You might know I'm a bit of a security freak


(Rob Thomas) #1

Well, I -am- a bit of a security freak! I’ve been trying to get some time put aside to revamp the way FreePBX does firewalls (which, at the moment, consists of a loose integration with fail2ban, and… that’s pretty much it). I mentioned this in passing on IRC last week, and it seems to have stirred up a bit of a hornets nest.

So, here’s what I’m trying to achieve: An open source, tightly integrated, FreePBX Firewall.

I want it to work with C6 and C7 (firewalld), and HOPEFULLY ufw (Ubuntu). It’s going to be open source (AGPL3, of course). I threw together a bit of code yesterday, and it’s up on git now.

It doesn’t actually DO anything yet, but I’m hoping by the end of the week I’ll have something that people can click on and do stuff with.

I’ll be using this post for announcements and stuff. If you have any requests, features, suggestions, or hints, this is the place to talk about them!


FreePBX Firewall Thread! (2nd Post has status)
(Rob Thomas) #2

So this is how it started this morning (BTW, today’s ACTUALLY a day off for me, but, the rest of the clan have headed off to pick up our new dog!) http://i.imgur.com/A2XJqQe.png

And this is what it’s like now http://i.imgur.com/xhL1N2C.png

From here, you will then assign services to zones, and there’s going to be a bunch of cool stuff happening behind the scenes.

Realistically, this is just going to be a front-end to whatever firewall service your machine is running - be it firewalld, ufw, or something else totally. I’m going to start work on an abstraction layer for that next!

Edit the next day:

She’s a 5yo retired racer that we adopted. Her name is Honey, and is extremely sweet to match her name.


#3

Hi Rob,
Zone concept probably is a cool idea (actually seen it used in a firewall product I use)

Do you plan on having more high-level concepts like named address objects or named (compound) address lists?

(that’s right it probably won’t translate every rule 1:1 to netfilter/iptables calls, as these may be requiring to create more under the hood, but since you’re probably deciding now how ‘high level’ you want this to be, thought I’d mention this)

A nice touch would probably also be, to have the statistics (packet count of every rule, maybe some ‘kbps’ figure(s)) shown live too :wink:

(I’m not that familiar with what ufw and/or firewalld do, last I remember meddling with Linux firewall it was iptables, and tc, over command line ; ) )


(Rob Thomas) #4

Yes. My idea is not to make this some be-all and end-all firewall product that does everything. This is just to be a simple firewall to secure one service on one machine. Which is FreePBX. This makes it a lot easier to do smart things like that, because there are an extremely small number of services that a machine can run.

That MAY be possible, but I’m trying to avoid using iptables calls directly, and instead rely on the systems firewall service. I’ll think about it for sure.


(Rob Thomas) #5

I’m having a bit of a fiddle with the layout. I think this seems pretty reasonably self-explanatory.

Anyone have any better suggestions?

Also, I don’t think I mentioned, this is all available on our Git repository – you can watch https://github.com/FreePBX/firewall/commits/master to see what I’ve been doing.


(Rob Thomas) #6

Here’s services…


(Rob Thomas) #7

Actually, I ended up not doing that, and changing the layout a bit. We had a good chat on IRC about what we think people want (and please, join in if you have input!) and ended up simplifying that a bit.


I also started work on the ‘Preconfigured’ stuff. I think I like the look of this.


#8

Hey Rob
Nice dog, and firewall idea.
FWIW, we keep our FreePBX hardware tucked up safely inside a separate IpCop firewall/router.
Open Source of course.
Not sure another firewall in series would add much benefit.
Other than being like Paddy wearing 2 condoms “to be sure to be sure”. :wink:


#9

If anything, and if added ‘triggers’ for unsolicited accesses (and live stats of what each rule passes/detects), could serve as nice ‘yet another’ independent ‘listening’ local-network IADD :wink:


(Rob Thomas) #10

BOTH are things I’ve wanted for a while :sunglasses:

And you are not the target user. For people like you that already have a firewall they wouldn’t even bother turning this on.

But, for people that are deploying FreePBX in the cloud, or other hosted environments, or even for people who don’t understand firewalls all that well, that’s where this comes in. That’s why I’m trying to make it as understandable and easy to use as possible.

I don’t want to turn this into a be-all and end-all firewall service. This is just to configure your OS’s pre-existing firewall so it works and X-Random-User doesn’t need to know EXACTLY to let ports 10000-20000 (or whatever they set their RTP ports to) through their firewall.


(Rob Thomas) #11

Oh, it’s monday (Well, it is here)! I’ve been doing a bit of messing around over the weekend.

After some discussions in IRC, we’ve decided to let people define THREE zones, as we could only think of a possible use for two, so I added another one, just in case.

I also removed the somewhat confusing ‘Reject’ zone, which wouldn’t have actually rejected anything, and would have made people pull their hair out. So, I think this is almost at the point where the front end is complete! I just need to do some back end programming now.


