vicidial.org

[kamirie]

Good Day,
I practiced installing goautodial to my vbox and have this questions before i push through to an actual installation.

Can i ask how can i change the index.php of goautodial to a simpler one and if it's allowed. I saw a set-up like this with goautodial installed and have a normal vicidial web gui where in the index page you will only have a "Admin" and "Agent" links in the middle of the page. Goautodial index page is very good and detailed but as much as possible i would like to hide other server side details that regular user don't need.

Thanks

[williamconley]

The stock vicidial welcome page is likely still there. Try http://SERVERIP/vicidial/welcome.php

Also of note: You can put a brand new file with any design of your choosing with two simple links on it (one for admin/one for agents) and even a nice pretty graphic. Or perhaps just Two Big Buttons. The welcome.php file is quite editable when present, and not a complex file at all. No programming in it, just a few links.

[kamirie]

The stock vicidial welcome page is likely still there. Try http://SERVERIP/vicidial/welcome.php

Also of note: You can put a brand new file with any design of your choosing with two simple links on it (one for admin/one for agents) and even a nice pretty graphic. Or perhaps just Two Big Buttons. The welcome.php file is quite editable when present, and not a complex file at all. No programming in it, just a few links.

Thank you william , you hit it on the spot , and i also want to ask for guidance on how to set http://SERVERIP/vicidial/welcome.php to http://SERVERIP as the default index page will be welcome.php in the vicidial folder.

[williamconley]

You don't, usually. It is far easier to just move the welcome page (or copy it) to the /srv/www/htdocs folder and rename it "index.php". But be absolutely sure your firewall is locked down and your phpMyAdmin folder is locked down as well. Once your home page is a Vicidial login page ... you will be hacked through known exploits if you are not in lockdown.

[kamirie]

Thanks william , i'm not very familiar with IP tables so in our old server i just restrict my ssh to be access through our local ip and turned off root access for it , and disallow access on web gui through apache with this

Code: Select all

<Directory “/var/www/restricted/”>
Options Indexes MultiViews FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
Allow from 1.1.1.1
</Directory>


i replaced the path with the path i want to restrict and the ip , so our web gui won't be accessed through our public ip. But i also want to block ping and i'm kinda confused with goautodial firewall rule set , i've searched for it and i got response entering it manually to iptables but not in the goautodial firewall gui. Can you help me or give some advice how to block ping with the goautodial firewall.

And also can i limit SIP registration to our local network through SIP template ?

Code: Select all

type=friend
host=dynamic
canreinvite=no
context=default
contactdeny=0.0.0.0/0.0.0.0
contactpermit=192.168.1.0/255.255.255.0
deny=0.0.0.0/0.0.0.0 <<--[color=#FF0000] can i specify my public IP here that is set in the NIC?[/color]
permit=192.168.1.0/255.255.255.0


Is this SIP template entry correct?

Thanks

[williamconley]

While that may be a cool method ... you have still left port 80 open which "invites" attack. Also, for sip registration: If you leave the port open you are inviting attack. Even if the registrations all fail, the attempts will show port 5060 open and registration rejections will mean that there is a sip server .... so more attempts will be made.

And if you "forget" a folder and leave it unprotected (like ... phpMyAdmin ...) you will have a fairly bad problem.

If you want to go that way you can, but I'd advise a pure whitelist version instead. This means that anyone NOT listed as being allowed to interact with your server cannot get a packet in, and will not get a packet back. As far as they know there is no server there. So no reason to attack it.

If you are not sure about the firewall, you can use "iptables-save" to generate a pure iptables "chain listing" which is actually the raw firewall. This contains all the necessary commands to duplicate the firewall and will show flaws (such as icmp packets being accepted ... which is the class ping falls into ...).

If you are managing your iptables in webmin or another tool in goautodial, I'd have to check the method within webmin for accept or reject ping. But I'm fairly sure it's in there. I usually import the firewall from openSuSE when I firewall a centos box. Skip the webmin setup. I've posted that on here a couple times.

Although we are coming out soon with our Ubuntu Vicidial release which will have OpenSuSE on it and will have a ported firewall identical to the yast generated one (except with ping already turned off ... LOL).

[kamirie]

Are you referring to this post?
viewtopic.php?t=16942

I'll try to study and implement this . . thanks

can i just paste that white list to the /etc/sysconfig/iptables allowing my IP? and if that white list won be altered by the goautodial firewall gui

[williamconley]

There should be a more recent version with

-A input_ext -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A input_ext -p tcp -m tcp --dport 113 -m state --state NEW -j reject_func

missing. as those were technical giveaways to the existence of a server. Although we never had any issues after installing it ... we found those to "show" that a server resides at the address, so we removed those lines to enter a more stealthy status.

