VoipSwitch Security Audit

Transcription

1 VoipSwitch Security Audit Security audit was made at 1 st January 2013 (3.00 PM PM UTC +1) by John Doe who is Security Advisor at VoipSwitch Company. Server's IP address : Server has also assigned second IP address : Firewall Checking firewall status and rules regularity. Customer claimed that there is no external firewall before server. Windows Server Firewall was turned on and configured with standard VoipSwitch rules (there were rules added for proper running Voipswitch modules). One rule named Rule allows all incoming TCP traffic which is serious risk for server's safety. 2. Access Policy Checking all access ways to the server. Checking users/passwords policy. Server had two access ways : Remote Desktop Radmin software

2 Remote desktop : on standard port open in Windows Firewall for all IP addresses password was strong Radmin software on standard port not limited for IP in Radmin software open in Windows Firewall for all IP addresses password was weak (6 letters without numbers and special chars) Users policy: Only Administrator user had access with administrator's privileges and there weren't any other users with access privileges.

3 3. Backdoor check Checking most common backdoor on Windows based system. Image File Execution Options in Registry was clear. Sethc.exe file was original. There wasn't backdoor set. 4. Antivirus Scan Microsoft Security Essentials full scaning. Microsoft Security Essentials full scan didn't point any suspicious files.

4 5. Processes Checking all unsigned processes which may affect on server's safety. Processes checked with Micrososft Process Explorer tool. There weren't any suspicious processes running. 6. Services Checking all running services which may affect on server's safety. Except Voipswitch and Radmin Server services there were no additional services added. 7. Installed applications Checking all unwanted applications which may affect on server's safety. There werent any unwanted applications installed. 8. Task Scheduler Checking all scheduled tasks which may affect on server's safety. There was task which starts unauthorized powershell script at system's startup. Script was in d:\install directory. Named as hack.ps1

5 9. Autostart Checking all autostart entries. There were two applications which start with system: Microsoft Security Essentials client Cobian application These applications were authorized by customer.

6 10. Shared Files Checking all shared spaces available from external networks. On www server space there was zipped vsportal folder. It contained config files with database credentials. Listing directory was turned off, but anyone who guessed name of file, could download it.

7 There wasn't any FTP similar service. There were no other shared/public folders. 11.Database Checking databases users privileges, database port. MySQL server database was running on 3306 port. Port was closed in Windows Firewall. There is only root user available on localhost.

8 12. Access logs Checking availability of all access logs. List of all logged IP addresses (on request). RDP : Logs are available since 1 st Dec 2012 due size of log file. All connections were only from confirmed by client IP address. Radmin : Events log was turned off. There wasn't possibility of checking logs. 13.Security of VoipSwitch modules Checking versions, settings of VoipSwitch modules. Checking passwords strength of clients. Access password to VSC3 was weak (only 5 letters, without special characters). All other clients passwords are strong. All web modules versions was the latest and stable.

9 14. Open ports External TCP port scan of server. IP: Open ports : 80,110,135,143,403,443,1720,1800,1801,1804,1935,5060,7070,9090 IP: Open ports : 80,110,135,143,403,443,1720,1800,1801,1804,1935,5060,7070, Hacking incident (if exists) Investigation based on customer's informations/suspiscions. Client didn't provide any information about hacking incidents 16. Changes on server after audit (on request) Rule named 'Rule' was deleted in Windows Firewall. Radmin access password was changed Task named 'Hack' was deleted in Task Scheduler Zipped VSPortal was removed in wwwroot2 Quota for security logs was increased Radmin access logs was turned on VSC3 password was changed

10 Security Advices 1. Access Access port should be other than default. Default ports for example access services: Remote Desktop Services (3389) Radmin (4899) VNC (5900, 5800, 5500) Access should be limited to few IP addresses All remote support connections will be established from our VPN IP / Remote access should be limited on your firewall only to / and the switch owner IP address. 2. Users policy The best if after system installation (before VoipSwitch installation) you will create separate user account than Administrator. It helps fight with any scan attack or brute-force attack, because every server has Administrator account. You may use very strong password for Administrator account and create other account with administrator's privileges for all works on server (like installations, support works, etc.). Only you should know Administrator account password and no one else. Once for month you should check users list for any not authorized changes. 3. Passwords policy Make sure that your password is strong.

11 Strong means: has at least seven letters doesn't contain a name or dictionary wordis different from other/previous passwords contains characters from each of four groups: uppercase letters, lowercase letters, numbers, symbols on the keyboard except letters and numbers Password can't be longer than 127 characters. Password should be changed at least once for month. Do not provide logins or passwords in Tickets Comments and s. Change your access username/password once Voipswitch Support have completed their work and the ticket has been closed. 4. Updates Every system need to be updated, due new features or fixing old. Also in security, there are many updates which improve server's safety. All the latest updates should be installed. You should schedule restars of server if needed. 5. Firewall As your server has public IP address, everyone can check it on the Internet. Everyone can send ports scan or any brute force (to break your passwords) or flood attack (to block your network). Nowadays it's unacceptable to not use a firewall on the server. 6. Antivirus Application Every Windows based server has Internet Explorer browser. If you don't have installed the latest updates, browsing the Internet on server is pretty dangerous. Antivirus application will help check if any unauthorized software is on server (even by mistake). We recommend Microsoft Security Essentials application. Don't install any 3rd party applications if you are not sure that are safe.

12 7. Few advices for VPS modules. After fresh VoipSwitch installation process, change Admin password into VSM/VSC. Don't create users with passwords shorter than 6 characters. Remember that Wholesale Clients may be authorized not only by IP address and set strong password for them too. Check Logs window on VoipSwitch application - you will notice any unauthorized register or call attempts there.