FreePBX distro firewall

Just set up my new FreePBX distro virtual machine and everything seems to be working fine. I have lots of firewall-related experience but only with Debian-based systems and IPTABLES. What are common practices to lock down the fort? Any quick & dirty how-tos specific for the FreePBX distribution? Ideally I would like to allow incoming device connections based on MAC addresses, as my clients have dynamic IPs. Is that safe enough?

The “distro” has no specific firewall, but does have fail2ban that adds some iptables chains.

Given your experience, perhaps you should consider installing Wheezy/Apache/PHP/Asterisk/FreePBX/Dahdi on your virtualized machine; there's a how-to in the WIKI here.

I personally use Debian and CSF for my FreePBX; CSF is a nice front end to iptables which can nicely envelop fail2ban.

The biggest thing apart from the normal ssh/apache2 stuff is to lock down SIP signalling on UDP/5060 (I suggest you change SIP to use another “not well known port”) and of course use https:// rewriting on your apache2 server. Other ports to protect are TCP/5038, the Asterisk AMI, and 3306 for MySQL. If you use the distro there are other ports left open for third-party services; netstat -aunt and lsof should expose those culprits.

Add rkhunter to the mix from the beginning and you have a solid Debian based starting point.

(I might add that iptables is not very good at filtering layer 3 traffic by mac addresses :wink: )

MAC addresses are layer 2 not layer 3. They don’t leave the local network segment. You can’t filter MAC addresses on a routed connection.

Let me open by saying you are responsible for your own security!!!
Ok, that’s out of the way. Something I threw together: https://gist.github.com/jfinstrom/21d7d83b79d57850deb1

If you’re an iptables guy this should land you in the right neighborhood. You can loosen or tighten as you see fit.

Nice work James!

I’ve actually had great success with CSF which basically helps you configure iptables. Through a lot of testing I’ve found what ports need to be open in the csf config file in order for everything to work…

Everyone tells you that you only need TCP 5060,5061 and UDP 10000-20000 open, but it’s a lot more than that depending on your deployment. Here is my TCP section of my CSF config pasted below. Also it helps to whitelist all the static IPs involved in your setup if possible. My config is a bit unique as I am building it using a VPS server in the cloud. So my firewall settings have to be a bit more strict.

TCP ports 5222, UDP 19302-19309 and TCP 19294 and UDP 19295

Those are all google voice/hangouts related ports. I haven’t exactly figured out and narrowed down which are required and which are not for google voice trunks as it is not really clear from all the research I’ve done.

UDP 5060 is actually required for SIP trunk registration, so don’t forget that one. You’ll see that in my outgoing UDP config.

You’ll notice there is no port 80 or 443 open in the firewall for the FreePBX config GUI. This is because this is handled by the IP whitelist file “csf.allow”, in which I’ve whitelisted my OpenVPN servers, which I operate solely.

I’ve also modified the .htaccess files in the /var/www/html directories and sub directories with deny directives, and added whitelisted IPs (just in case).

```
###############################################################################
# SECTION:IPv4 Port Settings
###############################################################################
# Lists of ports in the following comma separated lists can be added using a
# colon (e.g. 30000:35000).

# Allow incoming TCP ports
TCP_IN = "21,22,5222,19305:19309,19294"

# Allow outgoing TCP ports
TCP_OUT = "21,22,80,5060,5061,5222,19305:19309,19294"

# Allow incoming UDP ports
UDP_IN = "53,10000:20000,19302:19309,19295"

# Allow outgoing UDP ports
# To allow outgoing traceroute add 33434:33523 to this list
UDP_OUT = "53,5060,10000:20000,19302:19309,19295"

# Allow incoming PING
ICMP_IN = "1"
```

All of this works successfully with audio in and out, SIP registration, and full google voice trunks functionality.

I’m currently working on adding mod_security as well, and country IP blocking. I don’t want to slow it down with snort or an antivirus, so I’ll stop there on the security :wink:

Works beautifully, even in conjunction with fail2ban, using csfpre and csfpost.

Yup there is a lot more to CSF than just configuring iptables. Check out their site… tons of features that help secure your server. It will block everything that you do not list in the config file so be careful before you set it active.

Between the readme.txt file and the csf.conf file you will be much better informed as to how csf/lfd works and protects your system, both with iptables and process watching. It also has a nice audit page that will help you solidify the normally lax setup of most distros as to ephemeral tmp storage, unnecessary and insecure processes running, and lax server setups.

It is less able if used on some virtual kernels, as they don’t support all the kernel-based network hooks, but there is an app for that so you will know before trying.

Add that to normal security practice like changing well-known ports for SIP and SSH, turning off password authentication for ssh, installing rkhunter, regularly inspecting your logfiles for anomalies (usually just a quick look at the file sizes in /var/log/* will trigger a clue as to what has changed) and, most important, checking your work when finished. There are several Linux distros that are easy to set up and designed to check your system from the outside, including SIPVicious and all the other knuckle-dragger scripts out there.

Basically, just thinking your system is protected is sloppy and illogical thinking; actually test it, and hopefully watch the emails from rkhunter and csf/lfd for warnings.

Thank you James Finstrom for the script, I was looking for a quick way to edit iptables. FYI, I was getting the error:

```
iptables v1.4.7: unknown option `--dports'
Try `iptables -h' or 'iptables --help' for more information.
```

I fixed it by putting --match multiport before --dports/--sports. First time posting here and not sure if I can send you the modified script or post it.

Thank you,
Steve
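An added example, not code from this thread, from James's gist, or from CSF/FreePBX, tying together the CSF port lists posted above and Steve's multiport fix: it turns CSF-style TCP_IN/UDP_IN lists into an iptables-restore ruleset whose rules are written with `-m multiport --dports`, the form iptables 1.4.7 requires. The helper names are hypothetical; the port lists fed in at the bottom are the ones from the CSF config above.

```shell
#!/bin/sh
# Convert CSF-style port lists (comma separated, ranges as a:b) into an
# iptables-restore filter table. Every port rule carries "-m multiport",
# which older iptables (e.g. 1.4.7) needs before --dports/--sports.

# multiport accepts at most 15 ports per rule; a range a:b counts as two.
count_ports() {
  # $1 = comma list, e.g. "21,22,19305:19309" -> 4
  n=0
  for p in $(printf '%s' "$1" | tr ',' ' '); do
    case "$p" in
      *:*) n=$((n + 2)) ;;
      *)   n=$((n + 1)) ;;
    esac
  done
  echo "$n"
}

# Emit one ACCEPT rule for a protocol and port list; refuse lists that
# multiport cannot express in a single rule instead of emitting a rule
# that iptables-restore would reject at load time.
accept_rule() {
  proto=$1; ports=$2
  if [ "$(count_ports "$ports")" -gt 15 ]; then
    echo "too many ports for one multiport rule: $ports" >&2
    return 1
  fi
  echo "-A INPUT -p $proto -m multiport --dports $ports -j ACCEPT"
}

# Build a complete default-deny filter table from the CSF lists.
csf_to_iptables() {
  tcp_in=$1; udp_in=$2
  echo "*filter"
  echo ":INPUT DROP [0:0]"
  echo ":FORWARD DROP [0:0]"
  echo ":OUTPUT ACCEPT [0:0]"
  echo "-A INPUT -i lo -j ACCEPT"
  echo "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  echo "-A INPUT -p icmp --icmp-type echo-request -j ACCEPT"   # ICMP_IN = "1"
  accept_rule tcp "$tcp_in" || return 1
  accept_rule udp "$udp_in" || return 1
  echo "COMMIT"
}

# Constructed input: the TCP_IN / UDP_IN values from the CSF config above.
csf_to_iptables "21,22,5222,19305:19309,19294" "53,10000:20000,19302:19309,19295"
```

Review the generated table before loading it with iptables-restore; a list longer than 15 multiport slots has to be split across several rules by hand.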