Enhance Your PBX's Security With This

Status
Not open for further replies.

DigitalDaz

Administrator
Staff member
Sep 29, 2016
This is no replacement for upgrading to the latest FusionPBX but I'm going to try and get this working on all my servers.

I'm just sharing a script I have been playing with that I believe is a great security enhancement.

Currently, only use this on a test box or if you are confident with FusionPBX.

Make sure you have account details for an extension if it is a new install BEFORE you run the script as it will lock you out of the GUI.

Also, grab the credentials of an existing extension if it's not a new install.

If you run the script on an existing install, do a crontab -l first and make note of your cron entries if you have any as it will wipe them.

I'll fix this very soon.

So what does it do and what's it for?

What this does is block access to both the web interface and the normal SIP ports 5060-5079 by default. This means your phones will fail to register. This also means Mr Hacker cannot exploit any weaknesses.

What you need to do, using a spare line on your phone, is to register the phone to port 8650 on the spare line; just use the same credentials as your regular extension.

What's happening in the background is a Kamailio instance listens on this port and, once you have authenticated to it, it whitelists your IP and allows access to the otherwise closed ports and the GUI.

A cron script will run at 3am that removes the whitelist and restores the default rules. This shouldn't block any existing connection as we have a RELATED/ESTABLISHED rule in iptables already. Your spare line registering to port 8650 will re-add your IP to the whitelist. For testing you can leave the timer nice and low at 120, but there is no reason why this shouldn't work with 3600 or much more.

Going forward, like FreeSWITCH's NLDB (No Device Left Behind), I would like to create an NSLB (No Subnet Left Behind) and try adding various other methods to open the ports. For example a web URL with an auth key, or Yealinks can call a URL when registration fails; we could use that too.

You should be using the latest iptables rules that FusionPBX currently installs.

Anyway, have a play and let me know what you think:
Code:
wget -O - https://gist.githubusercontent.com/DigiDaz/2c325684498075d486e883c82f76a317/raw/e6b95077868cf98c5101d1f0962d0bf191b94c47/install-whitelisting.sh | sh;
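As an added illustration of the mechanism described in this post (example code written for this page, not DigitalDaz's install script from the gist), the sketch below keeps the dynamic entries in a dedicated iptables chain, validates the address before it goes anywhere near the firewall, and installs the 03:00 reset as a cron.d drop-in so it does not overwrite an existing crontab. The chain name SIP_WHITELIST, the script path, and the idea that the Kamailio listener on 8650 would call it with `add <ip>` are all assumptions; IPTABLES can be pointed at a shell function to preview the commands without root.

```shell
#!/bin/sh
# Added example (not the thread's install script): a helper that manages the
# per-IP whitelist the Kamailio listener on 8650 would open, plus the nightly reset.
# Assumptions: the base FusionPBX ruleset already accepts lo and RELATED,ESTABLISHED
# and drops 5060-5079 and the GUI ports by default; the chain name, the script
# path and the "add <ip>" hook are invented for this example. IPTABLES can be
# overridden (e.g. with a logging shell function) to dry-run the commands.

IPTABLES="${IPTABLES:-iptables}"
CHAIN="${CHAIN:-SIP_WHITELIST}"

# Accept only a plain dotted-quad IPv4 address: nothing but digits and dots,
# exactly four octets, each 0-255. Whatever hands us the address (Kamailio, an
# action URI, a CGI) must not be able to smuggle extra iptables arguments in.
validate_ipv4() {
    ip=$1
    case $ip in
        ''|*[!0-9.]*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $ip
    IFS=$old_ifs
    [ $# -eq 4 ] && [ "$1.$2.$3.$4" = "$ip" ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Create the chain once and hook it in at the top of INPUT, so a whitelisted
# source is accepted before the default drops. Safe to rerun.
setup_chain() {
    $IPTABLES -N "$CHAIN" 2>/dev/null || true
    $IPTABLES -C INPUT -j "$CHAIN" 2>/dev/null || $IPTABLES -I INPUT 1 -j "$CHAIN"
}

# Whitelist one address (what the 8650 listener would call after a successful
# registration). Newest entry first; an address already present is not duplicated.
whitelist_ip() {
    validate_ipv4 "$1" || { echo "refusing '$1': not an IPv4 address" >&2; return 1; }
    $IPTABLES -C "$CHAIN" -s "$1" -j ACCEPT 2>/dev/null && return 0
    $IPTABLES -I "$CHAIN" -s "$1" -j ACCEPT
}

# Nightly reset: empty the chain. Registered phones keep working through the
# RELATED,ESTABLISHED rule until their spare line re-registers on 8650.
flush_whitelist() {
    $IPTABLES -F "$CHAIN"
}

# Install the 03:00 reset as a cron.d drop-in instead of rewriting the user's
# crontab, so existing entries survive. Arguments: drop-in path, script path.
install_cron() {
    printf '0 3 * * * root %s flush\n' "${2:-/usr/local/sbin/sip-whitelist.sh}" \
        > "${1:-/etc/cron.d/sip-whitelist}"
}

if [ $# -gt 0 ]; then
    case $1 in
        setup) setup_chain ;;
        add)   whitelist_ip "$2" ;;
        flush) flush_whitelist ;;
        cron)  install_cron "$2" "$3" ;;
        *)     echo "usage: $0 setup | add <ip> | flush | cron [dropin] [script]" >&2; exit 1 ;;
    esac
fi
```

Run `setup` once, have the listener call `add <ip>` after authentication, and let cron call `flush`. The insert goes at position 1 of INPUT so the whitelist is consulted before any drop; if you also run a blacklist chain, put that first instead.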
 

JamesBorne

Active Member
Jan 24, 2019
Australia
This is a cool idea.

So if I understand correctly, per phone (or one phone per public IP address) you need to have a second registration line on port 8650 to your FusionPBX box?

Bang for buck, blacklisting regions has been my best way of preventing SSH/SIP/HTTP attacks, but this layered on top would facilitate dynamic IP for those outside my region.

Thanks for sharing this!
 

bcmike

Active Member
Jun 7, 2018
Great idea! It's always better to ban all and have a white list.

I haven't run the script yet, but perhaps asking the user for a fail safe admin IP, that would be allowed no matter what would be a good idea to prevent lockouts.

Just my 2 pennies
 

DigitalDaz

Administrator
Staff member
Sep 29, 2016
Well, you will still have ssh access so you can go in and just mod the rules to suit anyway if you find yourself locked out.

A quick:
Code:
iptables -I INPUT -s <YOURPUBLICIP> -j ACCEPT

will add you a rule to get in for admin, anytime.
 

DigitalDaz

Administrator
Staff member
Sep 29, 2016
So start a new thread. I specifically disabled the private messages so that EVERYONE can benefit from the material shared/discussed on the forums.
 

DigitalDaz

Administrator
Staff member
Sep 29, 2016
One thing that came up that I had forgotten...

If you have any push servers for mobile devices in use, you need to add them to /etc/iptables/rules.v4.

This is for the Zoiper ones, Bria will have similar:
Code:
:OUTPUT ACCEPT [57:8032]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 185.117.83.192/27 -j ACCEPT
 

DigitalDaz

Administrator
Staff member
Sep 29, 2016
Hi DigitalDaz,

Is this script still something you are working on? I was not able to download it from the link above.

Thanks
Change the username from DigiDaz to pbxforums. I changed my username on github recently.

I haven't really touched that one as I have predominantly Yealink users and so have moved to a whitelist/blacklist situation using Yealink action URIs. The Yealink can call a URI when it fails to register and that's what I have been using to unlock the SIP ports for the IP address. I'll be making an app of this soon.

The above method could be used in conjunction with the new method to unlock other brands.

I've also made a GUI for the black/whitelist that allows you to add and remove entries.

I'm also looking for cheap ARM devices that could be used like on-premise 'keys' that can call the same action URL as the Yealinks to open the door too. We could also in theory just send a link in a browser or even use a successful FusionPBX GUI login as a key to opening the SIP ports for that IP address. Currently, I whitelist them for about a week and each night parse all the registrations and further whitelist any already registered for a further 7 days.
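As a second added example (again code written for this page, not anything from the thread or from DigitalDaz's GUI), this is one way to do the nightly "extend anyone still registered for another 7 days" pass from the post above: a whitelist file of address and expiry, refreshed from the registration list and then replayed into the firewall chain. The chain name SIP_WHITELIST, the use of `fs_cli -x "sofia status profile internal reg"` as the registration source, the "IP:"/"Network-IP:" labels it matches on, and the sample registration dump are all assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the thread: a nightly pass that keeps a file of
# "ip<TAB>expiry_epoch" lines, pushes the expiry of every address that still
# holds a SIP registration out by 7 days, drops expired lines, and rebuilds the
# firewall chain from what is left.
# Assumptions: registrations come from `fs_cli -x "sofia status profile internal reg"`,
# whose per-registration block carries an "IP:" line (or "Network-IP:" on some
# builds); chain name and paths are invented for the example.
export LC_ALL=C

IPTABLES="${IPTABLES:-iptables}"
CHAIN="${CHAIN:-SIP_WHITELIST}"
TTL_SECONDS=$((7 * 24 * 3600))

# Constructed sample of the fs_cli output, trimmed to the fields that matter:
# two registrations from the same phone IP and one from another site.
SAMPLE_REG='Call-ID:    1a2b3c
User:       1001@pbx.example.com
Contact:    "1001" <sip:1001@203.0.113.7:5062;transport=udp>
Agent:      Yealink SIP-T46G 28.81.0.25
Status:     Registered(UDP)(unknown) EXP(...) EXPSECS(3600)
IP:         203.0.113.7
Port:       5062
Auth-User:  1001

Call-ID:    4d5e6f
User:       1002@pbx.example.com
Network-IP: 203.0.113.7
Network-Port: 5063

Call-ID:    7a8b9c
User:       2001@pbx.example.com
Network-IP: 198.51.100.20
Network-Port: 5060'

# Stdin: fs_cli registration dump. Stdout: each registered source IP once.
# Only a bare dotted quad on an IP:/Network-IP: line is accepted, so an odd
# Contact header cannot feed anything unexpected into the firewall command.
extract_reg_ips() {
    awk '/^(Network-IP|IP):[ \t]+[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { print $2 }' | sort -u
}

# Stdin: registered IPs, one per line. $1: whitelist file, $2: "now" as epoch.
# Registered addresses get expiry now+TTL; unexpired old lines are kept as is;
# expired lines disappear. The file is rewritten via a temp file and a rename.
refresh_whitelist() {
    file=$1; now=$2
    regs=$(cat)
    [ -f "$file" ] || : > "$file"
    awk -v now="$now" -v ttl="$TTL_SECONDS" -v regs="$regs" -F '\t' -v OFS='\t' '
        BEGIN { n = split(regs, r, "\n"); for (i = 1; i <= n; i++) if (r[i] != "") exp_of[r[i]] = now + ttl }
        $2 > now && !($1 in exp_of) { exp_of[$1] = $2 }
        END { for (ip in exp_of) print ip, exp_of[ip] }
    ' "$file" | sort > "$file.tmp" && mv "$file.tmp" "$file"
}

# $1: whitelist file, $2: now. Prints the addresses that are still valid.
active_ips() {
    awk -v now="$2" -F '\t' '$2 > now { print $1 }' "$1"
}

# Rebuild the chain from the file. IPTABLES may be a shell function for dry runs.
apply_whitelist() {
    $IPTABLES -F "$CHAIN"
    for ip in $(active_ips "$1" "$2"); do
        $IPTABLES -A "$CHAIN" -s "$ip" -j ACCEPT
    done
}

# Nightly entry point (cron at 03:00): $1 is the whitelist file.
nightly() {
    fs_cli -x "sofia status profile internal reg" | extract_reg_ips | refresh_whitelist "$1" "$(date +%s)"
    apply_whitelist "$1" "$(date +%s)"
}
```

Because the chain is rebuilt from the file rather than flushed outright, an address whose phone happened to be offline at 03:00 keeps its remaining days instead of being dropped; only addresses that have not registered for a full week fall off.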
 

Henry Jones

New Member
Apr 4, 2017
Georgia, USA

The majority of my installations are using Polycom devices. I have only two Yealink handset connected. I would be interested in your GUI tool to see if it will help lock down my servers. I have had a few "break-ins" in the past and am constantly looking for protection. I'm sure you are familiar with what the developers of PBX in a Flash came up with. They developed a "door knock" application that sounds similar to what you described your script will do.

Let me know if I can have a go at your GUI.

Thanks for your reply.
 