Can someone share their Firewall script

Discussion in 'General' started by vaibhavs, Oct 12, 2009.

  1. vaibhavs

    Joined:
    Oct 2, 2009
    Messages:
    95
    Likes Received:
    0
    Hi,

    I have installed Elastix server (ISO install) with full yum update

    I am no expert, but learning my way thru.

    Can someone please share their firewall script ?
    It will help me get a head start and then I can modify rules (if needed) for my network.

    My Elastix server is on a live IP with 5 extensions from our office (192.168.1.x) and 3 different trunks from different providers. SSh is on non-standard port and FTP port is closed. Postfix relay is blocked (standard install).

    Thank you all in advance.

    Best regards,
    Vai
     
  2. Chilling_Silence

    Joined:
    Sep 23, 2008
    Messages:
    488
    Likes Received:
    0
    Firewalling is generally done at the router level, not on the box itself in my experience?
     
  3. Eham

    Joined:
    Nov 16, 2007
    Messages:
    42
    Likes Received:
    0
    I suggest using IPTABLES. It allows you to stick a public IP directly on the box without needing something to NAT or Xlate for you.. ridding NAT traversal.

    My approach is simple... allow traffic originated from the box to the WAN. Deny all inbound connections except the ones I want. Throw this into a file and sh it; the IPTABLES rules should be saved and load upon reboot of the box:

    Code:
    #!/bin/sh
    # chkconfig: 2345 99 99
    # description: IPTABLES FIREWALL STARTUP
    echo start by flushing the rules..................
    
    /sbin/iptables -F INPUT
    /sbin/iptables -F OUTPUT
    /sbin/iptables -F FORWARD
    /sbin/iptables -F
    
    echo allow packets coming from the machine..................
    
    # loopback traffic in both directions
    /sbin/iptables -A INPUT -i lo -j ACCEPT
    /sbin/iptables -A OUTPUT -o lo -j ACCEPT
    
    echo allow established traffic
    # replies to connections that were already accepted, in either direction
    /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    /sbin/iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    
    
    #################################
    ## What we allow
    #################################
    
    # Everything from trusted hosts
    echo Accept all from trusted source hosts
    # SOME IP ADDRESS -- 0.0.0.0 is a placeholder; put the real address of the
    # trusted host here and repeat the line for each additional trusted host
    /sbin/iptables -A INPUT -s 0.0.0.0 -i eth0 -j ACCEPT
    
    #################################
    ## What we DENY
    #################################
    
    echo block spoofing..................
    
    # loopback addresses must never arrive on a non-loopback interface
    # (older iptables accepted "-i ! lo"; current versions require "! -i lo")
    /sbin/iptables -A INPUT ! -i lo -s 127.0.0.0/8 -j DROP
    
    echo stop bad packets..................
    
    # packets the connection tracker cannot associate with any state
    /sbin/iptables -A INPUT -m state --state INVALID -j DROP
    
    echo NMAP FIN/URG/PSH..................
    
    /sbin/iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
    
    echo stop Xmas Tree type scanning..................
    
    /sbin/iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL ALL -j DROP
    /sbin/iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
    
    echo stop null scanning..................
    
    /sbin/iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL NONE -j DROP
    
    echo SYN/RST..................
    
    /sbin/iptables -A INPUT -i eth0 -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
    
    echo SYN/FIN..................
    
    /sbin/iptables -A INPUT -i eth0 -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
    
    echo stop sync flood..................
    # every NEW TCP connection goes through SYNFLOOD: at most one per second
    # is allowed back (RETURN); anything faster gets a TCP reset
    /sbin/iptables -N SYNFLOOD
    /sbin/iptables -A SYNFLOOD -p tcp --syn -m limit --limit 1/s -j RETURN
    /sbin/iptables -A SYNFLOOD -p tcp -j REJECT --reject-with tcp-reset
    /sbin/iptables -A INPUT -p tcp -m state --state NEW -j SYNFLOOD
    
    echo stop ping flood attack..................
    # same idea for echo requests; note -I puts this rule at the TOP of INPUT,
    # ahead of the loopback and established rules above
    /sbin/iptables -N PING
    /sbin/iptables -A PING -p icmp --icmp-type echo-request -m limit --limit 1/second -j RETURN
    /sbin/iptables -A PING -p icmp -j REJECT
    /sbin/iptables -I INPUT -p icmp --icmp-type echo-request -m state --state NEW -j PING
    
    echo finally - drop the rest
    /sbin/iptables -A INPUT -j DROP
    
    echo SAVE CONFIG
    # writes the running rules to /etc/sysconfig/iptables so they load at boot
    /sbin/service iptables save
    
    echo STOP IPTABLES
    service iptables stop
    
    echo START IPTABLES
    service iptables start
    
    
     
  4. dicko

    Joined:
    Oct 24, 2008
    Messages:
    4,099
    Likes Received:
    0
    Eham: May I ask if you find that your posted rule is sufficiently restrictive for you?

    http://rocky.eld.leidenuniv.nl/joomla/

    IMHO would be a good starting point, for a robust iptables script (It's what I use, Thank you Arno)
     
  5. Eham

    Joined:
    Nov 16, 2007
    Messages:
    42
    Likes Received:
    0
    Dicko, You really don't leave anything unturned ;)

    I changed 0.0.0.0 for the purpose of keeping my trusted host ip off of a forum. But yes, anyone wanting to use the above output will need to substitute 0.0.0.0 with a real host IP address. I have several and so far my above IPTABLES example has held up against everything thrown at it. Your mileage may vary, but if you can truly trust the host this will suffice for any VoIP/Web/Hylafax you need to do (at least I've had great success with it).
     
  6. dicko

    Joined:
    Oct 24, 2008
    Messages:
    4,099
    Likes Received:
    0
    Your script only denies a few "well known" exploits and (with respect), even if you had a trusted host plugged in, how then would it accept inbound calls from your various VSPs/external extensions, or even internal calls, as you only have eth0 defined and one trusted IP?

    It is necessary to shape the allow bit so that it is actually a firewall that meets a VOIP server's needs: you need to allow SIP/IAX2, http(s), email (in and out) etc., and only these, to your trusted hosts. Arno's script actually does that restrictively and is a template for adding SIP etc. by port (not IP) and then by host/network as appropriate; you need your VSPs and external extensions allowed, and any external management allowed by host/network.

    This is why there will likely never be a definitive script for VOIP/Elastix/all the other stuff you added, as each and every one has a different set of needs.

    regards
    dicko
     
  7. Eham

    Joined:
    Nov 16, 2007
    Messages:
    42
    Likes Received:
    0
    Dicko, there certainly isn't an all-in-one solution. My profession over the last few years has been engineering enterprise soft switches, such as Metaswitch and Genband. Anything public-facing should preferably use Session Border Controllers in front of the signaling gateway (Elastix in this case). Good SBCs (such as Acmepacket and Covergence) will control DDOS floods and most other criteria considered malicious. Anything web facing (portals, etc.) is typically behind DMZs such as Cisco PIX or ASA (..Sonicwall, Patton, m0n0wall, PfSense etc etc). Enterprise-grade VoIP will literally cost hundreds of thousands of $USD, some in the millions.

    I posted a request some time ago about OpenSBC integration, in hopes to cover some of the potential abuse from the public internet. Though my IPTABLES example may not be incredibly flexible it is secure. If you can find a way around mine, I will paypal you $5USD personally B)
     
  8. dicko

    Joined:
    Oct 24, 2008
    Messages:
    4,099
    Likes Received:
    0
    With only one trusted IP allowed through iptables, I still don't understand how people can actually call each other with your script, never mind me making five bucks trying to penetrate an anonymous /32 network that will only accept connections from one other nominated /32 network. Although I must concede that the trusted host can listen to his voicemails to himself and even configure Elastix/FreePBX/Asterisk :)

    I am also a little confused as to why anything "behind DMZs" should be considered particularly secure.
     
  9. vaibhavs

    Joined:
    Oct 2, 2009
    Messages:
    95
    Likes Received:
    0
    Following is my IPTables script.
    Critical inputs welcome!

    Code:
    #!/bin/bash
    
    # Clear any existing firewall stuff before we start
    /sbin/iptables --flush
    
    # As the default policies, drop all incoming traffic but allow all
    # outgoing traffic.  This will allow us to make outgoing connections
    # from any port, but will only allow incoming connections on the ports
    # specified below.
    /sbin/iptables --policy INPUT DROP
    /sbin/iptables --policy FORWARD DROP
    /sbin/iptables --policy OUTPUT ACCEPT
    
    
    # Allow all incoming traffic if it is coming from the local loopback device
    /sbin/iptables -A INPUT -i lo -j ACCEPT
    
    # Allow returning packets
    /sbin/iptables -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
    
    # Allow incoming traffic for web server
    /sbin/iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
    /sbin/iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
    
    # Allow connections to port 2222 - ssh. You can add other ports you need in here
    /sbin/iptables -A INPUT -p tcp -i eth0 --dport 2222 -m state --state NEW -j ACCEPT
    
    # Allow icmp input so that people can ping us
    /sbin/iptables -A INPUT -p icmp --icmp-type 8 -m state --state NEW -j ACCEPT
    
    # Allow SIP connections
    /sbin/iptables -A INPUT -p udp -i eth0 --dport 5060 -j ACCEPT
    /sbin/iptables -A INPUT -p tcp -i eth0 --dport 5060 -j ACCEPT
    /sbin/iptables -A INPUT -p udp -i eth0 --dport 10000:20000 -j ACCEPT
    
    # Allow connections from my machines
    # /sbin/iptables -A INPUT -p tcp -i eth0 -m state --state NEW -s xxxxxxxx -j ACCEPT
    
    # Check new packets are SYN packets for syn-flood protection
    /sbin/iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
    
    # Drop fragmented packets
    /sbin/iptables -A INPUT -f -j DROP
    
    # Drop malformed XMAS packets
    /sbin/iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
    
    # Drop null packets
    /sbin/iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
    
    # Log, then reject, any packets that are not allowed above. Uncomment the LOG rule
    # only while debugging; you will probably want to turn the logging off
    #/sbin/iptables -A INPUT -j LOG
    /sbin/iptables -A INPUT -j REJECT
    
    
     
  10. Eham

    Joined:
    Nov 16, 2007
    Messages:
    42
    Likes Received:
    0
    It's all about convention, and my convention deals with trusted endpoints that have static IPs, with multiple trusted endpoints added to the IPTABLES permit (my example has just one, but add as many as you need). My deployment consists of the Elastix box with a SIP trunk to the Class5 softswitch trusted IP and a few other endpoints for the IP phones. I don't trunk to other Elastix boxes or have dynamic users.. I let the softswitch take care of those (the company I work for has invested in it, so why not?). This doesn't help roaming users or users that don't have the luxury of a static IP, as you well know.

    I used to allow 5060 and RTP ports open everywhere until someone got a hold of an x-lite softphone config file and ended up making fraudulent call campaigns via my Elastix box. Now you know why I lock mine down so tightly :woohoo: The Softswitch vendors recommend a DMZ at a minimum; I personally use XLATE over a pair of High Availability Cisco Pix. If anyone is interested in a simple Pix xlate config I can post it here. Dicko, I would pay you $5usd for being a great patron of the Elastix community, and as you said there's not much chance for penetration on the above said IPTABLES code, which is exactly my goal (and thus your mileage may vary).

    I'm glad this security topic has been brought to life, as it is a tremendous liability. I would like to see additional security measures implemented into Elastix (such as removing root login, OpenSBC or a basic firewall GUI) for the sake of simplicity and wider use.
     
  11. Eham

    Joined:
    Nov 16, 2007
    Messages:
    42
    Likes Received:
    0
    Code:
    # Allow SIP connections
    /sbin/iptables -A INPUT -p udp -i eth0 --dport 5060 -j ACCEPT
    /sbin/iptables -A INPUT -p tcp -i eth0 --dport 5060 -j ACCEPT
    /sbin/iptables -A INPUT -p udp -i eth0 --dport 10000:20000 -j ACCEPT
    
    That works well but use caution.. If some unauthorized person gets a hold of a config (such as x-lite in my instance) this won't protect you. I suppose that's a given.
     
  12. vaibhavs

    Joined:
    Oct 2, 2009
    Messages:
    95
    Likes Received:
    0
    You are right Eham!
    At this time, my only protection is non-typical extension secret.
    I should allow 5060 & 10000:20000 from selected IPs (as provided by service providers).
     
  13. dicko

    Joined:
    Oct 24, 2008
    Messages:
    4,099
    Likes Received:
    0
    Whilst I agree that any form of protection is better than none, I would point out that an ill crafted IPtables can give the user a false sense of security, if there are glaring holes in it.

    At a minimum I would suggest allowing 127.0.0.1 and your localnet 192.168.x.y/24 to save a whole bunch of host lines and the maintenance of them as you add and move extensions.

    For SIP attacks I suggest that you

    a) heed all the warnings about weak passwords

    b) use an updated Asterisk (> 1.4.25) and add alwaysauthreject=yes somewhere appropriate in sip*.conf.

    c) Install and personalize fail2ban (I posted a script here on this forum a while back); this will watch your logs for suspicious asterisk behavior and dynamically ban the attacker for a configurable amount of time with iptables. It also watches /var/log/secure and by default access_log (you need to add ssl_access_log for Elastix) and a few other service logs that are prone to attack.

    For general behavior ONLY allow specific hosts/networks to get to 80/443 as there are far too many holes in Elastix' current server if you have not changed far more passwords than you think you need to. ( try http(s)://<IP-ADDRESS>/admin with admin/admin or http(s)://<ip-address>/recordings with admin/password credentials, to test your own box)

    For more general security do as vaibhavs and change the ssh port in /etc/ssh/sshd.conf, while you're in that file deny root login and setup a non privileged user to get in.

    chkconfig vsftp off unless you use it

    chkconfig --list|less to see what else is running and do the same to all services you do not need.

    I would point out also that the tftp server on port 69 is also a glaring hole in many implementations, as it is particularly insecure by design and /tftpboot often contains some very compromising information in many "well known file names".


    Install OSSEC; there is a freePBX add-on to help you monitor its behavior. This works similarly to fail2ban but is far more ubiquitous in its scope. (Expanding its rules while looking at /var/log/asterisk/full would make fail2ban's asterisk watching redundant; the same could be said for fail2ban's other modules.)

    Both will email you (once configured) with any noted aberrant behavior.

    Install rkhunter to investigate your system regularly for unauthorized changes.

    For the CLI challenged there is a firewall module in Webmin that will help you build your iptable rules, but please change 10000/TCP to something else in /etc/webmin/miniserv.conf and do a chkconfig webmin off before using webmin, (start the service manually when you need it).

    As a word to the wise a rock solid backup regime is imperative, to save your hair, if or when your machine is compromised or your hard drive goes south, or you accidentally type rm -fr / (not all "attacks" on your system come from without)

    Again, and with due respect to all, I suggest my original reference to the Arno Firewall is a far more robust starting point than anything I have seen here yet. Personally I would add another eth to your setup, as then you can treat your LAN side differently from your WAN side security-wise and save yourself all sorts of headaches.

    (pedantically 5060/TCP is unnecessary in Elastix, it's not used.)


    regards

    dicko
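The rule set dicko describes above (LAN /24 allowed wholesale, SIP and RTP only from nominated providers, web GUI and SSH only from management hosts, everything else logged and dropped), written out as an added example; it is not Arno's script nor any poster's own code. Every address is an RFC 5737 documentation placeholder and the interface names, SSH port 2222 and RTP range 10000:20000 are assumptions taken from the posts above. It prints the rules by default and only loads them with --apply, so the generated set can be reviewed first:

```shell
#!/bin/sh
# Added example, not from the thread: a rule set for a single-NIC Elastix box
# built around dicko's advice above. The local /24 is allowed wholesale, SIP
# (UDP 5060 only; TCP 5060 is not used by Elastix) and RTP are allowed only
# from the nominated providers, the web GUI and SSH only from management
# hosts, and everything else is logged and then dropped. All addresses are
# placeholders (RFC 5737 documentation ranges); substitute your own.
LAN_IF="${LAN_IF:-eth0}"                 # use eth1 if you add a second NIC for the LAN
WAN_IF="${WAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"     # office extensions
VSP_HOSTS="${VSP_HOSTS:-203.0.113.10 198.51.100.20}"  # trunk providers (placeholders)
MGMT_HOSTS="${MGMT_HOSTS:-203.0.113.50}" # hosts allowed to reach 80/443 and SSH (placeholder)
SSH_PORT="${SSH_PORT:-2222}"             # the non-standard port vaibhavs uses
RTP_RANGE="${RTP_RANGE:-10000:20000}"    # rtp.conf default range
IPT="${IPT:-/sbin/iptables}"

# Emit the rule set, one iptables command per line, so it can be reviewed
# (or diffed against the previous version) before it is loaded.
generate_rules() {
    cat <<EOF
$IPT -F
$IPT -X
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT ! -i lo -s 127.0.0.0/8 -j DROP
$IPT -A INPUT -m state --state INVALID -j DROP
$IPT -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -i $LAN_IF -s $LAN_NET -j ACCEPT
EOF
    # one pair of rules per provider: signalling and media, matched by source host
    for h in $VSP_HOSTS; do
        echo "$IPT -A INPUT -i $WAN_IF -s $h -p udp --dport 5060 -j ACCEPT"
        echo "$IPT -A INPUT -i $WAN_IF -s $h -p udp --dport $RTP_RANGE -j ACCEPT"
    done
    # management: web GUI and SSH, only from the nominated hosts
    for h in $MGMT_HOSTS; do
        echo "$IPT -A INPUT -i $WAN_IF -s $h -p tcp -m multiport --dports 80,443,$SSH_PORT -m state --state NEW -j ACCEPT"
    done
    # rate-limited ping, then log (rate-limited so the log cannot be flooded) and drop;
    # the IPT-DROP prefix is what fail2ban/OSSEC rules can key on later
    cat <<EOF
$IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
$IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPT-DROP: "
$IPT -A INPUT -j DROP
EOF
}

# Number of iptables commands the current settings produce (handy for a sanity check)
rule_count() { generate_rules | wc -l | tr -d ' '; }

# Load the rules, then persist them so they survive a reboot (CentOS: service iptables save)
apply_rules() {
    generate_rules | sh -e && /sbin/service iptables save
}

# Default is a dry run that prints the rules; pass --apply to load them.
if [ "${1:-}" = "--apply" ]; then
    apply_rules
else
    generate_rules
fi
```

Run it with no arguments to see the 19 commands it would issue, then `sh firewall.sh --apply` as root once they look right. If the LAN really sits on eth0 with the public address, the LAN rule is spoofable from the internet; that is the reason for dicko's second-NIC recommendation, in which case set LAN_IF=eth1.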
     
  14. RKM


    Joined:
    Feb 1, 2010
    Messages:
    36
    Likes Received:
    0
    This is a really great thread, thank you Eham for sharing the config.

    I have a related question. As you've mentioned, this approach will not work when the SIP clients/endpoints come from dynamic IP's (broadband connections).

    The way I handled this previously, was using an external firewall/VPN server that maintained tunnels to the SOHO routers at the "branches". In other words:

    Asterisk -> VPN Box -> Internet <- SOHO Router/VPN <- SIP Clients

    Recently, we switched dedicated hosting providers to a company more VoIP-centric, and it's a big hassle/expense to add a colo firewall next to a dedicated box. This leaves us having to figure out a way of using IPTables + an IPSec VPN that can be installed on CentOS (and play nicely with IPTables/Asterisk).

    Are you familiar with any way of going about this?

    Thank you in advance,
    RKM
     
  15. Patrick_elx

    Joined:
    Dec 14, 2008
    Messages:
    1,120
    Likes Received:
    0
    Not being a Linux expert, nor an advanced user either, I do not understand the concept of denying ssh root login. Even if you don't log root, you can still su? Are you more limited in that case?

    On my system anyway, I deny login/password login via ssh, and only allow key authentication.
     
  16. dicko

    Joined:
    Oct 24, 2008
    Messages:
    4,099
    Likes Received:
    0
    Hi Patrick

    From a security point of view, the more the better. The thinking is that every box has a root account, but only yours has a non-privileged account for .ExampleAdm1n\87. If you use 22 then drive-bys will capture your address for possible later attention. The biggest theoretical advantage is that, although you can su to root if you get in, that will only work if you are presented with a console (tty) and have a person operating it, so many more devious script attacks are forestalled, especially if you change the shell of .ExampleAdm1n\87 in /etc/passwd.

    I also prefer keys for security, and recommend all to use them.
     
  17. RKM


    Joined:
    Feb 1, 2010
    Messages:
    36
    Likes Received:
    0
    @Patrick,
    The biggest reason for disallowing root to login, isn't to tie their hands if the proverbial hacker is able to get access into your system.

    Rather, if someone is going to brute-force your system, they're going to try usernames that have a good chance of existing. And as dicko mentioned regarding the port number, that's not a huge security measure, but it will eliminate a large majority of the trolling port-scanners (if you've ever had your firewall logs mailed to you, you'll notice there are tons of trollers just hammering away on the standard ports (21, 22, 23, SMB & NFS, etc.)).

    In short, imagine that I want to hack into your box. First, I have to guess a valid username to go about logging-in with. If I knew you were running Elastix, I'd try two very reliable options, that would be valid in 90% of all installs (guestimate). Those are "root" or "asteriskuser".

    Now, if you've changed the names (or disabled root/asteriskuser) from SSH, no matter how many brute-force attacks I make, I won't be able to get the password, since the accounts don't exist or can't login.

    Moving on from that, anyone have any ideas on a method of IPSEC tunneling (VPN) between CentOS and a IPSEC router, in a manner that is Elastix-friendly?
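The sshd settings the last three posts converge on (non-standard port, no root login, key-only authentication) are directives in /etc/ssh/sshd_config. As an added example that is not part of the thread, here is a small audit script that reads a config the way sshd does (first uncommented occurrence of a directive wins, a missing directive means the built-in default) and reports what still deviates from that recommendation. The two sample files it writes are constructed for the demonstration, not copied from any real server, and port 2222 is assumed from vaibhavs's setup:

```shell
#!/bin/sh
# Added example, not from the thread: audit an sshd_config for the settings
# recommended above (non-standard port, no root login, key-only login).
# sshd uses the FIRST uncommented occurrence of a directive, so the checks
# read the first match, as sshd would, and treat a missing directive as unset.

# sshd_effective FILE DIRECTIVE: print the effective value (first uncommented,
# case-insensitive match) or nothing if the directive is not set.
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        NF >= 2 && tolower($1) == key { print $2; exit }
    ' "$1"
}

# check_directive FILE DIRECTIVE EXPECTED: report and fail on mismatch.
check_directive() {
    got=$(sshd_effective "$1" "$2")
    if [ "$got" != "$3" ]; then
        echo "$2: want '$3', have '${got:-<unset>}'"
        return 1
    fi
}

# audit_sshd_config FILE [PORT]: returns the number of findings (0 = hardened).
# 2222 is the port vaibhavs moved SSH to; pass your own as the second argument.
audit_sshd_config() {
    findings=0
    check_directive "$1" Port "${2:-2222}"         || findings=$((findings + 1))
    check_directive "$1" PermitRootLogin no        || findings=$((findings + 1))
    check_directive "$1" PasswordAuthentication no || findings=$((findings + 1))
    check_directive "$1" PubkeyAuthentication yes  || findings=$((findings + 1))
    return $findings
}

# write_sample FILE stock|hardened: constructed sample files for trying the
# audit offline; they are not copied from any real server.
write_sample() {
    if [ "$2" = hardened ]; then
        cat >"$1" <<'EOF'
Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers exampleadmin
EOF
    else
        # looks like a stock file with only the port changed: the commented-out
        # PermitRootLogin line leaves sshd's default (yes) in force
        cat >"$1" <<'EOF'
#Port 22
Port 2222
#PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
EOF
    fi
}

# Usage: sh sshd_audit.sh /etc/ssh/sshd_config [port]
if [ $# -gt 0 ]; then
    audit_sshd_config "$1" "${2:-2222}" && echo "$1: matches the recommended settings"
fi
```

Against the "stock" sample the audit reports two findings (PermitRootLogin unset, PasswordAuthentication yes) and exits 2; against the hardened sample it exits 0. Run `sshd -t` after editing the real file and keep an existing session open until a fresh key-based login on the new port has succeeded.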
     
  18. RKM


    Joined:
    Feb 1, 2010
    Messages:
    36
    Likes Received:
    0
    Okay, to make things easier, for now I'm just going to use a Port Knocking approach to security.

    This will allow me to completely firewall off all admin-related ports (SSH, Web Admin, etc) despite being on a dynamic IP.

    I've got the solution working great with knockd and iptables.

    The question I have, being a Linux newbie, is how to get a daemon to run at startup.

    I can run it as a daemon in the terminal session:
    /usr/sbin/knockd -d

    I added this same command-line (that works above) in the /etc/rc.d/rc.local file. That didn't work.

    I see that rc.local executes fine (based on the touched local), what step am I missing?

    Thank you in advance!
     
  19. rafael

    Joined:
    May 14, 2007
    Messages:
    1,454
    Likes Received:
    1
    it should work in /etc/rc.local. You may try to run
    Code:
    sleep 10
    
    after the command so you would have 10 seconds to see the output in the screen and read what is wrong.

    Regards,

    Rafael
     
  20. samv

    Joined:
    Jan 22, 2010
    Messages:
    54
    Likes Received:
    0
    Hi Everyone,

    I am using shorewall. Why don't you guys use shorewall? It is very easy to set up and easy to understand. However you want to protect your system, you can do it easily. I also used hosts control to control the IPs that I allow to connect to my system. I also changed the default port 443 to 10000, and used port 443 for my OpenVPN. I even allow only the IPs I want to browse my first page. In Asterisk I also created one fake context for international calls. When a hacker tries to make an international call from my system, it will fall into the fake context. Then the call will end without going anywhere.

    Thanks,

    Sam
     
