Remote attacker keeps registering

jfalling

Joined
Apr 11, 2011
Messages
2
Likes
0
Points
0
#1
A few days ago someone brute-forced a couple of extensions on a box running Elastix 1.6.2-2x.
After finding this I changed all of the extension secrets (to 10+ alpha-numeric characters) and installed fail2ban.
A day or so later I found the attacker registered again and the logs showed only three login attempts. The first two failed and the third succeeded, which made me wonder whether they were using an exploit. I changed the secrets again and applied the few updates that were available.

Come Monday I found they registered again over the weekend and I ended up blocking the /8 they are coming from.

The box is on the public internet and the passwords for the shell accounts, Elastix UI, and FreePBX were all changed before the box was put into service.

Have any of you experienced this issue before? If so, did you find what the cause of the problem was or a solution?


Thank you,

Jeremy
 

DaveD

Joined
Nov 12, 2007
Messages
597
Likes
0
Points
16
#2
The solution is to install the CSF firewall and Webmin.
There is a guide in the latest Elastix Without Tears on how to set it up.
 

jfalling

Joined
Apr 11, 2011
Messages
2
Likes
0
Points
0
#3
Thanks for your reply.

I was wondering more if there are any known current exploits that an attacker could use to authenticate with an extension without brute forcing an extension.

The first time the attacker was running a true brute force; however, each time since then they have gained entry with only one or two failed attempts before they authenticated. With passwords such as "sk39b42a34nvs34s", it is highly unlikely that they could guess the password after three tries.

I can easily block IP ranges that shouldn't connect to the server, but if there is an underlying security issue I would much rather patch the hole than put a piece of plywood over it.


Thank you,

Jeremy
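The pattern Jeremy describes (one or two failed REGISTER attempts from a source, then a success) is something a defender can pick out of the Asterisk log even when fail2ban's threshold is never reached. The following script is an added example and is not code from this thread, Elastix, or Asterisk. It parses log lines in the style of Asterisk's chan_sip "Registration from ... failed for ..." and "Registered SIP ... at ..." messages (the regular expressions are an assumption; adjust them to what your own /var/log/asterisk/full actually contains), counts failures per source address, and flags any successful registration that was preceded by failures from the same source or that came from outside the networks you expect phones to register from. The log lines and addresses below are constructed for the example.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Patterns modelled on Asterisk chan_sip messages (assumption: tune to your log format).
# Failure line: Registration from '<peer>' failed for '<ip>[:port]' - <reason>
FAILED_RE = re.compile(
    r"Registration from '(?P<peer>[^']*)' failed for "
    r"'(?P<ip>\d+\.\d+\.\d+\.\d+)(?::\d+)?' - (?P<reason>.+)$"
)
# Success line (verbose output): Registered SIP '<ext>' at <ip>:<port>
SUCCESS_RE = re.compile(
    r"Registered SIP '(?P<ext>[^']+)' at (?P<ip>\d+\.\d+\.\d+\.\d+):\d+"
)

# Constructed sample log: two failures then a success from 203.0.113.5,
# a clean registration from the office LAN, and a noisy scanner that never gets in.
SAMPLE_LOG = """\
[Apr 11 08:12:01] NOTICE[2411] chan_sip.c: Registration from '"201" <sip:201@pbx.example>' failed for '203.0.113.5' - Wrong password
[Apr 11 08:12:02] NOTICE[2411] chan_sip.c: Registration from '"201" <sip:201@pbx.example>' failed for '203.0.113.5' - Wrong password
[Apr 11 08:12:03] VERBOSE[2411] chan_sip.c:     -- Registered SIP '201' at 203.0.113.5:5060
[Apr 11 08:15:40] VERBOSE[2411] chan_sip.c:     -- Registered SIP '202' at 192.0.2.25:5060
[Apr 11 09:01:10] NOTICE[2411] chan_sip.c: Registration from '"100" <sip:100@pbx.example>' failed for '198.51.100.7' - No matching peer found
[Apr 11 09:01:11] NOTICE[2411] chan_sip.c: Registration from '"101" <sip:101@pbx.example>' failed for '198.51.100.7' - No matching peer found
[Apr 11 09:01:12] NOTICE[2411] chan_sip.c: Registration from '"102" <sip:102@pbx.example>' failed for '198.51.100.7' - No matching peer found
[Apr 11 09:01:13] NOTICE[2411] chan_sip.c: Registration from '"103" <sip:103@pbx.example>' failed for '198.51.100.7' - No matching peer found
[Apr 11 09:01:14] NOTICE[2411] chan_sip.c: Registration from '"104" <sip:104@pbx.example>' failed for '198.51.100.7:5060' - No matching peer found
"""


def analyze(lines, allowed_networks):
    """Walk the log in order. Return (alerts, failures):
    alerts   - successful registrations worth a look, with the reasons why
    failures - failed-registration count per source address
    """
    allowed = [ip_network(n) for n in allowed_networks]
    failures = Counter()  # Counter returns 0 for unseen keys without inserting them
    alerts = []
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            failures[m.group("ip")] += 1
            continue
        m = SUCCESS_RE.search(line)
        if not m:
            continue
        ip, ext = m.group("ip"), m.group("ext")
        reasons = []
        if failures[ip]:
            reasons.append(f"{failures[ip]} failed attempt(s) from this source before success")
        if not any(ip_address(ip) in net for net in allowed):
            reasons.append("source outside allowed networks")
        if reasons:
            alerts.append({"ext": ext, "ip": ip,
                           "prior_failures": failures[ip], "reasons": reasons})
    return alerts, dict(failures)


def brute_force_sources(failures, threshold=3):
    """Sources whose failure count reached the threshold; what fail2ban would ban."""
    return {ip: n for ip, n in failures.items() if n >= threshold}


if __name__ == "__main__":
    alerts, failures = analyze(SAMPLE_LOG.splitlines(), ["192.0.2.0/24"])
    for a in alerts:
        print(f"investigate ext {a['ext']} registered from {a['ip']}: " + "; ".join(a["reasons"]))
    print("brute-force sources:", brute_force_sources(failures))
```

The point of the second check is that a registration from an address no phone should be using is suspicious on its own; whether the secret was guessed or obtained some other way, the extension in question needs its secret rotated and the PBX's call records checked for that source. The threshold-only view (the last line of output) is what a fail2ban-style rule sees, and it is blind to a source that succeeds on the second or third try.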
 

agidi

Joined
Jan 13, 2008
Messages
152
Likes
0
Points
0
#4

aglasser

Joined
Jan 28, 2011
Messages
25
Likes
0
Points
0
#5
Hey, Dave -

You've mentioned several times and in several different forums that there is an Elastix Without Tears guide that touches on CSF. This would indicate that there is a newer guide than the June 2010 publication.

Could you provide me a link to this guide? Or a link to the guide with the CSF / Elastix breakdown?

Regards,

A. Glasser
 

DaveD

Joined
Nov 12, 2007
Messages
597
Likes
0
Points
16
#6
Here is the latest version you're after.

Sorry, the stupid forum will not let me attach a zip or rar file, or it might have a size limit; the rar file is 7.8 MB in size.
 

aglasser

Joined
Jan 28, 2011
Messages
25
Likes
0
Points
0
#7
Surely there is a link to what you're referring to, no?
 

aglasser

Joined
Jan 28, 2011
Messages
25
Likes
0
Points
0
#8

DaveD

Joined
Nov 12, 2007
Messages
597
Likes
0
Points
16
#9
Email sent
 
