vicidial.org

[mte2005]

he :s
my server goautodial is attacked from hackers from 2 weeks without stopping

i'm trying to secure the server with iptables
:s the problem that when i do my config in iptables and block all ip
after 5 or 10 min :s the hackers delete all my config and reset it to blanc
so I asks how they can do that, i'm changing my root password many time
can they have another user account for access?
if yes how can i detect it
can they have a script in the server or a trojan that help their to do this?
if yes how can i detect it ?
thanks you very match

[travian.ck]

Are you able to login to the terminal as root ?

Please make sure you change the default vicidial passwords:
1) terminal "root"; using passwd
does your webmin work?

2) mysql "root"; using mysqladmin -u root -p'oldpass' password 'newpass'

3) vtigercrm from its web portal

4) change passwords for vicidial web access login.

provide info:
4) paste your /etc/passwd
5) crontab file; crontab -l
6) your mysql user table db

this is for starters, so as to figure out the level of infiltration

you havent provided the criticality of your server, i suggest you shut it down for the time being.
If you have a router as default gateway, NAT your default ports,
mysql 3306, 21,22,23,80 n so on.
it would buy you sometime even though its not a remedy.

[mte2005]

:s i'm doing all this, and this is the same problem, after 1h i'm hacker again
i see that is other problem to solv in my security server,
help please

[mte2005]

up

[williamconley]

if you reinstall with Vicibox and close ALL the ports via the YAST firewall settings before you get hacked ... you should be good.

opensuse/yast has a fairly good "stock" firewall. after you set up you go to:

yast firewall

turn off all "allowed services"

then in "advanced" (still in allowed services) close ALL the ports (remove all entries, that closes them).

the JUST allow the IP addresses of the servers you actually want to communicate with.

if you back up your database first, you can even restore your database after and upgrade it to the latest version and continue to use it

[mte2005]

hi

it does not matter for the base, is a new installation
for Vicibox if i install it to my dedicated server from a KVM
all goes well but after rebooting to my HDD I have a problem
recognizing my NIC so that is for that i use goautodial,
if you have a solution for that problem for me i take it hapy
or a recent document for scratch installation, i do it to
the oldest in the web site have a dead link and more lost information

thanks you very match

[williamconley]

in that case, fresh install with a Whitelist Only IPTables scenario before you even hook it up to the internet. Then the ONLY people who can even SEE or interact with your server in any way must be on the white list. As long as you don't put any hackers on your white list (no ranges, single IPs only!), you're good.

Here's a sample (from OpenSuSE, but also works on Ubuntu nicely, should also work as the full iptables setup on CentOS):

Code: Select all

# Generated by iptables-save v1.3.8 on Thu Mar 17 11:54:04 2011
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [3:120]
:forward_ext - [0:0]
:forward_int - [0:0]
:input_ext - [0:0]
:input_int - [0:0]
:reject_func - [0:0]
-A INPUT -s xxx.xxx.xxx.xxx/32 -j ACCEPT
-A INPUT -s xxx.xxx.xxx.xxx/32 -j ACCEPT
-A INPUT -s xxx.xxx.xxx.xxx/32 -j ACCEPT
-A INPUT -s xxx.xxx.xxx.xxx/32 -j ACCEPT
-A INPUT -s xxx.xxx.xxx.xxx/32 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m state --state RELATED -j ACCEPT
-A INPUT -i eth0 -j input_int
-A INPUT -i eth1 -j input_ext
-A INPUT -j input_ext
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "SFW2-IN-ILL-TARGET " --log-tcp-options --log-ip-options
-A INPUT -j DROP
-A FORWARD -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWD-ILL-ROUTING " --log-tcp-options --log-ip-options
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m limit --limit 3/min -j LOG --log-prefix "SFW2-OUT-ERROR " --log-tcp-options --log-ip-options
-A input_ext -m pkttype --pkt-type broadcast -j DROP
-A input_ext -m recent --rcheck --name GOOD --rsource -j ACCEPT
-A input_ext -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A input_ext -p tcp -m tcp --dport 113 -m state --state NEW -j reject_func
-A input_ext -m pkttype --pkt-type multicast -j DROP
-A input_ext -m pkttype --pkt-type broadcast -j DROP
-A input_ext -p tcp -m limit --limit 3/min -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -p icmp -m limit --limit 3/min -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -p udp -m limit --limit 3/min -m state --state NEW -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -j DROP
-A input_int -j ACCEPT
-A reject_func -p tcp -j REJECT --reject-with tcp-reset
-A reject_func -p udp -j REJECT --reject-with icmp-port-unreachable
-A reject_func -j REJECT --reject-with icmp-proto-unreachable
COMMIT
# Completed on Thu Mar 17 11:54:04 2011
# Generated by iptables-save v1.3.8 on Thu Mar 17 11:54:04 2011
*raw
:PREROUTING ACCEPT [25890911:4913156736]
:OUTPUT ACCEPT [25089250:4484603070]
-A PREROUTING -i lo -j NOTRACK
-A OUTPUT -o lo -j NOTRACK
COMMIT
# Completed on Thu Mar 17 11:54:04 2011


DO replace the "-A INPUT -s xxx.xxx.xxx.xxx/32 -j ACCEPT" with white list ip addresses!!

[mte2005]

hi williamconley
thanks you for your response,
the probleme is that my instalation is in a dedicated server so if i use this list i risk to deny my acces to in the serveur
and i can't every time a have new user take his ip address ans add it to list
especially all our internet provider uses DHCP, so if user just restart the pc I should redo all the list :s imagine i have 100 or 200 user

[williamconley]

1) the first IP address you put in the list is YOURS to ensure permanent access.

2) We have a system allowing for addition of IP addresses with a simple web page.

3) We have a NEW system that allows a LOCKDOWN single page web to be the ONLY public facing access on port 81 with a "link required" filename (ie: if you don't know the name of the logon page, you'll never see anything ... if you use a port other than 81 you'll get a black hole, no response). After the agents log on via this web page, THEN they will have full access to the system.

We've just developed this system. Went live this morning, Beta testing this week.

It allows for a full reset of all dynamic IP addresses nightly. The only change for the agents is that they log in on a different page with their USER/PASS first (instead of their PHONE/PASS) and the PHONE/PASS is then prepopulated (because it was easy ).

We will also shortly be adding "phone ips" from the Admin->Phones table to be populated into the whitelist automatically, but this would really only be necessary if the phone were on a different IP from the user (we have a client who has this situation using WiMax in Miami).