FreePBX Firewall Thread! (2nd Post has status)

firewall
Tags: #<Tag:0x00007fafca086bd8>

(Rob Thomas) #59

Here’s a snapshot of the status page I’m working on. It’s extremely unfinished, but it’s my Daughter’s 10th birthday tomorrow, so I kinda have to actually go off and be a daddy :sunglasses:

Edit: Poo. Just noticed ‘UNFLITERED’ there. Whoops.


#60

Confirmed the SSH port issue is fixed. Changed the port to something other than 22 and the was able to get access via SSH. Looked in the /tmp/firewall.log and could see it was added into the new rules.

The notice on the Port/Service Maps tab was a little confusing at first - but the message stating it was expected helps.

Also the latest update seems to be keeping settings properly. It appeared to me that the Interfaces and Networks settings weren’t being retained - went back into those settings after going to Dashboard, and they didn’t seems to be keeping them as I set them. I wasn’t sure if it was something I was doing, so by the time I got back to further testing you already had a new update out.

Regarding not able to add a host - I attempted to allow a hostname as a trusted network as I thought that was something that the firewall would allow. Clicked Zones > Networks then tried to add a hostname, but it was expecting an IP address only. You did mention in an earlier post

Other than that, your project is coming along very nicely - thanks for the effort!


(Rob Thomas) #61

This is pretty much the last of the ‘critical’ features that I thought it needed. I’ve pushed out release 13.0.1.17 which is almost ready.

On the ‘Blocked Hosts’ tab, it shows you who’s rate limited, and also gives you the ability to remove an IP address that’s been deemed as an attacker.
This is what it looks like when no-one’s being naughty, or - more likely - the firewall service has just restarted (it will preserve logs in the future, but, while it’s in testing, I’m clobbering everything when it restarts)


I deliberately misconfigured a phone with an incorrect password. It’s not retrying fast enough to trigger the rate limiting (which I also have fine tuned a little bit, more on that explained on the wiki), but this is a good test of a slow attack.
After it’s tried 49 times (50 is the magic trigger number), it gets deemed to be up to no good, and sent off to the naughty corner.

Clicking on the ‘X’ removes all history for that client, so it’s like they’re brand new.


(Neil Townsend) #62

From post 2:

I’ve found it a bit hard to find a clear list of what functionality sysadmin-rpm provides. The rpm I found (sysadmin-2.6.1-158_centos5.noarch.rpm) didn’t seem to contain /usr/lib/sysadmin/includes.php, which is included by a number of the files in the firewall module, so I’m not even sure I’ve got the right one.

Looking through the firewall code, it seems that it uses checkSig (how is the signature checked?) a lot, is that it? What else does it use, and where might I look for how to replace the functionality?


(Andrew Nagy) #63

That comes from the sysadmin module.

You should just use the Distro. Stop trying to muck around with getting non-supported distros to work


(Rob Thomas) #64

It provides an abstracted database and signature verification layer, basically. We’ve had a good chat about this on IRC, but, the PROBLEM that it does its best to solve it this:

  1. I am webuser.
  • I can only write files as webuser.
  • These files want to do stuff as root, and should be allowed to do so.
  • But if an attacker is in as webuser, they should NOT be able to do stuff as root.

There’s a big chunk of privilege checking code in it, as well as a secondary db abstraction layer, and multiple integrity checks of itself, too. A reasonable chunk of it has been reimplemented in the validation class in hooks, but I got to a chicken-and-the-egg situation where it got too hard.

I have a list of stuff on my plate, and I do want to get to it, but it’s not going to be in the near future – this month, for example, is totally used up with Astricon and FreePBX DevCon in Wisconsin. Then when I get back here, I’ve got a bunch of core infrastructure stuff to work on (not much freepbx dev work time, unfortunately) which gets most of November and the beginning of December used up.

That’s why I’ve got ‘probably not this year’ in the 2nd post. I don’t want to get anyone’s hopes up.

Edit: To address the obvious ‘Why don’t you just use sudo’ question:

OK, so I want to run a command as root. If you were allowed to ‘sudo /var/www/html/admin/modules/firewall/hooks/command’, for example, you have immediately given webuser permission to run any command as root.

