FreePBX Firewall Thread! (2nd Post has status)

firewall
Tags: #<Tag:0x00007f7024dd9000>

#67

Right you are, no mention of it in the bios but I opened case and there it was I removed it and now it does’t show up. Thanks.

gary.


(Rob Thomas) #68

I’m NOT updating the top post, because I don’t want people who are coming here new to see this post, but, I’ve build the (hopefully!) first release of Firewall.

It’s here: http://mirror1.freepbx.org/modules/packages/firewall/firewall-13.0.2.tgz for those that want to try it.

I’ve removed the Beta warning, DDNS host registrations work correctly, and, I think everything is good to go!

The only reason why I’m not publishing it through the Mirror CDN is that it’s 4pm, and I have to go look after the kids for the rest of the afternoon, and I’d hate to break a couple of thousand systems and not know about it for 12 hours :sunglasses:

So, if you’re game (and you kn ow how to type ‘service iptables stop’), feel free to install that module and see how it goes!


(Matthew) #69

Hi Rob,

Great job on something that is well and truly overdue in a PBX Distro!!

So, I believe I found a hiccup in the processes that managed to get myself locked out!! As per the warnings and everything else I ensured that I had added my home IP address where I was testing from to the Whitelist of IP addresses and then ensured that the eth0 interface was set as External to ensure that traffic was starting to be filtered.

I checked the iptables and could see that my IP address had been added to the zone-trusted.

After this I then tried to connect my phone to a newly created extension and register it to receive incoming calls. I saw a couple of connection attempts and then it stopped and I lost access to the web management GUI.

After connecting back onto console and checking iptables I could see that fail2ban had killed my IP address due to multiple failed connection attempts. At first I thought I had the password wrong, but turns out it was due to using port 5060 instead of 5061 as it was only a SIP extension not PJSIP extension.

It seems that fail2ban is kicking in first and blocking the IP address before it gets to the trusted network IP addresses.

Hope this allows you to test and replicate.

I admittedly haven’t tried your new version, but I was testing with ISO downloaded yesterday on a fresh install of BETA – 10.13.66

Matt


(Rob Thomas) #70

Yep. I’m adding that to the known issues. I think I’m going to DISABLE fail2ban blocking (and only alert, if it can) SIP failures when firewall is enabled.


(Matthew B) #71

In the meantime, what are your recommended settings for Intrusion Detection settings in System Admin Pro?

Ban Time, Max Retry, Find Time, etc.

Thanks, Rob!


(Rob Thomas) #72

For those following the thread, a privilege escalation issue was discovered in Custom Port Ranges, where an attacker who already had webuser privileges could gain root.

This was fixed in 13.0.3, with kudos to https://twitter.com/0x00string for his assistance!

More information in the Second Post


FreePBX 13: Unable to reload through GUI: Asterisk running as root (PiAF)
FreePBX 13: Unable to reload through GUI: Asterisk running as root (PiAF)
(Neil Townsend) #73

About the sysadmin package:

So, looking at things a different way … sysadmin-rpm is only available for RHEL, and I quite understand that you are not in a position to remove the firewall’s dependency on it. And, if it works well that way, why would you want to? The current apporach keeps the abstraction between the firewall based security and anti-bad-webuser security clean.

The question that then arises is why sysadmin cannot be made available for debian systems. Options:

  1. This is a commercial knowledge protection issue and it will only ever be available for commercially supported (ie. RHEL) systems. End of.
  2. It could be ported to Debian relatively easily, but we are concerned about maintaining both versions. If this is the case, how complex is the port? Is it really that hard to maintain so it runs on both RHEL and Debian. Perhaps it could be reconstructed so it was relatively easy to support on both platforms?
  3. It depends on something in RHEL which is not generally there in Debian. In this case, the question becomes: what does it rely on in RHEL? Perhaps the key to making firewall more available is add-in to Debian the functionality that it relies on. Is there a way of knowing this to see if it can be added in?

(Andrew Nagy) #74

The main issue is time. We don’t have time to pursue that endeavor right now.


(Rob Thomas) #75

It’s not can not. It’s just haven’t done so yet.

