Security: How to get your trixbox hacked in no time.

Thanks for this update. Fortunately most of these are locked down by default.

1. This is very important. Make sure you are using strong SIP passwords if you open this port. You should also limit the RTP ports used by Asterisk if you allow external access. There is lot's of info on voip-info.org on how to do this.

2. The manager interface is disabled for external access by default. If you enable it for external access by editing manager.conf make sure you limit you acccess to a set IP range.

3. Fortunately although there is a bug in memcached trixbox does not use the version with the bug that exposes information. Still if you have open access to your trixbox limit the port range as stated in part 1 to below port 11000 this will cut off external access to memcached. We are evaluatiting if memcached should be used on trixbox at all.

4. this port is locked from external access by default

5. this port is locked from external access by default

6. there is a password on the crucial data on the web interface. make sure to change this password and don't open this port unless you have too.

obeliks, seems like you know quite a bit about security. Please feel free to add a section to the wiki on how to secure your trixbox. We can add other information like this there. That section in your last linked post about how to move the rtp ports Asterisk uses is particularly useful.

I am sorry but stating bluntly an incorrect information does not make it true.
I might start to think you never installed 2.8.0.4 yourself.

Here is the list of open ports on 2.8.0.4 right after install, the list does not include ssh, http, ftp and ntp.

There are 18 ports wide open, including 8 ports opened by asterisk. Anybody can send packets to them.
For example, sending garbage to the manager port causes asterisk to start eating 100% CPU and dropping packets and registrations.

             COMMAND         USER  PORT
     1        xinetd         root UDP 69
     2       portmap          rpc TCP 111
     3       portmap          rpc UDP 111
     4     rpc.statd         root UDP 631
     5     rpc.statd         root UDP 634
     6     rpc.statd         root TCP 637
     7      asterisk     asterisk TCP 1720
     8      asterisk     asterisk TCP 2000
     9      asterisk     asterisk UDP 2727
    10        mysqld        mysql TCP 3306
    11     op_server     asterisk TCP 4445
    12      asterisk     asterisk UDP 4520
    13      asterisk     asterisk UDP 4569
    14      asterisk     asterisk UDP 5000
    15      asterisk     asterisk TCP 5038
    16      asterisk     asterisk UDP 5060
    17     memcached       nobody TCP 11211
    18     memcached       nobody UDP 11211

rrichiez,
you are asking basic questions which should be covered in networking 101.
Let me ask you this, which port do you need to open in order to get to google.com ?
I already posted a link about opening port 5060 in my first post in this thread, but for your convenience I will post it again:

http://fonality.com/trixbox/forums/trixbox-forums/open-discussion...

update: manual is available under ISBN 0201633469

Ftp allows you to upload files. Nice ;-)

Why do you think I am scanning anything ?

Do you not have your Apache server running? Why do I not see port 80 listening?

My phones all have open ports on them, do you complain to Cisco, Grandstream, Aastra etc about their devices having open ports? My TV has open ports, let's see what else do I see around here with open ports...my media server, NAS, set-top media player, Android phone, who knows how many devices have open ports on my network right now. The key is how to secure them from the outside. To me...trixbox is a phone system, not an edge device. Security to the network has to first and foremost be secured at the edge devices and work back through the network. Pointing out open ports that someone has to manually open in the firewall, hopefully by understanding the risks and mitigating and security issues while doing so, seems like nothing more than flame trolling to me.

I will repeat one of my most famous quotes on these forums in response to this statement:

"People smoke crack and have unprotected sex with hookers, doesn't make it safe"

All I can say is some small percentage use trixbox as a stepping stone to learning the power of Open Source Telephony. I am here for them.

When I started investigating OST trixbox was the hot ticket and if a distribution was not available I probably never would have even tried to learn Asterisk.

I also have no idea why Fonality can't see the value the Open Source brings to the brand and fund development.

Seems like someone has a menhir up their you-know-what.

I generally hold Obeliks opinion in high regard but, I'm not understanding his point in this thread. Yes, I agree that it is unnecessary and unwise, in many cases, to open ports on modern routers that allow all outbound traffic and related, established return traffic. But, to suggest that the server shouldn't have open ports is a bit extreme, even if people are going to be stupid and put the unprotected server on the internet.

The fact is that trixbox is an aggregation distribution that offers a long raft of services. You can't offer all those services on a network without having the ports open. Granted, there are some unnecessary open ports and the security posture could be improved. But, just like you can't put a Windows server or FreeBSD webserver on the internet without the protection of a firewall, you can't put a PBX server on the internet without firewall protection. This is especially the case with an all in one server like trixbox. trixbox can't close ports to SIP, HTTP/S, MySQL, FOP et al, these services are all essential to its proper operation. But, regardless of target user naiveté, I can't blame Fonality/trixbox for ignorant people putting an unprotected server on the internet.

