New blog post: Some security tips and tricks


(Matthew Fredrickson) #1

Hey All,

@wmoon wrote a quick blog post on a few general best practices and tips for security in FreePBX. Feel free to check it out and discuss at https://www.freepbx.org/a-secure-freepbx-is-a-happy-freepbx/

Best wishes,
Matthew Fredrickson


#3

I would also suggest a few more:

  • SSH access by password for any user should be disabled and only be allowed by SSH keys (on !22 for quietness)
  • The ‘admin’ user in the GUI should be deleted and another few more created with less obvious, generated but more identifiable names and access
  • Consider the ease of not using UDP/5060; agree or not, 99.99% of all attacks are directed there. (Few go to TCP/*, even fewer will get to TLS/5061.)
  • Enable fail2ban jails for other than Asterisk (noscript comes to mind to catch phpadmin, webmin etc.)
  • Add a rootkit detector like lynis
  • logwatch will help to pre-advise other ‘problems’ like disk space and unimagined open ports
  • Rewrite HTTP to HTTPS only for legitimate URIs, otherwise send them to the bit-bucket
  • Always be wary of connections to your IP; ultimately only accept connections to your domain name for VoIP and HTTPS/HTTP
  • Make sure TCP/5038 is well protected (you probably only need to bind to 127.0.0.0/8)
  • Audit MySQL and add a root password; consider the ‘mysql_secure_installation’ script
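
Three of the items in that list (SSH by keys only, SSH off port 22, and TCP/5038 bound to loopback only) can be checked offline from copies of two files. The script below is an added example written for this thread, not FreePBX code or the poster's: it takes the text of sshd_config and the output of `ss -ltn` as strings, and the samples at the bottom are constructed. It also handles a detail people trip over: OpenSSH honours the first occurrence of a keyword, so a `PasswordAuthentication no` appended to the end of a file that already says `yes` near the top does nothing.

```python
"""Offline audit of a few of the hardening items above (added example, not FreePBX code)."""
import re


def sshd_effective(config_text):
    """Effective global keyword values from sshd_config text.

    OpenSSH uses the FIRST occurrence of a keyword, so later duplicates are ignored.
    Everything after a 'Match' line belongs to that block, not the global scope.
    Port/ListenAddress are the exception: every occurrence adds a listener."""
    effective, in_match = {}, False
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            in_match = True
            continue
        if in_match:
            continue
        if key in ("port", "listenaddress"):
            effective[key] = (effective.get(key, "") + " " + value).strip()
        else:
            effective.setdefault(key, value)  # first occurrence wins
    return effective


def check_sshd(config_text):
    """Findings for: keys only, not on 22, no password root login."""
    eff, findings = sshd_effective(config_text), []
    # Defaults when absent: PasswordAuthentication yes, Port 22, PermitRootLogin prohibit-password.
    if eff.get("passwordauthentication", "yes").lower() != "no":
        findings.append("sshd: password logins still enabled (first occurrence wins)")
    if "22" in eff.get("port", "22").split():
        findings.append("sshd: listening on 22")
    if eff.get("permitrootlogin", "prohibit-password").lower() == "yes":
        findings.append("sshd: PermitRootLogin yes")
    return findings


def listeners(ss_output):
    """Parse `ss -ltn` output into (address, port) tuples, skipping the header."""
    out = []
    for line in ss_output.splitlines()[1:]:
        cols = line.split()
        if len(cols) >= 5 and cols[0] == "LISTEN":
            addr, _, port = cols[3].rpartition(":")
            out.append((addr, int(port)))
    return out


def check_ami(ss_output, port=5038):
    """TCP/5038 is the Asterisk Manager Interface; anything but loopback is a finding."""
    findings = []
    for addr, p in listeners(ss_output):
        if p == port and not (addr.startswith("127.") or addr in ("::1", "[::1]")):
            findings.append(f"AMI: tcp/{port} bound to {addr}, bind to loopback only")
    return findings


def report(sshd_text, ss_text):
    return check_sshd(sshd_text) + check_ami(ss_text)


# Constructed samples, not taken from a real host.
SAMPLE_SSHD = """\
Port 22
PasswordAuthentication yes
PermitRootLogin yes
# someone 'hardened' this by appending a line; sshd ignores it:
PasswordAuthentication no
Match User deploy
    PasswordAuthentication no
"""
SAMPLE_SS = """\
State   Recv-Q  Send-Q   Local Address:Port   Peer Address:Port Process
LISTEN  0       128            0.0.0.0:22          0.0.0.0:*
LISTEN  0       128            0.0.0.0:5038        0.0.0.0:*
LISTEN  0       128          127.0.0.1:3306        0.0.0.0:*
LISTEN  0       128               [::]:22             [::]:*
"""

if __name__ == "__main__":
    for finding in report(SAMPLE_SSHD, SAMPLE_SS):
        print(finding)
```

Run it against a real box with `report(open("/etc/ssh/sshd_config").read(), subprocess.check_output(["ss", "-ltn"], text=True))`; the sample above produces four findings, and moving the `no` above the `yes` (or deleting the `yes`) clears the first one.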

#4

How does one block everything with the firewall, as suggested in your blog? I copiously use the blacklist.


(Lorne Gaetz) #5

You are doing something wrong, properly configured the firewall is deny by default. Check out this vid: Open Source Pro Tips #2 - Firewall Basics


#6

I don’t understand. I see lots of attempts from IP addresses in my log file; I see lots of times where fail2ban detects and blocks people trying to hack the system. I add them to the blacklist and the problem goes away. They never actually get through to my system (as far as I know). The other day there was a bug in the firewall that caused it to drop, and let me tell you, fail2ban had a busy 2 days. BTW, I don’t think I have anything set up incorrectly, but there are always better ways of doing things.


#7

(One might quibble that the ‘firewall’ is open source: it won’t install on anything without ‘sysadmin’, and sysadmin is closed source and at this point in time only available on some hardware and one OS. If you’ve got a Raspberry or not the Sangoma version of Red Hat, you’re kinda SOOL. If there is a way to install it outside ‘the distro’ I would try it again :wink:)


#8

Left one thing out:

http://www.voipbl.org/


#9

@GeekBoy, that’s a biggie; don’t even think of using that without putting it in an ‘ipset’.


#10

They do have a guide on using it, as well as scripts.


#11

Several soft firewalls have it seamlessly ‘embedded’ as an ipset option (at about 92k, don’t even think of using iptables).

(but off the reservation here though :slight_smile: )
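
The point made in the last few posts (a ~92k-entry list belongs in an ipset, not in 92k individual iptables rules) in working form. This is an added example, mine rather than voipbl's published scripts or anything from FreePBX; it assumes the list is one IPv4 address or CIDR per line with `#` comments, and the set name `voipbl`, the hash sizes and the plain `INPUT` drop rule are this example's choices. The sample list is constructed. Overlapping and adjacent entries are merged before loading, and the set is swapped in atomically so there is no window where the old list is gone and the new one not yet loaded.

```python
"""Load a voipbl-style block list into an ipset (added example, not voipbl's or FreePBX's code)."""
import ipaddress
import subprocess
import sys


def parse_blocklist(text):
    """Return (merged IPv4 networks, unparsable lines). Comments and blanks are skipped."""
    nets, bad = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            bad.append(line)   # never feed junk into a firewall set
            continue
        if net.version == 4:   # the set below is 'family inet'
            nets.append(net)
    # collapse_addresses merges covered and adjacent networks: fewer entries, same coverage
    return list(ipaddress.collapse_addresses(nets)), bad


def ipset_restore_script(nets, setname):
    """Input for `ipset restore`: a create line followed by one add per network.
    hash:net lookups cost the same whether the set holds 10 or 100k entries."""
    lines = [f"create {setname} hash:net family inet hashsize 65536 maxelem 262144"]
    lines += [f"add {setname} {n.with_prefixlen}" for n in nets]
    return "\n".join(lines) + "\n"


def apply(nets, setname="voipbl", run=subprocess.run):
    """Build the list in a temp set, swap it in, and make sure exactly one INPUT rule uses it.
    `run` is injectable so the sequence can be checked without root or ipset installed."""
    tmp = setname + "_tmp"
    run(["ipset", "-exist", "create", setname, "hash:net", "family", "inet",
         "hashsize", "65536", "maxelem", "262144"], check=True)
    run(["ipset", "destroy", tmp])            # leftover from a failed run; error ignored
    run(["ipset", "restore"], input=ipset_restore_script(nets, tmp).encode(), check=True)
    run(["ipset", "swap", tmp, setname], check=True)   # atomic: old set -> tmp, new set live
    run(["ipset", "destroy", tmp], check=True)
    rule = ["INPUT", "-m", "set", "--match-set", setname, "src", "-j", "DROP"]
    if run(["iptables", "-C"] + rule).returncode != 0:  # -C: does the rule already exist?
        run(["iptables", "-I"] + rule, check=True)      # one rule, not 92k


# Constructed sample in the one-entry-per-line style of such lists.
SAMPLE_LIST = """# constructed sample, not real voipbl data
203.0.113.0/24
203.0.113.64/26      # already covered by the /24 above
198.51.100.7
198.51.100.6         # adjacent to .7: merged into a /31
not-an-ip
2001:db8::/32        # IPv6 is skipped, the set is family inet
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LIST
    nets, bad = parse_blocklist(text)
    print(f"{len(nets)} networks after merging, {len(bad)} unparsable lines skipped", file=sys.stderr)
    apply(nets)
```

Run it from cron after fetching the list; if something else already owns your rule set (the FreePBX firewall module, a pfSense in front), let it own the `iptables` rule and only refresh the set.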


#12

Having spent some time with the module fixing the LetsEncrypt issues, it could be stripped of sysadmin dependencies in an afternoon and likely made Debian compatible in another (and then a week’s testing trying to break it). The issue is how to do it “securely” within the current framework.

From a “Sangoma corporate” perspective, I can see them wanting at least the lip service Zend Guard/sysadmin provides as a security claim.

The biggest issue with the firewall module architecture/code/error handling is that if something goes wrong it’s likely to crap out completely and leave the system wide open, just as it did with the LetsEncrypt errors (or I guess technically still does until edge is pushed to release).


(Jorge Delgado) #13

For security features, I suggest the capability to block/enable by GeoIP. My scenario: I only need connections from the US and CR. Filtering to only users from these 2 countries enormously minimizes the attack surface. I recommend looking at the UI for this in Issabel PBX.


(TheWebMachine Networks (Sangoma Software Development Partner)) #14

This is a big one if your PBX is in the cloud or you have a lot of remote employees (COVID, anyone?). We recommend using 65### ports across the board for SIP/PJSIP. A LOT of home ISPs block the normal 5### SIP port ranges, so this squashes two concerns in one. (AT&T, for example, can legit kiss my a** with their port blocks, because they also intercept AND respond to DNS 1.1.1.1 and other shady BS :face_with_symbols_over_mouth:)


(Laurent B ) #15

Hi !

I use Fail2ban on the FreePBX computer paired with pfBlockerNG-devel on a pfSense APU (as firewall).

Fail2ban on the Asterisk machine collects banned IPs and keeps them for 2 hours so the CPU dedicated to log management is not too heavy.
An hourly cron gets the new IPs collected from the past hour and adds them to a dedicated blacklist in the pfBlockerNG-devel files on the pfSense.
pfBlockerNG-devel is also set to use GeoIP filters and DNSBL lists.

Sometimes I manually check the banned IP entries and find that some foreign networks try all the time to enter my system, so I created a second blacklist file where I put entire networks… Something like

5.62.40.0/23            # (03/09/2019) (5.62.40.0 - 5.62.41.255)         Privax LTD AVAST cloud London
5.183.92.0/22           # (19/02/2020) (5.183.92.0 - 5.183.93.255)       NetProtect-Germany-Frankfurt - Dallas United States
23.94.0.0/15            # (20/10/2019) (23.94.0.0 - 23.95.255.255)       CC-16 ColoCrossing Buffalo NY US
23.249.160.0/20         # (20/10/2019) (23.249.160.0 - 23.249.175.255)   NET3-INC Buffalo NY US

Those settings put all the load on the pfSense device and have protected my FreePBX system for a few years now, despite the fact that TCP/5060 is open because I usually connect remotely with my mobile phone using VoIP.

Laurent.
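
The hourly cron step in that setup (collect the last hour's fail2ban bans, add only the ones not already covered by the blacklist) as an added example; this is my code, not Laurent's cron job, and it assumes the default `fail2ban.log` line format. The window, the jail filter and the file paths are this example's choices, and the log lines and blacklist entries below are constructed. Two details it gets right on purpose: an IP unbanned locally inside the window is still exported (the remote list is meant to hold it longer than the 2-hour local jail), and an IP already inside a listed network such as the `5.62.40.0/23` entry above is not appended again.

```python
"""Export the last hour of fail2ban bans to a blacklist file (added example, not the poster's cron)."""
import ipaddress
import re
import sys
from datetime import datetime, timedelta

# Default fail2ban.log line, e.g.:
# 2020-02-19 10:05:01,123 fail2ban.actions        [1234]: NOTICE  [asterisk] Ban 203.0.113.5
BAN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+ fail2ban\.actions\s+\[\d+\]: "
    r"NOTICE\s+\[(?P<jail>[^\]]+)\] (?P<what>Ban|Unban|Restore Ban) (?P<ip>\S+)$")


def recent_bans(log_text, now, window=timedelta(hours=1), jails=None):
    """IPs banned within `window` before `now`, optionally limited to some jails.
    'Restore Ban' (re-applied after a restart) counts as a ban; 'Unban' is ignored."""
    seen = set()
    for line in log_text.splitlines():
        m = BAN_RE.match(line)
        if not m or m.group("what") == "Unban":
            continue
        if jails and m.group("jail") not in jails:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        if ts <= now and now - ts <= window:
            try:
                seen.add(str(ipaddress.ip_address(m.group("ip"))))
            except ValueError:
                continue   # never copy unparsed text into a firewall feed
    return seen


def merge_blacklist(existing_text, new_ips):
    """Return the new IPs not already present as hosts or inside listed networks, sorted."""
    nets = []
    for raw in existing_text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if entry:
            try:
                nets.append(ipaddress.ip_network(entry, strict=False))
            except ValueError:
                pass       # a comment-only or malformed line in the hand-kept file
    added = []
    for ip in sorted(new_ips, key=ipaddress.ip_address):
        addr = ipaddress.ip_address(ip)
        if not any(addr in n for n in nets if n.version == addr.version):
            added.append(ip)
    return added


# Constructed samples; the network entry mirrors the format of the list above.
NOW = datetime(2020, 2, 19, 11, 0, 0)
SAMPLE_LOG = """\
2020-02-19 09:30:12,001 fail2ban.actions        [1234]: NOTICE  [asterisk] Ban 198.51.100.9
2020-02-19 10:05:01,123 fail2ban.actions        [1234]: NOTICE  [asterisk] Ban 203.0.113.5
2020-02-19 10:20:44,555 fail2ban.actions        [1234]: NOTICE  [sshd] Ban 203.0.113.77
2020-02-19 10:31:09,777 fail2ban.actions        [1234]: NOTICE  [asterisk] Unban 203.0.113.5
2020-02-19 10:40:00,000 fail2ban.actions        [1234]: NOTICE  [asterisk] Ban 5.62.41.200
2020-02-19 10:50:00,000 fail2ban.filter         [1234]: INFO    [asterisk] Found 203.0.113.200
"""
EXISTING = """\
5.62.40.0/23            # (03/09/2019) (5.62.40.0 - 5.62.41.255)   Privax LTD AVAST cloud London
203.0.113.77
"""

if __name__ == "__main__":
    # Real use: python3 export_bans.py /var/log/fail2ban.log /path/to/blacklist.txt
    log_path, list_path = sys.argv[1], sys.argv[2]
    new = merge_blacklist(open(list_path).read(), recent_bans(open(log_path).read(), datetime.now()))
    with open(list_path, "a") as f:
        for ip in new:
            f.write(f"{ip}            # ({datetime.now():%d/%m/%Y}) fail2ban\n")
    print(f"{len(new)} new entries", file=sys.stderr)
```

Pushing the file to the pfSense (scp, or writing into pfBlockerNG's custom list directory) is the part that stays site-specific, so it is left out here.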


(Ted Mittelstaedt) #16

Been there, done that; that DOES NOT WORK in some environments. In my case, running port forwarding of SIP from the outside to a machine on the inside through a Cisco enterprise router, calls simply were not reliable unless port 5060 was used. Even when following the suggested port forward examples for SIP that various Cisco fanboys swore worked for them on Cisco forums.

Nonstandard ports have their uses, but you should ALWAYS get it running with as vanilla a config as possible. Start with 5060 and everything else open. Get it working. Then start locking it down one item at a time, testing in between each item.

AND LASTLY AND MOST IMPORTANT THAT YOU FORGOT - BACKUP BACKUP BACKUP AND DOCUMENT DOCUMENT DOCUMENT AS YOU GO.


#17

Port forwarding through Cisco’s IOS works reliably unless you have an Application Level Gateway enabled in the way (Cisco/DPI). At least in my own experience (more than a few).

If you do have such a thing, disable the bugger:

  • Log onto the router’s terminal (command line interface) via telnet, SSH or serial console

  • enable

  • configure terminal

  • no ip nat service sip udp port 5060
    For TCP also run: no ip nat service sip tcp port 5060

But I am not really suggesting ‘forwarding’ 5060, I am suggesting just NOT USING UDP/5060; forward the ‘port of your choice’ through your router, be that Cisco, Ubiquiti, Netgear, TP-Link, whatever, if NAT’ed. . .

( I did not forget backups because I consider the lack of that a big DUH!!)


(Ted Mittelstaedt) #18

That was the first thing I tried. In fact, the general advice for port forwarding SIP on a port other than 5060 is to disable that. It does not work. At least not on IOS 12.4.25g with my version of FreePBX and with the various softphones I tested. Also, TCP did not work reliably no matter what.

I am not saying Cisco never fixed this. But Cisco is very well known for having bugs languish, unrepaired, for many years. And it is also important to understand that Cisco’s IOS code varies from device to device. IOS 12.4.25 doesn’t work exactly the same on all devices. Back “in the day”, when it was a lot easier to get lists of bugs of various releases, it was common for bugs to be both version- and hardware-specific. I am quite sure you have got it working on a non-standard port. I’m also quite sure that if you encountered the identical hardware I am using you would not get it working on a non-standard port with IOS 12.4.

We have an old saying in the go-fast auto hobby arena. Tune from the baseline. That is, start with stock and tune it first then dyno, before bolting on any go-fast parts. You would be amazed at how much garbage is sold to make cars go-fast that makes them go slow. Like fart cans.

Before tinkering for “security”, make sure it’s working perfectly with the defaults. That way, when you do something off your or anyone else’s “list” and things break, you know where the problem is. Trying to start out with all the security enabled, you will shoot yourself in the foot. Start out stock, then once it’s working add in the stuff. Not the other way around.


#19

I would take that to the Cisco forums more forcefully, I personally do not have any of your problems over many Cisco routers.

Port forwarding any port or range on any protocol just works for me. (maybe I just got ‘lucky’ hardware devices :wink: )

(Best way to make your models go faster is to add a “go faster stripe” to your engine hood; it worked for Ecurie Ecosse in the ’50s)


(Matt Brooks) #20

I would love to see some kind of microservice API for controlling the firewall rules and fail2ban black/white lists. To make it secure, I believe it can be locked down to only perform a specific segment of commands and bind to localhost so it wouldn’t be publicly facing.
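
What the locked-down version of that API could look like, as an added example: this is my sketch, not FreePBX code, and the thread does not say that any such service exists in the project. The design points are the ones named in the post: bind to 127.0.0.1 only, accept a fixed allowlist of actions rather than arbitrary commands, validate the IP before it reaches any command, run the command as an argv list (no shell), and require a shared secret read from a root-only file. The argv templates use fail2ban-client's `set <jail> banip` / `unbanip`; the jail name `asterisk`, the port and the token path are assumptions.

```python
"""Localhost-only, allowlisted control API for fail2ban (added example, not FreePBX code)."""
import hmac
import ipaddress
import json
import subprocess
from http.server import BaseHTTPRequestHandler, HTTPServer

JAIL = "asterisk"                       # assumption: the jail to control
# Each action is a fixed argv template; the only caller-controlled value is the
# validated IP, appended as a single argv element, so there is nothing to inject into.
ACTIONS = {
    "ban":   ["fail2ban-client", "set", JAIL, "banip"],
    "unban": ["fail2ban-client", "set", JAIL, "unbanip"],
}


def build_command(action, ip):
    """argv for an allowed action, or ValueError. Refuses loopback/unspecified addresses
    so a caller cannot use the API to ban the PBX itself."""
    if action not in ACTIONS:
        raise ValueError("action not allowed")
    addr = ipaddress.ip_address(ip)     # raises on '1.2.3.4; rm -rf /' and friends
    if addr.is_loopback or addr.is_unspecified:
        raise ValueError("refusing to act on loopback/unspecified address")
    return ACTIONS[action] + [str(addr)]


def rejects(action, ip):
    """True if build_command refuses the request (handy for self-checks)."""
    try:
        build_command(action, ip)
        return False
    except ValueError:
        return True


def authorized(header_value, secret):
    """Constant-time comparison of the shared token; missing header is a miss."""
    return bool(header_value) and hmac.compare_digest(header_value.encode(), secret.encode())


class Handler(BaseHTTPRequestHandler):
    secret = "change-me"                # overwritten from the token file in serve()

    def do_POST(self):                  # POST /ban or /unban with {"ip": "..."}
        if not authorized(self.headers.get("X-Auth-Token"), self.secret):
            return self._reply(401, {"error": "unauthorized"})
        try:
            length = int(self.headers.get("Content-Length", "0"))
            body = json.loads(self.rfile.read(length) or b"{}")
            if not isinstance(body, dict):
                raise ValueError("body must be a JSON object")
            argv = build_command(self.path.strip("/"), str(body.get("ip", "")))
        except ValueError as exc:       # json.JSONDecodeError is a ValueError too
            return self._reply(400, {"error": str(exc)})
        proc = subprocess.run(argv, capture_output=True, text=True, timeout=10)
        self._reply(200 if proc.returncode == 0 else 500,
                    {"cmd": argv, "rc": proc.returncode, "out": proc.stdout.strip()})

    def _reply(self, code, payload):
        data = json.dumps(payload).encode()
        self.send_response(code)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


def serve(port=8765, token_path="/etc/pbx-ctl.token"):   # assumed port and token file
    with open(token_path) as f:
        Handler.secret = f.read().strip()
    HTTPServer(("127.0.0.1", port), Handler).serve_forever()   # loopback only, never 0.0.0.0


if __name__ == "__main__":
    serve()
```

From the same host: `curl -X POST -H 'X-Auth-Token: ...' -d '{"ip":"203.0.113.5"}' http://127.0.0.1:8765/ban`. Anything that is not an IP, any action outside the two allowed, and any request without the token gets a 4xx before `fail2ban-client` is ever invoked; a reverse proxy or SSH port forward is the only way to reach it from elsewhere, which is the point.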