Major facelift to the FreePBX Firewall

firewall

(Daniel Friedman) #21

Hello @danardf,

I still don’t get it.

I am installing the firewall module on all my systems, but I am not using it. It is in disabled mode. So, if the firewall module is installed but not enabled, would it be possible to use the Intrusion Detection page like it was possible in the System Admin module?

Thank you,

Daniel Friedman
Trixton LTD


(Franck Danard) #22

I will check that with @lgaetz.
As I.D. has been moved into the Firewall tab, there is indeed no tab when the firewall module is disabled.
Please wait for our feedback.


(Daniel Friedman) #23

Hello @danardf,

This is a screenshot from one of my systems of the firewall module:

Thank you,

Daniel Friedman
Trixton LTD.


(Franck Danard) #24

Yes, I know. :slight_smile:


(Itzik) #25

Poll/Vote: if you have the firewall enabled, it should sync the fail2ban data by default.
(Right now you have to go into the settings to enable synchronization.)

  • That will help
  • DON’T TOUCH!



(Vorms) #26

My system is up to date, but Intrusion Detection is not on the firewall menu.
How can I do that?

Thanks

Regards
Thierry


(Jared Busch) #27

Edge, not up to date.


#28

That is what I was referring to. Even if I can still manually configure fail2ban and iptables, it seems that FreePBX’s intrusion detection features will not work if the firewall module is not installed.


#29

For now, I think that’s correct. From @danardf’s comment above I think we may see a fix.


#30

@danardf - One minor note: my first instinct was to enter a comma-delimited list when entering addresses in the “Custom Whitelist” field (like a pjsip match/permit entry).

Suggest at least adding some “enter one IP per line” help text, or parsing comma-delimited entries.
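
As an added illustration of the parsing suggestion in post #30 (this is example code, not the FreePBX firewall module's own implementation): a small Python parser that accepts the field in either form, one address per line or comma-delimited pjsip-style, and validates each token as an address or CIDR block instead of silently dropping typos. The `parse_whitelist` and `is_whitelisted` names and the sample field contents are assumptions made for the example; the addresses are documentation ranges.

```python
import ipaddress
import re

# Treat commas, semicolons, spaces and newlines all as separators, so
# "a, b" and "a\nb" parse identically.
_SEPARATORS = re.compile(r"[,\s;]+")


def parse_whitelist(text):
    """Parse a free-form whitelist field into ip_network objects.

    Accepts one entry per line (what the FreePBX field expects) as well as
    comma-delimited input (pjsip match/permit style). Bare addresses become
    /32 (IPv4) or /128 (IPv6) networks; dotted netmasks such as
    192.0.2.0/255.255.255.0 are accepted too. Returns (networks, rejected),
    where rejected holds tokens that were not valid addresses or CIDR blocks,
    so the UI can show them back to the admin rather than ignore them.
    """
    networks = []
    rejected = []
    for token in _SEPARATORS.split(text.strip()):
        if not token:
            continue
        try:
            # strict=False tolerates host bits set: 10.1.2.3/24 -> 10.1.2.0/24
            networks.append(ipaddress.ip_network(token, strict=False))
        except ValueError:
            rejected.append(token)
    return networks, rejected


def is_whitelisted(addr, networks):
    """True if addr falls inside any parsed network (v4 and v6 kept separate)."""
    ip = ipaddress.ip_address(addr)
    return any(ip.version == net.version and ip in net for net in networks)


# Constructed sample field (not from the page): comma-delimited and
# one-per-line entries mixed, plus one typo that must be reported.
SAMPLE_FIELD = """\
203.0.113.10, 203.0.113.11
198.51.100.0/24
2001:db8::/32
192.0.2.999
"""

if __name__ == "__main__":
    nets, bad = parse_whitelist(SAMPLE_FIELD)
    print("accepted:", [str(n) for n in nets])
    print("rejected:", bad)
    for probe in ("203.0.113.11", "198.51.100.77", "203.0.113.12", "2001:db8:1::5"):
        print(probe, "->", "allow" if is_whitelisted(probe, nets) else "no match")
```

Returning the rejected tokens is the part worth copying: a whitelist field that quietly drops a malformed entry leaves the admin believing an address is allowed when it is not.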


(Belgique) #31

One interesting idea: it could be useful to be able to block/allow IPs from defined countries.


(Tony Lewis - https://bit.ly/2SbDAyc) #32

But how would you do such a thing with BGP being so widely used? IPs really don’t belong to a country anymore.


#33

Geoblocking is still effective. It can reduce log noise by orders of magnitude. Most US SOHO installs will be fine only allowing North American IPs.

Of course you have to know your audience. Not so great if there is a lot of international travel.

Most importantly, never assume it’s any sort of real security. Geoblocking can be great to reduce log noise, load on fail2ban, etc., but the system needs to be secure without relying on it.


#34

(Most of the big players, like the Chinese ‘universities’, now have accounts with OVH or AWS or . . . . .; think ‘wormholes’.)


(Itzik) #35

I recently saw a lot from DO and Vultr. Give it some time and all these VPS providers will make it hard for us to use 5060.


#36

No problem, just email abuse@hosting.company.com and they will take care of that :wink:

(Still using UDP/5060?)


(Itzik) #37

Unfortunately, there are still a lot of providers who exclusively use 5060. No other way around it.

… Not sure if you are in that FB group, but you reminded me of this post. (Look at the bottom comment)


#38

What’s facebook?

We use DO a lot. A simple “DO native” firewall that includes allows for your UDP/randomport, TCP/randomport, TCP/5061 and also your various recalcitrant VSPs’ 5060 “incoming servers”, and you can watch sngrep all day and all night and never get a bogus INVITE. Try it, you’ll like it :slight_smile:

Edit:

Of course you can replace the mentioned firewall with any competent upstream firewall that can “do that stuff”. Personally I would be reticent to use the software firewall of the “distro” (which is not available to me anyway as yet), given it has acquired a kinda scary anecdotal reputation of either not starting or arbitrarily stopping/not restarting under certain circumstances, hopefully fixed at the eventual culmination of this thread :slight_smile:


(Belgique) #39

You can easily get a lot of geo info from an IP address
(look, for example, at
https://geoip.ovh/
https://dev.maxmind.com/geoip/)

Of course, it is not perfect and it is always possible to use TOR, a proxy or a VPN, but it makes the hacker’s life a little bit more complex.


#40

But even if the server resolves by GeoIP, is the ‘command and control’ of it in that locale?

For $5 you can be almost anywhere you want . . .

So ‘NO! GeoIP filtering is futile for VoIP’, because they can do it way better than you ;-).

On the other hand, not using UDP/5060 reduces the attacks by 99.99…% even if they are in the same /24 as your PBX. (I think I suggested that before.)
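
To make the two positions in this thread concrete (post #33's "geoblocking cuts noise but is not security" and post #38/#40's "random port plus provider allowlist, no public 5060"), here is an added Python example, not code from FreePBX or any poster, that runs a constructed batch of inbound SIP attempts through both policies and counts what still reaches Asterisk and fail2ban. The attempt list, the GEO_NA map (a stand-in for a real GeoIP database such as MaxMind's), the VSP server list and the random port numbers are all assumptions for the example; the addresses are documentation ranges.

```python
import ipaddress

# Constructed inbound SIP attempts as seen at the edge: (source, proto, dport).
# Not real traffic; documentation ranges only.
ATTEMPTS = [
    ("203.0.113.5",  "udp", 5060),   # the VSP's inbound SIP server (legitimate)
    ("198.51.100.7", "udp", 5060),   # scanner on a VPS inside the "allowed" region
    ("198.51.100.8", "udp", 5060),
    ("192.0.2.40",   "udp", 5060),   # scanners in a range we pretend is outside NA
    ("192.0.2.41",   "udp", 5060),
    ("192.0.2.42",   "udp", 5060),
    ("192.0.2.43",   "tcp", 5060),
    ("198.51.100.9", "udp", 41234),  # someone who found the random port
    ("203.0.113.77", "tcp", 5061),   # a remote phone over TLS
]

# Stand-in for a GeoIP lookup: ranges we pretend resolve to North America.
GEO_NA = [ipaddress.ip_network("198.51.100.0/24"),
          ipaddress.ip_network("203.0.113.0/24")]

# The provider's published inbound servers (the VSP that only speaks 5060).
VSP_SERVERS = [ipaddress.ip_network("203.0.113.5/32")]

RANDOM_UDP_PORT = 41234   # assumed values; pick your own
RANDOM_TCP_PORT = 41235


def in_any(ip, nets):
    return any(ip in n for n in nets)


def geo_policy(src, proto, dport):
    """Geoblocking alone: accept SIP from 'North American' sources, drop the rest.
    proto/dport are ignored on purpose; this policy only looks at origin."""
    return in_any(src, GEO_NA)


def port_policy(src, proto, dport):
    """Post #38 style: SIP only on the random ports and TLS/5061 from anywhere;
    UDP/TCP 5060 only from the provider's listed servers."""
    if proto == "udp" and dport == RANDOM_UDP_PORT:
        return True
    if proto == "tcp" and dport in (RANDOM_TCP_PORT, 5061):
        return True
    if dport == 5060 and in_any(src, VSP_SERVERS):
        return True
    return False


def evaluate(policy):
    """Return (accepted attempts, dropped count): what still reaches the PBX."""
    accepted, dropped = [], 0
    for src, proto, dport in ATTEMPTS:
        if policy(ipaddress.ip_address(src), proto, dport):
            accepted.append((src, proto, dport))
        else:
            dropped += 1
    return accepted, dropped


if __name__ == "__main__":
    for name, policy in (("geo only", geo_policy), ("random port + VSP allowlist", port_policy)):
        acc, dropped = evaluate(policy)
        print(f"{name}: {len(acc)} reach the PBX, {dropped} dropped at the edge")
        for a in acc:
            print("   passed:", a)
```

With the constructed input the geo policy drops the four out-of-region scanners but lets the two in-region VPS scanners through on 5060, which is exactly the "$5 VPS anywhere you want" objection; the port policy lets through only the provider, the TLS phone and the one probe that found the random port, and that last one is what fail2ban is still for.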