Securing FusionPBX

Status
Not open for further replies.
R

robert

Member
Mar 24, 2018
34
4
8
55
I have a question about securing my fusionpbx server.

When I first got my fusionpbx system up and running I was receiving A LOT of annoying/random/ghost calls. I was able to overcome this by putting up a firewall and only allowing IP address through that I wanted. This is working very well.

Now 2 years later I have almost 100 phones out to various companies I work with and feel I have proven the concept.

I would like to get more aggressive in my sales, but feel this firewall creates too many obstacles, including the requirement to have a fixed IP.

I am hoping to open up ONLY 5060 to the WORLD.

Do you have any wisdom about how I can prevent these calls and/or generally secure my system.

Also, I currently have 10 domains and about 100 phones, Are there any limits you know of, I have searched but not found.
 
A

ad5ou

Active Member
Jun 12, 2018
884
197
43
Start with routing everything to FQDN's only then edit /etc/fail2ban/jail.local to enable [freeswitch-ip] and probably the all of the others that may be disabled by default. Add your carriers to the fail2ban ignore list to avoid accidental bans.

Somewhat recent changes to the external sip profile should also help with ghost calls. The new default setting should require authentication on both profiles unless the carrier IP is in the domains ACL.

There is no hard limit to how many domains/extensions Fusionpbx or more specifically Freeswitch can handle. The actual usable limit is based on server hardware and/or bandwidth. The question comes up often and there is no easy way to say "X" setup can handle "Y" users. Calls per second, registration times, notify times, codec use, call recording, video calling, concurrent calls, etc all have an impact on how many extensions a single server can handle. 100 phones in a call center environment has a totally different load on the server than 100 phones scattered in typical small business offices.
 
timerider

timerider

Member
Mar 11, 2019
72
9
8
Northumberland UK
northumberland-it.com
Old thread I know. I've a Freeswitch install that has ran very well for a long time, blocking everything aside from whitelisted IP addresses.

Now having a closer look at fusionpbx and the default iptables setup is confusing me :/ (I don't usually use persistent). Usually I'd use ipset in combination with iptables and this would perhaps be the solution I'll work on.

Any tips on how you achieved only allowing whitelisted IPs before I break their default rules?
 
Adrian Fretwell

Adrian Fretwell

Well-Known Member
Aug 13, 2017
1,414
376
83
It is not complicated. The default rules (/etc/iptables/[rules.v4 rules.v6]) that the FusionPBX install provides are simply the output you would get from an iptables-save or, in most cases, the rules that were in place at the time when iptables-persistent was installed.

The default rules provided by FusionPBX give a good and relatively secure starting point and most people are happy with them. The default rules operate mostly on the INPUT chain. I tend to create additional chains for SIP and RTP services, it gives me more control and also means that RTP packets do not have to traverse all the jails that fail2ban creates. Using additional chains requires some changes in the fail2ban configuration so I'm not going to go into that now, maybe I will created a separate post about it.

In order to whitelist IPs and drop everything else, you could modify the existing INPUT section of rules.v4 to look something like this:

Code: 
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -j DROP -p udp --dport 5060:5091 -m string --string "friendly-scanner" --algo bm --icase
-A INPUT -j DROP -p tcp --dport 5060:5091 -m string --string "friendly-scanner" --algo bm --icase
-A INPUT -j DROP -p udp --dport 5060:5091 -m string --string "sipcli/" --algo bm --icase
-A INPUT -j DROP -p tcp --dport 5060:5091 -m string --string "sipcli/" --algo bm --icase
-A INPUT -j DROP -p udp --dport 5060:5091 -m string --string "VaxSIPUserAgent/" --algo bm --icase
-A INPUT -j DROP -p tcp --dport 5060:5091 -m string --string "VaxSIPUserAgent/" --algo bm --icase
-A INPUT -j DROP -p udp --dport 5060:5091 -m string --string "pplsip" --algo bm --icase
-A INPUT -j DROP -p tcp --dport 5060:5091 -m string --string "pplsip" --algo bm --icase
-A INPUT -j DROP -p udp --dport 5060:5091 -m string --string "system " --algo bm --icase
-A INPUT -j DROP -p tcp --dport 5060:5091 -m string --string "system " --algo bm --icase
-A INPUT -j DROP -p udp --dport 5060:5091 -m string --string "exec." --algo bm --icase
-A INPUT -j DROP -p tcp --dport 5060:5091 -m string --string "exec." --algo bm --icase
-A INPUT -j DROP -p udp --dport 5060:5091 -m string --string "multipart/mixed;boundary" --algo bm --icase
-A INPUT -j DROP -p tcp --dport 5060:5091 -m string --string "multipart/mixed;boundary" --algo bm --icase
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp --dport 7443 -j ACCEPT
#
# Whitelist IPs to Freeswitch
-A INPUT -s 1.2.3.4/32 -p tcp --dport 5060:5091 -j ACCEPT
-A INPUT -s 1.2.3.4/32 -p udp --dport 5060:5091 -j ACCEPT
-A INPUT -s 1.2.3.4/32 -p udp --dport 16384:32768 -j ACCEPT
-A INPUT -s 5.6.7.8/32 -p tcp --dport 5060:5091 -j ACCEPT
-A INPUT -s 5.6.7.8/32 -p udp --dport 5060:5091 -j ACCEPT
-A INPUT -s 5.6.7.8/32 -p udp --dport 16384:32768 -j ACCEPT
#
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -p udp --dport 1194 -j ACCEPT


There are of course better ways of organising the rules but this should give you an idea.

