NonStandard SSH Ports no longer safe from BruteForce Attacks


Postby williamconley » Sat Feb 16, 2013 6:15 pm

For those of you who avoided ssh attacks so far by changing to another port (like 222 or 3322? LOL) instead of port 22 ...

From Slashdot member badger.foo who read an article by Peter Hansteen (aka: That grumpy BSD guy):

The inevitable brute force hackers have begun to port scan and no longer ignore non-standard ports. So if you have not checked your sshd logs recently, this would be a good time to search for Invalid user entries and fails. Depending on your log structure, of course. I am surprised it took this long, but it was inevitable. :)
Vicidial Installation and Repair, plus Hosting and Colocation
Newest Product: Vicidial Agent Only Beep - Beta
http://www.PoundTeam.com # 352-269-0000 # +44(203) 769-2294
williamconley
 
Posts: 20258
Joined: Wed Oct 31, 2007 4:17 pm
Location: Davenport, FL (By Disney!)
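
A quick way to do the log check the post recommends, as an added example that is not from the post or the Vicidial project: it counts "Invalid user" probes and "Failed password" rejections per source IP over constructed sample log lines (the hostname, addresses and ports are made up).

```python
import re
from collections import defaultdict

# Constructed sample of sshd log lines (not real data).  sshd here listens on a
# non-standard port; the scanner found it anyway.  On Debian these lines land in
# /var/log/auth.log, on openSUSE in /var/log/messages.
SAMPLE_LOG = """\
Feb 16 17:02:11 dialer sshd[4311]: Invalid user admin from 198.51.100.23
Feb 16 17:02:13 dialer sshd[4311]: Failed password for invalid user admin from 198.51.100.23 port 52113 ssh2
Feb 16 17:02:20 dialer sshd[4315]: Invalid user oracle from 198.51.100.23
Feb 16 17:02:22 dialer sshd[4315]: Failed password for invalid user oracle from 198.51.100.23 port 52140 ssh2
Feb 16 17:05:41 dialer sshd[4390]: Failed password for root from 203.0.113.77 port 40122 ssh2
Feb 16 17:05:44 dialer sshd[4390]: Failed password for root from 203.0.113.77 port 40122 ssh2
Feb 16 17:05:47 dialer sshd[4390]: Failed password for root from 203.0.113.77 port 40122 ssh2
Feb 16 17:09:02 dialer sshd[4402]: Accepted publickey for vicidial from 192.0.2.10 port 51000 ssh2
Feb 16 17:10:30 dialer sshd[4410]: Failed password for vicidial from 192.0.2.10 port 51002 ssh2
"""

# "Invalid user X from IP" = a username that does not exist here (scanner guessing).
INVALID_USER = re.compile(r"Invalid user (\S+) from (\d{1,3}(?:\.\d{1,3}){3})")
# "Failed password for [invalid user] X from IP" = one rejected password attempt.
FAILED_PW = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\d{1,3}(?:\.\d{1,3}){3})")
ACCEPTED = re.compile(r"Accepted \S+ for (\S+) from (\d{1,3}(?:\.\d{1,3}){3})")

def triage(log_text, threshold=2):
    """Per source IP: failed attempts, usernames tried, nonexistent usernames,
    and whether it ever logged in.  Returns only sources at/above threshold."""
    stats = defaultdict(lambda: {"failed": 0, "users": set(),
                                 "invalid_users": set(), "accepted": False})
    for line in log_text.splitlines():
        if m := INVALID_USER.search(line):
            stats[m.group(2)]["invalid_users"].add(m.group(1))
        elif m := FAILED_PW.search(line):
            stats[m.group(2)]["failed"] += 1
            stats[m.group(2)]["users"].add(m.group(1))
        elif m := ACCEPTED.search(line):
            stats[m.group(2)]["accepted"] = True
    return {ip: s for ip, s in stats.items() if s["failed"] >= threshold}

if __name__ == "__main__":
    for ip, s in sorted(triage(SAMPLE_LOG).items()):
        print(f"{ip}: {s['failed']} failures, users tried {sorted(s['users'])}, "
              f"nonexistent {sorted(s['invalid_users'])}, ever accepted: {s['accepted']}")
```

A source with many nonexistent usernames and no accepted login is a scanner; a known user with one failure and a later accepted login is a typo, which is why the report keeps both counts apart.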

Re: NonStandard SSH Ports no longer safe from BruteForce Att

Postby DruRoland » Sun Feb 17, 2013 12:23 am

Disable password authentication. Avoid the whole mess and just disable password authentication.

It takes maybe 5 minutes to generate and install a key pair. Best 5 minutes you'll spend all week.
2x ViciBox v.5.0.2-130807 | BUILD: 130809-1410 | SVN Version: 2019 | Asterisk: 1.8.23-vici
Debian 7 MySQL 5.5 server 4-core 16GB RAM Master & Slave
18 seats, outbound/blended with full recording
DruRoland
 
Posts: 52
Joined: Wed Jan 23, 2013 8:33 pm
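
An added example (not DruRoland's or the project's code) that checks whether an sshd_config actually has password logins off, run here over constructed weak and hardened fragments. It mirrors sshd's first-value-wins rule, which is the usual reason a "PasswordAuthentication no" appended at the bottom of the file changes nothing.

```python
# Constructed sshd_config fragments for the two states the post contrasts.  sshd
# keywords are case-insensitive and the FIRST value read for a keyword wins.
WEAK_CONFIG = """\
Port 2222
PasswordAuthentication yes
#PubkeyAuthentication yes
ChallengeResponseAuthentication yes
PermitRootLogin yes
"""

HARDENED_CONFIG = """\
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin prohibit-password
PasswordAuthentication yes
"""
# The trailing duplicate above does NOT re-enable passwords: first value wins.

def parse_sshd_config(text):
    """Return {keyword_lower: first_value}; stops at the first Match block."""
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)          # whitespace-separated form assumed
        key = parts[0].lower()
        if key == "match":                   # Match settings are conditional, not global
            break
        effective.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return effective

REQUIRED = {   # what a key-only sshd should say, globally
    "passwordauthentication": {"no"},
    "challengeresponseauthentication": {"no"},
    "pubkeyauthentication": {"yes"},
    "permitrootlogin": {"no", "prohibit-password", "without-password"},
}
def audit(text):
    """List settings that are unset or still allow password or root logins."""
    eff = parse_sshd_config(text)
    findings = []
    for key, allowed in REQUIRED.items():
        value = eff.get(key)
        if value is None:
            findings.append(f"{key} not set explicitly (sshd default applies)")
        elif value.lower() not in allowed:
            findings.append(f"{key}={value} (want one of {sorted(allowed)})")
    return findings
```

Install and test the key before restarting sshd: keep the current session open, put the key in place with ssh-keygen and ssh-copy-id, confirm a fresh login works, and only then reload the hardened config.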

Re: NonStandard SSH Ports no longer safe from BruteForce Att

Postby williamconley » Sun Feb 17, 2013 1:14 pm

Nope. They will still brute force, they'll just fail. And while they're doing it, your system will be slow/sluggish.

I like my whitelist only version.

But I thought I would warn others. :)

Remember that once the Hackers find out that there is a live machine there, they will log your IP and come back time and again with a new attack method. phpMyAdmin flaws, SIP account, anything and everything. White list: no chance to guess and they don't even know there is a server there.

So just like using an alternate port, you're getting away with it "for now", but eventually they Will Try Again.

Re: NonStandard SSH Ports no longer safe from BruteForce Att

Postby DomeDan » Mon Feb 18, 2013 4:29 am

For those who like reading slashdot comments: http://it.slashdot.org/story/13/02/16/2 ... high-ports
and for those who like to read the source of the discussion: http://bsdly.blogspot.ca/2013/02/theres ... ports.html

Set up a dedicated machine as a firewall that handles all the traffic and requests from the internet, I did,
and on that box I have ssh open on a non-standard port and disabled password login.
If you really need people connecting to your box over the internet then set up OpenVPN, I did,
and used a non-standard port there too, and the client can only talk to the vicidial server on the internal network.

This does not mean that you can ignore all other safety on the internal network;
there are many ways people can get access to the local network without even caring about the firewall.
Vicidial Partner. Region: Sweden/Norway.
Does Vicidial installation, configuration, customization, add-ons, CRM implementation, support, upgrading, network-related, pentesting etc. Remote and onsite assistance.
Email: domedan (at) gmail.com
DomeDan
 
Posts: 1226
Joined: Tue Jan 04, 2011 9:17 am
Location: Sweden

Re: NonStandard SSH Ports no longer safe from BruteForce Att

Postby ruben23 » Mon Feb 18, 2013 7:25 am

@ williamconley

Can you share how you do your whitelisting... somehow... it would help others also. Thanks
SkypeID: rlacumba
IBM x3200 Dual Core 2.4 Ghz.
4GB Ram
VERSION: 2.4-311a
BUILD: 110514-1351
© 2011 ViciDial Group
Asterisk 1.4.27-vici
Another VICI_day, same trunK, same Channel-->Transcode...
ruben23
 
Posts: 1161
Joined: Thu Jul 31, 2008 10:35 am
Location: Davao City, Philippines

Re: NonStandard SSH Ports no longer safe from BruteForce Att

Postby williamconley » Mon Feb 18, 2013 1:05 pm

We still have to get one more sale before we can push it to the forum freely. (Accountant insists we recoup our investment before publishing it ...). However, if you assemble all the posts I've done on the topic in the past, it's not hard to complete.

But the "base" of it is to use yast to remove all firewall openings and then modify the iptables configuration files specific to OpenSuSE to close any extra open ports (113 ... and any others like ping!). After that, without installing our software, you add an authorized IP address by "yast firewall" and adding custom entries. Each entry can be a single IP or an IP range. Each entry must be made for TCP and for UDP where applicable in this interface.

Up to this point, no special software is required as this is merely the way IPtables security is set up in OpenSuSE.

The addition of our software allows an easy web interface to add IPs (no ssh access required) and a special link for "away missions" (so you can send that special link to remotely operating agents whose IP changes regularly, as well as keeping a copy of it in your iPad for access at Starbucks or McDonald's).

Re: NonStandard SSH Ports no longer safe from BruteForce Att

Postby ZoVoS » Tue Feb 19, 2013 9:56 pm

=\ just let established/related connections in on line one and only allow inbound from the voip provider and local network? let all traffic out?

This should sort issues with NTP servers etc as the server establishes its own connection.

Or at least something to that effect. It's quite different when you host servers in the cloud.
ZoVoS
 
Posts: 58
Joined: Fri Aug 17, 2012 11:07 am
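
The whitelist-only layout williamconley describes (one entry per source, made for TCP and for UDP where applicable, nothing else open) and the established/related-first rule ZoVoS suggests, as an added example that is neither the PoundTeam tool nor anything posted in the thread: it builds the iptables rule list from a constructed whitelist (addresses, labels and ports are hypothetical) and refuses a mistyped entry before anything is loaded.

```python
import ipaddress

# Constructed whitelist for the setup the thread describes: only listed
# sources may reach the box, each for explicit TCP/UDP services.  Addresses
# and ports are hypothetical (sshd moved to 2222, web GUI 80/443, SIP 5060).
WHITELIST = [
    ("203.0.113.10",    "office",        [("tcp", 2222), ("tcp", 80), ("tcp", 443)]),
    ("198.51.100.0/24", "voip-provider", [("udp", 5060), ("udp", "10000:20000")]),
    ("192.168.1.0/24",  "lan",           [("tcp", 2222), ("tcp", 80), ("udp", 5060)]),
]

def build_rules(whitelist):
    """Return the ordered iptables commands for a default-deny inbound policy.
    Order matters: loopback and ESTABLISHED,RELATED come first so the box's
    own outbound connections (NTP, updates, the trunk it registers to) get
    their replies; the DROP policy is set last so a remote admin's own
    session is never cut off between the flush and the rule load."""
    rules = [
        "iptables -F INPUT",
        "iptables -A INPUT -i lo -j ACCEPT",
        "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for entry, label, services in whitelist:
        # ip_network() raises ValueError on a typo, so nothing is loaded at all
        net = ipaddress.ip_network(entry, strict=False)
        for proto, port in services:
            rules.append(f"iptables -A INPUT -s {net} -p {proto} --dport {port} "
                         f"-m comment --comment {label} -j ACCEPT")
    rules += ["iptables -P INPUT DROP", "iptables -P FORWARD DROP",
              "iptables -P OUTPUT ACCEPT"]   # everything out, nothing unlisted in
    return rules

if __name__ == "__main__":
    print("\n".join(build_rules(WHITELIST)))   # review, then run as root
```

Because the policy is DROP, a source that is not listed gets no response at all, which is the "they don't even know there is a server there" effect described above.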

Re: NonStandard SSH Ports no longer safe from BruteForce Att

Postby williamconley » Wed Feb 20, 2013 12:32 am

Agree absolutely with "whitelist IPs only", and OpenSuSE already has a method to allow established connections.

But what about remote agents? And the owner on his iPad at Starbucks? (Can't really tell her she can't look at the Real Time Screen while sipping her Latte ... :)

So an easy whitelist solution is quite handy.

Re: NonStandard SSH Ports no longer safe from BruteForce Att

Postby DomeDan » Wed Feb 20, 2013 3:43 am

Or OpenVPN, to prevent someone at the coffee shop from simply catching her username and password in the air,
or are you using https for the "special link"?

And yeah, I've set up OpenVPN on an iPad here.

Re: NonStandard SSH Ports no longer safe from BruteForce Att

Postby williamconley » Wed Feb 20, 2013 11:19 am

To date no one has requested https for the Special Link. But obviously it can be added easily. Next upgrade :)

So far, no one has even almost attempted accessing one of these boxes once whitelist is active.

