Severe Security Warning - Extensions with matching secret

There are some new scripts out in the wild that are attacking Asterisk-based systems. These scripts attempt to authenticate to your SIP extensions. If you have configured your extensions with the secret being the same as the extension number and you have SIP or IAX2 exposed to the internet, then your system is vulnerable.

What happens is that the scripts connect and find extensions that they can log in as, then calls start getting made through your system. This can seriously rack up your phone charges.

Although we have not seen this with IAX2 extensions, it's just a matter of time before the hackers start going after that as well.

It is mandatory that everyone go through their extensions immediately and make sure you change your secrets from being the same as the extensions to preferably some strong password.
We are not dentists, but we are here to help.
--

Kerry Garrison
trixbox Community Director

On this note secret=1234 is

On this note secret=1234 is not ok either.....

FTP vs TFTP

This is a reason to use FTP instead of TFTP if you are provisioning phones over the internet. FTP will allow you to use a username and password. Even though that username and password traverses the internet in plaintext, it is still much more secure than TFTP with no password.

Should be nice if the

Should be nice if the freePBX GUI could generate a strong password when configuring an extension. But if you have too many extensions it is much easier and faster to just configure your firewall to only allow known IP addresses to get access to the trixbox asterisk server. Of course you can not do that with a cheap linksys firewall.

You can add permit/deny

You can add permit/deny statements in SIP peers in Asterisk. You would have to manually edit the sip_custom_post.conf and then add the peer additions like this:

[100]
deny=0.0.0.0/0.0.0.0
permit=4.2.2.0/255.255.255.0

It is preferred to use an access list in firewall/router. This is a good way to lock down the application.

You can also use these statements in sip_general_custom.conf for all peers that don't explicitly have an access list.

We are testing a patch right

We are testing a patch right now that we wrote that will give you a stern warning if you try to use the same secret as the extension number. As soon as we finish testing it we will submit it to FreePBX.
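A check along the lines of the warning described above, as an added example that is not the patch itself nor FreePBX code: it parses sip.conf-style peer sections, flags any secret that equals the extension number or is numeric-only (the numeric-only rule is an assumption of this example), and can generate a replacement secret. The sample config is constructed.

```python
import re
import secrets
import string

# Constructed sample in the layout of Asterisk sip.conf peer sections (not from
# any real system). 100 and 101 repeat the mistakes the thread describes.
SAMPLE_SIP_CONF = """
[100]
secret=100
host=dynamic
[101]
secret=1234
host=dynamic
[102]
secret=Xk7pQ29vLm4
host=dynamic
"""

ALPHABET = string.ascii_letters + string.digits

def parse_peers(text):
    """Return {section: {key: value}} for each [section] in the config text."""
    peers, current = {}, None
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        m = re.match(r"^\[([^\]]+)\]", line)
        if m:
            current = m.group(1)
            peers[current] = {}
        elif current and "=" in line:
            key, value = line.split("=", 1)
            peers[current][key.strip()] = value.strip()
    return peers

def audit_secrets(text):
    """Return {peer: reason} for every peer whose secret should be changed."""
    findings = {}
    for name, opts in parse_peers(text).items():
        secret = opts.get("secret", "")
        if secret == name:
            findings[name] = "secret equals extension number"
        elif secret.isdigit():  # covers 1234-style defaults; an added assumption
            findings[name] = "numeric-only secret"
    return findings

def strong_secret(length=16):
    """Random replacement secret from A-Z, a-z, 0-9 using the secrets module."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))
```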

Why not add a little more

Why not add a little more code and have it generate a secure password? Then CE really starts to add value to freepbx.

Why does everyone end

Why does everyone end warnings with "We are Not Dentists..."

Some of us are or will be soon enough..

but thanks for the heads up - i know one person whose corporate system was "hacked" this past weekend and 22000 (yes, 22K) calls were made to USA numbers over their PRI. 15k actually went through, costing about $500 in damages - nothing to break the bank for them, but still a significant amount.

Quote:
If you have configured your extensions with the secret being the same as the extension number and you have SIP or IAX2 exposed to the internet, then your system is vulnerable.

There are scripts out there that will attempt to brute force your password so don't be thinking it's ok as long as it's not the same as your extension number. If it can be cracked in X amount of time you're vulnerable, svcrack can make 7 million attempts a day under ideal conditions.

I guess this is why someone kept going on about fail2ban ....

This warning is only a

This warning is only a stop-gap method and warns you to use strong passwords. Since passwords don't have to be basic number sequences you can use as strong of a password as you want. While fail2ban is one solution, Engineer Tim prefers the AFP/BFD combo. Since things are now blowing up hardcore with several new scripts this past week, we are going to have to include one of the two solutions into trixbox CE.

That sounds great. I just

That sounds great.
I just posted a comment like that in http://trixbox.org/forums/trixbox-forums/open-discussion/just-bit...

thanks a lot for addressing this threat

Not entirely sure but I had

Not entirely sure but I had the impression APF/BFD were either no longer or at best poorly maintained whereas fail2ban is well supported.

Okay I liked the idea above

Okay I liked the idea above about a generate link so I threw something together that is open for use by any project:
http://files.jameswf.info/passtool.tar.gz

there is a small PHP script that generates 8-character passwords using A-Z, a-z, 0-9.

I have also included an AJAX example to put a "generate" link

Any project who wishes to use it feel free......

I licensed it under BSD2 so it is GPL compatible :)

**side note the ajax is not mine, it is creatively plagiarized from w3schools and should be okay to use but it's not mine....

Hacking

Just a note that I had two systems get "hacked" by someone in the Netherlands making LD calls through my systems. I was using "1234" for passwords. No longer!

However, I think the UI of Trixbox needs to be secured. The FOP is just too easy to access. I've done it by dropping .htaccess files inside /var/www/html/admin and /var/www/html/panel, but not sure if that really is enough. There are real benefits of having the UI accessible over the internet, but it should be password-protected like maint is, so that they can't see your extensions, making hacking that much easier.

Where to look

I ran the sv tools against my system internally and found they work fairly fast. The dictionary attack didn't find my password but a real good list might. I found all the failed password attempts in /var/log/asterisk. What was interesting to me, was the size of the log files were about the same from daily rotation and then the day I tried the sv tools, the log files mushroomed in size. Another interesting way to see unusual activity.

I guess a good solution would be something like my ftp server - after X failed attempts, add IP to block list. I'm looking at fail2ban this weekend.
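The "after X failed attempts, block the IP" idea from the post above, as an added example (not the poster's setup, not fail2ban): it counts failed SIP registration attempts per source IP from chan_sip NOTICE lines like those in /var/log/asterisk and reports addresses over a threshold. The log lines are constructed in the style of that file.

```python
import re
from collections import Counter

# Constructed sample lines in the style of /var/log/asterisk/full for chan_sip
# (not captured from a real system); the last line is a successful registration.
SAMPLE_LOG = """\
[Jan 10 03:12:01] NOTICE[2901] chan_sip.c: Registration from '"100"<sip:100@192.0.2.10>' failed for '198.51.100.7' - Wrong password
[Jan 10 03:12:01] NOTICE[2901] chan_sip.c: Registration from '"101"<sip:101@192.0.2.10>' failed for '198.51.100.7' - Wrong password
[Jan 10 03:12:02] NOTICE[2901] chan_sip.c: Registration from '"102"<sip:102@192.0.2.10>' failed for '198.51.100.7' - No matching peer found
[Jan 10 03:12:02] NOTICE[2901] chan_sip.c: Registration from '"103"<sip:103@192.0.2.10>' failed for '198.51.100.7' - Wrong password
[Jan 10 03:15:40] NOTICE[2901] chan_sip.c: Registration from '"200"<sip:200@192.0.2.10>' failed for '203.0.113.25' - Wrong password
[Jan 10 03:16:00] VERBOSE[2901] logger.c:     -- Registered SIP '200' at 203.0.113.25 port 5060
"""

# Matches the failure notice; the IP group stops before any ":port" suffix.
FAILED_REG = re.compile(
    r"Registration from '(?P<user>[^']*)' failed for '(?P<ip>[0-9.]+)'(?: - (?P<reason>.*))?"
)

def failed_attempts(log_text):
    """Count failed SIP registration attempts per source IP address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_REG.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts

def offenders(log_text, max_failures=3):
    """Return the sorted IPs whose failure count exceeds max_failures."""
    return sorted(ip for ip, n in failed_attempts(log_text).items() if n > max_failures)

if __name__ == "__main__":
    for ip in offenders(SAMPLE_LOG):
        print("would block", ip)
```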

Follow up

If 1 extension on your system got hacked could they have possibly gotten your trunk providers login & password?

I like an idiot used the default passwords during testing (3 days) and someone hacked 1 extension for about 250 calls.

I made the maint password and extension passwords extremely strong, and have seen no activity since.

Is there any chance they could have stolen my trunk providers login and password and set this up on their machine?

Do I need to call my provider and have my passwords reset?

Also, there is an unknown peer shown as registered? Do I need to do a clean install?

How does this apply to the Trixbox Pro systems?

Sorry if this is off-topic, but I'm a newbie running a fully implemented Trixbox Pro system. I'm trying to correlate this topic to extension passwords in Trixbox Pro. The only ones I know of are on the "Phones" screen, and the userID and password are set by default to the MAC address of the phone.

Is this a similar risk by leaving these as such?

Thanks,
-Dan

In light of this security

In light of this security risk, is there a movement in Trixbox to move to FTP as the default configuration method rather than TFTP? Is there a way in the Trixbox GUI or otherwise to tell the endpoint configuration to use an FTP location for creation of the files rather than TFTPboot?

Thanks.

Jeff
