FreePBX + DigitalOcean security - how to harden, which firewall?

Here is a DO bit that expands somewhat: if you get DDoS'd and they notice it, your machine is disabled. Then some good practices . . .

https://docs.digitalocean.com/products/droplets/resources/ddos/?segment=11evbwc6s_amp_idYjJ3d3JKekJhdmF4QXRYOTJYWmc0aHZ0VGhCWjdwbnRxSHM4OGNhNkxHSnU1TmtTbXVGa3ZSRk9TaVU1THIzSg…&_gl=114468du*_ga*YjJ3d3JKekJhdmF4QXRYOTJYWmc0aHZ0VGhCWjdwbnRxSHM4OGNhNkxHSnU1TmtTbXVGa3ZSRk9TaVU1THIzSg…

Personally I suggest port and connection flooding rules in your iptables.

If I’m not mistaken, flooding rules only limit packets from individual IP addresses. So, if I impose a 5 packet per second rule and I’m hit with a DDoS attack from a million IP addresses, that’s still 5 million packets per second. So my machine gets disabled?? Can’t run my business that way. Wouldn’t a whitelist be a better solution?

You can write rules to allow, deny, forward or limit by port, protocol, IP, time of day, etc. etc.

This

https://configserver.com/cp/csf.html

builds solid iptables rules and can be used easily with other iptables rulesets.

The iptables seem to have some issue on my install. It’s showing this
“iptables v1.4.21: invalid port/service `-j’ specified”

I’ve used iptables fine before but I’m not sure where this code is coming from that’s putting the wrong parameters, from the firewall module itself?

That’s certainly true. You could limit by port or protocol. But, if you write a rule to deny or limit by either of these, iptables doesn’t discriminate between the DDoS attackers and your legitimate users. So the DDoS attack would bring down your SIP ports, which means your users would be dead in the water along with the attackers. That, of course, is exactly the result the attackers want. So, I repeat, the only way to protect against DDoS attackers using iptables without also bringing down your system for legit users is to use a whitelist of IP addresses. The only other approach that might work is to block IP address access to your server by everyone and only accept access via an obscure FQDN. Wouldn’t work for VoIP.ms, but it would be fine in most corporate PBX environments.

Your SIP server will legitimately get a few connects a minute from each endpoint at most. Look at the CSF rules for how to build such a set of limiting filters (you are not limited to one) that accepts friends but notices DDoSes. But that is just a start . . .

As to your other ‘open’ services, which are likely the greater target of these latest exploits: you can certainly ‘pin-hole’ your SIP providers if they insist on UDP/5060, deny TCP/5038 on your WAN side, and indeed use obscure but certified domains and ports above the ‘low hanging’ ones for phone calls (SIP) and provisioning. I do that and rarely see untoward connections.
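The rules the last three posts describe (whitelist trusted peers so they never compete with the limiter, rate-limit SIP from everyone else per source, flag and drop sources that exceed the limit, deny TCP/5038 on the WAN side, keep the SIP port configurable), put together as one iptables script. This is an added example written for this thread; it is not code from any poster, from CSF, or from the FreePBX firewall module. The interface name, the RFC 5737 peer addresses, the rates and the ban duration are illustrative assumptions; adjust them to your own trunks and phones.

```shell
#!/bin/sh
# Added example for this thread (not from any poster, not the FreePBX firewall
# module): iptables rules that pin-hole known SIP peers, rate-limit SIP from
# everyone else per source address, flag sources that exceed the limit, and
# block the Asterisk manager port (TCP/5038) on the WAN interface.
# Addresses, interface and limits below are illustrative assumptions.
# Run as root with "apply" to install; any other invocation only prints the
# commands so the ruleset can be reviewed first.

WAN_IF=${WAN_IF:-eth0}
SIP_PORT=${SIP_PORT:-5060}          # move this if you run SIP on a high port
# Trunk provider and a branch-office NAT, as documentation-range placeholders.
SIP_PEERS=${SIP_PEERS:-"203.0.113.10 203.0.113.11 198.51.100.0/24"}
# Unknown sources: a phone registers about once a minute, so 20/min with a
# burst of 40 leaves room for a call setup without admitting a flood.
SIP_RATE=${SIP_RATE:-20/min}
SIP_BURST=${SIP_BURST:-40}
BAN_SECONDS=${BAN_SECONDS:-600}

if [ "${1:-}" = apply ]; then IPT=iptables; else IPT="echo iptables"; fi

sip_rules() {
    # Dedicated chain, flushed if it already exists, so the script is re-runnable.
    $IPT -N SIP_IN 2>/dev/null || $IPT -F SIP_IN

    # 1. Trusted peers bypass every limit: their traffic never competes with the
    #    limiter, which is what keeps legitimate users up during a flood.
    for peer in $SIP_PEERS; do
        $IPT -A SIP_IN -s "$peer" -j ACCEPT
    done

    # 2. Sources already flagged as flooders are logged (rate-limited) and dropped
    #    for BAN_SECONDS after the last flag. --rcheck does not extend the ban, so a
    #    misconfigured but honest phone recovers once it calms down.
    $IPT -A SIP_IN -m recent --name SIPFLOOD --rcheck --seconds "$BAN_SECONDS" \
         -m limit --limit 6/min -j LOG --log-prefix "SIP-FLOOD: "
    $IPT -A SIP_IN -m recent --name SIPFLOOD --rcheck --seconds "$BAN_SECONDS" -j DROP

    # 3. Per-source token bucket: anyone above SIP_RATE is flagged and dropped.
    $IPT -A SIP_IN -m hashlimit --hashlimit-name sip_src --hashlimit-mode srcip \
         --hashlimit-above "$SIP_RATE" --hashlimit-burst "$SIP_BURST" \
         -m recent --name SIPFLOOD --set -j DROP

    # 4. Everything else reaches Asterisk (fail2ban / FreePBX firewall still apply).
    $IPT -A SIP_IN -j ACCEPT

    # Hook the chain into INPUT for WAN SIP traffic (delete first so re-runs do not
    # duplicate the jump), and deny AMI on the WAN side outright.
    $IPT -D INPUT -i "$WAN_IF" -p udp --dport "$SIP_PORT" -j SIP_IN 2>/dev/null || true
    $IPT -I INPUT -i "$WAN_IF" -p udp --dport "$SIP_PORT" -j SIP_IN
    $IPT -D INPUT -i "$WAN_IF" -p tcp --dport 5038 -j DROP 2>/dev/null || true
    $IPT -I INPUT -i "$WAN_IF" -p tcp --dport 5038 -j DROP
}

sip_rules
```

Three caveats a practitioner will want. First, the ordering is the whole point: the whitelist ACCEPT rules sit above the limiter, so a distributed flood from many addresses costs each attacker its own bucket while trusted peers are never throttled; what per-source limiting cannot do is stop the link itself from saturating, which is the case DigitalOcean's null-routing covers and only upstream mitigation can fix. Second, the `xt_recent` list holds 100 addresses by default (module parameter `ip_list_tot`), which a flood from many sources exhausts quickly; raise it when loading the module. Third, every port is given through `${VAR:-default}` for a reason: if a port variable expands to nothing, `--dport $PORT -j ACCEPT` collapses to `--dport -j ACCEPT` and iptables reports exactly `invalid port/service `-j' specified`, which is the usual cause of that message when a generated rule set fails to load.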

Personally I like to keep my main 443 site open to all for UCP users, and I also allow FOP2, but only allow trusted users to the FreePBX GUI. Using a proxy (HAProxy in my case) you can drop IP-based connections before they leak anything by setting a strict SNI policy (and it makes your cert management much easier, as that is handled by the proxy; only HTTP is passed to the servers).
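What that proxy setup looks like in HAProxy terms, as an added example written for this thread (it is not the poster's configuration and not anything shipped by FreePBX): TLS is terminated at the proxy, `strict-sni` refuses the handshake for any client that does not present a hostname matching one of the loaded certificates, the `/admin` GUI is limited to trusted source networks, and UCP and FOP2 stay public. The hostname, certificate directory, backend address and trusted ranges are assumptions.

```haproxy
# Added example (not the poster's configuration, not FreePBX's own): HAProxy in
# front of FreePBX terminating TLS, rejecting TLS clients without a known SNI,
# and restricting the admin GUI to trusted networks while UCP and FOP2 stay
# public. Hostnames, addresses and paths are illustrative assumptions.
global
    log /dev/log local0
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11
    ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+CHACHA20

defaults
    mode http
    log global
    option httplog
    option forwardfor
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend https_in
    # Weak form, for contrast: without strict-sni the first certificate in the
    # directory is served to anyone who connects to the bare IP, which hands a
    # scanner your hostname and a working HTTPS endpoint to probe.
    #   bind :443 ssl crt /etc/haproxy/certs/
    #
    # Hardened form: the handshake is refused unless the ClientHello carries an
    # SNI that matches a loaded certificate. Connections by IP (no SNI) get a TLS
    # alert and never see a certificate, hostname or HTTP banner.
    bind :443 ssl crt /etc/haproxy/certs/ strict-sni alpn h2,http/1.1

    acl host_pbx    ssl_fc_sni -i pbx.example.com
    acl admin_gui   path_beg -i /admin
    acl trusted_src src 198.51.100.0/24 10.0.0.0/8

    # Second line of defence at the HTTP layer: only the expected hostname.
    http-request deny unless host_pbx
    # FreePBX GUI only from trusted networks; /ucp and /fop2 remain reachable.
    http-request deny if admin_gui !trusted_src

    default_backend freepbx

backend freepbx
    # TLS ends at the proxy; the PBX only ever sees plain HTTP from it, so
    # certificates are renewed in one place.
    http-request set-header X-Forwarded-Proto https
    server pbx 10.0.0.5:80 check
```

Test the SNI policy from outside with `openssl s_client -connect <ip>:443` (no `-servername`), which should fail the handshake, against `openssl s_client -connect <ip>:443 -servername pbx.example.com`, which should complete it; then confirm `/admin` returns 403 from an untrusted address while `/ucp` loads.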