Once you have made changes to the rules file(s) call:
service fail2ban stop
service netfilter-persistent reload (or restart)
service fail2ban start
 
timerider

timerider

Member
Mar 11, 2019
72
9
8
Northumberland UK
northumberland-it.com
Adrian Fretwell said:
It is not complicated. The default rules (/etc/iptables/[rules.v4 rules.v6]) that the FusionPBX install provides are simply the output you would get from an iptables-save or, in most cases, the rules that were in place at the time when iptables-persistent was installed.
Click to expand...
Thanks, I'll give that a go today.
I've ran freeswitch for sons 7 years without anything touching it or even trying, it's simply not visible to anything not in the whitelist.
Some of the stuff in the default rules on fusion seemed a lot more modern so wasn't gonna take them out if I could keep them, your reply gives me enough (I think) to modify and add in my original rules.
And the reminder on how to restart persistent version invaluable.
Thanks
 
timerider

timerider

Member
Mar 11, 2019
72
9
8
Northumberland UK
northumberland-it.com
My updated firewall to whitelist IP addresses while blacklisting the rest! (I've used similar for a long time on freeswitch and freepbx).

Before adding the below into /etc/iptables/rules.v4 make sure you have ipset installed and a set named 'only' with the list of allowed addresses. 'man ipset' for details.

I hope this helps some of you:

-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport 5060:5091 -m string --string "friendly-scanner" --algo bm --to 65535 --icase -j DROP
-A INPUT -p tcp -m tcp --dport 5060:5091 -m string --string "friendly-scanner" --algo bm --to 65535 --icase -j DROP
-A INPUT -p udp -m udp --dport 5060:5091 -m string --string "sipcli/" --algo bm --to 65535 --icase -j DROP
-A INPUT -p tcp -m tcp --dport 5060:5091 -m string --string "sipcli/" --algo bm --to 65535 --icase -j DROP
-A INPUT -p udp -m udp --dport 5060:5091 -m string --string "VaxSIPUserAgent/" --algo bm --to 65535 --icase -j DROP
-A INPUT -p tcp -m tcp --dport 5060:5091 -m string --string "VaxSIPUserAgent/" --algo bm --to 65535 --icase -j DROP
-A INPUT -p udp -m udp --dport 5060:5091 -m string --string "pplsip" --algo bm --to 65535 --icase -j DROP
-A INPUT -p tcp -m tcp --dport 5060:5091 -m string --string "pplsip" --algo bm --to 65535 --icase -j DROP
-A INPUT -p udp -m udp --dport 5060:5091 -m string --string "system " --algo bm --to 65535 --icase -j DROP
-A INPUT -p tcp -m tcp --dport 5060:5091 -m string --string "system " --algo bm --to 65535 --icase -j DROP
-A INPUT -p udp -m udp --dport 5060:5091 -m string --string "exec." --algo bm --to 65535 --icase -j DROP
-A INPUT -p tcp -m tcp --dport 5060:5091 -m string --string "exec." --algo bm --to 65535 --icase -j DROP
-A INPUT -p udp -m udp --dport 5060:5091 -m string --string "multipart/mixed;boundary" --algo bm --to 65535 --icase -j DROP
-A INPUT -p tcp -m tcp --dport 5060:5091 -m string --string "multipart/mixed;boundary" --algo bm --to 65535 --icase -j DROP
# Whitelist IPs from ipset rule 'only'
-A INPUT -p tcp -m set --match-set only src -m multiport --dports 22,1194 -j ACCEPT
-A INPUT -p tcp -m set --match-set only src -m multiport --dports 80,443 -j ACCEPT
-A INPUT -p tcp -m set --match-set only src -m multiport --dports 5060:5091 -j ACCEPT
-A INPUT -p udp -m set --match-set only src -m multiport --dports 5060:5091 -j ACCEPT
-A INPUT -p tcp -m set --match-set only src -m multiport --dports 16384:32768 -j ACCEPT
-A INPUT -p udp -m set --match-set only src -m multiport --dports 16384:32768 -j ACCEPT
-A INPUT -p icmp -m set --match-set only src -m icmp --icmp-type 8 -j ACCEPT
 
Status
Not open for further replies.
Top Bottom