[App_rpt-users] Server Security

[Mike]

While I don't have time to get into a in depth discussion on this,
I just want to raise awareness with those that read.

 From time to time I remind some folks about some security issues.

It is normally said to anyone to change your ssh port in your first 
steps, and most will do that if they know how, but if you don't, please 
ask someone as it is important.

The latest ASL package has a nice working firewall that can be enabled 
from a command line menu (asl-menu) and there is no excuse for not 
enabling this. But I encourage you to do it in the first steps of your 
install. You may need to re-run the scripts from the menu as your port 
usage changes, but it's still a simple thing to do, even if your command 
line skills are low. The dev team did well on this. It's easy !

The reason I am encouraging you to do this in your first steps, within 
hours of your install is that I am seeing faster much more craftier 
hacks that do not do much more than watch as the server goes up and 
capture ssl data and or passwords, but take no initial actions.
Only to come back later and use that data. Really just have their way 
with it.
Whole disk back-ups may not be effective in restoring because the 
sleeper software may be captured in the backup, so you may just be 
giving them a easy in the next time.

Back-up your important conf files separately, no matter what other 
method you use.

Marking the 'bad guys' by IP with repetitive rejected attempts is 
starting to fail for me on certain servers unrelated to ASL because they 
seem to have a unlimited supply of IP's they can use. They don't use the 
same IP often the same day, but hit the server twice a minute.
(many hacked systems just become a launching point to hack others and 
use your IP).

While I have not seen one of these attacks to any of my ASL servers, I 
know it's coming.

I spent the weekend figuring this last one out.
So I remind many of you to take action 'without delay' and do those 
basic things to at least slow the progress of hacks.

1 - change your ssh port
2 - Turn on your firewall and do not enable ports not used.
3 - do not use/enable FTP or the ports for it. SFTP is the only method 
you should be using.
4 - Back-up your important conf files/scripts separately, no matter what 
other method you use.

That will at least slow/stop many amateurs that are working from a how2 
they found on the web. Often, when your system is compromised, it may 
continue to run as always while they just use it to hack other systems, 
so, if you can keep a eye on your cpu/bandwidth usage to see when 
something is not normal is a great help.

While doing 'loss prevention', I have been thinking about how to best 
defend our ASL servers going forward. Do to the nature of our 
international connections, I am thinking we just need to create and 
maintain a whitelist of IP's to the 'system IP Tables' as a whole, not 
asterisk only. It should be easy since the IP list is shared as it is, 
and we just need to add other outside services IP's to that.

But I'm still thinking on it. Perhaps this note will encourage others to 
think on it as well. These things always get worse, not better.
I may write/experiment with this 'whitelist' idea this winter, but be 
aware, if you are not defending your system, you make it all the easier 
to hack others as well. Just because your system is running as intended 
does not mean it has not been compromised.

73,
...mike/kb8jnm