[kamirie]

Code: Select all

# Generated by iptables-save v1.3.8 on Thu Mar 17 11:54:04 2011
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [3:120]
:forward_ext - [0:0]
:forward_int - [0:0]
:input_ext - [0:0]
:input_int - [0:0]
:reject_func - [0:0]
-A INPUT -s xxx.xxx.xxx.xxx/32 -j ACCEPT
-A INPUT -s xxx.xxx.xxx.xxx/32 -j ACCEPT
-A INPUT -s xxx.xxx.xxx.xxx/32 -j ACCEPT
-A INPUT -s xxx.xxx.xxx.xxx/32 -j ACCEPT
-A INPUT -s xxx.xxx.xxx.xxx/32 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m state --state RELATED -j ACCEPT
-A INPUT -i eth0 -j input_int
-A INPUT -i eth1 -j input_ext
-A INPUT -j input_ext
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "SFW2-IN-ILL-TARGET " --log-tcp-options --log-ip-options
-A INPUT -j DROP
-A FORWARD -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWD-ILL-ROUTING " --log-tcp-options --log-ip-options
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m limit --limit 3/min -j LOG --log-prefix "SFW2-OUT-ERROR " --log-tcp-options --log-ip-options
-A input_ext -m pkttype --pkt-type broadcast -j DROP
-A input_ext -m recent --rcheck --name GOOD --rsource -j ACCEPT
-A input_ext -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A input_ext -p tcp -m tcp --dport 113 -m state --state NEW -j reject_func
-A input_ext -m pkttype --pkt-type multicast -j DROP
-A input_ext -m pkttype --pkt-type broadcast -j DROP
-A input_ext -p tcp -m limit --limit 3/min -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -p icmp -m limit --limit 3/min -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -p udp -m limit --limit 3/min -m state --state NEW -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -j DROP
-A input_int -j ACCEPT
-A reject_func -p tcp -j REJECT --reject-with tcp-reset
-A reject_func -p udp -j REJECT --reject-with icmp-port-unreachable
-A reject_func -j REJECT --reject-with icmp-proto-unreachable
-A input_ext -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A input_ext -p tcp -m tcp --dport 113 -m state --state NEW -j reject_func
COMMIT
# Completed on Thu Mar 17 11:54:04 2011
# Generated by iptables-save v1.3.8 on Thu Mar 17 11:54:04 2011
*raw
:PREROUTING ACCEPT [25890911:4913156736]
:OUTPUT ACCEPT [25089250:4484603070]
-A PREROUTING -i lo -j NOTRACK
-A OUTPUT -o lo -j NOTRACK
COMMIT
# Completed on Thu Mar 17 11:54:04 2011


is it like this?

[kamirie]

Sorry about this but i tried to paste the whitelist on /etc/sysconfig/iptables then restart my server

after rebooting when i type iptables -L

there is no rules on the iptables . how can i import that whitelist to my iptables .

i sorry i got it back , i execute
iptables-restore < from the file

did i do the right procedure? because i can still ping the server from other pc in my network and when i reboot the server the iptable rules are being flush

Thanks

[williamconley]

after you enter it in the file, edit the file and be sure no lines broke. one line breaking can invalidate the entire file.

if you are not sure, of course, you can use

Code: Select all

iptables-restore < filename

to load rules from any file without a reboot

when in doubt, delete portions of the file until you find the 'offending' command and see if there is a replacement for it (or if it can be omitted, like a logging line). versions vary and commands change ...

beware when doing this: it's only safe if you are sitting at the console. doing this from an ssh connection can lock you out.

[kamirie]

after you enter it in the file, edit the file and be sure no lines broke. one line breaking can invalidate the entire file.

if you are not sure, of course, you can use

Code: Select all

iptables-restore < filename

to load rules from any file without a reboot

when in doubt, delete portions of the file until you find the 'offending' command and see if there is a replacement for it (or if it can be omitted, like a logging line). versions vary and commands change ...

beware when doing this: it's only safe if you are sitting at the console. doing this from an ssh connection can lock you out.

will try . . I've been doing trial and error for the past 2 hrs now with iptables hehe

I have this when i execute iptables -L

Code: Select all

Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  192.168.1.10         anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere            state RELATED
input_int  all  --  anywhere             anywhere
input_ext  all  --  anywhere             anywhere
input_ext  all  --  anywhere             anywhere
LOG        all  --  anywhere             anywhere            limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-IN-ILL-TARGET '
DROP       all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere            limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-FWD-ILL-ROUTING '

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state NEW,RELATED,ESTABLISHED
LOG        all  --  anywhere             anywhere            limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-OUT-ERROR '

Chain forward_ext (0 references)
target     prot opt source               destination

Chain forward_int (0 references)
target     prot opt source               destination

