
FreePBX Firewall Thread! (2nd Post has status)


(Rob Thomas) #1

Security Issue
Versions prior to 13.0.3 were vulnerable to an issue with the custom port range not being correctly validated, and it was possible for an attacker who had webuser privileges to gain root privileges. This was fixed in 13.0.3, and is now available for automatic upgrades.


This (first) post is out of date

This post was written before any of Firewall was working, but is left here for historical interest. The second post has the current status.


For those coming in late, read this thread:

As it was getting a bit long, I thought I’d start a new thread, and update everyone on what’s been happening!

It’s been moving up and down my priority list - as you can see from the commits - but it’s almost at a point where I’m looking for people to actually test it, for real!

The requirements are:

  • You need to be running FreePBX 13
  • You need to be running a CentOS 6 based Distro (I’ll post more about C7 and firewalld shortly)
  • You need to have the Sysadmin RPM package installed.

The Sysadmin RPM package is used to enable limited privilege escalation. I’ll probably redo it so it uses something slightly more portable as I get it working on Debian/Ubuntu and other distros (or someone else can, this is all open source, go wild! Pull requests welcome!)

But, for the moment, this means that if you don’t want to put a bunch of extra work in, a recent FreePBX Distro machine will be the easiest thing for you to test on.

If you’re feeling enthusiastic about testing, please either ping me on IRC (join the #freepbx channel on freenode, and type ‘X-Rob’ or ‘xrobau’, and that’ll attract my attention), or, send me a PM here, or just reply to this thread.

I’m also interested in anyone who has any scripts or things like that to actually ATTACK a SIP server, as I want to do some active testing too. I’ll also be exposing a couple of unfiltered machines to the internet (and publishing their details here) for random attacks, if anyone wants to have a go.

The downside is, I’m off at a Vintage Moto Trials event this weekend, so whilst I will have internet access, I won’t have much of a development environment if everything breaks. You may end up with nothing to play with this weekend! :sunglasses: (Edit: It was awesome)

So. Who’s interested?!


(Rob Thomas) #2

Security Issue

Versions prior to 13.0.3 were vulnerable to an issue with the custom port range not being correctly validated, and it was possible for an attacker who had webuser privileges to gain root privileges. This was fixed in 13.0.3, and is now available for automatic upgrades.


Current state of the module

Firewall is now deemed stable. This means that it’s now being switched to an active/beta development track. New features will be added to Beta, and then when they’re bug-free, will be moved to the release track.

The third post (the one below this) will be kept up to date as much as possible.

Systems

This is only working on RHEL 6-based machines, with the sysadmin-rpm package installed, at the moment. This means that this is limited to FreePBX Distro, AsteriskNow, PIAF(? I think they have sysadmin-rpm?), etc.

C7, Debian, Ubuntu, etc, are 100% not working, and are going to entail a significant amount of work. There is no ETA, sorry.

Documentation

Documentation for this module is contained in the FreePBX Wiki. As this is a reasonably complex module, please read and comment on what it’s missing, or what is unclear!

Known Bugs

  • Fail2Ban can intercept and inject itself ABOVE the firewall. This needs work.
  • /tmp/firewall.log now captures all logging and errors correctly. If you get an alert that the firewall process is not running, please paste the last few lines of that file into your error report!

Tasks Remaining (Last update 2015-11-12)

(This is in rough order of priority)

  • Figure out what to do about fail2ban being overly enthusiastic
  • Add a new zone, ‘Registered’, rather than just allowing them UCP access
  • Bonus awesome idea: Integrate into User Manager, so you can let ext 1234 have ssh, ucp, and admin access, but ext 1235 only have ucp
  • Remove requirement on sysadmin-rpm
  • This is a low priority, because this means that support for everything ELSE (firewalld, ufw, etc) needs to be complete. Sorry. Feel free to submit pull requests, I care, honestly.

OS Status

CentOS 6:

This is the primary development environment. If you wish to do development, it’s strongly suggested you start with a CentOS 6 based FreePBX machine (Such as FreePBX Distro, or Asterisk Now).

CentOS 7:

This is the next target, and will be made part of the new FreePBX Distro CentOS 7-based release, which is expected to be out of beta before the middle of 2016.

Ubuntu and Debian

Low priority. Estimated after CentOS 7 is released.

The cause of the delay is that there is, currently, no secure way of doing privilege escalation on the Non-Distro machines. Explanations of why this is hard are in this post.


(Rob Thomas) #3

Current Stable Version - 13.0.11
Current test Version - 13.0.12.1

Recent Changes

This is only a summary of changes in each release. You can view the commits on GitHub, and there is also more information in Module Admin.

  • 12 Fine tuning of Safemode
  • 11 Better chan_sip detection, make an educated guess about kernel hz if I have to
  • 10 Bunch of TODOs, and don’t try to install if sysadmin.rpm isn’t present
  • 9 Made it a bit more self-healing. If it sees things are broken, it’ll flush and rebuild the rules. (First Stable release)
  • 8 Bugfix
  • 7 Give a 5 minute leeway before actually starting the firewall after a reboot, to give people a chance to un-break a broken system
  • 6.1 Be more patient on slower machines.
  • 6 Startup Fixes
  • 4 and 5, Minor bugfixes
  • 3.0 Critical security vulnerability discovered and reported via @0x00string on twitter.
  • There’s also some other minor fixes, that have been reported while I’m at Astricon. Still one outstanding bug that I’m aware of (See previous post)
  • 2.0 The first real release!

This is now part of the Mirror network, and is visible to all machines running FreePBX 13. Note that there is STILL a limitation of sysadmin-rpm, so it won’t work on non-Distro machines for the moment. See the first post in this thread.


(Rob Thomas) #4

Well, no-one said that it ate their system over the weekend, so I’m going to stick this into the online module repository today or tomorrow some time, so I can expose it for a bit more testing.

Anyone have any feedback so far?


(Neil Townsend) #5

No feedback, but just to say that when it becomes available for Debian I’ll be happy to give it a go and feedback.


(Rob Thomas) #6

It’s now available in the module repository for everyone running FreePBX 13.

Note that it’s still explicitly allowing port 22 through, no matter what you do.


(Neil Townsend) #7

When attempting to enable:

Although it does then think it is enabled, until you attempt to configure zones, and then the same error.


(Rob Thomas) #8

I don’t know how you managed to do it, but I can’t read any of that 8-\

Can you copy and paste the text, or, post the image on imgur.com or something?


(Neil Townsend) #9

Perhaps better:

Text on RHS:

Exception
HELP
Sysadmin RPM not up to date
/var/www/html/admin/modules/firewall/Firewall.class.php
return array();
}

// Run a sysadmin-managed root hook.
public function runHook($hookname,$params = false) {
	// Runs a new style Syadmin hook
	if (!file_exists("/etc/incron.d/sysadmin")) {
		throw new \Exception("Sysadmin RPM not up to date");
	}

Text on LHS:

  1. Exception
    /var/www/html/admin/modules/firewall/Firewall.class.php:36
  2. FreePBX\modules\Firewall runHook
    /var/www/html/admin/modules/firewall/drivers/Iptables.class.php:669
  3. FreePBX\modules\Firewall\Drivers\Iptables getCurrentIptables
    /var/www/html/admin/modules/firewall/drivers/Iptables.class.php:29
  4. FreePBX\modules\Firewall\Drivers\Iptables getZonesDetails
    /var/www/html/admin/modules/firewall/Firewall.class.php:317
  5. FreePBX\modules\Firewall getSystemZones
    /var/www/html/admin/modules/firewall/Firewall.class.php:285
  6. FreePBX\modules\Firewall getZone
    /var/www/html/admin/modules/firewall/views/page.zones.php:61
  7. include
    /var/www/html/admin/libraries/view.functions.php:205
  8. load_view
    /var/www/html/admin/modules/firewall/Firewall.class.php:111
  9. FreePBX\modules\Firewall showPage
    /var/www/html/admin/modules/firewall/page.firewall.php:21
  10. include
    /var/www/html/admin/config.php:539

(Rob Thomas) #10

Yep, that’s spot on. Any recent sysadmin RPMs have added that file (/etc/incron.d/sysadmin) … you should be on build 40 or thereabouts.

(But, if you’re trying to get this to work on Debian, which doesn’t HAVE a sysadmin rpm, that’s where the problem is)


(Matthew B) #11

Would you characterize this in alpha or beta state?


(Rob Thomas) #12

Very early beta. It doesn’t actively go out of your way to destroy your system, but it’s possible that you may lock yourself out. And it also, explicitly, does not firewall port 22, just in case you click something wrong.

If you think it’s doing something wrong, or if something is confusing, please tell me!

Feature requests are welcome, too :sunglasses:

You can also grab me on IRC and ask questions and make suggestions there, too, but if we try to keep it in this thread, they won’t get lost.


(Matthew B) #13

OK, I bit the bullet, and it bit back.

First thing I noticed. When I went to Intrusion Detection from Admin, I wanted to copy all of the banned IPs just to be safe. I may have wanted the option of specifying specific IPs from there into the firewall. But alas, they were all gone. For me that is strange not having banned IPs in there, ha!

Then, I went to configure the firewall, and ran into an Exception, by using the copy function next to the help button there, I can paste this in. If you want a screen shot, I can send that too. Here is the text for now:

Exception thrown with message “Hook firewall doesn’t exist”

Exception thrown with message “Hook firewall doesn’t exist”

Stacktrace:
#4 Exception in /var/www/html/admin/modules/firewall/Firewall.class.php:46
#3 FreePBX\modules\Firewall:runHook in /var/www/html/admin/modules/firewall/Firewall.class.php:169
#2 FreePBX\modules\Firewall:doConfigPageInit in /var/www/html/admin/libraries/BMO/GuiHooks.class.php:290
#1 FreePBX\GuiHooks:doBMOConfigPage in /var/www/html/admin/libraries/BMO/GuiHooks.class.php:252
#0 FreePBX\GuiHooks:doConfigPageInits in /var/www/html/admin/config.php:340

(Rob Thomas) #14

Whoops. I forgot to update the top post. Check Module Admin -> Online. You should be running firewall 13.0.1.5.

Sorry :sunglasses:


(Matthew B) #15

Success!

Any suggestions? I am going to dive in…already added host network to the firewall so I don’t fat finger it. Nice feature there.


(Rob Thomas) #16

Well, turn on ‘Responsive’ and then make sure stuff is getting filtered properly. Obviously handy if you have a machine on a public address. Do an ‘iptables-save’ and you should see all the IP addresses of your trunks and registered devices automatically update as they register and deregister.

And if there’s anything that doesn’t seem right, tell me :sunglasses:


(Matthew B) #17

Adding #2: Yes, enabled Responsive. Looks good. Have machine with dynamic public IP.

Adding #1: Yes, I got too punchy and disabled External for SIP. Did not register with my SIP provider. Punched External for SIP, and within seconds, my SIP trunk registered with the provider. Excellent.

Holy Moses. Push-button happiness here. So easy, a cave man can do this.


(Rob Thomas) #18

With SIP disabled on the external interface, it should still allow you to register, because your trunk is a known entity.

Can you try turning off SIP on External (you don’t need Responsive on, for that), waiting 60 seconds, and then do an ‘iptables-save’? Your SIP provider should appear in the ‘fpbxsmarthosts’ table:

(This is Faktortel, an Australian provider)

-A fpbxsmarthosts -s 202.43.66.1/32 -m mark --mark 0x1/0x1 -j ACCEPT
-A fpbxsmarthosts -s 202.43.66.4/32 -m mark --mark 0x1/0x1 -j ACCEPT
-A fpbxsmarthosts -s 202.43.66.2/32 -m mark --mark 0x1/0x1 -j ACCEPT
-A fpbxsmarthosts -s 202.43.66.5/32 -m mark --mark 0x1/0x1 -j ACCEPT
-A fpbxsmarthosts -s 202.43.66.3/32 -m mark --mark 0x1/0x1 -j ACCEPT
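A check for what is described above, added here as an example and not part of the firewall module: it parses iptables-save output for the fpbxsmarthosts chain and separates the two outcomes the thread runs into (a header-only chain, which points at the hooks/firewall process, versus a populated chain that lacks the provider). The sample dump is constructed from the rules quoted above, and the function names are my own.

```python
import ipaddress
import re

# Rule shape quoted in the thread: -A <chain> -s <cidr> ... -j <target>
RULE_RE = re.compile(r"^-A (\S+) -s (\S+) .*?-j (\S+)")
MARK_RE = re.compile(r"--mark (\S+)")

def parse_chain(dump, chain="fpbxsmarthosts"):
    """Return (network, mark, target) for every rule in `chain` of an
    iptables-save dump; the ':chain - [0:0]' header contributes nothing."""
    rules = []
    for line in dump.splitlines():
        m = RULE_RE.match(line.strip())
        if not m or m.group(1) != chain:
            continue
        net = ipaddress.ip_network(m.group(2), strict=False)
        mark = MARK_RE.search(line)
        rules.append((net, mark.group(1) if mark else None, m.group(3)))
    return rules

def trusted(dump, host, chain="fpbxsmarthosts"):
    """True if `host` is ACCEPTed by a rule in `chain`. Prefix match, so a
    wider entry (e.g. /24) also covers single addresses inside it."""
    addr = ipaddress.ip_address(host)
    return any(addr in net and target == "ACCEPT"
               for net, _mark, target in parse_chain(dump, chain))

def diagnose(dump, provider_hosts, chain="fpbxsmarthosts"):
    """The check the thread walks through: an empty chain (header only)
    points at the hooks/firewall process not running; a populated chain
    that lacks the provider points at the trunk not being recognised."""
    if not parse_chain(dump, chain):
        return f"{chain} is empty: check that hooks/firewall is running"
    missing = [h for h in provider_hosts if not trusted(dump, h, chain)]
    if missing:
        return f"{chain} populated but missing: {', '.join(missing)}"
    return f"all {len(provider_hosts)} provider hosts are in {chain}"

# Constructed sample: the five Faktortel rules quoted above, plus header.
POPULATED = """\
:fpbxsmarthosts - [0:0]
-A fpbxsmarthosts -s 202.43.66.1/32 -m mark --mark 0x1/0x1 -j ACCEPT
-A fpbxsmarthosts -s 202.43.66.4/32 -m mark --mark 0x1/0x1 -j ACCEPT
-A fpbxsmarthosts -s 202.43.66.2/32 -m mark --mark 0x1/0x1 -j ACCEPT
-A fpbxsmarthosts -s 202.43.66.5/32 -m mark --mark 0x1/0x1 -j ACCEPT
-A fpbxsmarthosts -s 202.43.66.3/32 -m mark --mark 0x1/0x1 -j ACCEPT
"""
# Constructed sample: the header-only chain reported later in the thread.
EMPTY = ":fpbxsmarthosts - [0:0]\n"
```

On a live box, feed it the real output (`iptables-save`) instead of the constructed samples.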


(Matthew B) #19

SIP off for External - Done
Responsive turned off - Done
Wait 60 seconds - Done
iptables-save - There are no entries for fpbxsmarthosts except at the beginning :fpbxsmarthosts - [0:0]


(Rob Thomas) #20

Is the firewall service running?

You should have a collection of processes that look something like this:

[root@ipv6 firewall]# ps auxww | grep firewall
root 30760 0.6 0.3 323520 14364 pts/0 S 04:31 0:00 /usr/bin/php /usr/bin/sysadmin_manager firewall.firewall
root 30762 0.0 0.0 106060 1252 pts/0 S 04:31 0:00 sh -c /var/www/html/admin/modules/firewall/hooks/firewall &> /tmp/log
root 30763 1.0 0.4 325972 15896 pts/0 S 04:31 0:00 php /var/www/html/admin/modules/firewall/hooks/firewall
root 30784 0.0 0.0 103244 840 pts/0 S+ 04:32 0:00 grep firewall
[root@ipv6 firewall]#

Yours won’t be the same, but you should have at least the process that looks like this:

php /var/www/html/admin/modules/firewall/hooks/firewall