Re: [sipx-users] Hacked SipXecs 4.4

2012-11-16 Thread Noah Mehl
Tony, You know what? I think everyone is clear on YOUR opinion on the matter. In MY opinion, this is a serious bug. I have created a Jira story: http://track.sipfoundry.org/browse/XX-10529 Next time, I would appreciate constructive comments instead of: "This is only a problem for you... You

Re: [sipx-users] Hacked SipXecs 4.4

2012-11-16 Thread Tony Graziano
That is with ssh open or available from the outside. I still suggest a JIRA... On Nov 16, 2012 6:41 PM, "Noah Mehl" wrote: > I would also like to mention: > > This works for any port, including SIP. There might be huge amounts of > SIP piracy across people's servers. > > ~Noah > > On Nov 16,

Re: [sipx-users] Hacked SipXecs 4.4

2012-11-16 Thread Noah Mehl
I would also like to mention: This works for any port, including SIP. There might be huge amounts of SIP piracy across people's servers. ~Noah On Nov 16, 2012, at 6:27 PM, Alan Worstell <aworst...@a-1networks.com> wrote: What Noah is posting about is correct. SMTP is listening on 127.0

Re: [sipx-users] Hacked SipXecs 4.4

2012-11-16 Thread Alan Worstell
What Noah is posting about is correct. SMTP is listening on 127.0.0.1. However, if you use SSH port redirection, from an outside host you can forward your remote 127.0.0.1:25 to your own 127.0.0.1:25. I just tested this with a development 4.6 server we have, from a system completely off-network

Re: [sipx-users] Hacked SipXecs 4.4

2012-11-16 Thread Noah Mehl
sendmail 10779 root 4u IPv4 6764026 0t0 TCP localhost.localdomain:smtp (LISTEN) ~Noah On Nov 16, 2012, at 6:18 PM, Tony Graziano <tgrazi...@myitdepartment.net> wrote: can you provide the output of: lsof -i | grep LISTEN and post what SMTP is listening to? On Fri, N

Re: [sipx-users] Hacked SipXecs 4.4

2012-11-16 Thread Tony Graziano
can you provide the output of: lsof -i | grep LISTEN and post what SMTP is listening to? On Fri, Nov 16, 2012 at 6:11 PM, Noah Mehl wrote: > This is my problem: > > You are arguing with me when you don't understand how SSH port > forwarding works. > > In the exploit I've illustrated, the p

Re: [sipx-users] Hacked SipXecs 4.4

2012-11-16 Thread Noah Mehl
This is my problem: You are arguing with me when you don't understand how SSH port forwarding works. In the exploit I've illustrated, the port is tunneled via SSH. Then on the remote machine (the sipxecs server) the traffic originates as LOCALHOST. That's why it's an OOTB security flaw. I have

Re: [sipx-users] Hacked SipXecs 4.4

2012-11-16 Thread Tony Graziano
There is that too. I keep bringing it up but he skips over it. In a default sipx installation, the output shows: sendmail TCP localhost.localdomain:smtp (LISTEN) and there are no other entries related to SMTP. So again, something is different here than in all the others (remember that kids' game?

Re: [sipx-users] Hacked SipXecs 4.4

2012-11-16 Thread Noah Mehl
Someone else can explain this! I'm tired of arguing…. ~Noah On Nov 16, 2012, at 5:40 PM, Gerald Drouillard <gerryl...@drouillard.ca> wrote: On 11/16/2012 5:24 PM, Noah Mehl wrote: Shall I make a screencast to explain? No. You cannot connect to a server port if there is nothing listenin

Re: [sipx-users] Hacked SipXecs 4.4

2012-11-16 Thread Noah Mehl
Hey! FINALLY, I got some information that's actually useful to me!!! Where is the JIRA link where I can post a bug? Is there a different mailing list for Sipxecs dev? No, my argument is that two users are created by the SipXecs install: PlcmSpIp and lvp2890. These users have passwords set in

Re: [sipx-users] Hacked SipXecs 4.4

2012-11-16 Thread Gerald Drouillard
On 11/16/2012 5:24 PM, Noah Mehl wrote: Shall I make a screencast to explain? No. You cannot connect to a server port if there is nothing listening on that port. Your sipx server smtp server should only be listening on localhost:smtp not *:smtp Check the output of: lsof -i | grep LISTEN -

Re: [sipx-users] Hacked SipXecs 4.4

2012-11-16 Thread Tony Graziano
You do realize the other side of this argument is that SSH forwarding is enabled by default on Redhat/Centos and that since you have SSH available to the public at large it also makes this an effective use of your system. I think the place for you to ask for a change is submitting a JIRA and posti

Re: [sipx-users] Hacked SipXecs 4.4

2012-11-16 Thread Noah Mehl
Shall I make a screencast to explain? ~Noah On Nov 16, 2012, at 5:20 PM, Noah Mehl <n...@tritonlimited.com> wrote: Gerald. That's the security hole. I AM ABLE TO CONNECT TO THE LOCAL SMTP SERVICE ON THE SIPXECS SERVER via SSH remotely using the default user/pass of PlcmSpIp, utilizing

Re: [sipx-users] Hacked SipXecs 4.4

2012-11-16 Thread Noah Mehl
Gerald. That's the security hole. I AM ABLE TO CONNECT TO THE LOCAL SMTP SERVICE ON THE SIPXECS SERVER via SSH remotely using the default user/pass of PlcmSpIp, utilizing ssh port forwarding. ~Noah On Nov 16, 2012, at 5:17 PM, Gerald Drouillard <gerryl...@drouillard.ca> wrote: On 11/1

Re: [sipx-users] Hacked SipXecs 4.4

2012-11-16 Thread Gerald Drouillard
On 11/16/2012 1:57 PM, Noah Mehl wrote: Does nobody on the list know what SSH port forwarding is? I am running the first two commands from a remote machine (connecting to the sipxecs machine) in separate terminals to forward my local 25 port to the sipxecs box, and the 25 port on the sipxecs b

Re: [sipx-users] Hacked SipXecs 4.4

2012-11-16 Thread Todd Hodgen
Thanks for the confirmation Noah. From: sipx-users-boun...@list.sipfoundry.org [mailto:sipx-users-boun...@list.sipfoundry.org] On Behalf Of Noah Mehl Sent: Friday, November 16, 2012 9:52 AM To: Discussion list for users of sipXecs software Subject: Re: [sipx-users] Hacked SipXecs 4.4 I can

Re: [sipx-users] Hacked SipXecs 4.4

2012-11-16 Thread Melcon Moraes
What Tony meant to say is that in the near future, there will no longer be FTP provisioning for Polycom, so the user will probably be removed. Denying ssh access to the polycom user won't affect FTP provisioning and will secure the box against this exploit itself. Also, if you don't need the forward

Re: [sipx-users] Hacked SipXecs 4.4

2012-11-16 Thread Noah Mehl
OK, there must be some sort of communication issue here. Why would denying ssh access remove a user from the system? I thought provisioning happens via ftp, tftp, http, or https. I'm not talking about deleting the linux user, only specifically denying any ssh access to the sipxecs server for t

Re: [sipx-users] Hacked SipXecs 4.4

2012-11-16 Thread Tony Graziano
It would mean the user would no longer be present on the system because it would not be required. On Fri, Nov 16, 2012 at 2:08 PM, Noah Mehl wrote: > I don't understand: > > "so polycom provisioning in Sipx will cease using ftp and the user > account will be removed at that time and move to ht

Re: [sipx-users] Hacked SipXecs 4.4

2012-11-16 Thread Noah Mehl
I don't understand: "so polycom provisioning in Sipx will cease using ftp and the user account will be removed at that time and move to http/HTTPS." Why would denying the PlcmSpIp user in the sshd config affect provision? Honestly, the exploit is the ability to use SSH port forwarding with the

Re: [sipx-users] Hacked SipXecs 4.4

2012-11-16 Thread Noah Mehl
Does nobody on the list know what SSH port forwarding is? I am running the first two commands from a remote machine (connecting to the sipxecs machine) in separate terminals to forward my local 25 port to the sipxecs box, and the 25 port on the sipxecs box locally. The third command is run loc

Re: [sipx-users] Hacked SipXecs 4.4

2012-11-16 Thread Tony Graziano
Fwiw I can test the exploit and my ids (commercial snort rules). so polycom provisioning in Sipx will cease using ftp and the user account will be removed at that time and move to http/HTTPS. On Nov 16, 2012 12:52 PM, "Noah Mehl" wrote: > I can confirm that adding: > > DenyUsers PlcmSpIp > >

Re: [sipx-users] Hacked SipXecs 4.4

2012-11-16 Thread Tony Graziano
But there again SMTP is for some reason open on that machine and unless you are also using it as a mail server I don't see the point in making it available to the public at large. Sendmail does not need to have SMTP open in order to send. This is yet another thing that confuses me about your firew

Re: [sipx-users] Hacked SipXecs 4.4

2012-11-16 Thread Gerald Drouillard
On 11/16/2012 12:45 PM, Noah Mehl wrote: Tony, I just figured out an exploit in 15 minutes with the help of Google http://www.semicomplete.com/articles/ssh-security/: $sudo ssh -vN -L25:localhost:25 PlcmSpIp@sipxecsip $sudo ssh -vN -R25:l

Re: [sipx-users] Hacked SipXecs 4.4

2012-11-16 Thread Tony Graziano
Fwiw I can test the exploit and my ids (commercial snort rules). Polycom provisioning in Sipx will cease using ftp and the user account will be removed (most likely) when this is done. Your exploit though appears to originate from inside your network though doesn't it? If it originates inside it

Re: [sipx-users] Hacked SipXecs 4.4

2012-11-16 Thread Noah Mehl
I can confirm that adding: DenyUsers PlcmSpIp to /etc/ssh/sshd_config solves this exploit. I'm back to my original opinion that if this user is installed automatically, without my intervention, then that line should be added to the sshd_config. ~Noah On Nov 16, 2012, at 12:46 PM, Noah Mehl m

Re: [sipx-users] Linksys SPA3102 FXO MGW Outbound Calling

2012-11-16 Thread Todd Hodgen
Under line - Proxy and Registration - be sure to check "Use Outbound Proxy" and enter an outbound Proxy if not already checked. -Original Message- From: sipx-users-boun...@list.sipfoundry.org [mailto:sipx-users-boun...@list.sipfoundry.org] On Behalf Of 文军 Sent: Friday, November 16, 2012 6:

Re: [sipx-users] Hacked SipXecs 4.4

2012-11-16 Thread Noah Mehl
Tony, I just figured out an exploit in 15 minutes with the help of Google http://www.semicomplete.com/articles/ssh-security/:
$ sudo ssh -vN -L25:localhost:25 PlcmSpIp@sipxecsip
$ sudo ssh -vN -R25:localhost:25 PlcmSpIp@sipxecsip
$ telnet localhost 25
Tell me if your ids stops that? This works on

Re: [sipx-users] Hacked SipXecs 4.4

2012-11-16 Thread Tony Graziano
The user doesn't have login via ssh. Ssh in and of itself is not protected and it is exposed. It is trivial to change the user password and/or delete it. We typically don't expose ssh at all. You haven't provided any real evidence that a dictionary attack didn't overwhelm the pam service either.

Re: [sipx-users] Hacked SipXecs 4.4

2012-11-16 Thread Noah Mehl
The only hardening required to solve this particular problem would be an addition to the sshd config: DenyUsers PlcmSpIp I think this should be included in the default distribution of SipXecs isos and/or packages (I've only ever used the iso) because this is something that is specific to the d
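
The DenyUsers line proposed in this message, together with switching TCP forwarding off (the point raised earlier in the thread about forwarding being enabled by default), written out as an added example; this is not code from the thread or from the sipXecs project. It assumes the account name PlcmSpIp as named in the thread; both sshd_config files it writes are constructed for the example, and the audit reads only global settings (everything before the first Match line), so a per-user Match block would not be seen by it.

```shell
#!/bin/sh
# Added example, not code from the sipx-users thread or from sipXecs:
# audit an sshd_config for the two settings that close the hole the
# thread describes (the default account denied, TCP forwarding off).
# The account name PlcmSpIp is taken from the thread; the config files
# written below are constructed for this example.

# Print the effective value of a global sshd_config keyword. sshd takes
# the FIRST occurrence of a keyword, and everything after a "Match"
# line is conditional, so the scan stops there. Only the
# "Keyword value" form is handled, not "Keyword=value".
sshd_keyword() {            # $1 = config file, $2 = keyword
    awk -v k="$2" '
        tolower($1) == "match"    { exit }
        tolower($1) == tolower(k) { print $2; exit }
    ' "$1"
}

# Succeed if account $2 appears on any global DenyUsers line of $1
# (DenyUsers lines accumulate rather than override each other).
sshd_user_denied() {        # $1 = config file, $2 = account name
    awk -v u="$2" '
        tolower($1) == "match"     { exit }
        tolower($1) == "denyusers" { for (i = 2; i <= NF; i++) if ($i == u) { found = 1; exit } }
        END { exit !found }
    ' "$1"
}

# Return 0 when $2 is denied AND AllowTcpForwarding is "no";
# otherwise print FINDING lines and return 1. Only "no" counts as safe:
# "local" would still allow the -L tunnel used in the thread.
audit_sshd_config() {       # $1 = config file, $2 = account name
    rc=0
    if ! sshd_user_denied "$1" "$2"; then
        echo "FINDING: $2 is not listed on a global DenyUsers line"
        rc=1
    fi
    fwd=$(sshd_keyword "$1" AllowTcpForwarding)
    case "$(echo "$fwd" | tr 'A-Z' 'a-z')" in
        no) : ;;
        "") echo "FINDING: AllowTcpForwarding is unset (sshd defaults it to yes)"; rc=1 ;;
        *)  echo "FINDING: AllowTcpForwarding is '$fwd'"; rc=1 ;;
    esac
    return $rc
}

# A CentOS-style default (constructed): nothing stops a known account
# from opening tunnels to services bound to 127.0.0.1.
write_weak_config() {       # $1 = output path
    cat > "$1" <<'EOF'
Protocol 2
SyslogFacility AUTHPRIV
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding yes
Subsystem sftp /usr/libexec/openssh/sftp-server
EOF
}

# The same file with the two lines that close the hole (constructed).
write_hardened_config() {   # $1 = output path
    cat > "$1" <<'EOF'
Protocol 2
SyslogFacility AUTHPRIV
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding yes
DenyUsers PlcmSpIp
AllowTcpForwarding no
Subsystem sftp /usr/libexec/openssh/sftp-server
EOF
}

# Demo: audit both files.
tmp=$(mktemp -d)
write_weak_config "$tmp/sshd_config.weak"
write_hardened_config "$tmp/sshd_config.hardened"
for f in "$tmp/sshd_config.weak" "$tmp/sshd_config.hardened"; do
    if audit_sshd_config "$f" PlcmSpIp; then
        echo "$f: ok"
    else
        echo "$f: needs hardening"
    fi
done
rm -rf "$tmp"
```

On a live box, run the audit against /etc/ssh/sshd_config and then restart sshd; on OpenSSH 5.1 and later, `sshd -T` prints the effective configuration, which is the authoritative check. DenyUsers only stops the account from authenticating over ssh; the password the installer set is still on the system, so changing it (or removing the account once FTP provisioning goes away, as the thread anticipates) is still worth doing.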

Re: [sipx-users] Hacked SipXecs 4.4

2012-11-16 Thread Tony Graziano
It really sounds like you don't have a method to harden your server if you are exposing it. It's entirely possible you were targeted with a ddos attack that overwhelmed the Linux system. If you had properly crafted iptables rules and ssh protection mechanisms it would most likely not have happened

Re: [sipx-users] Hacked SipXecs 4.4

2012-11-16 Thread Gerald Drouillard
On 11/16/2012 10:07 AM, Noah Mehl wrote: > Todd, > > The private subnet is: 172.16.0.0 - 172.31.255.255. That IP is a public IP > address, which is part of AOL in Nevada I think. I actually have over 80 > different public IP address entries in my log using that user to SSH to my > SipXecs box.

Re: [sipx-users] Hacked SipXecs 4.4

2012-11-16 Thread Noah Mehl
Todd, The private subnet is: 172.16.0.0 - 172.31.255.255. That IP is a public IP address, which is part of AOL in Nevada I think. I actually have over 80 different public IP address entries in my log using that user to SSH to my SipXecs box. I understand that it's a phone system and not a fi
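
The log triage behind the observation above (many distinct public addresses authenticating as the provisioning account, as opposed to the 172.16.0.0/12 private range), as an added example that is not from the thread or from sipXecs. It assumes the OpenSSH syslog line format found in /var/log/secure on CentOS; every sample line, address, PID and timestamp below is constructed, with the public addresses taken from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24.

```shell
#!/bin/sh
# Added example, not code from the sipx-users thread or from sipXecs:
# list the public source addresses that successfully authenticated as
# PlcmSpIp over ssh, dropping RFC 1918 and loopback sources. The log
# excerpt is constructed; only the line format is OpenSSH's.

# Succeed if $1 is an IPv4 address in 10/8, 172.16/12, 192.168/16 or 127/8.
is_private_ip() {
    case "$1" in
        ""|*[!0-9.]*) return 1 ;;       # not a dotted quad
    esac
    oldifs=$IFS; IFS=.
    set -- $1                           # $1..$4 are now the octets
    IFS=$oldifs
    case "$1" in
        10|127) return 0 ;;
        172) [ "$2" -ge 16 ] && [ "$2" -le 31 ] && return 0 ;;
        192) [ "$2" -eq 168 ] && return 0 ;;
    esac
    return 1
}

# Write a constructed /var/log/secure excerpt. 172.16.5.20 stands in
# for an on-net provisioning host; the rest are documentation-range
# addresses used as stand-ins for Internet sources.
write_sample_log() {        # $1 = output path
    cat > "$1" <<'EOF'
Nov 16 02:11:07 sipx sshd[4411]: Accepted password for PlcmSpIp from 203.0.113.7 port 51122 ssh2
Nov 16 02:11:09 sipx sshd[4411]: pam_unix(sshd:session): session opened for user PlcmSpIp by (uid=0)
Nov 16 02:40:51 sipx sshd[4520]: Accepted password for PlcmSpIp from 172.16.5.20 port 40011 ssh2
Nov 16 03:02:14 sipx sshd[4633]: Failed password for PlcmSpIp from 198.51.100.99 port 60001 ssh2
Nov 16 03:05:30 sipx sshd[4640]: Accepted password for PlcmSpIp from 198.51.100.42 port 60000 ssh2
Nov 16 03:17:46 sipx sshd[4702]: Accepted password for PlcmSpIp from 203.0.113.7 port 51190 ssh2
Nov 16 04:00:02 sipx sshd[4810]: Accepted publickey for admin from 203.0.113.200 port 33010 ssh2
Nov 16 04:10:55 sipx sshd[4855]: Accepted password for root from 10.0.0.5 port 2222 ssh2
EOF
}

# Print "ip count" for each public source that successfully
# authenticated as account $2 in log $1 (failed attempts and other
# accounts are ignored), sorted by address.
suspicious_logins() {       # $1 = log file, $2 = account name
    grep -E "sshd\[[0-9]+\]: Accepted [a-z/-]+ for $2 from [0-9.]+ port " "$1" |
    sed -E 's/.* from ([0-9.]+) port .*/\1/' |
    sort | uniq -c |
    while read -r n ip; do
        is_private_ip "$ip" || printf '%s %s\n' "$ip" "$n"
    done
}

# Demo over the constructed excerpt.
log=$(mktemp)
write_sample_log "$log"
echo "public sources that logged in as PlcmSpIp (ip count):"
suspicious_logins "$log" PlcmSpIp
rm -f "$log"
```

Run it as `suspicious_logins /var/log/secure PlcmSpIp` on the box itself (or on a copy of the rotated logs); one distinct public address for an account that only phones on the LAN should ever use is already a finding, and the count per address shows whether it was a single tunnel or repeated use. Lines from a host that logs with "Accepted keyboard-interactive/pam" are matched as well.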

[sipx-users] Linksys SPA3102 FXO MGW Outbound Calling

2012-11-16 Thread 文军
Does anyone have any experience configuring the SPA3102 for outbound calls from an extension to the PSTN? I can make calls from the PSTN to an extension through the SPA3102 now. I created an unmanaged gateway for the SPA3102 and a dial plan with prefix 9, but the SPA always claims "not found" when I make an outbound call. Regards, Jarvis.