I want to make Debian one of our officially supported platforms, and getting the equivalent of sysadmin.dpkg will be the first thing I need to do. (I’m not a fan of Ubuntu. If the debian stuff happens to work on Ubuntu, then yay, but, Debian is after C7, not Ubuntu)

The complexity is twofold:

  1. I want to keep it zended, which gives it inherent self-integrity checking. But that then means I need to care about packing up zend. If I don’t zend it, then I need to write another wrapper to reimplement that.
  2. This is an exponential amount of smearing. PHP versions * Distros * CPU Arch = lots more packages to manage. This can all be automated, but, it still needs me to write it.

There’s nothing stopping you from just extracting the zended files from a CentOS machine (which will only work with php 5.3) and fiddling with them. I did have a bunch of PHP5.x (3,4,5,6) RPMS made as a proof of concept, but that was just me messing around on my Jenkins box at home, and not nearly enough to actually say ‘here, this works’.

I’m really really busy for the rest of this year. Early next year I’ll be able to spend some more time on this.

Or, if someone wants to figure out a way to do privilege escalation securely on debian, I’m all ears. It’s open source, do the pull request!


(Neil Townsend) #76

I absolutely get that, and I’m not asking anyone to change these priorities. I’m simply trying to work out how voluntary effort (ie me) can most help. I’ll keep hunting and thinking and seeing if I can work this out. Is there any chance that sysadmin will become open source (or is that what your final statement means?


(Andrew Nagy) #77

Why do you want this for debian? Is this for a RasPi?


(Neil Townsend) #78

Various reasons:

  1. Yes, I would like to put it on my pi, which is running a simple home system pretty well (only issue is the module start up speed as per the other thread, everything else is fantastic. If I skip invoking superfecta it’s fantastic).
  2. I have seen other people ask for it.
  3. One of the great things about freepbx is that it allows anyone to do something like this, and they may well be running Debian. It seems to me a useful addition to freepbx and would allow those with security concerns to use freepbx with greater confidence.

So, I have a personnel motivation which I recognise is not consistent with your core business direction, I also enjoy getting involved in projects and, before my current role, was involved in code development for both medical systems and those on jet engines, so I have a reasonable awareness of what constitutes reliable code.

If there is a different area that you would really appreciate volunteers getting involved in (although security and speed seen good places to me) then do tell me.


(Rob Thomas) #79

Zend won’t work on a Pi, so that means option 1 is right out.

Looks like that’s your only option. If you want to spend some time whiteboarding up some concepts, throw it in a google doc and I’ll see if I can poke holes in it!

–Rob


(Andrew Nagy) #80

Not true. As Rob already stated it’s impossible. That is the only reason I asked.


#81

I was trying out this firewall feature in FreePBX13 and when I moved the FreePBX server Ethernet connection to the external zone I was locked out of the GUI. This even though I put the IP of the computer connecting from in the “trusted” computers list. How Can I disable the firewall from the cli at the PBX server so I can get back the FreePBX GUI? I can’t find the CLI list of commands for the firewall anywhere on the forum or in the documentation.


(Brian Johnson) #82

I had the same thin happen. i uninstalled the firewall module via the following code.
amportal a ma uninstall firewall

the only issue I am running into is when I reinstall the firewall and enable it lock me out before I can make changes. Does anyone know what files I need to delete to remove the configuration?


(Rob Thomas) #83

You can, by default, access the https:// connection of your machine, which will let you fix the configuration. You’ll get a certificate error, but you should still be able to get in.


(D Rubie) #84

Hi Rob,

I had the firewall setup nicely with my hosted PBX, but then I did the update and lost all my settings. Now my extensions only register if I’m connecting from a trusted IP. The responsive firewall does not seem to be working correctly.

Also, it appears the firewall settings are lost every time asterisk is restarted. I believe this is a safety feature but…I think this needs to be a feature that can be turned off.

D Rubie


(Rob Thomas) #85

Hrm, well, yes, I guess that’s SORT of true. Responsive firewall quizzes Asterisk for its registrations. If asterisk is restarted, those phones won’t be registered, so they won’t be visible.

However, the phones should automatically reregister, and reappear. Is that not what’s happening?

If you’re saying that EVERYTHING breaks, then that’s wrong and terrible, and is a bug and you should be yelling at me about it 8)


(D Rubie) #86

The last update (13.0.6) fixed all the issues I was having…the most important being the ability for remote registrations.

Thanks