This is because from ‘/var/www/html/’ down, webuser can write to that directory. Even if you locked the permissions down of the ‘hooks’ directory, somehow, what’s stopping me, as webuser, from doing this:

cd /var/www/html/admin/modules/
mv firewall firewall.pwned
mkdir -p firewall/hooks
echo 'cp /bin/bash /tmp/bash && chmod 4755 /tmp/bash' > firewall/hooks/command1
chmod 755 firewall/hooks/command1
sudo firewall/hooks/command1

That’s a really basic example of why I can’t do that. Anyone who uses sudo to run a file that could potentially be changed by a non-root user - any non-root user - has created a gaping security hole like the one above.

MathsSecurity is hard. Let’s go shopping!


#65

I have 2 fresh installs on 2 seperate hardware box’s and on both of them I seem to have an extra Interface “wlan0” not sure were it is comming from but I cant remove it or the active “Trusted” button there for the Firewall is always misconfigured and not running.

when I login to command line I see this.
Current Network Configuration
±----------±------------------±--------------------------+
| Interface | MAC Address | IP Addresses |
±----------±------------------±--------------------------+
| eth0 | D0:27:88:3E:2C:85 | 192.168.2.189 |
| | | fe80::d227:88ff:fe3e:2c85 |
| wlan0 | 1C:65:9D:DB:CD:AC | |
| | | |
±----------±------------------±--------------------------+

if I run ifconfig I see this.
eth0 Link encap:Ethernet HWaddr D0:27:88:3E:2C:85
inet addr:192.168.2.189 Bcast:192.168.2.255 Mask:255.255.255.0
inet6 addr: fe80::d227:88ff:fe3e:2c85/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:557659 errors:0 dropped:0 overruns:0 frame:0
TX packets:367571 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:101223278 (96.5 MiB) TX bytes:108653771 (103.6 MiB)

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:124507 errors:0 dropped:0 overruns:0 frame:0
TX packets:124507 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:14066630 (13.4 MiB) TX bytes:14066630 (13.4 MiB)

I’m not sure how to get rid of this.

Gary.


#66

wlan0 looks like it is a Lite-On mini pci wireless network device, it should be treated as an internal interface.


#67

Right you are, no mention of it in the bios but I opened case and there it was I removed it and now it does’t show up. Thanks.

gary.


(Rob Thomas) #68

I’m NOT updating the top post, because I don’t want people who are coming here new to see this post, but, I’ve build the (hopefully!) first release of Firewall.

It’s here: http://mirror1.freepbx.org/modules/packages/firewall/firewall-13.0.2.tgz for those that want to try it.

I’ve removed the Beta warning, DDNS host registrations work correctly, and, I think everything is good to go!

The only reason why I’m not publishing it through the Mirror CDN is that it’s 4pm, and I have to go look after the kids for the rest of the afternoon, and I’d hate to break a couple of thousand systems and not know about it for 12 hours :sunglasses:

So, if you’re game (and you kn ow how to type ‘service iptables stop’), feel free to install that module and see how it goes!


(Matthew) #69

Hi Rob,

Great job on something that is well and truly overdue in a PBX Distro!!

So, I believe I found a hiccup in the processes that managed to get myself locked out!! As per the warnings and everything else I ensured that I had added my home IP address where I was testing from to the Whitelist of IP addresses and then ensured that the eth0 interface was set as External to ensure that traffic was starting to be filtered.

I checked the iptables and could see that my IP address had been added to the zone-trusted.

After this I then tried to connect my phone to a newly created extension and register it to receive incoming calls. I saw a couple of connection attempts and then it stopped and I lost access to the web management GUI.

After connecting back onto console and checking iptables I could see that fail2ban had killed my IP address due to multiple failed connection attempts. At first I thought I had the password wrong, but turns out it was due to using port 5060 instead of 5061 as it was only a SIP extension not PJSIP extension.

It seems that fail2ban is kicking in first and blocking the IP address before it gets to the trusted network IP addresses.

Hope this allows you to test and replicate.

I admittedly haven’t tried your new version, but I was testing with ISO downloaded yesterday on a fresh install of BETA – 10.13.66

Matt


(Rob Thomas) #70

Yep. I’m adding that to the known issues. I think I’m going to DISABLE fail2ban blocking (and only alert, if it can) SIP failures when firewall is enabled.


