cyrus by (uid=0)
        Nov 26 04:02:03 elastix runuser: pam_unix(runuser-l:session): session closed for user cyrus
        Nov 27 04:02:03 elastix runuser: pam_unix(runuser-l:session): session opened for user cyrus by (uid=0)
        Nov 27 04:02:03 elastix runuser: pam_unix(runuser-l:session): session closed for user cyrus
        Nov 28 04:02:04 elastix runuser: pam_unix(runuser-l:session): session opened for user cyrus by (uid=0)
        Nov 28 04:02:04 elastix runuser: pam_unix(runuser-l:session): session closed for user cyrus
        Nov 28 16:15:04 elastix sshd[29051]: Did not receive identification string from 41.131.96.66
        Nov 28 16:16:32 elastix sshd[29056]: Protocol major versions differ for UNKNOWN: SSH-2.0-OpenSSH_4.3 vs. SSH-1.5-NmapNSE_1.0
        Nov 28 16:16:32 elastix sshd[29057]: Protocol major versions differ for UNKNOWN: SSH-2.0-OpenSSH_4.3 vs. SSH-1.5-Nmap-SSH1-Hostkey
        Nov 28 16:16:36 elastix sshd[29061]: Connection closed by 41.131.96.66
        Nov 28 16:16:36 elastix sshd[29059]: Connection closed by 41.131.96.66
        Nov 28 16:43:20 elastix sshd[29241]: Did not receive identification string from UNKNOWN
        Nov 28 17:10:16 elastix sshd[29849]: Did not receive identification string from UNKNOWN
        Nov 28 17:10:51 elastix sshd[29863]: Did not receive identification string from UNKNOWN
        Nov 28 17:40:48 elastix sshd[30152]: Did not receive identification string from UNKNOWN
        Nov 28 17:41:01 elastix sshd[30166]: Did not receive identification string from UNKNOWN
        Nov 28 17:41:12 elastix sshd[30181]: Did not receive identification string from UNKNOWN
        Nov 28 17:45:31 elastix sshd[30223]: Did not receive identification string from UNKNOWN
        Nov 28 17:48:59 elastix sshd[30282]: Did not receive identification string from UNKNOWN
        Nov 28 17:50:11 elastix sshd[30309]: Did not receive identification string from UNKNOWN
        Nov 28 17:50:24 elastix sshd[30320]: Did not receive identification string from UNKNOWN
        Nov 28 17:51:30 elastix sshd[30339]: Did not receive identification string from UNKNOWN
        Nov 28 17:53:37 elastix sshd[30360]: Did not receive identification string from UNKNOWN
        Nov 28 17:54:02 elastix sshd[30375]: Did not receive identification string from UNKNOWN
        Nov 28 17:58:09 elastix sshd[30451]: Did not receive identification string from UNKNOWN
        Nov 28 18:03:11 elastix sshd[30523]: Did not receive identification string from UNKNOWN
        Nov 28 18:05:25 elastix sshd[30567]: Did not receive identification string from UNKNOWN
        Nov 29 04:02:05 elastix runuser: pam_unix(runuser-l:session): session opened for user cyrus by (uid=0)
        Nov 29 04:02:05 elastix runuser: pam_unix(runuser-l:session): session closed for user cyrus
        Nov 29 09:21:46 elastix sshd[4209]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.190 user=root
        Nov 29 09:21:47 elastix sshd[4209]: Failed password for root from 192.168.1.190 port 49892 ssh2
        Nov 29 09:21:59 elastix sshd[4209]: Accepted password for root from 192.168.1.190 port 49892 ssh2
        Nov 29 09:21:59 elastix sshd[4209]: pam_unix(sshd:session): session opened for user root by (uid=0)
        Nov 29 09:21:59 elastix sshd[4209]: subsystem request for sftp
        Nov 29 10:04:09 elastix sshd[4209]: Received disconnect from 192.168.1.190: 11: User exit
        Nov 29 10:04:09 elastix sshd[4209]: pam_unix(sshd:session): session closed for user root
        Nov 29 11:01:29 elastix sudo: uucp : TTY=unknown ; PWD=/var/spool/hylafax ; USER=root ; COMMAND=/bin/chmod 777 -R /var/www/html/faxes/recvd
        Nov 29 11:01:29 elastix sudo: uucp : TTY=unknown ; PWD=/var/spool/hylafax ; USER=root ; COMMAND=/bin/chmod 777 -R /var/www/html/faxes/recvd
        Nov 29 14:21:08 elastix sshd[6790]: Did not receive identification string from UNKNOWN
        Nov 29 14:22:55 elastix sshd[6838]: Did not receive identification string from UNKNOWN
        Nov 29 16:07:40 elastix sudo: asterisk : TTY=unknown ; PWD=/var/www/html ; USER=root ; COMMAND=/usr/bin/nmap -sP -n 192.168.1.0/24
        Nov 29 17:44:20 elastix sshd[9174]: Accepted password for root from 192.168.1.190 port 58573 ssh2
        Nov 29 17:44:20 elastix sshd[9174]: pam_unix(sshd:session): session opened for user root by (uid=0)
        Nov 29 17:44:20 elastix sshd[9174]: subsystem request for sftp
        Nov 29 17:46:54 elastix passwd: pam_unix(passwd:chauthtok): password changed for root
        Nov 29 17:47:21 elastix sshd[9174]: Received disconnect from 192.168.1.190: 11: User exit
        Nov 29 17:47:21 elastix sshd[9174]: pam_unix(sshd:session): session closed for user root
        Nov 29 17:47:40 elastix sshd[9278]: Accepted password for root from 192.168.1.190 port 58601 ssh2
        Nov 29 17:47:40 elastix sshd[9278]: pam_unix(sshd:session): session opened for user root by (uid=0)
        Nov 29 17:47:40 elastix sshd[9278]: subsystem request for sftp
        Nov 29 17:47:47 elastix sshd[9278]: Received disconnect from 192.168.1.190: 11: User exit
        Nov 29 17:47:47 elastix sshd[9278]: pam_unix(sshd:session): session closed for user root
        Nov 30 04:02:05 elastix runuser: pam_unix(runuser-l:session): session opened for user cyrus by (uid=0)
        Nov 30 04:02:05 elastix runuser: pam_unix(runuser-l:session): session closed for user cyrus
        Nov 30 10:39:47 elastix sshd[15897]: Accepted password for root from 192.168.1.190 port 51162 ssh2
        Nov 30 10:39:47 elastix sshd[15897]: pam_unix(sshd:session): session opened for user root by (uid=0)
        Nov 30 10:39:47 elastix sshd[15897]: subsystem request for sftp
        Nov 30 11:54:02 elastix sshd[16551]: Did not receive identification string from UNKNOWN

        What I can make out is that sessions have been opened and closed with a user Cyrus. I looked it up and it says the following:

        cyrus:x:76:12:Cyrus IMAP Server:/var/lib/imap:/bin/bash

        Additionally, on the Asterisk server I have a CRM (Sugar) that sends emails in certain cases. Are that user's connections due to the sending of emails?

        I have connections from 41.131.96.66, which I imagine belongs to the intruder. My question is how to find out the IP address, and what effect the commands executed in the following lines have, since I did not run them:

        Nov 28 16:16:32 elastix sshd[29056]: Protocol major versions differ for UNKNOWN: SSH-2.0-OpenSSH_4.3 vs. SSH-1.5-NmapNSE_1.0
        Nov 28 16:16:32 elastix sshd[29057]: Protocol major versions differ for UNKNOWN: SSH-2.0-OpenSSH_4.3 vs. SSH-1.5-Nmap-SSH1-Hostkey
        Nov 29 11:01:29 elastix sudo: uucp : TTY=unknown ; PWD=/var/spool/hylafax ; USER=root ; COMMAND=/bin/chmod 777 -R /var/www/html/faxes/recvd
        Nov 29 11:01:29 elastix sudo: uucp : TTY=unknown ; PWD=/var/spool/hylafax ; USER=root ; COMMAND=/bin/chmod 777 -R /var/www/html/faxes/recvd
        Nov 29 14:21:08 elastix sshd[6790]: Did not receive identification string from UNKNOWN

        Any additional recommendation to prevent future attacks?

        Regards and thanks.
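        A defender-side way to triage the /var/log/secure excerpt in this post, added here as an example that is not part of the thread: it groups sshd events by peer address, pulls out root logins and the client banner of whatever probed port 22, flags sudo use by service accounts, and counts the daily runuser sessions the poster asks about. The SERVICE_ACCOUNTS set is an assumption for a typical Elastix box; the sample lines are copied from the log above.

```python
import re
from collections import Counter, defaultdict
# Message shapes from /var/log/secure as seen in the thread (syslog "Mon DD HH:MM:SS host prog: ...").
TS = r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ "
PATTERNS = {
    "ssh_no_ident": re.compile(TS + r"sshd\[\d+\]: Did not receive identification string from (?P<src>\S+)"),
    "ssh_probe": re.compile(TS + r"sshd\[\d+\]: Protocol major versions differ for (?P<src>[^:]+): .* vs\. (?P<client>\S+)"),
    "ssh_failed": re.compile(TS + r"sshd\[\d+\]: Failed password for (?P<user>\S+) from (?P<src>\S+)"),
    "ssh_accepted": re.compile(TS + r"sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<src>\S+)"),
    "sudo": re.compile(TS + r"sudo: +(?P<user>\S+) : .*COMMAND=(?P<cmd>.*)$"),
    "runuser": re.compile(TS + r"runuser: pam_unix\(runuser-l:session\): session opened for user (?P<user>\S+)"),
}
# Accounts that should never need sudo on a PBX (assumption: list fits a typical Elastix box).
SERVICE_ACCOUNTS = {"uucp", "asterisk", "cyrus", "apache", "mysql"}

def triage(lines):
    s = {"by_source": defaultdict(Counter), "probe_clients": [], "root_logins": [],
         "sudo_by_service_account": [], "runuser_sessions": Counter()}
    for line in lines:
        for kind, rx in PATTERNS.items():
            m = rx.match(line.strip())
            if not m:
                continue
            d = m.groupdict()
            if "src" in d:                      # every sshd event is attributed to its peer address
                s["by_source"][d["src"]][kind] += 1
            if kind == "ssh_probe":             # the client banner names the scanner that connected
                s["probe_clients"].append(d["client"])
            elif kind == "ssh_accepted" and d["user"] == "root":
                s["root_logins"].append((d["ts"], d["src"]))
            elif kind == "sudo" and d["user"] in SERVICE_ACCOUNTS:
                s["sudo_by_service_account"].append((d["ts"], d["user"], d["cmd"]))
            elif kind == "runuser":             # same user, same minute each day: cron, not a login
                s["runuser_sessions"][d["user"]] += 1
            break
    return s
# Constructed sample: a handful of lines copied from the log quoted in the thread.
SAMPLE_LINES = """\
Nov 28 04:02:04 elastix runuser: pam_unix(runuser-l:session): session opened for user cyrus by (uid=0)
Nov 28 16:15:04 elastix sshd[29051]: Did not receive identification string from 41.131.96.66
Nov 28 16:16:32 elastix sshd[29056]: Protocol major versions differ for UNKNOWN: SSH-2.0-OpenSSH_4.3 vs. SSH-1.5-NmapNSE_1.0
Nov 28 16:43:20 elastix sshd[29241]: Did not receive identification string from UNKNOWN
Nov 29 09:21:47 elastix sshd[4209]: Failed password for root from 192.168.1.190 port 49892 ssh2
Nov 29 09:21:59 elastix sshd[4209]: Accepted password for root from 192.168.1.190 port 49892 ssh2
Nov 29 11:01:29 elastix sudo: uucp : TTY=unknown ; PWD=/var/spool/hylafax ; USER=root ; COMMAND=/bin/chmod 777 -R /var/www/html/faxes/recvd
""".splitlines()
if __name__ == "__main__":
    for key, value in triage(SAMPLE_LINES).items():
        print(key, dict(value) if isinstance(value, dict) else value)
```

        Run against the full file with `triage(open("/var/log/secure").readlines())`; a peer that only ever produces ssh_no_ident and ssh_probe entries never authenticated, which is the distinction the poster is after.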
