Create best Firewall for vici Server with public IP


Postby gservices » Fri Feb 26, 2016 7:32 pm

Hello,
I have one Vicidial server with a public IP and only one Ethernet card.

I constantly have to check the firewall and the traffic because I keep finding more brute-force attempts hacking my server and making more traffic on my network card.
Yesterday I found some IPs making traffic on my port 123.
What is the best way to configure the firewall, which ports do I need to leave open, and what do I need open to get services from the WAN?

By services I mean ports for, e.g., DNS and NTP, and which protocol.

Does anyone have a server with a public IP, or does anyone have their server in a datacenter or hosted anywhere?
Vicibox_v.6.0.x86_64-6.0.4| Vicidial 2.12b0.5 | SVN :2553 | Asterisk 1.8.32.3| 4 Servers | WORKSTATION Z400
ViciBox.x86_64-4.0.2.iso | Vicidial 2.6-393a Build 130124-1721 | Asterisk 1.4.44 | Single Server | Intel(R) Core(TM)2 Duo
gservices
 
Posts: 54
Joined: Mon Mar 11, 2013 5:31 am

Re: Create best Firewall for vici Server with public IP

Postby williamconley » Fri Feb 26, 2016 8:18 pm

Look for Dynamic Good Guys in Viciwiki.com
Vicidial Installation and Repair, plus Hosting and Colocation
Newest Product: Vicidial Agent Only Beep - Beta
http://www.PoundTeam.com # 352-269-0000 # +44(203) 769-2294
williamconley
 
Posts: 20258
Joined: Wed Oct 31, 2007 4:17 pm
Location: Davenport, FL (By Disney!)

Re: Create best Firewall for vici Server with public IP

Postby Biagio.Viola » Sat Feb 27, 2016 5:47 am

Williamconley, I can suggest the pfSense firewall to defend your Vicidial.

WAN-----PFSENSE------VICIDIAL

Vicidial is a contact center system; if you aren't iptables oriented, use pfSense.

Regards
ViciBox Redux v.6.0.4 | Asterisk 1.8.32.3-vici | Vicidial VERSION: 2.12-538a BUILD: 160122-1401 © 2016 ViciDial Group| Poweredge 1950 CPU 2 x Xeon 3.6 Ghz RAM 12GB HDD 450 RAID1
Biagio.Viola
 
Posts: 5
Joined: Thu Feb 25, 2016 12:48 pm

Re: Create best Firewall for vici Server with public IP

Postby williamconley » Sat Feb 27, 2016 11:30 am

pfSense is a technical tool that is RARELY configured properly for Vicidial, even by those who use pfSense regularly. It also adds a layer of "language/programming" (as now one must learn pfSense in addition to everything else). pfSense modifies iptables, which is the actual firewall. pfSense has an install process and administration requirements. It also does not allow for "The Boss" to access the system from Starbucks on her iPad at 2PM while stepping out of the office (random IP access without giving up access to China!).

Fail2Ban (which also modifies iptables), FAILS to block rotating IP brute force attacks but often blocks entire offices when one user screws up.

Dynamic Good Guys (which also modifies iptables), is simple to use and easy to install. It has TWO web pages for an interface: The primary interface shows ONLY a list of "good ips" which can be added to or deleted from. Any desk jockey can handle it. Even "The Boss". The remote interface is just a login to allow remote access, and requires a special link to gain access to it. Once installed anyone can manage DGG, no technical expertise required. And to date: No brute force attacks reported and NO entire offices locked out because one idiot tried the wrong password. We created it back when we had clients calling daily (new clients!) who were being attacked from Russia and China and could not conduct business. DGG resolved that issue immediately upon installation. (Admittedly in some cases where an attack was already underway we had to mitigate the attack before the nightly reboot, at which point the attacks just "stopped" because DGG causes the server to appear "gone" ... but some of the already running attack scripts would continue to attack for the remainder of their scripted schedule on that first day.)

And once installed, we've never had a support call to fix DGG. pfSense, on the other hand, has had a huge number of support calls. Generally the advice of "try it again WITHOUT pfSense" causes "happy clients". Plus, it's free just like fail2ban and pfSense. Hard to beat.

Don't get me wrong, pfSense is a powerful and useful tool. But that does not make it the best tool for this purpose. LOL
Vicidial Installation and Repair, plus Hosting and Colocation
Newest Product: Vicidial Agent Only Beep - Beta
http://www.PoundTeam.com # 352-269-0000 # +44(203) 769-2294
williamconley
 
Posts: 20258
Joined: Wed Oct 31, 2007 4:17 pm
Location: Davenport, FL (By Disney!)

Re: Create best Firewall for vici Server with public IP

Postby gservices » Sat Feb 27, 2016 6:23 pm

Thank you!

Thank you, williamconley.
I will use DGG; I will implement it to keep safe :)
The reality of my topology is that I use a Mikrotik RBoard and the WAN port is in a bridge with the port of the Vicidial server. I use the Bridge Filter, which is good. And Fail2ban is on the server, with some services active (asterisk, ssh, apache2, ftp...), but that is not all....
On the WAN we have more ports that are brute-forced, and hostnames for which fail2ban does nothing...

For this I need to know if anyone uses a customized firewall to protect a server with a public IP.
Vicibox_v.6.0.x86_64-6.0.4| Vicidial 2.12b0.5 | SVN :2553 | Asterisk 1.8.32.3| 4 Servers | WORKSTATION Z400
ViciBox.x86_64-4.0.2.iso | Vicidial 2.6-393a Build 130124-1721 | Asterisk 1.4.44 | Single Server | Intel(R) Core(TM)2 Duo
gservices
 
Posts: 54
Joined: Mon Mar 11, 2013 5:31 am

Re: Create best Firewall for vici Server with public IP

Postby gservices » Sat Feb 27, 2016 6:28 pm

For me, using prepared devices such as pfSense is not the best way.

Thank you Biagio
Vicibox_v.6.0.x86_64-6.0.4| Vicidial 2.12b0.5 | SVN :2553 | Asterisk 1.8.32.3| 4 Servers | WORKSTATION Z400
ViciBox.x86_64-4.0.2.iso | Vicidial 2.6-393a Build 130124-1721 | Asterisk 1.4.44 | Single Server | Intel(R) Core(TM)2 Duo
gservices
 
Posts: 54
Joined: Mon Mar 11, 2013 5:31 am

Re: Create best Firewall for vici Server with public IP

Postby williamconley » Sat Feb 27, 2016 7:05 pm

If you have a brute force attacker on a public IP, DGG is your answer for a Vicidial server. Never allow PUBLIC access to the Vicidial server. Whitelist ONLY.
Vicidial Installation and Repair, plus Hosting and Colocation
Newest Product: Vicidial Agent Only Beep - Beta
http://www.PoundTeam.com # 352-269-0000 # +44(203) 769-2294
williamconley
 
Posts: 20258
Joined: Wed Oct 31, 2007 4:17 pm
Location: Davenport, FL (By Disney!)

Re: Create best Firewall for vici Server with public IP

Postby proper » Mon Feb 29, 2016 11:49 pm

gservices wrote:
Hello,
I have one Vicidial server with a public IP and only one Ethernet card.

I constantly have to check the firewall and the traffic because I keep finding more brute-force attempts hacking my server and making more traffic on my network card.
Yesterday I found some IPs making traffic on my port 123.
What is the best way to configure the firewall, which ports do I need to leave open, and what do I need open to get services from the WAN?

By services I mean ports for, e.g., DNS and NTP, and which protocol.

Does anyone have a server with a public IP, or does anyone have their server in a datacenter or hosted anywhere?


There are a few ways you can address this, but I strongly recommend getting a mid-range network appliance and configuring it to secure your server. If Cisco is too complex, get something like Zyxel; you can easily fit into a $200 budget (assuming you have a small to mid-size deployment).

As some forum members already pointed out, it is very bad practice to keep your server publicly accessible. Access should be issued either via VPN or whitelist, and only on the ports needed for vici.

Having an external firewall insulates your deployment, offers greater stability and can protect from a larger variety of attacks.

If networking is not your thing, William mentioned another option: Dynamic Good Guys. It's a system that manages iptables, with the ability to log in using a web interface but on a separate port; after login, your IP is added to the "good guys" list and you have full access.
I have seen this system in action; it is a good solution if no network is available.
proper
 
Posts: 50
Joined: Sun Dec 06, 2015 7:25 pm
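
A minimal sketch of the whitelist-only policy recommended in this thread, added here as an example; it is not Dynamic Good Guys' code or any poster's configuration. The port lists, the whitelist file format and the function names are assumptions.

```shell
# Added example: emit a default-deny, whitelist-only ruleset in iptables-restore format.
# Assumed ports (common SSH/Apache/Asterisk defaults, not taken from the thread):
TCP_PORTS="22,80,443"          # ssh, agent/admin web interface
UDP_PORTS="5060,10000:20000"   # SIP signalling, RTP media

# Succeed only for a dotted-quad IPv4 address with an optional /0-32 prefix.
valid_ipv4() {
    addr=${1%/*}
    if [ "$addr" != "$1" ]; then
        prefix=${1#*/}
        case $prefix in ''|*[!0-9]*) return 1 ;; esac
        [ "$prefix" -le 32 ] || return 1
    fi
    case $addr in *[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $addr
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Print rules for a whitelist file: one address per line, '#' starts a comment.
gen_rules() {
    echo "*filter"
    echo ":INPUT DROP [0:0]"
    echo ":FORWARD DROP [0:0]"
    echo ":OUTPUT ACCEPT [0:0]"
    echo "-A INPUT -i lo -j ACCEPT"
    # Replies to lookups the server itself starts (DNS, NTP) match this rule,
    # so inbound ports 53 and 123 stay closed.
    echo "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    while read -r ip rest; do
        case $ip in ''|'#'*) continue ;; esac
        if ! valid_ipv4 "$ip"; then
            echo "skipping invalid entry: $ip" >&2
            continue
        fi
        echo "-A INPUT -s $ip -p tcp -m multiport --dports $TCP_PORTS -j ACCEPT"
        echo "-A INPUT -s $ip -p udp -m multiport --dports $UDP_PORTS -j ACCEPT"
    done < "$1"
    echo "COMMIT"
}

# Constructed sample whitelist (documentation address ranges, one bad entry).
sample=$(mktemp)
printf '%s\n' '# office' '203.0.113.10' '198.51.100.0/24 # carrier' '300.1.1.1' > "$sample"
gen_rules "$sample"; rm -f "$sample"
```

Review the printed ruleset before loading it with `iptables-restore`, and make sure the address you administer from is in the whitelist first.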

Re: Create best Firewall for vici Server with public IP

Postby gservices » Sun Apr 03, 2016 11:06 am

Thank you, proper
I now know to use "GOOD GUYS" and I will implement it on new servers.

Now I am using fail2ban, which bans 5 IPs every day on ssh, but on apache and other services I have not seen any bans.

But I have a Mikrotik with the interface in a bridge and a configured Bridge Firewall. One month ago I found an attack on port 123, protocol UDP; I blocked it with a Filter Rule.
I can see all attacks in Torch > Mikrotik.

Thank you!
Vicibox_v.6.0.x86_64-6.0.4| Vicidial 2.12b0.5 | SVN :2553 | Asterisk 1.8.32.3| 4 Servers | WORKSTATION Z400
ViciBox.x86_64-4.0.2.iso | Vicidial 2.6-393a Build 130124-1721 | Asterisk 1.4.44 | Single Server | Intel(R) Core(TM)2 Duo
gservices
 
Posts: 54
Joined: Mon Mar 11, 2013 5:31 am