(Matthew B) #71

In the meantime, what are your recommended settings for Intrusion Detection settings in System Admin Pro?

Ban Time, Max Retry, Find Time, etc.

Thanks, Rob!


(Rob Thomas) #72

For those following the thread, a privilege escalation issue was discovered in Custom Port Ranges, where an attacker who already had webuser privileges could gain root.

This was fixed in 13.0.3, with kudos to https://twitter.com/0x00string for his assistance!

More information in the Second Post


FreePBX 13: Unable to reload through GUI: Asterisk running as root (PiAF)
FreePBX 13: Unable to reload through GUI: Asterisk running as root (PiAF)
(Neil Townsend) #73

About the sysadmin package:

So, looking at things a different way … sysadmin-rpm is only available for RHEL, and I quite understand that you are not in a position to remove the firewall’s dependency on it. And, if it works well that way, why would you want to? The current apporach keeps the abstraction between the firewall based security and anti-bad-webuser security clean.

The question that then arises is why sysadmin cannot be made available for debian systems. Options:

  1. This is a commercial knowledge protection issue and it will only ever be available for commercially supported (ie. RHEL) systems. End of.
  2. It could be ported to Debian relatively easily, but we are concerned about maintaining both versions. If this is the case, how complex is the port? Is it really that hard to maintain so it runs on both RHEL and Debian. Perhaps it could be reconstructed so it was relatively easy to support on both platforms?
  3. It depends on something in RHEL which is not generally there in Debian. In this case, the question becomes: what does it rely on in RHEL? Perhaps the key to making firewall more available is add-in to Debian the functionality that it relies on. Is there a way of knowing this to see if it can be added in?

(Andrew Nagy) #74

The main issue is time. We don’t have time to pursue that endeavor right now.


(Rob Thomas) #75

It’s not can not. It’s just haven’t done so yet.

I want to make Debian one of our officially supported platforms, and getting the equivalent of sysadmin.dpkg will be the first thing I need to do. (I’m not a fan of Ubuntu. If the debian stuff happens to work on Ubuntu, then yay, but, Debian is after C7, not Ubuntu)

The complexity is twofold:

  1. I want to keep it zended, which gives it inherent self-integrity checking. But that then means I need to care about packing up zend. If I don’t zend it, then I need to write another wrapper to reimplement that.
  2. This is an exponential amount of smearing. PHP versions * Distros * CPU Arch = lots more packages to manage. This can all be automated, but, it still needs me to write it.

There’s nothing stopping you from just extracting the zended files from a CentOS machine (which will only work with php 5.3) and fiddling with them. I did have a bunch of PHP5.x (3,4,5,6) RPMS made as a proof of concept, but that was just me messing around on my Jenkins box at home, and not nearly enough to actually say ‘here, this works’.

I’m really really busy for the rest of this year. Early next year I’ll be able to spend some more time on this.

Or, if someone wants to figure out a way to do privilege escalation securely on debian, I’m all ears. It’s open source, do the pull request!


(Neil Townsend) #76

I absolutely get that, and I’m not asking anyone to change these priorities. I’m simply trying to work out how voluntary effort (ie me) can most help. I’ll keep hunting and thinking and seeing if I can work this out. Is there any chance that sysadmin will become open source (or is that what your final statement means?


(Andrew Nagy) #77

Why do you want this for debian? Is this for a RasPi?


(Neil Townsend) #78

Various reasons:

  1. Yes, I would like to put it on my pi, which is running a simple home system pretty well (only issue is the module start up speed as per the other thread, everything else is fantastic. If I skip invoking superfecta it’s fantastic).
  2. I have seen other people ask for it.
  3. One of the great things about freepbx is that it allows anyone to do something like this, and they may well be running Debian. It seems to me a useful addition to freepbx and would allow those with security concerns to use freepbx with greater confidence.

So, I have a personnel motivation which I recognise is not consistent with your core business direction, I also enjoy getting involved in projects and, before my current role, was involved in code development for both medical systems and those on jet engines, so I have a reasonable awareness of what constitutes reliable code.

If there is a different area that you would really appreciate volunteers getting involved in (although security and speed seen good places to me) then do tell me.