Chain input_ext (2 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere            PKTTYPE = broadcast
ACCEPT     all  --  anywhere             anywhere            recent: CHECK name: GOOD side: source
ACCEPT     icmp --  anywhere             anywhere            icmp source-quench
reject_func  tcp  --  anywhere             anywhere            tcp dpt:auth state NEW
DROP       all  --  anywhere             anywhere            PKTTYPE = multicast
DROP       all  --  anywhere             anywhere            PKTTYPE = broadcast
LOG        tcp  --  anywhere             anywhere            limit: avg 3/min burst 5 tcp flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT '
LOG        icmp --  anywhere             anywhere            limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT '
LOG        udp  --  anywhere             anywhere            limit: avg 3/min burst 5 state NEW LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT '
DROP       all  --  anywhere             anywhere

Chain input_int (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain reject_func (1 references)
target     prot opt source               destination
REJECT     tcp  --  anywhere             anywhere            reject-with tcp-reset
REJECT     udp  --  anywhere             anywhere            reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere            reject-with icmp-proto-unreachable


I'm seeing this line that to my understanding accepts all connections
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state ESTABLISHED
ACCEPT icmp -- anywhere anywhere state RELATED

i have this whitelist , did i miss to change something in here?

Code: Select all

# Generated by iptables-save v1.3.8 on Thu Mar 17 11:54:04 2011
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [3:120]
:forward_ext - [0:0]
:forward_int - [0:0]
:input_ext - [0:0]
:input_int - [0:0]
:reject_func - [0:0]
-A INPUT -s 192.168.1.10 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m state --state RELATED -j ACCEPT
-A INPUT -i eth0 -j input_int
-A INPUT -i eth1 -j input_ext
-A INPUT -j input_ext
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "SFW2-IN-ILL-TARGET " --log-tcp-options --log-ip-options
-A INPUT -j DROP
-A FORWARD -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWD-ILL-ROUTING " --log-tcp-options --log-ip-options
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m limit --limit 3/min -j LOG --log-prefix "SFW2-OUT-ERROR " --log-tcp-options --log-ip-options
-A input_ext -m pkttype --pkt-type broadcast -j DROP
-A input_ext -m recent --rcheck --name GOOD --rsource -j ACCEPT
-A input_ext -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A input_ext -p tcp -m tcp --dport 113 -m state --state NEW -j reject_func
-A input_ext -m pkttype --pkt-type multicast -j DROP
-A input_ext -m pkttype --pkt-type broadcast -j DROP
-A input_ext -p tcp -m limit --limit 3/min -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -p icmp -m limit --limit 3/min -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -p udp -m limit --limit 3/min -m state --state NEW -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -j DROP
-A input_int -j ACCEPT
-A reject_func -p tcp -j REJECT --reject-with tcp-reset
-A reject_func -p udp -j REJECT --reject-with icmp-port-unreachable
-A reject_func -j REJECT --reject-with icmp-proto-unreachable
COMMIT
# Completed on Thu Mar 17 11:54:04 2011
# Generated by iptables-save v1.3.8 on Thu Mar 17 11:54:04 2011
*raw
:PREROUTING ACCEPT [25890911:4913156736]
:OUTPUT ACCEPT [25089250:4484603070]
-A PREROUTING -i lo -j NOTRACK
-A OUTPUT -o lo -j NOTRACK
COMMIT
# Completed on Thu Mar 17 11:54:04 2011

[williamconley]

iptables -L doesn't pay attention to all fields (it is pretty, though). But when you have ACCEPT for "lo", it sees that as accept and ignores the lo. Thus "anywhere anywhere". So I never use -L (even though its pretty).

You'll learn to read the iptables-save to follow the chains eventually ... in the meantime, try a portscan from another server (one that is not allowed in the firewall) and see what your results are. If they are not "perfect stealth" (ie: no ports open, no response to any icmp packets), you're not done yet.

[kamirie]

With the settings i posted william , i only allowed 192.168.1.10 (i think) so this is the result of my portscan from 192.168.1.2 , i didn't change anythign yet on that server besides the ip tables whitelist . If i can read it right , there are still open ports that was supposed to be already blocked right? What can i missed on the iptables in this scenario .

