Create best Firewall for vici Server with public IP

Posted: Fri Feb 26, 2016 7:32 pm
by gservices
Hello,
I have one Vicidial server with a public IP and only one Ethernet card.

Every time I must check the firewall and the traffic, because I find more brute-force attempts hacking my server and making more traffic on my network card.
Yesterday I found some IPs that make traffic on my port 123.
What is the best way to configure the firewall, which ports do I need to leave open, and what do I need open to get services from the WAN?

When I say to get services, I mean more ports, e.g. DNS, NTP, and which protocol.

Does anyone have a server with a public IP, or anyone who has his server in a datacenter or hosted anywhere?

Re: Create best Firewall for vici Server with public IP

Posted: Fri Feb 26, 2016 8:18 pm
by williamconley
Look for Dynamic Good Guys in Viciwiki.com

Re: Create best Firewall for vici Server with public IP

Posted: Sat Feb 27, 2016 5:47 am
by Biagio.Viola
Williamconley, I can suggest the pfSense firewall to defend your Vicidial.

WAN-----PFSENSE------VICIDIAL

Vicidial is a contact center system; if you aren't iptables-oriented, use pfSense.

regards

Re: Create best Firewall for vici Server with public IP

Posted: Sat Feb 27, 2016 11:30 am
by williamconley
pfSense is a technical tool that is RARELY configured properly for Vicidial, even by those who use pfSense regularly. It also adds a layer of "language/programming" (as now one must learn pfSense in addition to everything else). pfSense modifies iptables, which is the actual firewall. pfSense has an install process and administration requirements. It also does not allow for "The Boss" to access the system from Starbucks on her iPad at 2PM while stepping out of the office (random IP access without giving up access to China!).

Fail2Ban (which also modifies iptables), FAILS to block rotating IP brute force attacks but often blocks entire offices when one user screws up.

Dynamic Good Guys (which also modifies iptables), is simple to use and easy to install. It has TWO web pages for an interface: The primary interface shows ONLY a list of "good ips" which can be added to or deleted from. Any desk jockey can handle it. Even "The Boss". The remote interface is just a login to allow remote access, and requires a special link to gain access to it. Once installed anyone can manage DGG, no technical expertise required. And to date: No brute force attacks reported and NO entire offices locked out because one idiot tried the wrong password. We created it back when we had clients calling daily (new clients!) who were being attacked from Russia and China and could not conduct business. DGG resolved that issue immediately upon installation. (Admittedly in some cases where an attack was already underway we had to mitigate the attack before the nightly reboot, at which point the attacks just "stopped" because DGG causes the server to appear "gone" ... but some of the already running attack scripts would continue to attack for the remainder of their scripted schedule on that first day.)

And once installed, we've never had a support call to fix DGG. pfSense, on the other hand, has had a huge number of support calls. Generally the advice of "try it again WITHOUT pfSense" causes "happy clients". Plus, it's free just like fail2ban and pfSense. Hard to beat.

Don't get me wrong, pfSense is a powerful and useful tool. But that does not make it the best tool for this purpose. LOL

Re: Create best Firewall for vici Server with public IP

Posted: Sat Feb 27, 2016 6:23 pm
by gservices
Thank you!

Thank you williamconley
I will use DGG; I will implement it to keep safe :)
The reality of my topology is that I use a Mikrotik RouterBoard and the WAN port is bridged with the port of the Vicidial server. I use the Bridge Filter, which is good. And Fail2ban on the server, but it has only some services active (asterisk, ssh, apache2, ftp...), not all....
On the WAN we have more ports that are brute-forced, hostnames for which fail2ban does nothing...

For this I must know if anyone uses a customized firewall to protect a server with a public IP.

Re: Create best Firewall for vici Server with public IP

Posted: Sat Feb 27, 2016 6:28 pm
by gservices
For me it is not the best way to use prepared devices like pfSense.

Thank you Biagio

Re: Create best Firewall for vici Server with public IP

Posted: Sat Feb 27, 2016 7:05 pm
by williamconley
If you have a brute force attacker on a public IP, DGG is your answer for a Vicidial server. Never allow PUBLIC access to the Vicidial server. Whitelist ONLY.

Re: Create best Firewall for vici Server with public IP

Posted: Mon Feb 29, 2016 11:49 pm
by proper
gservices wrote: Hello,
I have one Vicidial server with a public IP and only one Ethernet card.

Every time I must check the firewall and the traffic, because I find more brute-force attempts hacking my server and making more traffic on my network card.
Yesterday I found some IPs that make traffic on my port 123.
What is the best way to configure the firewall, which ports do I need to leave open, and what do I need open to get services from the WAN?

When I say to get services, I mean more ports, e.g. DNS, NTP, and which protocol.

Does anyone have a server with a public IP, or anyone who has his server in a datacenter or hosted anywhere?


There are a few ways you can address this, but I strongly recommend getting a mid-range network appliance and configuring it to secure your server. If Cisco is too complex, get something like Zyxel; you can easily fit into a $200 budget (assuming you have a small to mid-size deployment).

As some forum members already pointed out, it is very bad practice to keep your server publicly accessible. Access should be issued either via VPN or whitelist, and only on the ports needed for Vici.

Having an external firewall insulates your deployment, offers greater stability and can protect from a larger variety of attacks.

If networking is not your thing, William mentioned another option: Dynamic Good Guys. It's a system that manages iptables with the ability to log in using a web interface on a separate port; after login, your IP is added to the "good guys" list and you have full access.
I have seen this system in action, it is a good solution if no network is available.
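The whitelist-only iptables policy that William and proper describe, written out as an added example (this is not DGG's code and was not posted by anyone in the thread). The whitelisted addresses and the port list are constructed assumptions for a typical Vicidial host; adjust them to your own deployment.

```shell
#!/bin/sh
# Generates an iptables-restore ruleset for the "whitelist only" policy
# recommended in the thread: INPUT defaults to DROP, loopback and replies
# to connections the server itself opened (DNS, NTP lookups) are allowed
# by conntrack, and only the listed good IPs may open the listed ports.
# Unsolicited UDP/123 probes like the ones mentioned never reach a service.
# Port choices are assumptions for a typical Vicidial host: 22 (ssh),
# 80 (apache), 5060/udp (SIP) and 10000-20000/udp (RTP).

# Constructed sample whitelist; DGG would maintain this list for you.
GOOD_IPS="203.0.113.10 198.51.100.0/24"
TCP_PORTS="22 80"
UDP_PORTS="5060 10000:20000"

# whitelist_ruleset "<ips>" "<tcp ports>" "<udp ports>" -> iptables-restore text
whitelist_ruleset() {
  ips=$1; tcp=$2; udp=$3
  printf '%s\n' '*filter'
  printf '%s\n' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
  printf '%s\n' '-A INPUT -i lo -j ACCEPT'
  printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
  for ip in $ips; do
    for p in $tcp; do
      printf '%s\n' "-A INPUT -s $ip -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    for p in $udp; do
      printf '%s\n' "-A INPUT -s $ip -p udp --dport $p -j ACCEPT"
    done
  done
  # Rate-limited log of what is dropped: the iptables counterpart of
  # watching Torch on the Mikrotik.
  printf '%s\n' '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "DROP-INPUT: "'
  printf '%s\n' 'COMMIT'
}

# rule_count: number of ACCEPT rules in the generated set (sanity check)
rule_count() {
  whitelist_ruleset "$1" "$2" "$3" | grep -c -- '-j ACCEPT'
}

# Review the output first, then load it with: sh thisscript.sh | iptables-restore
whitelist_ruleset "$GOOD_IPS" "$TCP_PORTS" "$UDP_PORTS"
```

Anything not in the whitelist, including the port 123 traffic from the first post, is dropped before it reaches Asterisk, Apache or sshd, which is the behaviour DGG's "server appears gone" remark refers to.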

Re: Create best Firewall for vici Server with public IP

Posted: Sun Apr 03, 2016 11:06 am
by gservices
Thank you, proper
I know now to use "GOOD GUYS" and I will implement it in new servers.

Now I am using fail2ban, which bans 5 IPs every day on ssh, but in apache and other services I have not seen any banned.

But I have a Mikrotik with the interface on a bridge and configured the Bridge Firewall. One month ago I found an attack on port 123, protocol UDP; I blocked it with a Filter Rule.
I can see all attacks in Torch > Mikrotik.

Thank you!