A small business in Sydney contacted me to look at their Asterisk phone system. It had been compromised and a large number of overseas phone calls had been made ($28000 worth); you can read more about it here: http://www.linuxsupportsydney.com.au/security/.
Dealing with compromised systems 101 says restore from a known clean backup. That option was out: there were no backups. A reinstall, then, is the only smart thing to do, but we were constrained by money, so I did the best I could with locking down a system in an unknown state. Usually in this type of breach the attackers don't bother gaining root and installing backdoors; they probably never even got a shell on the CentOS box. It was weak phone account passwords that let them register phones on Asterisk and make calls. You never know, though, so I was, and still am, a little uncomfortable, but we make do with what we have available.
One of the first things I did was yum update. This brought in a lot of updates, including updates to Elastix and Asterisk, and it brought CentOS 5 up to the latest release. I also re-installed a bunch of packages, so that things like the netstat command would be refreshed, and ran for p in `rpm -qa`; do rpm --verify $p >>/tmp/v 2>&1 ; done (one rpm -Va does the same thing in a single pass) to check every installed package's files against the RPM database. It's better than nothing, but if it was a sophisticated compromise those measures wouldn't help: rpm --verify trusts the rpm binary and the RPM database on the very box being checked.
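Reading the verify output is the part that takes judgement, so here is an added helper (my example, not a command from the original post) that filters the noise out of rpm -Va. Config files (attribute 'c') legitimately differ, and a bare mtime change ('.......T') is harmless; what you want to see is a changed content hash ('5'), mode ('M') or owner/group ('U'/'G') on a non-config file, or a file that is missing altogether. The sample lines in the usage note are constructed, not from the compromised box.

```shell
#!/bin/sh
# Added example, not the original post's command. Filters rpm verify output (rpm -Va,
# equivalent to the per-package loop in the post) down to the lines worth a second look
# on a possibly backdoored box. Reads verify output on stdin, prints the suspicious lines.
#
# rpm output shape: "S.5....T  c /path"  (flag column, optional attribute, path)
#                   "missing     /path"  (file gone entirely)
filter_rpm_verify() {
    awk '
        # a file that has disappeared is always worth knowing about
        /^missing/ { print; next }
        {
            flags = $1
            # attribute (c=config, d=doc, g=ghost, l=license, r=readme) sits in $2 when present
            attr = (NF >= 3) ? $2 : ""
            # config/doc/ghost files are expected to differ; skip them
            if (attr == "c" || attr == "d" || attr == "g" || attr == "l" || attr == "r") next
            # report changed contents (5), mode (M), owner (U) or group (G); mtime alone is noise
            if (index(flags, "5") || index(flags, "M") || index(flags, "U") || index(flags, "G")) print
        }'
}

# The real check on the box: one pass over every installed package.
check_box() {
    rpm -Va 2>/dev/null | filter_rpm_verify
}
```

Run check_box and read what comes out; a '5' against /bin/netstat, /bin/ps or /usr/sbin/sshd is the classic rootkit signature. The caveat from the post still stands: a rootkit that replaced rpm itself, or patched the RPM database, will verify clean, so on a box you really distrust run rpm from a rescue CD against the mounted disk (rpm --root) rather than from the installed system.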
Next job was firewalls, starting with one on the CentOS box itself, restricting ssh, as I wasn't 100% sure there weren't hidden accounts; there were none in /etc/passwd and /etc/shadow, but you can't be 100% sure. I configured ssh to only allow root login, so that any account I might have missed can't get in over ssh. Generally you do the opposite and disable root login, but this box does one thing, Asterisk, and it's only going to be looked at once in a blue moon if there is an issue. I restricted 5060 to only allow incoming new connections from the telephone company's IP address and the LAN, and blocked access to the web ports from the internet. Elastix management is now done through ssh tunnels. I did the same sort of port blocking on the ADSL router.
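The host firewall described above, written out as an added example (my script, not the one used on the client's box): ssh only from the LAN, SIP signalling only from the trunk provider and the LAN, web ports unreachable from the internet, everything else dropped and logged. The provider address 203.0.113.10, the LAN 192.168.1.0/24 and the RTP range are assumptions; the RTP rules are not mentioned in the post but are needed or calls will set up with no audio, and the range must match /etc/asterisk/rtp.conf. The function prints the iptables commands rather than running them so the rule set can be reviewed first.

```shell
#!/bin/sh
# Added example, not the original post's firewall script: INPUT chain for a CentOS 5
# Asterisk box. All addresses below are assumptions; replace with the real ones.
TELCO_IP="${TELCO_IP:-203.0.113.10}"    # assumed SIP trunk provider (TEST-NET-3 placeholder)
LAN="${LAN:-192.168.1.0/24}"            # assumed office LAN
RTP_PORTS="${RTP_PORTS:-10000:20000}"   # Asterisk's default rtp.conf range; check /etc/asterisk/rtp.conf

# Print the iptables commands instead of running them, so they can be reviewed
# and then applied with:  fw_rules | sh
fw_rules() {
    cat <<EOF
iptables -F INPUT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# management: ssh from the LAN only; the Elastix web GUI is reached over an ssh tunnel
iptables -A INPUT -p tcp --dport 22 -s $LAN -m state --state NEW -j ACCEPT
# SIP signalling: new registrations and calls only from the trunk provider and the LAN
iptables -A INPUT -p udp --dport 5060 -s $TELCO_IP -m state --state NEW -j ACCEPT
iptables -A INPUT -p udp --dport 5060 -s $LAN -m state --state NEW -j ACCEPT
# RTP media for those calls (assumed default range, see rtp.conf)
iptables -A INPUT -p udp --dport $RTP_PORTS -s $TELCO_IP -j ACCEPT
iptables -A INPUT -p udp --dport $RTP_PORTS -s $LAN -j ACCEPT
# web GUI (80/443) from the LAN only
iptables -A INPUT -p tcp -m multiport --dports 80,443 -s $LAN -j ACCEPT
# everything else, including 5060 from the internet, is logged (rate limited) and dropped
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "pbx-drop: "
iptables -P INPUT DROP
EOF
}
```

Apply it from the console or from a LAN ssh session (fw_rules | sh), then service iptables save so it is reloaded at boot. The DROP policy is set last so an existing ssh session is never cut off while the rules are being loaded. Note that -F INPUT also removes any jump rules a tool such as fail2ban may have inserted into INPUT, so restart it afterwards if it is in use. For the Elastix GUI, ssh -L 8443:localhost:443 root@pbx and then browse to https://localhost:8443/.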
Next was locking down Elastix/Asterisk: I restricted Asterisk so phones could only register from the LAN, changed all the phone passwords to random strings, and disabled incoming calls from the internet except those from the phone company.
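What those three Asterisk changes look like in chan_sip terms, as an added example (mine, not the configuration from the client's box): allowguest=no so unauthenticated callers are rejected before they reach the dialplan, alwaysauthreject=yes so an attacker can't tell a real extension from a non-existent one by the error code, a deny-all/permit-LAN pair on each phone so it can only register from inside, a long random secret per phone, and a trunk peer matched by the provider's IP. The LAN, provider address, extension names and context names are assumptions. On Elastix the general options belong in sip_general_custom.conf and the per-extension secret and deny/permit values are entered through the GUI (FreePBX regenerates sip_additional.conf, so edits there are lost); the stanzas the script prints show the values to enter.

```shell
#!/bin/sh
# Added example, not the original post's configuration. Generates chan_sip settings for
# a locked-down Asterisk box. Addresses and names are assumptions.
LAN_NET="${LAN_NET:-192.168.1.0}"         # assumed office LAN
LAN_MASK="${LAN_MASK:-255.255.255.0}"
TELCO_IP="${TELCO_IP:-203.0.113.10}"     # assumed trunk provider address (TEST-NET-3 placeholder)

# 24 random alphanumerics from the kernel RNG (about 143 bits): not guessable by the
# dictionary/brute-force registration attempts that hit every Asterisk box on the internet.
gen_secret() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 24
    echo
}

# [general] hardening; on Elastix/FreePBX put these lines in sip_general_custom.conf.
sip_general() {
    cat <<EOF
[general]
allowguest=no          ; unauthenticated callers are rejected instead of hitting the dialplan
alwaysauthreject=yes   ; same response whether or not the extension exists, so it can't be enumerated
EOF
}

# One phone: may only register from the LAN (deny everything, then permit the LAN).
# Usage: sip_peer <extension> [secret]; a fresh random secret is generated if none is given.
sip_peer() {
    name="$1"
    secret="${2:-$(gen_secret)}"
    cat <<EOF

[$name]
type=friend
host=dynamic
secret=$secret
deny=0.0.0.0/0.0.0.0
permit=$LAN_NET/$LAN_MASK
context=from-internal
EOF
}

# The trunk: matched by the provider's IP, so INVITEs from anywhere else never reach the dialplan.
sip_trunk() {
    cat <<EOF

[telco-trunk]
type=peer
host=$TELCO_IP
context=from-trunk
EOF
}

# Print a complete example: general section, two phones, the trunk.
sip_example() {
    sip_general
    sip_peer 201
    sip_peer 202
    sip_trunk
}
```

After changing secrets, reload with asterisk -rx "sip reload" and watch asterisk -rx "sip show peers": every phone should re-register from a LAN address, and the provider should show up as the only non-LAN peer. If the provider sends calls from more than one address, add a permit= line per address to the trunk rather than opening 5060 to the world again.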
There are a few layers of security now, so it's no longer low-hanging fruit. One would have to be quite determined to break into it now, and there's no point when there are thousands of other Asterisk servers out on the internet in the default convenient-but-insecure configuration; the criminals will look elsewhere. I hope.