But, this is the part that makes arguing over all this rather pointless. It's been months since Fonality released anything at all and signs presently point toward the end of trixbox. It's my opinion that Fonality has no further interest, if it ever did, in a free PBX offering such as trixbox CE.

Awesome! I'm always excited to learn a new word: menhir. How have I not heard that before?

Long time Asterisk fan, have followed and deployed A@H/FreePBX/Trixbox for years, first time (or so) poster.

Obeliks is right on the money with pretty much everything he's saying. The state of security of FreePBX, Asterisk itself, and Trixbox are all pretty shameful. It seems like there is no one tasked specifically with guiding the development of FreePBX/Trixbox in a secure way, or even doing the basic OWASP sort of pre-commit code reviews. There's no other explanation for things like how the authentication header includes just failed to make it into all the CDR admin scripts, as fixed by this patch that still hasn't made it into the mainline: http://www.freepbx.org/trac/changeset/10274/freepbx/trunk/amp_con...

And why *are* there so many ports open on a default Trixbox install? There's no good reason for it. As a systems administrator in the year 2011, I'd expect a mom & pop pizza shop to fire me if they asked me to build them a web server and what I handed back had memcached open to the world, rpc services running but not being used by anything, etc. The general guideline is "if leaving it on presents additional security risks that outweigh the benefits, turn it off". In the case of things like memcached, there's really only one right answer.

It seems even worse when the community's thought leaders say things like "The key is how to secure [the devices] from the outside". No! This is exactly precisely the wrong mentality that has led to all the lame SCADA flaws that have been making headlines lately. Defense in depth is a *key* concept, the weakest link breaks the chain and it's always that link the attackers seek out. Security is not something to worry about later, or something you can tack on in front of your device after you've built it, it has to be a weighty consideration from the design phase on forward through every step of the software life cycle, for every person who has a hand in the design. The Department of Homeland Security just started up a new initiative and website called "Build Security In" intended to educate developers about the "defense in depth" approach as well as aggregating a lot of good secure design and coding recommendations: https://buildsecurityin.us-cert.gov/bsi/home.html

I have an inkling about how boring, lame, and much ado about nothing so much of this sounds to the folks out there coming out of the TDM world where everything Just Worked(tm), key systems and the like, and not having much appreciation for the headaches of computer security. The reality is, though, that security is only going to become more important going forward and any product that wants to be a serious competitor in the VoIP space or any other is going to have to take it more seriously than we had gotten used to doing. And on the flip side, customers are going to start getting more upset and willing to blame developers and contractors when things get hacked.

Apologies to anyone at Fonality who feels like this is a bash... I don't intend to slam your hard work or seem unappreciative at the contributions you're making to the open source community. But the bottom line is that the ecosystem is not where it was a few years ago, security has moved to the forefront and Trixbox desperately needs some attention in that area. Happy to help in that regard if I can.

Scott, can I have some of what you are smoking ? And I am not saying this just because you mentioned SBC again which is a sure sign you are in the snake oil selling mode.

Let's look at some of the things you say:

What has Fonality done other than steal the FreePBX code, paint it green and then abandon the project?

This is a strange statement from somebody with a post count approaching 10,000.

topology hiding is a key to security in public SIP networks

how is this related to trixbox/asterisk/freepbx deployments ? Are you just showing off ? Do you expect asterisk users to deploy proxies/sbcs/etc ....?

PBX's are not designed to be exposed to the Internet and never should be.

LOL ;-) Can you show me an asterisk distro which blocks all incoming non-RFC1918 traffic by default and requires the user to go through a few hoops in order to allow remote extensions/remote administration from internet at large ?

Have you looked at the new FreePBX distro? It makes many strides forward in security and includes fail2ban.

Your imagination must be working overtime in order to make such a statement. The FreePBX distro is no better that Trixbox. Check this comment:
http://forums.digium.com/viewtopic.php?t=78054

Fail2ban will not prevent your extensions from being enumerated at will:
http://forums.digium.com/viewtopic.php?t=78538

Have FreePBX people figured out why are they using type=friend by default ?
http://forums.digium.com/viewtopic.php?t=78679

or the basic authentication:
http://www.freepbx.org/trac/ticket/5116

Perhaps this is a bit mean spirited but it is funny.

This is not mean spirited nor funny. I am quite serious about this. Do not let incoming connections from non-RFC1918 space of any kind except for RTP on a small range of ports. This way people could register with VSPs and have their trunks working, but the box could be placed safely on the internet. Only phones on RFC1918 network could register or access the web admin interface.

Certainly room for improvement always exists, to say it is no better than trix is a distortion of the facts

It is not a big distortion, the only difference between trixbox and the freepbx distro is the lack of the hidden admin - wwwadmin and fewer modules loaded.
The rest is the same garbage as usual.
There is also a new post on digium forums about fail2ban - how ineffective it really is: http://forums.digium.com/viewtopic.php?t=78988