Enabling firewall and fail2ban blocks me from my server

I have FreePBX installed on a Debian VPS host. I have made sure it’s fully updated, and added some basic extensions and tested them out - everything basically works.

However, I did have a hiccup while starting out. When initializing the FreePBX instance, I was asked if I wanted to set up and enable the Firewall. Seemed like a good idea. I started the process, and then right as it was finishing up, I lost connection to my server, both the FreePBX web GUI and my SSH session. I had to open up a console to the VPS on my host and muck about with fwconsole, fail2ban, iptables, etc. to disable and clear everything. Got back in, and made sure the firewall and fail2ban functionality are disabled. Works fine now, but without any security.

When setting up the firewall, it did prompt me to add myself to the whitelist, which I opted to do. So I am unsure why/how I was still blocked.

Am I missing something? Is there some guidance on how to setup the firewall and fail2ban services without instantly kicking myself out?

Because of the way I have configured my VPS firewall (my home IP is the only one which can connect to the webconsole and SSH) and FreePBX (no anonymous inbound requests; no guests) and the fact that I have zero intention of connecting my network to any larger, public or paid networks, I don’t think my risk profile is terribly high, and I could probably get away without any integrated protection. But it would still make me feel better, and would like to figure this out just for my own personal knowledge.

Now that you have console access, the only thing you need to run in future is fwconsole firewall stop, and then use the GUI to configure it correctly. Connectivity > Firewall > Settings > Re-run Wizard:

Enable Responsive Firewall > No
Automatically configure Asterisk IP Settings > Yes

Interfaces > e.g. pbxeth0: Internet (Default Firewall)
Networks > Network/Host: IS.MY.PC.IP & Trusted (Excluded from Firewall).

Fail2Ban (Intrusion Detection) is separate and won't be responsible if you can't see your IP listed in the IPs that are currently banned. If it is, Unban it, ensure it is whitelisted and Restart Intrusion Detection.
Note: You should add /24, /16, /8 when adding partial IP addresses, like 192.168.1.0/24

The FreePBX firewall is simple and effective, but it can be a little temperamental to configure the first time. Nothing that turning it off and on again won't usually fix, but I suspect your "muck about" might have made things worse and you'll now need to let the wizard do its thing.

You probably configured something wrong and the Firewall is just doing its job. Hey, at least it sort of works :sweat_smile:

Two reboots in quick succession will also keep the firewall from starting for five minutes.
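The "am I banned, and how do I get back in" check described in the reply above, as an added shell example that is not from the original thread or from the FreePBX project. It parses fail2ban-client status output to tell whether a given address is in a jail's ban list and prints the console commands to unban it, whitelist it and re-trust it in the FreePBX firewall. The jail name asterisk-iptables, the log path and the sample status text are constructed for illustration; the fwconsole and fail2ban-client subcommands are the real ones, but check `fail2ban-client status` on your own box for the actual jail list.

```shell
#!/bin/sh
# Added example, not part of the original thread. Run on the PBX itself from
# the VPS console:  sh lockout-check.sh --live <your public IP>
# Without --live it only defines functions and a constructed sample.

# banned_ips: read `fail2ban-client status <jail>` output on stdin and print
# the addresses from its "Banned IP list" line (space separated).
banned_ips() {
    sed -n 's/.*Banned IP list:[[:space:]]*//p'
}

# ip_is_banned <status-text> <ip>: exit 0 if <ip> is in that jail's ban list.
ip_is_banned() {
    iib_status="$1"; iib_ip="$2"
    for iib_b in $(printf '%s\n' "$iib_status" | banned_ips); do
        [ "$iib_b" = "$iib_ip" ] && return 0
    done
    return 1
}

# recovery_commands <jail> <ip>: the sequence to type once you are back on the
# console. The addignoreip step is runtime-only in fail2ban; make the whitelist
# persistent afterwards in Connectivity > Firewall > Intrusion Detection.
recovery_commands() {
    rc_jail="$1"; rc_ip="$2"
    cat <<EOF
fwconsole firewall stop
fail2ban-client set $rc_jail unbanip $rc_ip
fail2ban-client set $rc_jail addignoreip $rc_ip
fwconsole firewall trust $rc_ip
fwconsole firewall start
EOF
}

# Constructed sample of `fail2ban-client status asterisk-iptables` after an
# admin has locked themselves out (jail name and log path are assumptions).
SAMPLE_STATUS='Status for the jail: asterisk-iptables
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     37
|  `- File list:        /var/log/asterisk/fail2ban
`- Actions
   |- Currently banned: 1
   |- Total banned:     1
   `- Banned IP list:   203.0.113.7'

# check_live <ip>: on a real box, walk every jail fail2ban reports and print
# the recovery commands for each one that has banned <ip>.
check_live() {
    cl_ip="$1"
    cl_jails=$(fail2ban-client status | sed -n 's/.*Jail list:[[:space:]]*//p' | tr ',' ' ')
    for cl_j in $cl_jails; do
        if ip_is_banned "$(fail2ban-client status "$cl_j")" "$cl_ip"; then
            echo "$cl_ip is banned in jail $cl_j; run:"
            recovery_commands "$cl_j" "$cl_ip"
        fi
    done
}

if [ "${1:-}" = "--live" ]; then
    check_live "${2:?usage: $0 --live <your-public-ip>}"
fi
```

Run it before re-enabling anything: if your own address shows up in any jail, a fresh wizard run will look like it "instantly kicked you out" even though the firewall itself is fine, because fail2ban's iptables chain is still dropping you. The fwconsole firewall trust step puts your address in the Trusted zone, which is what the wizard's whitelist prompt is supposed to do.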

Thanks! I stepped around in the CLI and actually took the time to unban my IP… I thought I was whitelisted and otherwise made sure that wouldn’t be an issue, but I guess I missed that. And then when I got kicked out, I was afraid to try it again before checking here if there were any major pitfalls I was missing.

This was my second time enabling the firewall and getting insta-kicked, so I was just paranoid at that point, but in hindsight, I think most likely I’d just failed to completely wipe away the ban I accidentally gave myself from the first attempt, when my endpoint was misconfigured and slamming the server with bad auth requests :sweat_smile:

Thanks for the tips and directions! Helped boost my confidence to dig in and try again. And the two reboots thing is definitely useful to know.
