Providing a commonly accepted Firewall above and beyond trivial.
Fail2ban doesn't cut it, and neither do very simple iptables rules.
How about agreeing on a robust open source unencumbered solution?
I suggest CSF, it is open source and unencumbered to anyone not commercially deploying it (I'm sure a financial agreement could be made with them for commercial enterprises); I'm sure others have other preferences.
Elastix has a basic one as does PIAF, but neither are effective against today's threats. (Sangoma notably does not have anything!)
The convenience would be that:-
A) you have a firewall
If someone would host a "Blacklist", yes @wardmundy you are prime for that
We would all benefit by passing vectors to “the Blacklist” in a scripted fashion (see the CSF/LFD cluster concept for ideas)
Someone clever could weight, arbitrate and publish the threats as they evolve.
CSF actually has a pretty restrictive license and doesn't allow independent distribution of their software. As of my last discussion with them, they do not have the resources for partnerships. Their core dev team is focused on their software. This is not saying it can't be easily installed, we just cannot distribute it as this would violate their terms and licensing.
That has nothing to do with what I said. Not even “free” users are able to distribute CentOS/Redhat distros with ANY software on them without changing branding. If you will kindly glance at PIAF you will see that even they stopped distributing CentOS & variants.
Thank you James, Exactly!! But please actually read their license, there is no mention of copyright anywhere apart from that it remains with the author.
It takes 5 minutes to install, maybe a little longer to actually RTFM
Any bootable linux machine without a fully functional firewall immediately in place is as effective as a fish without a lasso to catch those dudes.
I understand you guys have your hands self tied, maybe you guys then just need to support/endorse an opensource firewall that can be deployed outside your closed system without compromise to your licenses, (obviously not endorsing any end-users abuse of such licenses) which would fill the obvious gap in your distro.
3.1.1 modify, adapt, merge, translate, decompile,
disassemble, or reverse engineer the Product, except as
permitted by law; or
3.1.2 sell, assign, rent, sub-license, loan, mortgage,
charge or otherwise deal in any way in the Product or
Documentation or any interest in them except as expressly
provided in this Licence.
-#1 If you run a hosted PBX explicitly accepting traffic from 0/0 with all (needed) ports exposed to The 'Net, you need one, no doubt 'bout that. But then you’re probably a weathered admin who knows what you are doing.
-#2 If you run an in-house private voip intranet, meaning you have an Internet Gateway with Firewall already, above the PBX, with rules to allow only to/from the trunk providers' IPs, I'd say it's probably debatable whether you need more than fail2ban on the PBX itself, as your Internet Gateway already does firewalling for you. My Fail2Ban runs like that since deployment, have not seen an IP from the wild outside banned yet.
-#3 Do you need one, if you, say, allow your ‘roadrunners’ to the private voip intranet in case #2, through a dedicated tunnel(s) ? That is, you already punched a hole through the Gateway Firewall to let traffic into the TUNnel server… Do you need more firewalls ? Possibly, but not the same kind as case #1.
-#4 variations of the kind ‘i have public ipv6/ipv4 voip-only (and also not-voip-exclusive, hey people have softphones on their PCs) subnet in my house’ network are also possible.
So a guidance into each case would probably be welcome, but I can’t see how any ‘standard’ firewall can cater for all of that at the same time.
Well said. Really if you are using cookie cutter security you have already lost the war. Here is the thing about "packaging security": the bad guys have the package and know your battle plan. People should be vigilant and manage their security as appropriate for their situation. Some folks should probably hire someone to do this for them. The best route for these things is to give guides, tutorials and howtos. If you are an expert in a certain subject matter feel free to write a guide. I don't know if users can, but I know admins can make a post like a wiki so it can be collaborative.
Remember all security measures should be considered YMMV. What works for one may not be ideal for another. Janice’s Bakery and tire shop doesn’t need the same security footprint as the pentagon.
These are the IP addresses (good and possibly bad) that go through your current implementation of iptables, and surely ANY use of iptables counts as a "firewall", even fail2ban.
There is nothing "cookie cutter" about iptables in general nor CSF specifically. You all have it working; it is up to you to build an effective set of rules. And I'm pretty sure that ALL "security measures" you might care to deploy will ultimately rely on your implementation of iptables.
I am suggesting that it would be good practice to make sure that all the issue of the above suggested command ONLY includes your “known hosts” or acceptable use of your mailserver/webserver/provisioning/etc.
My guess is that almost everyone will have something in that issue that would lead her to question security on that machine.
Without doubt the badguys already have the FreePBX “battleplan” and it’s not based on SIP alone
Talking of "cookie-cutter" solutions, just for a grin I spun up a brand new copy of FreePBX stable (Asterisk 13) a couple of hours ago. It was on an as yet unused public IP address, I updated using yum and then I rebooted. As of 18:49 PST the fail2ban regexes do not capture pjsip login fails.
[2015-06-10 18:48:25] NOTICE[4338] res_pjsip/pjsip_distributor.c: Request from '"2000" <sip:[email protected]>' failed for '62.210.211.233:5068' (callid: [email protected]) - No matching endpoint found
As you can see an iptables without connection limiting,port flooding and port-scanning protection still leaves you exposed.
These are the particular “bad guys”
5.152.222.48/29 # RIPE GB RSDEDI-DJNIPIAM Dedicated Server Hosting
62.210.128.0/17 # RIPE FR IE-POOL-BUSINESS-HOSTING IP Pool for Iliad-Entreprises Business Hosting Customers
107.150.32.0/19 # ARIN US DSV4-8 DataShack, LC
199.19.104.0/21 # ARIN US VOLUMEDRIVE VolumeDrive
The same old guys . . . in only a couple of hours.
Interesting.
As you respun the system from scratch, I know it /might/ not be practical, but maybe some wireshark-like solution would tell you whether the box is trying / or in fact sending / packets to IPs not associated with the FreePBX project? The dest addresses may NOT actually be the ones you've listed, i.e. maybe it's just letting some 'listeners' know of its address, and then the ones you've listed are getting a hang of it and start flooding/querying?
(To expand a bit on that : long time ago there was /a/ program (maybe PINE, but not sure now) that, upon first start, asked for permission to send a SINGLE UDP PACKET to a pre-programmed destination (of course, shown to user), for statistical purposes… This was only done when user agreed though. Times have changed, methods of programming / gathering feedback have evolved… but techniques might have not exactly ?.. Just stabbing in the dark, hope this makes sense)
Not necessary; that is expected traffic to udp:5060 if you do not have a functional firewall. The same will be noticed on a forward facing open tcp:5038 as this instance has it:-
/var/log/asterisk/full:[2015-06-11 04:13:00] NOTICE[19995] 190.82.103.29 tried to authenticate with nonexistent user ‘test’
/var/log/asterisk/full:[2015-06-11 04:13:00] NOTICE[19995] 190.82.103.29 failed to authenticate as ‘test’
/var/log/asterisk/full:[2015-06-11 05:29:29] NOTICE[22065] 190.82.103.29 tried to authenticate with nonexistent user ‘panel’
/var/log/asterisk/full:[2015-06-11 05:29:29] NOTICE[22065] 190.82.103.29 failed to authenticate as ‘panel’
/var/log/asterisk/full:[2015-06-11 06:45:58] NOTICE[24085] 190.82.103.29 tried to authenticate with nonexistent user ‘munin’
/var/log/asterisk/full:[2015-06-11 06:45:58] NOTICE[24085] 190.82.103.29 failed to authenticate as ‘munin’
/var/log/asterisk/full:[2015-06-11 08:02:32] NOTICE[26116] 190.82.103.29 tried to authenticate with nonexistent user ‘outcall’
/var/log/asterisk/full:[2015-06-11 08:02:32] NOTICE[26116] 190.82.103.29 failed to authenticate as ‘outcall’
/var/log/asterisk/full:[2015-06-11 09:19:04] NOTICE[28084] 190.82.103.29 tried to authenticate with nonexistent user ‘hudpro’
/var/log/asterisk/full:[2015-06-11 09:19:04] NOTICE[28084] 190.82.103.29 failed to authenticate as ‘hudpro’
/var/log/asterisk/full-20150611:[2015-06-10 18:04:14] NOTICE[3136] Manager User ACL: Rejecting ‘190.82.103.29’ due to a failure to
/var/log/asterisk/full-20150611:[2015-06-10 18:04:14] NOTICE[3136] 190.82.103.29 failed to pass IP ACL as ‘admin’
/var/log/asterisk/full-20150611:[2015-06-10 18:04:14] NOTICE[3136] 190.82.103.29 failed to authenticate as ‘admin’
/var/log/asterisk/full-20150611:[2015-06-10 19:19:56] NOTICE[5251] 190.82.103.29 tried to authenticate with nonexistent user ‘phpagi’
/var/log/asterisk/full-20150611:[2015-06-10 19:19:56] NOTICE[5251] 190.82.103.29 failed to authenticate as ‘phpagi’
/var/log/asterisk/full-20150611:[2015-06-10 20:35:53] NOTICE[7307] Manager User ACL: Rejecting ‘190.82.103.29’ due to a failure to
/var/log/asterisk/full-20150611:[2015-06-10 20:35:53] NOTICE[7307] 190.82.103.29 failed to pass IP ACL as ‘admin’
/var/log/asterisk/full-20150611:[2015-06-10 20:35:53] NOTICE[7307] 190.82.103.29 failed to authenticate as ‘admin’
/var/log/asterisk/full-20150611:[2015-06-10 21:51:59] NOTICE[9319] 190.82.103.29 tried to authenticate with nonexistent user ‘cron’
/var/log/asterisk/full-20150611:[2015-06-10 21:51:59] NOTICE[9319] 190.82.103.29 failed to authenticate as ‘cron’
/var/log/asterisk/full-20150611:[2015-06-10 23:08:16] NOTICE[11496] Manager User ACL: Rejecting ‘190.82.103.29’ due to a failure to
/var/log/asterisk/full-20150611:[2015-06-10 23:08:16] NOTICE[11496] 190.82.103.29 failed to pass IP ACL as ‘admin’
/var/log/asterisk/full-20150611:[2015-06-10 23:08:16] NOTICE[11496] 190.82.103.29 failed to authenticate as ‘admin’
/var/log/asterisk/full-20150611:[2015-06-11 00:24:28] NOTICE[13545] Manager User ACL: Rejecting ‘190.82.103.29’ due to a failure to
/var/log/asterisk/full-20150611:[2015-06-11 00:24:28] NOTICE[13545] 190.82.103.29 failed to pass IP ACL as ‘admin’
/var/log/asterisk/full-20150611:[2015-06-11 00:24:28] NOTICE[13545] 190.82.103.29 failed to authenticate as ‘admin’
/var/log/asterisk/full-20150611:[2015-06-11 01:40:38] NOTICE[15589] Manager User ACL: Rejecting ‘190.82.103.29’ due to a failure to
/var/log/asterisk/full-20150611:[2015-06-11 01:40:38] NOTICE[15589] 190.82.103.29 failed to pass IP ACL as ‘admin’
/var/log/asterisk/full-20150611:[2015-06-11 01:40:38] NOTICE[15589] 190.82.103.29 failed to authenticate as ‘admin’
/var/log/asterisk/full-20150611:[2015-06-11 02:56:48] NOTICE[17582] 190.82.103.29 tried to authenticate with nonexistent user ‘dialer’
/var/log/asterisk/full-20150611:[2015-06-11 02:56:48] NOTICE[17582] 190.82.103.29 failed to authenticate as ‘dialer’
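The pjsip "No matching endpoint found" line quoted earlier in the thread and the manager (tcp:5038) login failures above are exactly the two formats a jail has to match before anything gets banned. As an added example (not code from the thread, nor from fail2ban or the FreePBX project), here is a small Python parser with a regex for each format, run over constructed sample lines, that counts failures per source address and lists the addresses over a threshold. The attacker addresses are taken from the quoted logs; 203.0.113.x and 192.0.2.x are documentation addresses standing in for the PBX and a legitimate phone.

```python
"""Count Asterisk SIP/AMI authentication failures per source IP (constructed example)."""
import re
from collections import Counter

# Constructed sample of /var/log/asterisk/full lines in the two formats the thread quotes,
# plus one benign registration line that must not be counted.
SAMPLE_LOG = """\
[2015-06-10 18:48:25] NOTICE[4338] res_pjsip/pjsip_distributor.c: Request from '"2000" <sip:2000@203.0.113.10>' failed for '62.210.211.233:5068' (callid: abc@203.0.113.10) - No matching endpoint found
[2015-06-10 18:48:26] NOTICE[4338] res_pjsip/pjsip_distributor.c: Request from '"2001" <sip:2001@203.0.113.10>' failed for '62.210.211.233:5068' (callid: abd@203.0.113.10) - No matching endpoint found
[2015-06-11 04:13:00] NOTICE[19995] 190.82.103.29 tried to authenticate with nonexistent user 'test'
[2015-06-11 04:13:00] NOTICE[19995] 190.82.103.29 failed to authenticate as 'test'
[2015-06-11 05:29:29] NOTICE[22065] 190.82.103.29 failed to authenticate as 'panel'
[2015-06-10 18:04:14] NOTICE[3136] 190.82.103.29 failed to pass IP ACL as 'admin'
[2015-06-11 04:20:00] VERBOSE[1234] -- Registered SIP '1001' at 192.0.2.20:5060
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

PATTERNS = [
    # pjsip: request from an unknown endpoint; the source is the "failed for" host:port.
    re.compile(r"res_pjsip/pjsip_distributor\.c: Request from .* failed for "
               r"'(?P<ip>" + IPV4 + r"):\d+'.*No matching endpoint found"),
    # manager (AMI) login failures; Asterisk logs the source IP right after the PID.
    re.compile(r"NOTICE\[\d+\] (?P<ip>" + IPV4 + r") "
               r"(?:failed to authenticate as|tried to authenticate with nonexistent user"
               r"|failed to pass IP ACL as) "),
]


def count_failures(log_text):
    """Return a Counter {source_ip: number of matching lines}.

    Note that Asterisk writes two lines for one bad AMI login ("tried ..." and
    "failed ..."), so a jail keyed on both counts each attempt twice."""
    hits = Counter()
    for line in log_text.splitlines():
        for pat in PATTERNS:
            m = pat.search(line)
            if m:
                hits[m.group("ip")] += 1
                break
    return hits


def offenders(log_text, threshold=3):
    """Source IPs with at least `threshold` failures, most active first."""
    return [ip for ip, n in count_failures(log_text).most_common() if n >= threshold]


if __name__ == "__main__":
    for ip, n in count_failures(SAMPLE_LOG).most_common():
        print(f"{ip:16s} {n} failures")
    print("ban candidates:", offenders(SAMPLE_LOG))
```

Point it at the real file (`count_failures(open("/var/log/asterisk/full").read())`) to see which addresses an existing jail is missing; the same two regexes are what a fail2ban `failregex` for these lines would need to express, with `<HOST>` in place of the named group.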
I don’t mean to be a pain, but did you create a ticket about that? I was just randomly browsing through the forum, and I see a critical security issue, and no ticket?
I started this thread hopefully to start a conversation about firewalls/adequate iptables rules for FreePBX per se, not to criticize any particular distro or implementation. I personally don't use the distro.
It has a lot more jails and is faster with pynotify and all and again only IMHO lots of very pertinent jails like postfix apache-nohome, apache-noscript,apache-modsecurity,webmin jails, which are more appropriate for my systems.