Code: Select all

Nmap scan report for 192.168.1.100
Host is up (0.0053s latency).
Not shown: 993 closed ports
PORT      STATE SERVICE     VERSION
21/tcp    open  ftp         vsftpd 2.0.5
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxr-xr-x    2 0        0            4096 Mar 30  2011 pub
22/tcp    open  ssh         OpenSSH 4.3 (protocol 2.0)
| ssh-hostkey: 1024 98:3a:ce:88:ae:45:da:f1:37:1c:ec:03:1d:11:45:f8 (DSA)
|_2048 14:f5:8d:a7:89:6a:db:a0:d8:ed:4e:b5:e0:01:d4:06 (RSA)
80/tcp    open  http        Apache httpd 2.2.3 ((CentOS))
|_http-title: ViciDial Welcome
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
| http-robots.txt: 1 disallowed entry
|_/
443/tcp   open  ssl/http    Apache httpd 2.2.3 ((CentOS))
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Issuer: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Public Key type: rsa
| Public Key bits: 1024
| Not valid before: 2012-11-12 10:15:28
| Not valid after:  2013-11-12 10:15:28
| MD5:   5470 de76 d03b 4c35 5b60 b2af 96ba 2cba
|_SHA-1: 597c 0945 eaba 8deb 0199 53f2 d2cf 14d9 46e6 f75e
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
|_http-title: ViciDial Welcome
| http-robots.txt: 1 disallowed entry
|_/
2000/tcp  open  cisco-sccp?
3306/tcp  open  mysql       MySQL 5.0.77
| mysql-info: Protocol: 10
| Version: 5.0.77
| Thread ID: 582
| Some Capabilities: Connect with DB, Compress, Transactions, Secure Connection
| Status: Autocommit
|_Salt: g>=X#A`?Z*]xdjhL$iiQ
10000/tcp open  http        MiniServ 1.600 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
| ndmp-version:
|_  ERROR: Failed to get host information from server
|_http-favicon: Unknown favicon MD5: 2D491943946FA8717381E4CEBA9039D9
MAC Address: 08:00:27:89:74:95 (Cadmus Computer Systems)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:kernel:2.6
OS details: Linux 2.6.9 - 2.6.30
Uptime guess: 0.035 days (since Fri Nov 16 00:20:17 2012)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=203 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Unix

TRACEROUTE
HOP RTT     ADDRESS
1   5.34 ms 192.168.1.100


Thanks

[williamconley]

i'm guessing your system has reverted to some prior version of settings because you have a whole lot of ports open. are you sure you didn't "miss" settings in the Advanced?

[kamirie]

i'm guessing your system has reverted to some prior version of settings because you have a whole lot of ports open. are you sure you didn't "miss" settings in the Advanced?

Umm sorry to ask which "Advanced" was it , i used goautodial ce 2.1 installer with this test server where I'm trying to learn to apply a firewall with iptables because I'm having kernel trouble installing vicibox.i686-4.0.1 standard iso to vbox with AMD Athlon II X3 425 with 3 GB of RAM in a windows 7 host.

[williamconley]

Actually, it looks like the eth0 being pointed to input_int is likely the problem. Whatever ethX you are using should be pointed to _ext instead of _int (until you have two network cards and can route one to internal that is unprotected and one to external that is protected).

[kamirie]

Actually, it looks like the eth0 being pointed to input_int is likely the problem. Whatever ethX you are using should be pointed to _ext instead of _int (until you have two network cards and can route one to internal that is unprotected and one to external that is protected).

I think that solved it william , because at the moment i only have a NIC which is eth0 so i change the setting on the /etc/sysconfig/iptables and run iptables-restore < /etc/sysconfig/iptables

Code: Select all

-A INPUT -s 192.168.1.10 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m state --state RELATED -j ACCEPT
-A INPUT -i eth0 -j input_int ##### Change this to input_ext  #####
-A INPUT -i eth1 -j input_ext

Now i have this result on nmap from 192.168.1.2 and can't ping nor access the http://192.168.1.100

Code: Select all

Nmap scan report for 192.168.1.100
Host is up (0.0032s latency).
Not shown: 999 filtered ports
PORT    STATE  SERVICE VERSION
113/tcp closed ident
MAC Address: 08:00:27:89:74:95 (Cadmus Computer Systems)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   3.25 ms 192.168.1.100


and an all access with 192.168.1.10 which is defined as a "good guy". So when i set this on a actual server with 2 NICs i just have to identify eth0 and eth1 as of where will i set my local and public IP am i right?

[williamconley]

When you get there, experiment with it and it should be fairly obvious when port scanning using the same method as today.

when you build the 2nd nic, try to remember to put it OUTSIDE your router/firewall. it should have an internet IP address and nothing between it and the world to slow it down ... but be in total stealth mode so you don't get attacked.

[kamirie]

When you get there, experiment with it and it should be fairly obvious when port scanning using the same method as today.

when you build the 2nd nic, try to remember to put it OUTSIDE your router/firewall. it should have an internet IP address and nothing between it and the world to slow it down ... but be in total stealth mode so you don't get attacked.

Yes william , one of the server I'm maintaining have that setup in which one of the NICs has it's own public IP. Now i can implement this whitelist to it.

Thanks