Best Practice for Firewall on Hosted Server

I just opened an account with Vultr and set up a FreePBX 14 server with them. But I’m not sure what the best way to handle the firewall is. I have the ability of setting a firewall from the Vultr side, and I obviously have the FreePBX firewall as well. I will be accessing the server from different locations, and I don’t want to get locked out of the server. Should I leave the Vultr firewall open and exclusively use the built-in firewall? If so, how should I configure the built-in firewall? What about the responsive firewall, is this something that also integrates with port 80? I’ve read it’s not safe to leave the web portal open. I have a secure password on the admin web access though, should that be enough to ease my worries? What should I do?


The more firewalls between you and the bad guys, the better.

BUT the Vultr firewall ONLY allows basic network/port/protocol connections and, if turned on, denies the rest. Not a bad thing, but I believe it is limited to a hundred rules, so the catch-22 is that if you don’t allow what you need, then you are hosed, and if you use the standard VOIP ports then it will have little effect, as that’s where the knuckle-draggers lurk.

JM2WAE

What do you think about allowing access to the web interface on a hosted server?

No problem, but add a layer of .htaccess perhaps and use fail2ban to watch the httpd logs against a failure.

Without ‘web interfaces’ there is no UCP, no WebRTC, not even provisioning over http(s). I first of all add fail2ban’s apache-noscript and apache-nohome jails; they catch many drive-by probers quite efficiently.

I’m experiencing something strange. By default, shouldn’t fail2ban protect the web access portal? Yet no matter how many times I authenticate incorrectly, I don’t get banned though I believe fail2ban is seeing the failed auth attempts.

I was wondering the same thing, Matthew. Maybe it can be configured if one purchases the Admin module?

It seems like Fail2Ban should be enabled to protect the GUI by default. Being a web facing page, I would think it likely to receive many targeted attack attempts.

@xrobau might be able to explain what is happening, assuming you are using the integrated firewall and the distro.

That’s the case for what I’m doing.

Firewall won’t block login attempts. If you have the firewall set up with access to the web GUI, it will allow the traffic through and won’t monitor it.

Fail2ban will monitor failed logins and block people, but you need to set up fail2ban inside the sysadmin module of your PBX.

Is the paid sysadmin module required to set that up? In intrusion detection, I don’t see any settings that would cause fail2ban to block failed IPs from the GUI. I have all those settings as default, I believe.

I’ve got the paid version of sysadmin, but this is the only related setting I’ve spotted and it doesn’t seem to mention gui/http:

https://wiki.freepbx.org/plugins/servlet/mobile?contentId=27066420#content/view/27066420

I’ll have to do some experiments to see if I can get myself blocked, but I’m guessing we’re going to have to do some direct file editing for fail2ban.

Those are the settings that I have as well.

I’m just surprised this isn’t a more widespread problem. Shouldn’t fail2ban block failed attempt ips from accessing the gui by default?

They do block login attempts to the GUI. FreePBX doesn’t use Apache auth by default; it uses its own auth, and we log those attempts and fail2ban blocks based on failed logons to the FreePBX GUI if you are using our FreePBX Distro with the Intrusion Detection in the System Admin module.


@tonyclewis I think another part of their question was if you needed the paid version of system admin to reap this functionality or is it built into both free and commercial modules the same.

I’m using the default distro and the intrusion detection settings in sys admin, but I just tried about 10 incorrect attempts on our gui, and didn’t get blocked.

It should block. It does for me. Just tested. Maybe post your fail2ban logs and the FreePBX security logs.

Fail2ban logs:

All I see here are AMI requests that appear to work most of the time. I can’t find the failed login attempts.

[2018-04-30 18:01:14] SECURITY[2027] res_security_log.c: SecurityEvent="SuccessfulAuth",EventTV="2018-04-30T18:01:14.886+0000",Severity="Informational",Service="AMI",EventVersion="1",AccountID="admin",SessionID="0x7f5d2c0150a0",LocalAddress="IPV4/TCP/0.0.0.0/5038",RemoteAddress="IPV4/TCP/127.0.0.1/50998",UsingPassword="0",SessionTV="2018-04-30T18:01:14.886+0000"
[2018-04-30 18:01:15] SECURITY[2027] res_security_log.c: SecurityEvent="SuccessfulAuth",EventTV="2018-04-30T18:01:15.434+0000",Severity="Informational",Service="AMI",EventVersion="1",AccountID="admin",SessionID="0x7f5d38792030",LocalAddress="IPV4/TCP/0.0.0.0/5038",RemoteAddress="IPV4/TCP/127.0.0.1/51002",UsingPassword="0",SessionTV="2018-04-30T18:01:15.434+0000"
[2018-04-30 18:01:16] SECURITY[2027] res_security_log.c: SecurityEvent="SuccessfulAuth",EventTV="2018-04-30T18:01:16.169+0000",Severity="Informational",Service="AMI",EventVersion="1",AccountID="admin",SessionID="0x7f5d340054d0",LocalAddress="IPV4/TCP/0.0.0.0/5038",RemoteAddress="IPV4/TCP/127.0.0.1/51006",UsingPassword="0",SessionTV="2018-04-30T18:01:16.169+0000"
[2018-04-30 18:01:16] SECURITY[2027] res_security_log.c: SecurityEvent="SuccessfulAuth",EventTV="2018-04-30T18:01:16.858+0000",Severity="Informational",Service="AMI",EventVersion="1",AccountID="admin",SessionID="0x7f5d40008e50",LocalAddress="IPV4/TCP/0.0.0.0/5038",RemoteAddress="IPV4/TCP/127.0.0.1/51010",UsingPassword="0",SessionTV="2018-04-30T18:01:16.858+0000"
[2018-04-30 18:01:17] SECURITY[2027] res_security_log.c: SecurityEvent="SuccessfulAuth",EventTV="2018-04-30T18:01:17.635+0000",Severity="Informational",Service="AMI",EventVersion="1",AccountID="admin",SessionID="0x7f5d3c0088e0",LocalAddress="IPV4/TCP/0.0.0.0/5038",RemoteAddress="IPV4/TCP/127.0.0.1/51014",UsingPassword="0",SessionTV="2018-04-30T18:01:17.635+0000"
[2018-04-30 18:01:17] SECURITY[2027] res_security_log.c: SecurityEvent="SuccessfulAuth",EventTV="2018-04-30T18:01:17.865+0000",Severity="Informational",Service="AMI",EventVersion="1",AccountID="admin",SessionID="0x7f5d44002170",LocalAddress="IPV4/TCP/0.0.0.0/5038",RemoteAddress="IPV4/TCP/127.0.0.1/51018",UsingPassword="0",SessionTV="2018-04-30T18:01:17.865+0000"
[2018-04-30 18:01:17] SECURITY[2027] res_security_log.c: SecurityEvent="RequestBadFormat",EventTV="2018-04-30T18:01:17.944+0000",Severity="Error",Service="AMI",EventVersion="1",SessionID="0x7f5d44002170",LocalAddress="IPV4/TCP/0.0.0.0/5038",RemoteAddress="IPV4/TCP/127.0.0.1/51018",RequestType="Action: DPMALicenseStatus",SessionTV="2018-04-30T18:01:17.865+0000",AccountID="admin"
[2018-04-30 18:01:19] SECURITY[2027] res_security_log.c: SecurityEvent="SuccessfulAuth",EventTV="2018-04-30T18:01:19.172+0000",Severity="Informational",Service="AMI",EventVersion="1",AccountID="admin",SessionID="0x1928b40",LocalAddress="IPV4/TCP/0.0.0.0/5038",RemoteAddress="IPV4/TCP/127.0.0.1/51022",UsingPassword="0",SessionTV="2018-04-30T18:01:19.172+0000"
[2018-04-30 18:01:19] SECURITY[2027] res_security_log.c: SecurityEvent="RequestBadFormat",EventTV="2018-04-30T18:01:19.252+0000",Severity="Error",Service="AMI",EventVersion="1",SessionID="0x1928b40",LocalAddress="IPV4/TCP/0.0.0.0/5038",RemoteAddress="IPV4/TCP/127.0.0.1/51022",RequestType="Action: DPMALicenseStatus",SessionTV="2018-04-30T18:01:19.172+0000",AccountID="admin"
[2018-04-30 18:01:19] SECURITY[2027] res_security_log.c: SecurityEvent="SuccessfulAuth",EventTV="2018-04-30T18:01:19.535+0000",Severity="Informational",Service="AMI",EventVersion="1",AccountID="admin",SessionID="0x7f5d240014c0",LocalAddress="IPV4/TCP/0.0.0.0/5038",RemoteAddress="IPV4/TCP/127.0.0.1/51026",UsingPassword="0",SessionTV="2018-04-30T18:01:19.535+0000"
[2018-04-30 18:01:23] SECURITY[2027] res_security_log.c: SecurityEvent="SuccessfulAuth",EventTV="2018-04-30T18:01:23.604+0000",Severity="Informational",Service="AMI",EventVersion="1",AccountID="admin",SessionID="0x7f5d30003a70",LocalAddress="IPV4/TCP/0.0.0.0/5038",RemoteAddress="IPV4/TCP/127.0.0.1/51030",UsingPassword="0",SessionTV="2018-04-30T18:01:23.604+0000"
[2018-04-30 18:01:23] SECURITY[2027] res_security_log.c: SecurityEvent="RequestBadFormat",EventTV="2018-04-30T18:01:23.695+0000",Severity="Error",Service="AMI",EventVersion="1",SessionID="0x7f5d30003a70",LocalAddress="IPV4/TCP/0.0.0.0/5038",RemoteAddress="IPV4/TCP/127.0.0.1/51030",RequestType="Action: DPMALicenseStatus",SessionTV="2018-04-30T18:01:23.604+0000",AccountID="admin"

Freepbx_security:

[2018-04-30 13:50:17] {"username":"admin","extdisplay":false}
[2018-04-30 13:50:17] Authentication failure for admin from XX.XX.XXX.XXX
[2018-04-30 13:50:17] Possible proxy detected, forwarded headers foradmin set to
[2018-04-30 13:50:21] {"username":"admin","extdisplay":false}
[2018-04-30 13:50:21] Authentication failure for admin from XX.XX.XXX.XXX
[2018-04-30 13:50:21] Possible proxy detected, forwarded headers foradmin set to
[2018-04-30 13:50:29] {"username":"admin","extdisplay":false}
[2018-04-30 13:50:29] Authentication failure for admin from XX.XX.XXX.XXX
[2018-04-30 13:50:29] Possible proxy detected, forwarded headers foradmin set to
[2018-04-30 13:50:38] {"username":"admin","extdisplay":false}
[2018-04-30 13:50:38] Authentication failure for admin from XX.XX.XXX.XXX
[2018-04-30 13:50:38] Possible proxy detected, forwarded headers foradmin set to
[2018-04-30 13:50:44] {"username":"admin","extdisplay":false}
[2018-04-30 13:50:44] Authentication failure for admin from XX.XX.XXX.XXX
[2018-04-30 13:50:44] Possible proxy detected, forwarded headers foradmin set to
[2018-04-30 13:50:52] {"username":"admin","extdisplay":false}
[2018-04-30 13:50:52] Authentication failure for admin from XX.XX.XXX.XXX
[2018-04-30 13:50:52] Possible proxy detected, forwarded headers foradmin set to
[2018-04-30 13:50:58] {"username":"admin","extdisplay":false}
[2018-04-30 13:50:58] Authentication failure for admin from XX.XX.XXX.XXX
[2018-04-30 13:50:58] Possible proxy detected, forwarded headers foradmin set to
[2018-04-30 13:51:04] {"username":"admin","extdisplay":false}
[2018-04-30 13:51:04] Authentication failure for admin from XX.XX.XXX.XXX
[2018-04-30 13:51:04] Possible proxy detected, forwarded headers foradmin set to
[2018-04-30 13:51:10] {"username":"admin","extdisplay":false}

I also find it strange that these appear to be at different times, even though I grabbed them both at relatively similar times, albeit a few minutes apart because I couldn’t find anything important in the fail2ban logs.

Do these provide any insight, @tonyclewis?
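What fail2ban does with the freepbx_security log above is mechanical: a filter regex pulls the source address out of each “Authentication failure … from …” line, and the jail bans an address once it has collected maxretry matches inside a findtime window. The script below is an added illustration of that counting logic, not FreePBX’s or fail2ban’s own filter; it runs over constructed log lines in the same shape as the post (the placeholder IPs 203.0.113.7 and 198.51.100.9 are made up), so you can see which lines a filter would ignore (the JSON and “Possible proxy detected” lines) and at which line a ban would trigger for a given maxretry/findtime.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the freepbx_security.log shape shown in the thread.
# The addresses are documentation-range placeholders, not real clients.
SAMPLE_LOG = """\
[2018-04-30 13:50:17] {"username":"admin","extdisplay":false}
[2018-04-30 13:50:17] Authentication failure for admin from 203.0.113.7
[2018-04-30 13:50:17] Possible proxy detected, forwarded headers foradmin set to
[2018-04-30 13:50:21] Authentication failure for admin from 203.0.113.7
[2018-04-30 13:50:29] Authentication failure for admin from 203.0.113.7
[2018-04-30 13:50:33] Authentication failure for admin from 198.51.100.9
[2018-04-30 13:50:38] Authentication failure for admin from 203.0.113.7
[2018-04-30 13:50:44] Authentication failure for admin from 203.0.113.7
[2018-04-30 13:50:52] Authentication failure for admin from 203.0.113.7
[2018-04-30 13:50:58] Authentication failure for admin from 203.0.113.7
[2018-04-30 13:51:04] Authentication failure for admin from 203.0.113.7
[2018-04-30 13:51:09] Authentication failure for admin from 198.51.100.9
""".splitlines()

# Assumed failregex: the timestamp prefix, then the failure sentence with the
# user name and the client address as capture groups. Other lines don't match.
FAIL_RE = re.compile(
    r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\] "
    r"Authentication failure for (?P<user>\S+) from (?P<ip>\S+)$"
)


def parse_failures(lines):
    """Yield (timestamp, user, ip) for every line the failregex matches."""
    for line in lines:
        m = FAIL_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            yield ts, m["user"], m["ip"]


def bans_for(lines, maxretry=5, findtime=600):
    """fail2ban-style counting: an IP is banned at the moment it reaches
    maxretry failures inside a sliding findtime-second window.
    Returns {ip: timestamp of the failure that triggered the ban}."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)  # ip -> failure timestamps still inside the window
    banned = {}
    for ts, _user, ip in parse_failures(lines):
        if ip in banned:
            continue  # already banned; fail2ban would have dropped the packets
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # expire failures older than findtime
        if len(q) >= maxretry:
            banned[ip] = ts
    return banned


if __name__ == "__main__":
    for ip, when in bans_for(SAMPLE_LOG).items():
        print(f"ban {ip} at {when:%H:%M:%S}")
    # With the defaults above: ban 203.0.113.7 at 13:50:44
```

Two things the run makes visible: the second address never reaches five failures and is left alone, and shrinking findtime to 20 seconds lets the first address’s failures expire faster than they accumulate, so no ban fires at all. That is the kind of parameter mismatch worth ruling out when the jail appears to see failures but never bans. Note also that this only consumes the freepbx_security.log shape; the Asterisk security log quoted earlier in the post is a different format with its own timestamps.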

Hi,
Personally I’m using Vultr and the default firewall, and from FreePBX in fail2ban I change a couple of settings. To connect to the GUI interface is easy. Open PuTTY and edit your etc/ssh/sshd.conf. I always change the ssh port to 222, for example. I also use my own ssh_keys. I remove password authentication. I create a new user and add it to ssh.conf. Also remove the root user. When you’re done with sshd.config, restart the services and open a new terminal to make sure you can log in with your new user.
If you’ve done that correctly you should be able to connect with your own username and ssh_key but not with root.
And in PuTTY you can run a localhost:5000 (hosted_ip_server:80) tunnel pointing to your actual hosted server and you reach the login page of FreePBX.
Let me know if someone has a better suggestion.
And all done.
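Because the lockout risk in the steps above is real (the post rightly says to test from a second terminal before closing the first), it helps to check the resulting sshd configuration before restarting the service. The checker below is an added example, not part of the post or of FreePBX; it parses an sshd_config the way sshd reads it (the first value for a keyword wins, and settings inside a Match block are conditional and are skipped) and reports which of the post’s hardening steps are missing. The two config excerpts are constructed, and the user name pbxadmin is a placeholder.

```python
import re

# Constructed /etc/ssh/sshd_config excerpt reflecting the post's changes:
# non-default port, key-only auth, root login disabled, one named admin user.
HARDENED_SSHD_CONFIG = """\
Port 222
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
AllowUsers pbxadmin
Match User pbxadmin
    PasswordAuthentication yes
"""

# Constructed excerpt of a stock-looking config that leaves everything open.
DEFAULT_SSHD_CONFIG = """\
#Port 22
#PermitRootLogin yes
PasswordAuthentication yes
"""

# Keyword -> value it must hold. ChallengeResponseAuthentication is included
# because with PAM it can still accept a password via keyboard-interactive
# even when PasswordAuthentication is off.
EXPECTED = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "challengeresponseauthentication": "no",
    "pubkeyauthentication": "yes",
}


def parse_sshd_config(text):
    """Return {keyword_lower: first value seen}. sshd keeps the first value
    for each keyword; keyword/value may be separated by spaces or '='.
    Parsing stops at the first Match block, whose values are conditional."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def check_sshd_config(text):
    """List the hardening steps from the post that this config does not meet.
    An empty list means every check passed. Absent keywords are reported as
    'not set explicitly' rather than assuming a version-dependent default."""
    s = parse_sshd_config(text)
    findings = []
    for key, want in EXPECTED.items():
        if key not in s:
            findings.append(f"{key} not set explicitly (want '{want}')")
        elif s[key].lower() != want:
            findings.append(f"{key} is '{s[key]}', want '{want}'")
    if s.get("port", "22") == "22":
        findings.append("port is still 22")
    if "allowusers" not in s and "allowgroups" not in s:
        findings.append("no AllowUsers/AllowGroups restriction")
    return findings


if __name__ == "__main__":
    for name, cfg in (("hardened", HARDENED_SSHD_CONFIG), ("default", DEFAULT_SSHD_CONFIG)):
        print(name, check_sshd_config(cfg) or "OK")
```

Run it against the file before `systemctl restart sshd` and keep the existing session open until a fresh login with the key succeeds. The tunnel the post describes in PuTTY is the same thing OpenSSH does with `ssh -p 222 -L 5000:127.0.0.1:80 pbxadmin@<hosted_ip_server>`; once it is up, the FreePBX login page is at http://localhost:5000 and port 80 never needs to be open to the internet.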

This might be late, but in case it appears in search: you could also run your own VPN and only allow the VPN IP to access the FreePBX server. I set up an OpenVPN client on pfSense that connects to an OpenVPN server in the cloud. Only the IP of the OpenVPN server can access the FreePBX. I also installed the OpenVPN client on devices such as cellphones and laptops.