securing vicidial using CSF firewall, did anyone tried


Postby orisolo » Thu Jul 04, 2013 6:32 pm

Hi Guys,

I was using CSF firewall to secure Elastix installations.
I now need to secure a vicidial-goautodial box, and though I think it should work the same as Elastix, I wonder if anyone has experience with CSF.
The main reason I like CSF is its ability to whitelist a DDNS domain vs. only an IP; this way, if my remotes change their IP, it is whitelisted again within the script time frame (I use 5 minutes).
With an Elastix installation it is a breeze...

Can anyone tell if he had good experience with it?
Or bad experience and why not to use it?

It involves installing Webmin and then CSF as a service.

I find it easier to use with the UI than using the CLI with iptables.
Also the DDNS feature is important to me as it reduces support time when a remote gets a new IP for whatever reason.
DDNS is also important to me as I travel and my IP is constantly changing.


Thanks for the input.
orisolo
 
Posts: 11
Joined: Mon May 09, 2011 9:33 pm

Re: securing vicidial using CSF firewall, did anyone tried

Postby williamconley » Thu Jul 04, 2013 7:24 pm

If you are using GoAutoDial and have experience installing Webmin Modules, I see no reason why you would have a problem. Especially since you are familiar with the challenges regarding Asterisk as opposed to a simple web server.

Publish your findings here upon completion. Who knows, Gardo may put Webmin and your CSF module in as a security feature for future editions of GoAutoDial. It sounds like a good addition.

We built a simple web interface for a whitelisted iptables configuration, but it does not (at present) support DNS lookup, certainly not on a 5 minute cycle. Sounds good. :)
Vicidial Installation and Repair, plus Hosting and Colocation
Newest Product: Vicidial Agent Only Beep - Beta
http://www.PoundTeam.com # 352-269-0000 # +44(203) 769-2294
williamconley
 
Posts: 20253
Joined: Wed Oct 31, 2007 4:17 pm
Location: Davenport, FL (By Disney!)

Re: securing vicidial using CSF firewall, did anyone tried

Postby orisolo » Thu Jul 04, 2013 8:32 pm

OK, I'll give it a try.
I think it should work.
CSF is a firewall and fail2ban in one package (though not called fail2ban).

Here is an article on how to do it on elastix.

("Your post looks too spamy for a new user, please remove off-site URLs.")

oh well... run Google search on elastixconnection. com "installing csf firewall"
(maybe an admin or other user can dig and post the link for the community)

I think it should be pretty straightforward, as we are talking about Asterisk where Vicidial is the "wrap around", and it probably should not have a problem with CSF.

Time to create a backup and see how it goes.
I'll post success/fail when done.
Wish me luck ;)
orisolo
 
Posts: 11
Joined: Mon May 09, 2011 9:33 pm

Re: securing vicidial using CSF firewall, did anyone tried

Postby orisolo » Thu Jul 04, 2013 8:34 pm

I found the correct name for CSF's "fail2ban" feature: it's called LFD (Login Failure Daemon).

"CSF is generally considered a more advanced firewall as there are more configuration options compared to other firewalls, while still being simple enough to install and configure that even novice administrators can use it. This article will give you a simple overview about how to install and configure CSF and its security plugin LFD (Login Failure Daemon)."
orisolo
 
Posts: 11
Joined: Mon May 09, 2011 9:33 pm

Re: securing vicidial using CSF firewall, did anyone tried

Postby williamconley » Thu Jul 04, 2013 8:49 pm

After you have it installed and configured and working ... post instructions and your experience notes. Then it'll be here for others and for you when you need it again. And perhaps Gardo will use it (and perhaps others will improve it if it has any flaws!)
williamconley
 
Posts: 20253
Joined: Wed Oct 31, 2007 4:17 pm
Location: Davenport, FL (By Disney!)

Re: securing vicidial using CSF firewall, did anyone tried

Postby orisolo » Thu Jul 04, 2013 9:41 pm

Sure, I will.
I'm currently in the process of creating an image.
I'm using Mondo Rescue for the image creation.
If Webmin and CSF turn out to be a complete mess (I'm not expecting that), then I can always "reset".
It's good to have a fallback plan just in case.
orisolo
 
Posts: 11
Joined: Mon May 09, 2011 9:33 pm

Re: securing vicidial using CSF firewall, did anyone tried

Postby orisolo » Thu Jul 04, 2013 9:43 pm

I forgot to mention, I'm remoting to the server.
I would probably use Clonezilla if I had physical access. (I think it's faster.)
orisolo
 
Posts: 11
Joined: Mon May 09, 2011 9:33 pm

Re: securing vicidial using CSF firewall, did anyone tried

Postby williamconley » Thu Jul 04, 2013 11:11 pm

You don't like G4L (Ghost for Linux)?
williamconley
 
Posts: 20253
Joined: Wed Oct 31, 2007 4:17 pm
Location: Davenport, FL (By Disney!)

Re: securing vicidial using CSF firewall, did anyone tried

Postby orisolo » Fri Jul 05, 2013 8:43 am

Now it gets important, so here is what is running:

Hardware: Dell 830 server
Dual quad Xeon processor with 8GB
GoAutoDial VERSION: 2.4-309a BUILD: 110430-1642

OK, I followed the installation as listed in the doc.
http://www.elastixconnection.com.au/index.php?option=com_content&view=article&id=112&Itemid=120

Pretty ez, everything worked out of the box.
I now scan my ports and they are not showing.
The server is completely blocked unless the IP is allowed.
I did allow my local network (i.e. 192.168.1.0/24).

I'm not sure how to hack CSF, so my only testing was to open and close ports and then scan from an online scanner.
(My IP was allowed so I don't get locked out; I'm remoting to the box that is 1000 miles away.)
All tests show the port available or blocked according to my settings in CSF.

DyDNS is working and that is the main reason to use CSF, except that it is very good and robust.
I configured the DyDNS to check every 300 sec (5 min).

I set up DyDNS for my office, home and cellphone.
Cellphone is the biggest issue as IPs are changing all the time.

I'm not a Linux, Asterisk or Vicidial guru; my knowledge is very limited compared with others on this forum.
I think one of the mods/gurus should look into it, test it and maybe consider recommending it to others.

Please take my experience with a grain of salt; make sure you get educated, test, know what you are doing and only then deploy on a production server.

I already deployed it on a production server (yes, I had a Romanian IP running calls through me; I believe it was the MySQL port open). I didn't find any trace of hackers in my root of the box, so I think CSF will be enough to move their energy to someone else :(

I will closely monitor it for any hackers and if I see them back then I will have to re-install the box over the weekend.

If you do experiment and/or deploy CSF, please share with the community (this thread is a good place to start).
Thank you
orisolo
 
Posts: 11
Joined: Mon May 09, 2011 9:33 pm

Re: securing vicidial using CSF firewall, did anyone tried

Postby williamconley » Fri Jul 05, 2013 12:00 pm

Excellent post back. 8-)

Was it necessary to install webmin before CSF (or was that part of the install? or was it already in GoAutoDial?)?
williamconley
 
Posts: 20253
Joined: Wed Oct 31, 2007 4:17 pm
Location: Davenport, FL (By Disney!)

Re: securing vicidial using CSF firewall, did anyone tried

Postby orisolo » Fri Jul 05, 2013 3:36 pm

Yes, CSF is sitting as a service in Webmin. At least if you need a GUI.
I didn't read enough; maybe it can work via CLI without Webmin, but the GUI makes it so ez.

So far, the last few hours in production and no sign of unauthorized leeching hackers.

If you guys suffer from DDNS there is a built-in, just need to enable it (I didn't yet).
You can block by country IP and spam list IPs.
This is in LFD:

###############################################################################
# Copyright 2006-2013, Way to the Web Limited
# URL: http://www.configserver.com
# Email: sales@waytotheweb.com
###############################################################################
# This file contains definitions to IP BLOCK lists.
#
# Uncomment the line starting with the rule name to use it, then restart csf
# and then lfd
#
# Each block list must be listed on per line: as NAME|INTERVAL|MAX|URL
#   NAME    : List name with all uppercase alphabetic characters with no
#             spaces and a maximum of 9 characters - this will be used as the
#             iptables chain name
#   INTERVAL: Refresh interval to download the list, must be a minimum of 3600
#             seconds (an hour), but 86400 (a day) should be more than enough
#   MAX     : This is the maximum number of IP addresses to use from the list,
#             a value of 0 means all IPs
#   URL     : The URL to download the list from
#
# Note: Some of thsese lists are very long (thousands of IP addresses) and
# could cause serious network and/or performance issues, so setting a value for
# the MAX field should be considered
#
# After making any changes to this file you must restart csf and then lfd
#
# If you want to redownload a blocklist you must first delete
# /var/lib/csf/csf.block.NAME and then restart csf and then lfd
#
# Each URL is scanned for an IPv4/CIDR address per line and if found is blocked

# Spamhaus Don't Route Or Peer List (DROP)
# Details: http://www.spamhaus.org/drop/
#SPAMDROP|86400|0|http://www.spamhaus.org/drop/drop.lasso

# Spamhaus Extended DROP List (EDROP)
# Details: http://www.spamhaus.org/drop/
#SPAMEDROP|86400|0|http://www.spamhaus.org/drop/edrop.lasso

# DShield.org Recommended Block List
# Details: http://dshield.org
#DSHIELD|86400|0|http://feeds.dshield.org/block.txt

# TOR Exit Nodes
# Details: https://trac.torproject.org/projects/tor/wiki/doc/TorDNSExitList
#TOR|86400|0|http://exitlist.torproject.org/exit-addresses

# BOGON list
# Details: http://www.team-cymru.org/Services/Bogons/
#BOGON|86400|0|http://www.cymru.com/Documents/bogon-bn-agg.txt

# Project Honey Pot Directory of Dictionary Attacker IPs
# Details: http://www.projecthoneypot.org
#HONEYPOT|86400|0|http://www.projecthoneypot.org/list_of_ips.php?t=d&rss=1

# C.I. Army Malicious IP List
# Details: http://www.ciarmy.com
#CIARMY|86400|0|http://www.ciarmy.com/list/ci-badguys.txt

# BruteForceBlocker IP List
# Details: http://danger.rulez.sk/index.php/bruteforceblocker/
#BFB|86400|0|http://danger.rulez.sk/projects/bruteforceblocker/blist.php

# Emerging Threats - Russian Business Networks List
# Details: http://doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork
#RBN|86400|0|http://rules.emergingthreats.net/blockrules/rbn-ips.txt

# OpenBL.org 30 day List
# Details: http://www.openbl.org
#OPENBL|86400|0|http://www.us.openbl.org/lists/base_30days.txt

# Autoshun Shun List
# Details: http://www.autoshun.org/
#AUTOSHUN|86400|0|http://www.autoshun.org/files/shunlist.csv

# MaxMind GeoIP Anonymous Proxies
# Details: http://www.maxmind.com/en/anonymous_proxies
#MAXMIND|86400|0|http://www.maxmind.com/en/anonymous_proxies
orisolo
 
Posts: 11
Joined: Mon May 09, 2011 9:33 pm
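
The file pasted in the post above documents its own entry format (NAME|INTERVAL|MAX|URL) and limits. As an added example, not part of the original thread or of CSF itself, this Python check lints such a file against those documented limits before csf and lfd are restarted; the function name `lint_blocklists`, the advisory notes and the sample entries are constructed for illustration.

```python
import re

# Constructed sample in the NAME|INTERVAL|MAX|URL format described in the file header.
SAMPLE = """\
#SPAMDROP|86400|0|http://www.spamhaus.org/drop/drop.lasso
DSHIELD|86400|0|http://feeds.dshield.org/block.txt
TOR|600|0|http://exitlist.torproject.org/exit-addresses
Bad_Name1|86400|500|https://blocklist.example/list.txt
CIARMY|86400|0
"""

NAME_RE = re.compile(r"[A-Z]{1,9}")  # uppercase letters only, max 9 (iptables chain name)

def lint_blocklists(text):
    """Return (enabled, problems) for csf.blocklists-style text."""
    enabled, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank, or still commented out: that list is not in use
        parts = line.split("|", 3)
        if len(parts) != 4:
            problems.append((lineno, "expected NAME|INTERVAL|MAX|URL"))
            continue
        name, interval, maximum, url = (p.strip() for p in parts)
        errs = []
        if not NAME_RE.fullmatch(name):
            errs.append("NAME must be 1-9 uppercase letters")
        if not interval.isdecimal() or int(interval) < 3600:
            errs.append("INTERVAL must be at least 3600 seconds")
        if not maximum.isdecimal():
            errs.append("MAX must be a non-negative integer")
        if not url.startswith(("http://", "https://")):
            errs.append("URL must be http or https")
        if errs:
            problems.extend((lineno, e) for e in errs)
            continue
        notes = []  # advisory only: the entry is valid but worth a second look
        if int(maximum) == 0:
            notes.append("MAX=0 loads every address in the list")
        if url.startswith("http://"):
            notes.append("plain HTTP: list is fetched without integrity protection")
        enabled.append({"name": name, "interval": int(interval),
                        "max": int(maximum), "url": url, "notes": notes})
    return enabled, problems

if __name__ == "__main__":
    enabled, problems = lint_blocklists(SAMPLE)
    print(enabled, problems, sep="\n")
```
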

Re: securing vicidial using CSF firewall, did anyone tried

Postby gardo » Fri Jul 05, 2013 5:36 pm

This is pretty handy and neat. A more dynamic way to secure your box via IPtables. Thank you for posting this. :D
http://goautodial.com
Empowering the next generation contact centers
gardo
 
Posts: 1926
Joined: Fri Sep 15, 2006 10:24 am
Location: Manila, 1004

Re: securing vicidial using CSF firewall, did anyone tried

Postby williamconley » Fri Jul 05, 2013 7:36 pm

Webmin especially would make a good addition to GoAutoDial if it is not in there already. This would be a great excuse.

Also have a look at the functionality of Usermin (an add-on for Webmin to allow it to be used for all sorts of "user level" features such as email ...). It can be used to allow specific users access to specific items while blocking them from major webmin functions. Like a button to edit any file on the server, for instance. We used it extensively when we were installing Trixbox machines.

viewtopic.php?t=15205
williamconley
 
Posts: 20253
Joined: Wed Oct 31, 2007 4:17 pm
Location: Davenport, FL (By Disney!)

Re: securing vicidial using CSF firewall, did anyone tried

Postby orisolo » Fri Jul 05, 2013 8:15 pm

I will give it a look; I never played with Usermin before.
I went away from Trixbox a few years ago since they started charging and changing the "game".
My favorite lately is Elastix.
Elastix also has a user level built into its GUI which I use a lot; very ez, just tick the box and you are done.
I don't do many phone systems anymore, just a few here and there.

Like I said above, the most important thing for me is DyDNS since I'm moving a lot and almost all my boxes are remote or a long drive.
Thanks for the tip.
Have a great weekend
orisolo
 
Posts: 11
Joined: Mon May 09, 2011 9:33 pm

Re: securing vicidial using CSF firewall, did anyone tried

Postby ger1966 » Sun Jun 08, 2014 10:24 pm

Since I started using Xtables-geoip I have no more pain:

For Vicibox 5.03
rpm -i http://ftp.uni-erlangen.de/pub/mirrors/ ... .3.src.rpm
rpm -i http://ftp.uni-erlangen.de/pub/mirrors/ ... .1.src.rpm

iptables -I INPUT 2 -m conntrack --ctstate NEW -m geoip ! --source-country DE -j DROP ### prohibit any traffic except Germany
iptables -I INPUT 1 -s 77.72.174.132 -j ACCEPT #### allow traffic from Sip Provider (sip.voippro.com)
iptables -I INPUT 1 -s 127.0.0.1 -j ACCEPT #### allow internal Traffic

Kind Regards
Thomas
ger1966
 
Posts: 41
Joined: Mon Aug 04, 2008 9:12 am

