Remote attacker keeps registering

Discussion in 'General' started by jfalling, Apr 11, 2011.

  1. jfalling

    Joined:
    Apr 11, 2011
    Messages:
    2
    Likes Received:
    0
    A few days ago someone brute-forced a couple of extensions on a box running Elastix 1.6.2-2x.
    After finding this I changed all of the extension secrets (to 10+ alpha-numeric characters) and installed fail2ban.
    A day or so later I found the attacker registered again and the logs showed only three login attempts. The first two failed and the third succeeded, which made me wonder if they were using an exploit. I changed the secrets again and applied the few updates that were available.

    Come Monday I found they registered again over the weekend and I ended up blocking the /8 they are coming from.

    The box is on the public internet and the passwords for the shell accounts, Elastix UI, and FreePBX were all changed before the box was put into service.

    Have any of you experienced this issue before? If so, did you find what the cause of the problem was or a solution?


    Thank you,

    Jeremy
     
  2. DaveD

    Joined:
    Nov 12, 2007
    Messages:
    597
    Likes Received:
    0
    Solution is to install CSF firewall and webmin.
    There is a guide in the Latest Elastix Without Tears on how to set it up.
     
  3. jfalling

    Joined:
    Apr 11, 2011
    Messages:
    2
    Likes Received:
    0
    Thanks for your reply.

    I was wondering more if there are any known current exploits that an attacker could use to authenticate with an extension without brute forcing an extension.

    The first time the attacker was running a true brute force; however, each time since then they have gained entry with only one or two failed attempts before they authenticated. With passwords such as "sk39b42a34nvs34s", it is highly unlikely that they could guess the password after three tries.

    I can easily block IP ranges that shouldn't connect to the server, but if there is an underlying security issue I would much rather patch the hole than put a piece of plywood over it.


    Thank you,

    Jeremy
     
  4. agidi

    Joined:
    Jan 13, 2008
    Messages:
    152
    Likes Received:
    0
  5. aglasser

    Joined:
    Jan 28, 2011
    Messages:
    25
    Likes Received:
    0
    Hey, Dave -

    You've mentioned several times and in several different forums that there is an Elastix without Tears guide that touches on CSF. This would indicate that there is a newer guide than the June, 2010 publication.

    Could you provide me a link to this guide? Or a link to the guide with the CSF / Elastix breakdown?

    Regards,

    A. Glasser
     
  6. DaveD

    Joined:
    Nov 12, 2007
    Messages:
    597
    Likes Received:
    0
    Here is the latest version you're after

    Sorry, stupid forum will not let me attach a zip or rar file, or it might have a size limit; rar file is 7.8MB in size
     
  7. aglasser

    Joined:
    Jan 28, 2011
    Messages:
    25
    Likes Received:
    0
    Surely there is a link to what you're referring to, no?
     
  8. aglasser

    Joined:
    Jan 28, 2011
    Messages:
    25
    Likes Received:
    0
  9. DaveD

    Joined:
    Nov 12, 2007
    Messages:
    597
    Likes Received:
    0
    Email sent
     