#12

One quick comment, I hope you’ll be able to add dynamic DNS addresses and not just numeric ip addresses to the trusted zone. Right now I have a script running that checks a small list of dynamic IP addresses every five minutes and updates the iptables firewall if any have changed. This is particularly necessary for offsite extensions served by certain DSL providers, which tend to change the end user’s IP address as often as every day or two. I would be great if FreePBX could handle this, so I could do away with the script.


#13

Excellent work Rob!

I think this is great for certain people, @bgroper mentioned he keeps his equipment behind a firewall, which of course is my favorite way to do things, however we also have several VPS’s on the cloud which don’t have that capability so this solves that issue.

One of the things I do can possibly be added to this as an expanded version if you think it makes sense (reporting tab). With iptables and fail2ban we of course block people out of the box but I add additional functionality by tweaking fail2ban to utilize blocklist.de. This service sends reports to abuse@ of the networks from the source attacker, basically trying to get those attackers to stop.

The firewall of course blocks them because we don’t want them in our box, but to try and put a dent in slowing them down in the long run is a bonus.

As an example here are my stats:
“Currently you have registered 12 Server at blocklist.de.
These have reported a total of 34721 attacks, which have raised a total of 16335 abuse reports.”

Some of the test servers I have here may not be PBX’s but several of these are.

With just some additional coding I was able to send 16K abuse reports!
I’m not a magician but maybe if enough people send abuse reports we can slow down the attackers from wasting our resources.

Thanks, and keep up the good work! I will load it at some point to check it out.


(Rob Thomas) #14

100% confirmed that will be a feature.


#15

I remain interested in Rob’s FreePBX firewall developments too.
FWIW, in another firewall we’re starting to experiment with geo blocking using ipset, and ipdeny tables.
See http://ipset.netfilter.org and http://www.ipdeny.com/
Trying to deny all attempted connections from eastern europe, China, and sundry other unwanted places.
Time will reveal whether this might be worthwhile.
(Of course geo blocking can be worked around using a vpn or proxy service located in an “allowed” country, but the more obstacles can be placed in the way of hackers, the more likely they are to go attack somebuddy else’s server.)


#16

Any ipset needs to be trustworthy and useful, if you have one you trust it is trivial to set up, As I keep on saying the threat is no longer geolocated they are on the same cloud servers that you use.

The good thing that they are low impact on iptables, even if they are huge, so if ineffective or wrong wont do much harm, the better set would be for a trusted set which would include all the comcast’s verizon’s apple VSP’s that are too low bandwidth or compromised to generally be the source of your problems, If you mistakenly exclude a client because he is in an intourist hotel in moscow, but allow a cluster of chinese machine on datashack . . .


(Rob Thomas) #17

Exactly!


#18

There is a nice blossoming of Fail2ban with a cluster concept if you have a few servers, you will benefit all on your own , if you trust buanzo then this could go far . . . .

Start here

http://blog.gmane.org/gmane.comp.security.fail2ban.user

( you will need fail2ban 0.9 )

p.s.

CSF/LFD already has that in-place along with ipsets , it works.


(Rob Thomas) #19

There’s been some discussions in IRC about DoS attacks on Cloud-based FreePBX machines, and @drmessano mentioned that he uses rate limiting, which started me down the track of ‘How can I implement that?’

The idea behind this is that people don’t need to know how firewalls work to have a secure system. They should be able to turn this on, enable the defaults, and it will do all the work for you.

What I DON’T want to do is expose a lot of knobs and switches and stuff for people to twiddle. I want to get 90% of the features that 90% of the people want.

Rate limiting solves a DoS - a ‘Denial of Service’. That’s what’s known as a Layer 7 attack. If someone discovers that they can send a magic packet to Asterisk that causes it to use a bit of CPU for a bit of time, there’s nothing stopping them from sending a LOT of those magic packets to Asterisk, causing it to use ALL the CPU for ALL the time.

This does not address a DDOS. DDOS’s are a Layer 3 attack. They just fill the internet connection coming to your machine. There’s no finesse or skill involved, it’s just like pointing a firehose at a garden hose. It’s physically impossible to address that problem at your end of the link, it has to be addressed upstream. So don’t get confused and think that this is a magic bullet.

Anyway, this leads to me thinking that I will enable rate limiting by default. I’ll probably have some automatic scaling based on number of registered extensions and trunks, but I haven’t figured out what that should be yet. I want to to err on the side of ‘do not block incoming calls’, because the last thing you want is for you to start dropping calls because you suddenly get popular.

A rough seat-of-the-pants calculation and some tcpdump-ing gives me one SIP packet per 30 seconds per device. So I think I’m going to default to letting 10 SIP packets per 30 seconds per device through before it starts rate limiting them.

Anyone have any better suggestions?

Edit: To clarify - Once a device is registered, it will not be rate limited. This is only for unknown IP addresses trying to register or send SIP packets - for example, trunks that aren’t using REGISTER.


#20

I am sure you are aware but just pointing out that there is more than just asterisk/SIP running on your boxen, likely all sorts of java not to mention the various other “applications” like iax2, AMI,postfix and xmpp. If I where a bad guy i would go for the java stuff as being most likely vulnerable to DOS.