A variation on the FusionPBX firewall arrangements


Adrian Fretwell

It was helping another forum member with some security questions that prompted me to share this firewall configuration. Please do not use this unless you clearly understand what it is doing.

One of the problems that I saw with the default FusionPBX iptables/fail2ban configuration was that it operates largely on the INPUT chain. Fail2ban inserts rules at the top of the INPUT chain, before:

Code:
INPUT -i lo -j ACCEPT
INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

This means that anything using the lo interface and all RTP packets have to traverse all the jails and drop rules inserted by fail2ban before they get accepted.

A common approach that I take is to create chains for specific application groups: a services chain for web and ssh access etc., a sip-services chain for devices, and a gateways chain for my SIP providers. This way I can marshal traffic from the INPUT chain into different chains, and I can then get fail2ban to act on these specific chains rather than on the INPUT chain. It also means that your IP address is less likely to get banned from accessing an ssh session just because you have a misbehaving SIP device.

This configuration requires some changes in /etc/fail2ban/jail.local and /etc/fail2ban/action.d/iptables-common.conf, and a new file called /etc/fail2ban/action.d/iptables-sip-services.conf.

So let's start with the iptables rules. The /etc/iptables/rules.v4 file could look something like this:

Code:
# Generated by xtables-save v1.8.2 on Sat Aug  14 20:23:50 2021
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:block-invalid-tcp - [0:0]
:sip-services - [0:0]
:sip-gateways - [0:0]
:services - [0:0]
#
# sip-services chain
-A sip-services -m string --string "friendly-scanner" --algo bm --to 65535 --icase -j DROP
-A sip-services -m string --string "sipcli/" --algo bm --to 65535 --icase -j DROP
-A sip-services -m string --string "VaxSIPUserAgent/" --algo bm --to 65535 --icase -j DROP
-A sip-services -m string --string "pplsip" --algo bm --to 65535 --icase -j DROP
-A sip-services -m string --string "system " --algo bm --to 65535 --icase -j DROP
-A sip-services -m string --string "exec." --algo bm --to 65535 --icase -j DROP
-A sip-services -m string --string "multipart/mixed;boundary" --algo bm --to 65535 --icase -j DROP
-A sip-services -m state --state RELATED,ESTABLISHED -j ACCEPT
-A sip-services -j ACCEPT
#
# services chain
-A services -m state --state RELATED,ESTABLISHED -j ACCEPT
-A services -p tcp -m tcp --dport 22 -j ACCEPT
-A services -p tcp -m tcp --dport 80 -j ACCEPT
-A services -p tcp -m tcp --dport 443 -j ACCEPT
-A services -p tcp -m tcp --dport 7443 -j ACCEPT
-A services -j DROP
#
# sip-gateways chain
-A sip-gateways -m string --string "friendly-scanner" --algo bm --to 65535 --icase -j DROP
-A sip-gateways -m string --string "sipcli/" --algo bm --to 65535 --icase -j DROP
-A sip-gateways -m string --string "VaxSIPUserAgent/" --algo bm --to 65535 --icase -j DROP
-A sip-gateways -m string --string "pplsip" --algo bm --to 65535 --icase -j DROP
-A sip-gateways -m string --string "system " --algo bm --to 65535 --icase -j DROP
-A sip-gateways -m string --string "exec." --algo bm --to 65535 --icase -j DROP
-A sip-gateways -m string --string "multipart/mixed;boundary" --algo bm --to 65535 --icase -j DROP
-A sip-gateways -m state --state RELATED,ESTABLISHED -j ACCEPT
# Provider 1
-A sip-gateways -s 1.2.3.4/32 -j ACCEPT
# Provider 2
-A sip-gateways -s 5.6.7.8/32 -j ACCEPT
-A sip-gateways -j DROP
#
# Block invalid TCP packets chain
-A block-invalid-tcp -p tcp ! --syn -m state --state NEW -j DROP
# Block fragments and Xmas tree as well as SYN,FIN and SYN,RST - invalid combination of the TCP flags
-A block-invalid-tcp -p tcp --tcp-flags ALL NONE -j DROP
-A block-invalid-tcp -p tcp --tcp-flags ALL ALL -j DROP
-A block-invalid-tcp -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
-A block-invalid-tcp -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
-A block-invalid-tcp -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A block-invalid-tcp -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
-A block-invalid-tcp -j RETURN
#
# INPUT
-A INPUT -i lo -j ACCEPT
#
-A INPUT -p udp -m udp --dport 16384:32768 -j ACCEPT
#
-A INPUT -p tcp -j block-invalid-tcp
-A INPUT -p udp -m udp --dport 5080:5081 -j sip-gateways
-A INPUT -p tcp -m tcp --dport 5080:5081 -j sip-gateways
#
-A INPUT -p udp -m udp --dport 5060:5061 -j sip-services
-A INPUT -p tcp -m tcp --dport 5060:5061 -j sip-services
#
# OpenVPN: accept this before the catch-all jumps into services below;
# services ends in DROP, so a rule placed after those jumps would never be reached
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
#
-A INPUT -p tcp -j services
-A INPUT -p udp -j services
#
# Accept ICMP packets
-A INPUT -p icmp -j ACCEPT
#
COMMIT
# Completed on Sat Aug  14 20:23:50 2021
# Generated by xtables-save v1.8.2 on Thu Jan  9 20:09:40 2020
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A OUTPUT -p udp -m udp --sport 16384:32768 -j DSCP --set-dscp 0x2e
-A OUTPUT -p udp -m udp --sport 5080:5081 -j DSCP --set-dscp 0x1a
-A OUTPUT -p tcp -m tcp --sport 5080:5081 -j DSCP --set-dscp 0x1a
-A OUTPUT -p udp -m udp --sport 5060:5061 -j DSCP --set-dscp 0x1a
-A OUTPUT -p tcp -m tcp --sport 5060:5061 -j DSCP --set-dscp 0x1a
COMMIT
# Completed on Sat Aug  14 20:23:50 2021



In /etc/fail2ban/jail.local set [freeswitch-ip] and [auth-challenge-ip] to true and edit the ports to match your SIP profile(s).

In /etc/fail2ban/jail.local change the action to iptables-sip-services[... for the following jails:
[freeswitch]
[freeswitch-ip]
[auth-challenge-ip]
[sip-auth-challenge]
[sip-auth-failure]
[fusionpbx-404]


In /etc/fail2ban/action.d create iptables-sip-services.conf ...

Code:
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
# Modified: Yaroslav O. Halchenko <debian@onerussian.com>
#             made active on all ports from original iptables.conf
#
#

[INCLUDES]

before = iptables-common.conf


[Definition]

# Option:  actionstart
# Notes.:  command executed once at the start of Fail2Ban.
# Values:  CMD
#
actionstart = <iptables> -N f2b-<name>
              <iptables> -A f2b-<name> -j <returntype>
              <iptables> -I sip-services -p <protocol> -j f2b-<name>

# Option:  actionstop
# Notes.:  command executed once at the end of Fail2Ban
# Values:  CMD
#
actionstop = <iptables> -D sip-services -p <protocol> -j f2b-<name>
             <actionflush>
             <iptables> -X f2b-<name>

# Option:  actioncheck
# Notes.:  command executed once before each actionban command
# Values:  CMD
#
actioncheck = <iptables> -n -L sip-services | grep -q 'f2b-<name>[ \t]'

# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
actionban = <iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>

# Option:  actionunban
# Notes.:  command executed when unbanning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
actionunban = <iptables> -D f2b-<name> -s <ip> -j <blocktype>

[Init]

In /etc/fail2ban/action.d/iptables-common.conf comment out chain = INPUT and add chain = services.

Code:
[Init]

# Option:  chain
# Notes    specifies the iptables chain to which the Fail2Ban rules should be
#          added
# Values:  STRING  Default: INPUT
#chain = INPUT
chain = services

Once you have made the changes to the files:

Code:
service fail2ban stop
service netfilter-persistent reload   # or restart
service fail2ban start

I do quite a lot more with my rules.v4 and rules.v6 files, but this should be enough to get you thinking of different ways that your security could be configured.

I hope you find this interesting.
Adrian.
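As an added illustration that is not part of the original post, here is a small Python model of the INPUT dispatch described above. It uses a constructed, cut-down copy of the rules.v4 arrangement with a hypothetical f2b-freeswitch chain (the kind that the iptables-sip-services action hooks into sip-services) and a made-up banned address 203.0.113.7; it shows that RTP never enters a fail2ban chain, that a ban inside sip-services drops SIP from that address, and that the same address can still reach ssh through the services chain.

```python
import ipaddress
import shlex
# Constructed cut-down copy of the post's INPUT arrangement (policy DROP) plus the
# f2b-freeswitch chain that the iptables-sip-services action hooks into sip-services;
# 203.0.113.7 stands in for a source fail2ban has banned. Not the author's full file.
RULES = """
-A f2b-freeswitch -s 203.0.113.7/32 -j DROP
-A f2b-freeswitch -j RETURN
-A sip-services -j ACCEPT
-A services -p tcp -m tcp --dport 22 -j ACCEPT
-A services -j DROP
-A INPUT -p udp -m udp --dport 16384:32768 -j ACCEPT
-A INPUT -p udp -m udp --dport 5060:5061 -j sip-services
-A INPUT -p tcp -j services
-A INPUT -p udp -j services
-I sip-services -p udp -j f2b-freeswitch
"""

def parse(text):
    """Chain name -> rule list, keeping only the matches this model evaluates."""
    chains = {}
    for tok in filter(None, map(shlex.split, text.splitlines())):
        rule = {}
        for flag, val in zip(tok, tok[1:]):      # "-m udp", "--algo bm" etc. are ignored
            if flag in ('-p', '-j'): rule[flag] = val
            elif flag == '-s': rule['-s'] = ipaddress.ip_network(val)
            elif flag == '--dport': lo, _, hi = val.partition(':'); rule['--dport'] = (int(lo), int(hi or lo))
        chain = chains.setdefault(tok[1], [])
        chain.insert(0 if tok[0] == '-I' else len(chain), rule)  # -I prepends, as fail2ban does
    return chains

def match(rule, pkt):
    return (rule.get('-p', pkt['proto']) == pkt['proto']
            and ('-s' not in rule or ipaddress.ip_address(pkt['src']) in rule['-s'])
            and ('--dport' not in rule or rule['--dport'][0] <= pkt['dport'] <= rule['--dport'][1]))

def walk(chains, chain, pkt, path):
    """Netfilter-style traversal: first terminal target wins, a user chain falls through."""
    for rule in filter(lambda r: match(r, pkt), chains.get(chain, [])):
        if rule['-j'] in ('ACCEPT', 'DROP', 'REJECT'):
            return rule['-j'], path
        if rule['-j'] == 'RETURN': break
        verdict, path = walk(chains, rule['-j'], pkt, path + [rule['-j']])
        if verdict:
            return verdict, path
    return ('DROP' if chain == 'INPUT' else None), path  # INPUT policy; user chain -> None

def classify(proto, dport, src):
    """Verdict and the chains visited by one packet arriving on INPUT."""
    return walk(parse(RULES), 'INPUT', dict(proto=proto, dport=dport, src=src), ['INPUT'])
```

For the banned address, classify('udp', 20000, '203.0.113.7') gives ('ACCEPT', ['INPUT']), classify('udp', 5060, '203.0.113.7') gives ('DROP', ['INPUT', 'sip-services', 'f2b-freeswitch']) and classify('tcp', 22, '203.0.113.7') gives ('ACCEPT', ['INPUT', 'services']).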