web interface missing

Discussion in 'General' started by rollinsolo, Apr 16, 2010.

  1. rollinsolo

    Joined:
    Feb 11, 2009
    Messages:
    279
    Likes Received:
    0
    It seems as if one of my systems was compromised today, not for the voice but for the mailing feature, which I am sure is just as popular. It seems they got in through cyrus-imapd and somehow created a user to belong to mailgroup and were executing pop. I stopped this and totally removed postfix and cyrus-imapd from the system, but then I was faced with the challenge that all I had showing now was the welcome screen from apache. I looked in the /var/www/html and a lot was missing, so I did a re-install; everything was fine, ran a backup, and after I installed aastra xml scripts using the latest script from aastra's site I looked good to go. I left to come back to the customer site to reconnect the phones, and by the time I got here the apache welcome site was back and I had no way to get into the web interface. I am running Elastix 1.3.

    I am about to perform another install, but this time install xml by hand, no script. I think the one from the latest is for a later version of elastix and will see from there. If anyone has had a similar issue, let's figure it out to make sure it doesn't happen again, and of course I will share with anyone once I know.
     
  2. dicko

    Joined:
    Oct 24, 2008
    Messages:
    4,099
    Likes Received:
    0
    My guess is you were compromised through roundcube. You should delete the /var/www/html/mail directory ASAP or the bots out there will just reinfect you (they have your number !!). Also look into rkhunter or similar, to watch for untoward changes on your system.

    dicko
     
  3. rollinsolo

    +1 to you again my friend. For my customers not using voicemail to email at all or fax to email, is it extra safe to yum remove postfix, and yum remove cyrus-imapd as well? I am working on the rkhunter (really rtfm first) and going from there. I am mostly concerned that they were able to create a user; do you think that was a roundcube user and they just got in through the standard password to create a new user?
     
  4. dicko

    I have experienced this penetration in the past, but noticing it was from the roundcube client (and apparently as the user asterisk), and having absolutely no need for a webmail client, I took the path of least resistance and just consigned that piece of code to the trash. Probably I should have tracked down the vulnerability, but I'm lazy.

    The mail services remain and continue to "call the boss" with the various cron job errors (including rkhunter), and service the fax and vmail notifications without problem. But as a precaution, and because I rarely use the SMTP services, I move that particular service from 25 to "somewhere completely different".

    As to rkhunter, the trick is to, as you say, A) RTFM (twice), and B) iterate between rkhunter -c and editing /etc/rkhunter.conf until there are no errors; the rkhunter.conf is well documented as to how to accept the peculiarities of this particular (Centos) system. I suggest you get and build it from source, as the yum available ones seem a little stale.

    regards

    dicko
     
  5. rollinsolo

    Have you ever heard of peer guardian? I wish there was some way we could tap into those lists to have them in hosts.deny and auto update all the time, or everyone contribute to a master list and auto update from that as they come in. I am sure it would catch on and yet still just be another layer of security.
     
  6. dicko

    You might want to look into the lighter weight configserver's csf firewall (I think ramoncio posted about this one a few weeks (months) ago); it will largely honor those blacklisted addresses in the many lists out there if configured to do so.

    dicko
     
  7. rollinsolo

    +1 again for the CSF suggestion, easy to set up and get all green. Just curious, I want to double check the ports I need open for a functioning elastix, voicemail2email, fax2email and xml scripts etc. Do I have to leave mDNSResponder running, or is that just once the phones are set up I can turn that off? Also I learned quick to add the subnet that the ip phones reside on or else no service for them. I am working off of 22 (not really changed this port), 80, 443, 5061 tcp, 5060 (udp both), udp 10000-20000, 1194 udp. I know 69 is for tftp and should most likely be open for any auto provisioning but closed if I don't need it, so any other ports that are important to elastix functionality? A lot of my customers use T-1 for their voice so I don't require some of the sip and IAX2 ports to be open, but any others you can think of would be appreciated.
     
  8. dicko

    From your machine

    netstat -naut

    will identify what is open; probably all the tcp ports need appropriate attention, all the udp below 1024 also (plus the obvious rtp connections), anything else is probably "suspicious".

    If you are multi-homed (routing) yet trust your LAN, just have CSF attend to the WAN interface to save you problems. CSF is not ideal for routers; there is always Arno's stuff for that.

    dicko

    p.s. If you are "all green" be careful of putting /tmp in ram, FreePBX will eventually Eff you on backups.
    p.p.s. I note your other post, ++rollinsolo.karma for "getting-it" and contributing.
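Following dicko's netstat -naut suggestion, here is an added example (not part of the thread) that audits a constructed netstat capture against the port list rollinsolo gave in the previous post, flagging anything else that is listening. The allow lists, the sample netstat text and the function names are my assumptions, not data from the thread.

```shell
# Added example (not from the thread): audit a `netstat -naut` capture against
# the ports rollinsolo listed as needed, and flag everything else that is
# listening (tcp) or bound (udp), per dicko's "anything else is suspicious" rule.
ALLOWED_TCP="22 80 443 5060 5061"   # ssh, http(s), sip
ALLOWED_UDP="5060 1194 69"          # sip, openvpn, tftp (only while provisioning)
RTP_LO=10000; RTP_HI=20000          # rtp media range

# Constructed sample in `netstat -naut` layout (Proto Recv-Q Send-Q Local Foreign State)
NETSTAT_SAMPLE='Proto Recv-Q Send-Q Local Address       Foreign Address     State
tcp        0      0 0.0.0.0:22          0.0.0.0:*           LISTEN
tcp        0      0 0.0.0.0:80          0.0.0.0:*           LISTEN
tcp        0      0 0.0.0.0:443         0.0.0.0:*           LISTEN
tcp        0      0 0.0.0.0:110         0.0.0.0:*           LISTEN
tcp        0      0 0.0.0.0:3306        0.0.0.0:*           LISTEN
tcp        0      0 192.0.2.10:22       198.51.100.7:51512  ESTABLISHED
udp        0      0 0.0.0.0:5060        0.0.0.0:*
udp        0      0 0.0.0.0:1194        0.0.0.0:*
udp        0      0 0.0.0.0:12000       0.0.0.0:*
udp        0      0 0.0.0.0:5353        0.0.0.0:*'

# in_list PORT "p1 p2 ..." -> true when PORT is one of the listed ports
in_list() {
    for p in $2; do [ "$p" = "$1" ] && return 0; done
    return 1
}

# audit_netstat < netstat-output -> one "proto port" line per unexpected socket
# (tcp: LISTEN sockets only; udp: every bound port outside the allow list/rtp range)
audit_netstat() {
    while read -r proto recvq sendq laddr rest; do
        case "$proto" in tcp|udp) ;; *) continue ;; esac
        port=${laddr##*:}
        case "$proto" in
            tcp) echo "$rest" | grep -q LISTEN || continue
                 in_list "$port" "$ALLOWED_TCP" && continue ;;
            udp) in_list "$port" "$ALLOWED_UDP" && continue
                 [ "$port" -ge "$RTP_LO" ] && [ "$port" -le "$RTP_HI" ] && continue ;;
        esac
        echo "$proto $port"
    done
}

# suspicious_count -> number of unexpected sockets in the sample: 3 here
# (tcp 110 pop3, tcp 3306 mysql, udp 5353 mdns, i.e. the mDNSResponder asked about above)
suspicious_count() {
    printf '%s\n' "$NETSTAT_SAMPLE" | audit_netstat | wc -l | tr -d ' '
}
printf '%s\n' "$NETSTAT_SAMPLE" | audit_netstat
```

Run it as `netstat -naut | audit_netstat` on the live box after sourcing the file; each line it prints is a socket worth explaining before CSF is switched on.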
     
  9. rollinsolo

    So I should not have mounted /tmp and symlinked /var/tmp, good to know. Is there anything else you normally delete from /var/www/html/ that most do not use and could pose a vulnerability? I do not use Elastix in production for anything but voice, fax; don't use the chat, don't need the webmail, CRM etc.
     
  10. dicko

    The basic linux idea is that /tmp is transitory over a reboot, so it rightly belongs in ram, as many "root" exploits will be able to (and IMHO wrongly in Elastix) write to /tmp and, if possible, put a cron job to run it after the reboot; you get re-hosed over the reboot. Unfortunately FreePBX, and who knows what else, likes to use /tmp and put shit-loads into it (they should use somewhere else), so when your ram fills up with the un-removed crap (better housekeeping is needed, but that's another story in another forum) your system will die. The downside is that if you leave it on a permanent file-system, the knuckle-draggers can still own you.

    dicko

    p.s. Unless you need it (and believe me, you don't, any real email client can talk to the Elastix mail server much more securely) delete /var/www/html/mail or you will be embarrassed later (roundcubemail in Elastix is totally compromised).

    Check that you have tightened up http(s)://<you>/admin and http(s)://<you>/recordings against the "well knowns".
     
  11. rollinsolo

    Got it thank you again my man.
     
  12. rollinsolo

    Wow, ok, I guess I do not got it lol, I might even never use that phrase again in reference to any of this, hahah. Anyways, CSF is performing strangely when I have it running on my machine; I could not access the Elastix.org website. When I turn it off I got right on. As well, the customer that I put CSF on that was compromised via roundcube and my negligence could not intraoffice dial from one extension to another until I turned off the firewall. I did allow their ip range and subnet in the allowed ip section of csf because I would prefer to leave it running. Any thoughts as to what I am doing wrong?
     
  13. dicko

    The basic rules are in these few lines:

    ETH_DEVICE =
    # If you don't want iptables rules applied to specific NICs, then list them in
    # a comma separated list (e.g "eth1,eth2")
    ETH_DEVICE_SKIP =
    # Lists of ports in the following comma separated lists can be added using a
    # colon (e.g. 30000:35000).
    # Allow incoming TCP ports
    TCP_IN =
    # Allow outgoing TCP ports
    TCP_OUT =
    # Allow incoming UDP ports
    UDP_IN =

    If you are multihomed, just apply it to the WAN interface.

    Your outbound tcp line might look like

    20,21,22,25,43,53,80,110,113,443,22
    and tcp in

    25,53,80,110,143,443,465,587,993,995,22,5038,4559

    for example

    and your udp lines something like

    20,21,53,69,123,113,123,4569,5060:5070,10000:20000

    etc.

    The log file is at

    /etc/csf/stats/iptables_log
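As an added example (not from the thread or from ConfigServer), a small POSIX sh check for the TCP_IN/TCP_OUT/UDP_IN lists described above: it validates each entry as a port or lo:hi range and prints the cleaned csf.conf line. It uses dicko's three lists as constructed input, and the function names are my own.

```shell
# Added example, not from the thread or from ConfigServer: sanity-check and tidy
# the comma-separated port lists that go into TCP_IN/TCP_OUT/UDP_IN in csf.conf.
# The three lists are dicko's from the post above, used as constructed sample input;
# note they carry duplicate entries (22 and 123), which normalisation drops.

TCP_OUT_SAMPLE='20,21,22,25,43,53,80,110,113,443,22'
TCP_IN_SAMPLE='25,53,80,110,143,443,465,587,993,995,22,5038,4559'
UDP_IN_SAMPLE='20,21,53,69,123,113,123,4569,5060:5070,10000:20000'

# check_csf_ports LIST -> 0 when every entry is a port (1-65535) or a lo:hi range
# with lo < hi; otherwise names each bad entry on stderr and returns 1
check_csf_ports() {
    printf '%s\n' "$1" | tr ',' '\n' | awk '
        BEGIN { rc = 0 }
        /^[0-9]+$/        { if ($0 + 0 >= 1 && $0 + 0 <= 65535) next }
        /^[0-9]+:[0-9]+$/ { split($0, r, ":")
                            if (r[1] + 0 >= 1 && r[1] + 0 < r[2] + 0 && r[2] + 0 <= 65535) next }
        { print "invalid csf port entry: " $0 > "/dev/stderr"; rc = 1 }
        END { exit rc }'
}

# normalize_csf_ports LIST -> same entries sorted numerically, duplicates removed
normalize_csf_ports() {
    printf '%s\n' "$1" | tr ',' '\n' | sort -t: -k1,1n | awk '!seen[$0]++' | paste -s -d, -
}

# csf_line NAME LIST -> the csf.conf line for the cleaned list (warns on bad entries)
csf_line() {
    check_csf_ports "$2" || echo "$1: fix the entries above before restarting csf" >&2
    printf '%s = "%s"\n' "$1" "$(normalize_csf_ports "$2")"
}

csf_line TCP_OUT "$TCP_OUT_SAMPLE"
csf_line TCP_IN  "$TCP_IN_SAMPLE"
csf_line UDP_IN  "$UDP_IN_SAMPLE"
```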
     
  14. rollinsolo

    Ever since messing around with CSF for myself I am having quite a few problems of my own: my CPU is now steadily at 50%, and normally running idle I am usually less than 1%. Any ideas what to check and how to stop the resource hog?
     
  15. dicko

    top

    to start
     
  16. rollinsolo

    Man, a couple of reboots later and all is fine. I would still like to know how to fix that without the reboot sometimes.
     
  17. dicko

    You have to diagnose the problem (here quickly with top) or the state of the machine goes away and it becomes harder; look for big files in /var/log and explore them for hung processes, often asterisk/full or messages are the likely culprits.
     
  18. rollinsolo

    Also, after making some changes, now the customer cannot intraoffice dial. I had to perform a re-install with aastra xml scripts too; do you think something broke along the way?
     
