Can someone share their Firewall script

vaibhavs

#41
Is there any way to check how secure my firewall is from an external server -- maybe my server hosted elsewhere, or any online tool or service?

Thx
Vai
 

RKM

#42
@Vai,
I'm surprised that the private IP worked and the public IP did not; you aren't using a VPN, by chance, are you?

There are remote port scanning tools to check your security; however, most of the ones running from websites are required to be requested from the host you're testing. In short, that means you won't be able to request them from your Asterisk server unless you've got a browser installed (and therefore some sort of X Windows app).

There is one that I know about which is very basic, yet works pretty good and can be run from a remote host. For that try:
http://www.mxtoolbox.com/PortScan.aspx

Alternatively, download a port-scanning tool and run it from a remote host (eg a friend's computer, etc).
 

vaibhavs

#43

rollinsolo

#44
Dicko, do you use hardware routers for any of your Elastix servers, or do you have them connected directly to the internet with iptables taking care of the rest? If so, do you use a switch from, let's say, a cable modem and then send them to the appropriate devices or firewalls? Just curious about your best practices. I know Elastix can issue DHCP but I have never used it that way; I always got it from the router. Thanks.
 

RKM

#45
@rollinsolo -
Using the asterisk box for your DHCP couldn't be easier. I'm a complete linux newbie, and I still believe it's a 5-minute task.

As far as using hardware firewalls; know that your only two options (hardware versus integrated) are not the only options you have. Another option is using a VM (virtual machine) and running a Linux firewall on one of the machines.

In other words, imagine you have two servers, one which is a firewall with two NIC's and one which is asterisk. This same thing can be done on a single box, using free virtualization and free Linux firewalls.

There are many firewalls available that are every bit as powerful/more powerful than conventional Cisco boxes. Take a look at Vyatta, go to their videos page, and watch the video on virtualization (running a firewall on the same box as another server, completely independent of each other).

And if you do try something like this, post your responses back, so that we can all help each other develop a more secure platform :).
 

rafael

#46
As Linux firewall-based distros you can try: IPCop, eBox, Endian, etc...

Regards,

RAfael
 

dicko

#47
Usually they are behind customers' firewalls; some smaller deployments are "standalone", but I feel that every bit helps, so yes, I use iptables for a static traffic filter, then let ossec and/or fail2ban add the dynamic aspect to the basic iptables setup. DHCP is delegated to whatever the customer dictates; they just need option 66 set (and 150 etc. if they have Ciscos) if you use tftp-type provisioning.

You should definitely look at the CSF thingy ramoncio posted about; after you get your head wrapped around the config files and the README text (and add the webmin plugin) you should be up and running in just a few minutes.
 

RKM

#48
@Rafael - There are a bunch of good options he can try, pfSense is very popular as well, although I ran into limitations the last time I used it in a semi-complex setup about 2 years back.

The reason I recommended Vyatta, was particularly for the videos on setting up a firewall on a VM through a virtual network interface. This is a truly beautiful solution, and it can even be done with a single NIC, yet truly act as a 100% separated system on a virtual switch off the back of the firewall. Their videos are extremely helpful to someone who has never considered the concept.

On CSF, I tested it and it's really neat. Essentially, if I had to summarize, I would say that it is:
1) A system monitoring/notification tool (cpu, logins, files, folders, etc)
2) An iptables dynamic generation tool (user must be hands-off with iptables)
3) A log monitor / notifier

For those that do not want a cPanel/etc setup, the configuration file (csf.conf) is very well written and with about 1 hour, you can go through all of the options and test everything to your liking. In my humble opinion, it's more prudent than going through a GUI.

One really nice feature is the ability to constantly monitor "Dynamic DNS" registrations and add the ever-changing IP to iptables. Using this, you can lock your ports down 100%, and open them only for recognized hosts. There are obviously some tradeoffs with that approach, but it is a nice feature to have available.
 

dicko

#49
Just musing here, but I suggest that each of these proposed solutions is ultimately a front end to iptables (apart from the skeletal and, I suggest, incorrect backend iptables suggestions), which has been built into the kernel for donkey's years, and is certainly in Elastix since long ago.

the output of

netstat -nat|grep -E "LISTEN|ESTABLISHED"

will identify all your TCP servers

ultimately and by whatever method you choose, iptables should allow or deny each and every one of these ports to and from each and every acceptable host/network according to your needs.


the output of

netstat -nau

will show you the current state of your UDP connections, these also need to be examined and decided whether you want to allow them or not, and to/from whom .

I doubt whether any of our boxes will be the same, so there is no "generic" recipe. Do you have http, https, hylafax, tftp, dns, ntp, rpc, SAMBA (I hope not!!), webmin, X11, vnc, mysql etc. accessible from outside your local network? Are you sure you need all that crap? If so needed, are they appropriately restricted as to where on the innertubes? SIP and IAX2 are generally easier to decide, as the ports are well defined and all you need is to let your VSP and external clients have that access (by specific IP, or smallest network if unknown).

So again please use whatever tool suits but more so, PLEASE understand what you are doing, any ill considered set of rules will only give you a false sense of security.

Look at CSF, fail2ban, ossec and the other dynamic iptables rewriters that can save your whole day, but be aware that until you tune them to your environment they will be largely noisy (or completely quiet if you use the default reporting methods) and likely ineffective.

In any case, please let us all be aware that if we FU any of the above, we are still hosed!! So please look at rkhunter and other system verification methods for knowing when it's time to go into "oh-shit!" mode.

Lastly, not having an effective image of the state of your machine from before it was compromised will also REALLY spoil your whole day (remember that oh-shit! thingy), so please do that tomorrow before you do anything else (I recommend mondoarchive), and please remember to do it every <insert_your_level_of_temporal_inertia_here> days.


JM2CWAE

dicko
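A static iptables filter along the lines dicko describes above, as an added example; it is not dicko's script or anything else posted in the thread. Every address and port in it is an assumption to edit before use: ADMIN_NET is where ssh, the web GUI and webmin are administered from (and where the phones are assumed to sit), VSP_IP is the trunk provider, and RTP_RANGE must match rtpstart/rtpend in rtp.conf. Run it with IPT=echo first to review the rule set against the netstat output, then as root with the argument `apply` to load it.

```shell
#!/bin/sh
# Static INPUT filter for a standalone Elastix/Asterisk box (added example).
# All addresses below are assumptions; IPT=echo prints the rules instead of loading them.
IPT="${IPT:-/sbin/iptables}"
ADMIN_NET="${ADMIN_NET:-192.168.1.0/24}"   # assumed: LAN with phones and admin workstation
VSP_IP="${VSP_IP:-203.0.113.10}"           # assumed: SIP/IAX2 trunk provider (documentation address)
RTP_RANGE="${RTP_RANGE:-10000:20000}"      # must match rtp.conf rtpstart/rtpend

# The sockets every rule below has to make a decision about (dicko's two netstat commands).
list_listeners() {
    netstat -nat | grep -E "LISTEN|ESTABLISHED"
    netstat -nau
}

apply_rules() {
    $IPT -F
    $IPT -X
    # Default deny inbound and forwarded; the box may still originate traffic.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m state --state INVALID -j DROP
    # Administration (ssh, http, https, webmin) only from the admin network.
    for p in 22 80 443 10000; do
        $IPT -A INPUT -p tcp -s "$ADMIN_NET" --dport "$p" -j ACCEPT
    done
    # Phones on the LAN: SIP signalling and RTP media.
    $IPT -A INPUT -p udp -s "$ADMIN_NET" --dport 5060 -j ACCEPT
    $IPT -A INPUT -p udp -s "$ADMIN_NET" --dport "$RTP_RANGE" -j ACCEPT
    # Trunk provider: SIP, IAX2 and RTP, from that single address only.
    $IPT -A INPUT -p udp -s "$VSP_IP" --dport 5060 -j ACCEPT
    $IPT -A INPUT -p udp -s "$VSP_IP" --dport 4569 -j ACCEPT
    $IPT -A INPUT -p udp -s "$VSP_IP" --dport "$RTP_RANGE" -j ACCEPT
    # Rate-limited log of whatever falls through to the DROP policy, so denies are visible.
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPT-DROP: "
}

if [ "${1:-}" = "apply" ]; then
    apply_rules
fi
```

Anything netstat shows listening that has no ACCEPT line here is dropped by the INPUT policy, which is the point: every port gets an explicit decision. The OUTPUT policy stays ACCEPT, so tools like fail2ban, OSSEC or CSF that add dynamic bans still do so on INPUT, in front of these static rules.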
 

RKM

#50
Great info Dicko.

A couple points: the Vyatta solution I had mentioned is a true firewall and completely unrelated to iptables. That's the reason I presented it as an entirely separate choice.

You mentioned that people should also run something like Rootkit Hunter, which is a great point. On the topic of the CSF tool mentioned by one of the admins, I believe it covers most of what Rootkit Hunter does as well (that's what I was touching on with regard to "system monitor").

I'm not sure it accomplishes 100% of the features, but from Rootkit Hunter's bullet-point list, it looks to be very similar (eg- md5 hash compare, watch for rootkits, files with other nefarious issues, etc).

On a separate note... You mentioned MondoRescue for backups, which I'm running now (what a pain it was to set that up, with all of the version errors/etc).

I'm considering giving another "snapshot" backup a try, because I've read some good things about alternatives. Do you have any experience with any of them? For example:

PartImage (open source, snapshots, bare metal restores)
http://www.partimage.org/Main_Page

R1Soft (free tool providing the user chooses not to buy the incremental add-on)
http://www.r1soft.com/tools/linux-hot-copy/features/

Thank you in advance!
 

dicko

#51
You are welcome, so more musing.

Vyatta:

apparently slioch disagrees with you :)

http://www.vyatta.org/forum/viewtopic.p ... eb71d2206e

rkhunter v. csf (more correctly lfd):

". .lfd uses a simple md5sum match from the output of "ls -laAR" on the entry and
# so will traverse directories if specified. . ."

LF_INTEGRITY ON will do a little more on the well known files but rkhunter is much more granular and thorough (and takes a lot longer to run). As I said before the more the merrier when it comes to security and all these are pretty "light weight" on a well dimensioned server.

I suggest you create csfpost.sh with contents something like /etc/init.d/fail2ban start (don't forget the corollary csfpre.sh) to continue to use fail2ban for all its own postfix, ssh, httpd (don't forget to add the ssl_error_log jail and enable the postfix jail in an Elastix deployment) and asterisk monitoring (modify to suit whatever you use for your SIP IDS etc.; obviously my choice is fail2ban).


mondoarchive:

I never had any problems installing or using it by way of the rhel5 .repo file (you just have to "yum install" it and then immediately "yum update" it).
and it lends itself to a Friday, last day of the month (that should get you thinking as it is now February in a leap year ;) ), whatever suits, cron job something like:-

LOCALBUDIR=<some usefully mounted partition/device>
# (oops, busted myself here :) -- /usr/src is on the exclude list)
/bin/nice -n 19 /usr/sbin/mondoarchive -OVi -d "$LOCALBUDIR" \
    -E "/var/lib/asterisk/backups /var/spool/asterisk /usr/src" \
    -s 4700m -p "`hostname`_`date +%Y.%m.%d.%H.%M`" > /dev/null

and then an rsync of the resultant .iso off-site. A more occasional mondo onto a USB stick can be either useful or disastrous (if in the wrong hands and those hands did the BIOS thingy).

clonezilla and all the partimage based solutions require significant downtime, mondo does a very efficient job while keeping a production server online, who knows when you will need it, we all FU sometimes.


R1Soft is possibly an alternative, I never stumbled on it before, perhaps a more robust solution might be heartbeat/drbd if you have the resources (physical, temporal and cranial) , it works well but isn't really part of this discussion.


As to bare metal restore you can't beat mondorestore (which is better done in Centos after an export TERM=vt100. ) for moving between completely alien hardware, just gotta know the ins and outs of raids, lvms,partitioning, labeling (remove it), /etc/fstab and mtab, grub.conf and mkinitrd. But again that's not really part of this discussion either.

So I remain with mondo for all my VOIP boxes. And Arno's firewall if the VOIP box is multihomed and the only QOS/firewall in sight.

YMM(OC)V and JM2CWAE

dicko
 

RKM

#52
Dicko -
That was a lot of really great info, thank you! I had read some time ago that Vyatta was not using iptables, but perhaps the more accurate term was that it was using a fork (although I'm not even sure if that is true, just trying to reconcile with the info you pointed at, directly from the source!)

On the topic of backups, Mondo had some funny issues with CentOS and yum. I probably spent 16 hours getting it all straightened out (ugh), and eventually had to build the RPM's. Now, being a Linux newbie, and considering all of the dependencies/versioning requirements, it was stressful. However, that's how I learn, I guess. Most of the issues were related to afio, buffer inconsistencies. I'm going to post a tutorial for other newbies in a new thread, now that I think about it.

My idea behind a simpler backup, however, was more to be able to quickly restore to a new VPS/hosted server. For example, using something like linode.com, where I simply set the system to mount to my image. For my unique purpose, this is the ultimate form of backup because I'll never be in the same room as my hosted asterisk servers, and I need something I can simply "mount and go" without inserting a CD. Maybe the solution is an lvm-snapshot with dd, I'm not sure. I've tried researching this, but I just don't have the knowledge to appreciate the fundamental issues.

Back on topic... Regarding firewalls and locking-down systems... As it's said, using SSH keys is one of the more important things to do when locking-down a system.

So installing an SSH-key-pair between CentOS and Putty was very easy and worked great. I've read that the same public key can be used on multiple servers, with the same private key on my client.

"Great!" I thought, I'll just setup my second Asterisk server to match!

I'm running two identical Elastix/Asterisk/CentOS boxes, each with a different hostname. The first SSH key installed fine. I moved the id_rsa.pub file over to the second server and pushed it into authorized_keys, set permissions, reloaded SSHD, etc ... Then ... Upon SSH'ing into the second server, I could not get it to accept the known-working, matched private key.

Upon further inspection, I noticed the hostname (of the first system) is located at the end of the id_rsa.pub (public key file that gets entered into "authorized_keys"). Funny thing is, that although this seems to be the default behavior in CentOS ssh-keygen, many other keys I see do not have the hostname shown at the end.

I tried removing the hostname (since most pub keys don't appear to have it), altering it to match the hostname on the second host, etc. But none of that worked. Maybe I need to change some sort of hash-matching algorithm or something?

So here's the question: if we lock down SSH, and we want to use a consistent set of key-pairs for all of our servers (one private key on our client, that public key replicated to each of our servers) ... how do we get the public key to work on our other servers, without having to maintain several different key-pairs? Everyone claims it can be done, yet nothing is really said about why this hasn't worked out of the box.

To be sure I've provided all of the details ... I'm using "ssh-keygen -t rsa" to create the keypairs, from this awesome CentOS page on securing systems (something anyone reading this thread should review, if they're as green as myself): http://wiki.centos.org/HowTos/Network/SecuringSSH

I'll tell you, this is becoming one very valuable/interesting compilation of security considerations for Asterisk. Hopefully it indexes well in Google!

Thanks again for all of your great insight!
-Rkm
 

dicko

#53
sshd:

I found , stole and hacked a script from some unknown clever bastard out there a long time ago, (dsa is generally preferred over rsa)

--------------------------------------------------------------------------------------------
#!/bin/sh
# Push the local public key into a remote user's authorized_keys.
# Usage: pushkey.sh user@machine [port]   (port defaults to 22)

KEY="$HOME/.ssh/id_dsa.pub"

if [ ! -f "$KEY" ]; then
    echo "public key not found at $KEY"
    echo "* please create it with \"ssh-keygen -t dsa\" *"
    echo "* to login to the remote host without a password, don't give the key you create with ssh-keygen a password! *"
    exit 1
fi

if [ -z "$1" ]; then
    echo "Please specify user@machine as the first switch to this script and the port sshd is running on as the second switch"
    exit 1
fi
PORT="${2:-22}"

echo "Putting your key on $1... "

# Send the key over stdin so the remote shell never word-splits or re-quotes it;
# umask 077 gives ~/.ssh and authorized_keys owner-only modes on creation.
ssh -p "$PORT" -q "$1" "umask 077; mkdir -p ~/.ssh; cat >> ~/.ssh/authorized_keys" < "$KEY"

echo "done!"
----------------------------------------------------------------

Mondo: (and with regard to your other post)

wget -P /etc/yum.repos.d/ http://mondorescue.muskokamug.org/rhel/ ... scue.repo; yum -y install mondo; yum -y update mondo

is a "one-liner" that will resolve all your dependencies and get you up and running in a twinkle.

dicko
 

RKM

#54
Ahh... If I had only known about the repo, and the method to add it to yum, all of my problems would have been solved! Just one note about your script -- after the first command, wouldn't it be a "yum -y install mondorescue" and "yum -y update mondorescue" (based on the repo name you added)?

UPDATE: I just checked my logs and realized that I did find a working Mondo yum package, but that it wouldn't work either. Also, the yum package was about a year behind the actual mondo/mindi stable releases, for some reason.

Regarding the technique to move a public key to another server... That script doesn't look like it will address the issue I had mentioned, right? Or were you suggesting the fix is to use dsa rather than rsa?

I just realized the hostname at the end is not the problem, it's simply a "comment" which I can override with the -C switch. However, I still can't figure out why everyone says one key pair can be used with multiple servers, and I can't get it to take despite everything being setup identical.

Have you been successful in using one public key across multiple servers?
 

dicko

#55
you could try yum search mondo to see what's available in that repository, I believe that mondo is correct but I suffer from CRS.

ssh: think of them as "key pairs" not "key clusters"

The script I supplied works fine for me; dsa is more secure than rsa. I would suggest that using the same private key on multiple machines would not really be considered a "success": if that key is compromised then all your machines using it are compromised at that instant. The hostname is there to determine which key is associated with which machine; multiple keys for the same machine could well mess you up. I would delete them all and start over.

dicko
 

RKM

Joined
Feb 1, 2010
Messages
36
Likes
0
Points
0
#56
I think I was not explaining well. I am using a *single* key pair. I am using the public key on both servers. On the server where it was created, it works fine. On the other server, it does not.

I spent quite a while looking for more info, but nothing on this topic -- it's just supposed to work. After further inspection, it looks like the way Putty handles the private key side might have something to do with it.

With that said, choosing the dsa type worked great. For others stumbling on this thread through google, here's a quick list:

Code:
Create the key pair (type = dsa, comment = none):
   ssh-keygen -t dsa -C ""

Set permissions on the newly created directory/file:
   chmod 700 ~/.ssh
   chmod 600 ~/.ssh/id_dsa

Insert the public key into the authorized keys file, then set permissions:
   cat ~/.ssh/id_dsa.pub >> ~/.ssh/authorized_keys
   chmod 600 ~/.ssh/authorized_keys

Restart SSH:
   service sshd restart

Delete the key files for added security, after copying id_dsa to the client
(it would be a bad idea to leave the private key on the server!):
   rm -f ~/.ssh/id_dsa.pub
   rm -f ~/.ssh/id_dsa
Also of note, use PUTTYGEN to convert the private key to Putty's *.ppk, and use that. And you're good to go!
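The thread never pins down why the copied public key was refused on the second server, and this example does not claim to. It is an added check, not code from the thread: sshd with StrictModes (the default) will silently ignore authorized_keys if the home directory, ~/.ssh or the file itself is group- or world-writable or owned by someone else, and "bad ownership or modes" then appears only in the server's auth log. The function below runs the same three checks on a home directory before you go looking elsewhere. It assumes GNU stat (CentOS); the hypothetical path /home/alice in the usage comment is an assumption.

```shell
#!/bin/sh
# Verify the ownership and modes sshd (StrictModes yes) requires before it
# will read ~/.ssh/authorized_keys. Added example, not from the thread.
# Usage: check_ssh_perms /home/alice   (exit 0 = ok, 1 = something sshd would reject)
check_ssh_perms() {
    home="$1"
    rc=0
    owner=$(stat -c %U "$home")    # GNU stat: %U owner name, %a octal mode (assumed available)
    for f in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$f" ]; then
            echo "MISSING: $f"
            rc=1
            continue
        fi
        mode=$(stat -c %a "$f")
        # Group digit or other digit with the write bit (2,3,6,7) set: sshd refuses the file.
        case "$mode" in
            *[2367][0-7]|*[0-7][2367]) echo "BAD MODE $mode (group/other writable): $f"; rc=1 ;;
        esac
        if [ "$(stat -c %U "$f")" != "$owner" ]; then
            echo "BAD OWNER (not $owner): $f"
            rc=1
        fi
    done
    [ "$rc" -eq 0 ] && echo "OK: $home"
    return "$rc"
}
```

Run it as root for the account you log in as on each server; a clean result on the first box and a BAD MODE or BAD OWNER line on the second would explain a key that "works here but not there" without any change to the key itself.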
 
