Security problem

Discussion in '3CX Phone System - General' started by Lukas, Feb 18, 2011.

Thread Status:
Not open for further replies.
  1. Lukas

    Joined:
    Jan 23, 2011
    Messages:
    45
    Likes Received:
    0
    Hi! I have a small problem with the auto-generated provisioning XML files.

    Each time I save changes to an extension a new XML file is created in the TcxProvFiles. This wouldn't be a problem, except that those files contain the clear-text password of our extensions. Which still wouldn't be a problem, except that for a number of reasons which are beyond my control I can't put that machine behind a firewall.

    Now, I am sure everybody agrees that it is just a matter of time before an attacker gets those files. So I was wondering:

    is there a way to avoid the XML files being generated?

    OR

    is there a way to configure Abyss to only allow access to a predefined set of IP addresses?

    OR

    will 3CX mind if I schedule a script to kill those files? A bit rough, but gets the job done, I guess.

    Thank you!!
     
  2. abc123

    abc123 Active Member

    Joined:
    Nov 9, 2009
    Messages:
    712
    Likes Received:
    1
    There isn't a way to stop them being generated, but as far as I know they are only used if you use provisioning for your phones, so you could delete them.

    The bigger issue is the firewall.

    I can't think of many, if any, reasons why it cannot be behind a firewall. As you are running Abyss it would appear to be on a PC and not a server. Why would a PC be open to the net with no firewall? And if a hacker does get in and past your password then it won't take long (XML files or not) for them to get into 3CX and get the information if they wanted to.

    If you have to have that PC open to the net for some other reason then take 3CX off it and put it behind a firewall.

    If you think you have to have it open because you have remote extensions, that is incorrect. Let us know and we can help with getting that set up.
     
  3. Lukas

    Joined:
    Jan 23, 2011
    Messages:
    45
    Likes Received:
    0
    Dear Mark,

    as always you are incredibly helpful!

    The only reason for not having a firewall is that this is a Win 2008 server that we are renting from a hosting company (a dedicated machine, not a shared hosting). The server is only used for the PBX and a couple of secondary web sites, and the only reason for not having a hardware firewall is that the hosting company does not provide this service. :cry:

    The reason for choosing Abyss is that it was recommended in the setup guide in order to simplify matters and keep all the PBX stuff independent of outside components and under one hood (IIS would have been good for the fact that I can filter out IPs. Wonder if Abyss can do that as well).

    We started out with Windows Firewall, which was the obvious choice given the circumstance, but, besides not being the optimal choice in any case (the attacker can always turn it off, clearly), it was slowing down the hosted web sites, causing sporadic connection errors (which disappeared as soon as the firewall was turned off).

    What would you recommend?

    Thanks!!
     
  4. Lukas

    Joined:
    Jan 23, 2011
    Messages:
    45
    Likes Received:
    0
    By the way, I was wondering... even admitting that we play by the rules and only have internal extensions and no outside access to the web server... any employee could run a script to find out the XML filenames and get the passwords?? Sure, car thieves go to jail, but we all lock our cars, don't we?
     
  5. abc123

    abc123 Active Member

    Joined:
    Nov 9, 2009
    Messages:
    712
    Likes Received:
    1
    We are a hosting company too and have never heard of a worthwhile hosting company not having a firewall. Normally it is the opposite: they have one and won't open a port up for you. Even AWS has firewalls.

    My recommendation would be to switch hosting companies, but that is not always easy.

    Turn on IIS - it is much better than Abyss, especially on Win 2k8.

    You say you have a dedicated server. Is it physical? If so, can you run a Hyper-V VM or XenServer on it? If you can, then I can give you a virtual version of our security appliance which has firewall etc. built in as well as intrusion prevention etc. We are about to launch these appliances with 3CX and the security appliance built in.

    To be honest, if you are that worried about someone getting into your system because it is vulnerable then I would change the system or its location/hosting.
     
  6. LeonidasG

    LeonidasG Support Team
    Staff Member 3CX Support

    Joined:
    Nov 19, 2008
    Messages:
    1,406
    Likes Received:
    81

    Lukas,

    How many tries would it take for a person to brute force this 12-digit filename?
    3cxProv_110218103529_100.xml

    It's only a few trillion tries worth of attempts, and even if the attacker knows what he's doing he can still only reduce that down to several billion attempts.

    I really wouldn't worry about an attacker gaining access to any of those files; he cannot guess what the name of the file will be.
    Not something to really be worrying about.
     
  7. Lukas

    Joined:
    Jan 23, 2011
    Messages:
    45
    Likes Received:
    0
    To Mark: thanks -- can't switch hosting company before the end of the contract, unfortunately, but will look into the virtualization possibility. Never thought about it, really. In any case, is there a document about switching from Abyss to IIS without uninstalling and reinstalling?

    Leonidas: I used to think about security the same way as you do, before it was explained to me that it is actually easier than it seems. In most cases, it will not be just one person making tries, but a pool of computers running scripts and targeting several servers at the same time. Sooner or later someone will fall. I don't know what kind of truth there is in this, as I am no security expert. I guess you have given thought to this and decided that the risk was acceptable. I trust your judgment!
     
  8. LeonidasG

    LeonidasG Support Team
    Staff Member 3CX Support

    Joined:
    Nov 19, 2008
    Messages:
    1,406
    Likes Received:
    81
    Ok, here's how I see it.

    If someone wants to attack you from the "Internet" he can't just use more computers to make more requests.
    He can only use 1 PC, simply because 1 PC with a decent internet connection is probably enough to flood you. If he uses more PCs (botnet) he's gonna be basically flooding you so much that your internet won't be working.
    With this method it's gonna take him months of constantly attacking you to figure out what your provisioning filename is.

    Even with a PC on the local network of the PBX, this would take weeks to find out.

    My conclusion is that this is pretty safe, and that I've tried running similar scripts to try and exploit this but could not.
    It is possible to crack, but it requires a hacker to be spamming you with requests for weeks, something that you should not allow to happen.
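
One way to notice the weeks of guessing requests described above, as an added example that is not part of the original post and not 3CX code: it scans web server access-log lines for clients that collect 404 responses on many distinct provisioning file names, and lists any file such a client did obtain. The Common Log Format layout, the `/PROV_DIR/` path, the `max_misses` threshold and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumption: Common Log Format lines; adapt the regex to your server's log.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<path>\S+)[^"]*" (?P<status>\d{3})\b'
)
# File-name shape quoted in the thread: 3cxProv_<12 digits>_<extension>.xml
PROV_RE = re.compile(r'/(3cxProv_\d{12}_\d+\.xml)$', re.IGNORECASE)

def find_enumerators(lines, max_misses=3):
    """Return {ip: stats} for clients that appear to guess provisioning names.

    A provisioned phone asks for the one name it was given, so many 404s on
    distinct 3cxProv_*.xml names from one address indicate guessing.
    """
    misses = defaultdict(set)  # ip -> distinct names answered with 404
    hits = defaultdict(set)    # ip -> distinct names answered with 200
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable request line
        name = PROV_RE.search(m.group("path").split("?", 1)[0])
        if not name:
            continue  # request is not for a provisioning file
        bucket = {"404": misses, "200": hits}.get(m.group("status"))
        if bucket is not None:
            bucket[m.group("ip")].add(name.group(1))
    # Any file a flagged client did obtain means that extension's
    # password must be treated as exposed and changed.
    return {
        ip: {"misses": len(names), "files_obtained": sorted(hits.get(ip, ()))}
        for ip, names in misses.items()
        if len(names) > max_misses
    }

# Constructed sample log (documentation IP ranges, placeholder path).
FMT = '%s - - [18/Feb/2011:11:00:00 +0000] "GET /PROV_DIR/3cxProv_%s_100.xml HTTP/1.1" %d 0'
SAMPLE = [FMT % ("192.0.2.10", "110218103529", 200)]          # real phone
SAMPLE += [FMT % ("198.51.100.7", "%012d" % (n * 7919), 404)  # guesses
           for n in range(1, 6)]
SAMPLE += [FMT % ("198.51.100.7", "110218103529", 200)]       # a guess that hit

if __name__ == "__main__":
    for ip, stats in find_enumerators(SAMPLE).items():
        print(ip, stats)
```
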
     
  9. abc123

    abc123 Active Member

    Joined:
    Nov 9, 2009
    Messages:
    712
    Likes Received:
    1
    In answer to the first question - no, you have to uninstall and reinstall, but that is a few minutes.

    Take a FULL backup of 3CX using their backup manager (check all the boxes for voicemail, prompts etc.) and save it to the disk.

    Then uninstall (a few minutes). Then reinstall (a few minutes). Then once it has installed it will ask to do a clean set up or reconfigure from a backup. Do the restore using your backup. That is another few minutes and you will be running.

    Depending on the number of extensions and voicemails etc., it will take about 15 minutes from uninstall to working again.

    As for security, I wouldn't worry about the XML file being called up from a browser. A hacker is not going to spend all that time running scripts and exploits to discover what is in an XML file on a system. He would spend the time running known exploits to gain control of your computer to add to the pool.

    We spend a lot of time on security and the provisioning files are not high on our list.

    I understand your concern, which is why we gave you some alternatives, but honestly I wouldn't worry about it, and if it is bothering you then I say get out of your contract early or write to your hosting getting them to rectify your concerns about lack of firewall at the gateway.
     
  10. Lukas

    Joined:
    Jan 23, 2011
    Messages:
    45
    Likes Received:
    0
    Thanks Mark and Leonidas for addressing my concerns. I think I'll redo the install with IIS, seems simple and quick and at least I can control who has access to the XML files by restricting the ranges of allowed IP to those of our remote extensions.

    Thanks again for your helpful input.
     