[App_rpt-users] Server Security
Mike
mm at midnighteng.com
Tue Sep 4 16:15:30 UTC 2018
While I don't have time to get into an in-depth discussion on this,
I just want to raise awareness with those that read.
From time to time I remind some folks about some security issues.
It is normally said to anyone to change your ssh port in your first
steps, and most will do that if they know how, but if you don't, please
ask someone as it is important.
The latest ASL package has a nice working firewall that can be enabled
from a command line menu (asl-menu) and there is no excuse for not
enabling this. But I encourage you to do it in the first steps of your
install. You may need to re-run the scripts from the menu as your port
usage changes, but it's still a simple thing to do, even if your command
line skills are low. The dev team did well on this. It's easy!
The reason I am encouraging you to do this in your first steps, within
hours of your install, is that I am seeing faster, much craftier
hacks that do not do much more than watch as the server goes up and
capture SSL data and/or passwords, but take no initial actions,
only to come back later and use that data and really just have their way
with it.
Whole-disk back-ups may not be effective in restoring because the
sleeper software may be captured in the backup, so you may just be
giving them an easy in the next time.
Back-up your important conf files separately, no matter what other
method you use.
Marking the 'bad guys' by IP with repetitive rejected attempts is
starting to fail for me on certain servers unrelated to ASL because they
seem to have an unlimited supply of IPs they can use. They don't use the
same IP often the same day, but hit the server twice a minute.
(Many hacked systems just become a launching point to hack others and
use your IP.)
While I have not seen one of these attacks to any of my ASL servers, I
know it's coming.
I spent the weekend figuring this last one out.
So I remind many of you to take action 'without delay' and do those
basic things to at least slow the progress of hacks.
1 - change your ssh port
2 - Turn on your firewall and do not enable ports not used.
3 - do not use/enable FTP or the ports for it. SFTP is the only method
you should be using.
4 - Back-up your important conf files/scripts separately, no matter what
other method you use.
That will at least slow/stop many amateurs that are working from a how-to
they found on the web. Often, when your system is compromised, it may
continue to run as always while they just use it to hack other systems,
so keeping an eye on your CPU/bandwidth usage to see when
something is not normal is a great help.
While doing 'loss prevention', I have been thinking about how to best
defend our ASL servers going forward. Due to the nature of our
international connections, I am thinking we just need to create and
maintain a whitelist of IPs in the system iptables as a whole, not
Asterisk only. It should be easy since the IP list is shared as it is,
and we just need to add other outside services' IPs to that.
But I'm still thinking on it. Perhaps this note will encourage others to
think on it as well. These things always get worse, not better.
I may write/experiment with this 'whitelist' idea this winter, but be
aware, if you are not defending your system, you make it all the easier
to hack others as well. Just because your system is running as intended
does not mean it has not been compromised.
73,
...mike/kb8jnm
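As an added example of the whitelist idea in the post above (not code from the original message, from the ASL package or from asl-menu), here is a small POSIX shell script that turns a whitelist file into an iptables INPUT chain: default DROP, loopback and established traffic allowed, each listed port opened only to the whitelisted sources, FTP refused outright, and a rate-limited LOG rule so the probing shows up in the system log. Everything in it is an assumption for illustration: the whitelist file format (one IPv4 address or CIDR per line, trailing comment allowed), the function names gen_rules and write_sample_whitelist, the ssh port 2222, and 4569/udp as the IAX2 port AllStarLink nodes use. The sample whitelist is constructed from documentation address ranges.

```shell
#!/bin/sh
# Added example, not from the original post or the ASL project:
# generate an iptables INPUT chain from a whitelist file so that every
# service, not just Asterisk, is reachable only from addresses you trust.
# It only prints the iptables commands; review them, then run the output
# as root (e.g. `gen_rules whitelist.txt 2222/tcp | sh`).
#
# Assumed whitelist format (hypothetical): one IPv4 address or CIDR per
# line, optional trailing comment, lines starting with '#' ignored.

# gen_rules WHITELIST_FILE PORT[/PROTO] ...
# Ports default to tcp. FTP (20/21) is refused outright: use SFTP over
# the ssh port instead.
gen_rules() {
    wl="$1"; shift
    [ -r "$wl" ] || { echo "gen_rules: cannot read $wl" >&2; return 1; }
    [ $# -gt 0 ] || { echo "gen_rules: no ports given" >&2; return 1; }
    for spec in "$@"; do
        case "${spec%/*}" in
            20|21) echo "gen_rules: refusing to open FTP port ${spec%/*}; use SFTP" >&2; return 1 ;;
            ''|*[!0-9]*) echo "gen_rules: bad port spec '$spec'" >&2; return 1 ;;
        esac
    done
    echo "iptables -F INPUT"
    echo "iptables -P INPUT DROP"        # default deny: anything not listed below is dropped
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # strip comment and blank lines; the first field is the address
    grep -v '^[[:space:]]*#' "$wl" | awk 'NF { print $1 }' | while read -r src; do
        case "$src" in
            *[!0-9./]*)
                # a hostname would be resolved once at load time; whitelist by address only
                echo "gen_rules: skipping non-address entry '$src'" >&2; continue ;;
        esac
        for spec in "$@"; do
            port="${spec%/*}"; proto="${spec#*/}"
            [ "$proto" = "$spec" ] && proto=tcp
            echo "iptables -A INPUT -s $src -p $proto --dport $port -j ACCEPT"
        done
    done
    # log what falls through to the DROP policy, rate-limited so a scan cannot fill the log
    echo "iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix 'WL-DROP: '"
}

# Constructed sample whitelist for a dry run (documentation address ranges).
write_sample_whitelist() {
    cat > "$1" <<'EOF'
# trusted admin and node addresses
203.0.113.10      admin workstation
198.51.100.0/24   club nodes
rptr.example.net  hostname, will be skipped
EOF
}

# Dry run: print the ruleset for a non-default ssh port (assumed 2222)
# and the IAX2 port (4569/udp, assumption for the example).
tmp=$(mktemp)
write_sample_whitelist "$tmp"
gen_rules "$tmp" 2222/tcp 4569/udp
rm -f "$tmp"
```

Check the printed rules before applying them, and apply them from the console or with a cron job scheduled to flush the chain a few minutes later: if your own address is missing from the whitelist, the DROP policy locks you out of ssh as well. Re-run the generator whenever the shared IP list or your port usage changes.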