Major facelift to the FreePBX Firewall

We will add it for help indeed.

And I think it also loads the CPU if too many IP addresses are set in iptables, by the hundreds or by the thousands.

The best way is to set the right rules to accept instead of setting bad rules to reject.

I agree. I need about a dozen accept rules for mail, dns, ntp, icmp, ssh, voip, your https port, and a couple more; any drop rules are generated by the various fail2ban jails via ipsets, but even voipbl, nearly 200000 hosts, is not a problem if using ipsets, if you feel the need to expose 5060.

There are also a few rules to identify and ban port scanning and port flooding (by adding the whole underlying subnet to an ipset).

Looks like a great improvement, nice work.

2 Likes

Hi Daniel.

I fixed that.
I just need to test it before publishing it on edge.
The I.D. page will be back in sysadmin when the firewall is disabled.

4 Likes

Hi @danardf,

Thank you very much for the fix.
It will help to keep the stability of systems that do not use the firewall module.

Daniel Friedman
Trixton LTD.

Great work @danardf,

Will this pickup custom jails that I have created myself with fail2ban outside of FreePBX?

Thanks :slight_smile:

All rules / jails set are scanned,
so:

# fail2ban-client status
Status
|- Number of jail:      7
`- Jail list:           apache-tcpwrapper, recidive, ssh-iptables, apache-badbots, pbx-gui, asterisk-iptables, vsftpd-iptables

If there are other jails in this list, it should work.

2 Likes
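As an added example (not code from this thread or from the FreePBX firewall module), a small Python parser for the `fail2ban-client status` output quoted above: it checks that the advertised jail count agrees with the jail list and reports any jails you expect to be present (for instance custom jails created outside FreePBX) that do not appear. The sample output is constructed from the post.

```python
import re

# Constructed sample: the `fail2ban-client status` output quoted in the thread.
SAMPLE_STATUS = """Status
|- Number of jail:      7
`- Jail list:           apache-tcpwrapper, recidive, ssh-iptables, apache-badbots, pbx-gui, asterisk-iptables, vsftpd-iptables
"""


def parse_jail_status(text):
    """Return the jail names listed by `fail2ban-client status`.

    Raises ValueError if the output is not in the expected shape or if the
    advertised jail count disagrees with the list; a tool that scans jails
    should refuse to act on inconsistent output rather than guess.
    """
    count = None
    jails = None
    for line in text.splitlines():
        m = re.match(r"^[|`]- Number of jail:\s*(\d+)\s*$", line)
        if m:
            count = int(m.group(1))
            continue
        m = re.match(r"^[|`]- Jail list:\s*(.*)$", line)
        if m:
            jails = [j.strip() for j in m.group(1).split(",") if j.strip()]
    if count is None or jails is None:
        raise ValueError("unrecognised fail2ban-client status output")
    if count != len(jails):
        raise ValueError(f"jail count {count} does not match {len(jails)} jails listed")
    return jails


def missing_jails(expected, text):
    """Names from `expected` that are absent from the status output.

    `expected` would typically hold the jails you configured yourself and
    want to confirm the firewall's jail scan will pick up.
    """
    present = set(parse_jail_status(text))
    return sorted(set(expected) - present)


if __name__ == "__main__":
    # Example run: "my-custom-jail" is a constructed name, not a real jail.
    print(parse_jail_status(SAMPLE_STATUS))
    print(missing_jails(["recidive", "my-custom-jail"], SAMPLE_STATUS))
```

On a live system, feed the function the captured output of `fail2ban-client status` instead of the constructed sample.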

Nice work with the firewall update but sadly, I'm still seeing authenticated users being blocked by some combination of the firewall and fail2ban. We're entirely softphone based (microsip) if it makes a difference.

Checking the logs I can see the address authenticated successfully: "reported as good adding to white list" but then after some period they get dropped and then end up on the banned list. Is it possible to detect successful authentications and then white list for a set minimum time, i.e. a day? This would capture most of our users as they turn their machines on and off.

Slightly unrelated, but since updating the firewall the log is full of PHP notices about undefined properties:
"HP Notice: Undefined property: stdClass::$id_service in phar:///var/www/html/admin/modules/firewall/hooks/voipfirewalld/firewall.php on line 9". Is this an issue?

I installed the edge modules but I don't use the Sangoma firewall and it stopped me from being able to see fail2ban in sysadmin.

Please note not everyone uses Sangoma's firewall. I know you guys noted this above but please don't push to stable without fixing this.

You can get the sysadmin Intrusion Detection features back provided the firewall module is installed. You don't have to actually turn it on though.

It is true, but it makes the hacker's life a little bit more complex… Before starting to try to hack your system, they need to know which IP countries you allow.

Synology network hard disks use that, and it catches really a lot of hackers with this simple security.

I think of geoblocking more as proactive log and load maintenance vs real security. Thousands of attempts dropped quickly and silently, making what's left easier to manage.

System needs to be secure with or without geoblocking in place.

I'm not sure which of my posts you agree with, but my gist is:

I am saying basically geoip is not useful because, well, it's not; I as a non-knuckledragger black-hat can buy a VM in your backyard for 3 euros.

VOIP blacklists ONLY have hosts who use UDP/5060, so don't use UDP/5060 and your blacklists are mostly a waste of time.

Your IP:port can be scanned trivially, but if you don't reply to 5060 (and block it on an earlier firewall if you don't want the noise), you reduce your visibility significantly; if you only accept REGISTER and INVITE to your domainname:unlikelyport, your erstwhile hacker has even greater complexity.

So, I would suggest you use TLS:5061 with a certificate that is obscure and unrelated to your internet-facing domain and use 'enforced SNI', and I believe you are close to being 'very armored'.

I can't find where it was discussed recently, but there was a feature request to allow admins to suppress the dashboard notification when the PBX firewall module is installed to allow Intrusion Detection features in Sysadmin but the firewall is not running. In dashboard versions 14.0.13, 15.0.9, and 16.0.5 there is an advanced setting to control this:

2 Likes
