Dynamic Good Guys Firewall for Stock Vicibox Servers


Re: Dynamic Good Guys Firewall for Stock Vicibox Servers

Postby williamconley » Wed Feb 03, 2016 5:43 pm

When you "Access" it does not "put" anything. But when you add an IP (which you entered manually) in the Add An IP interface, then an IP is added. Also, when you access the Dynamic Link (the one with :81 in it), it still will not add an IP until you successfully enter a user and password.

At that point, the system is designed to add the IP from which the web browser accessed the site. This should always be a public IP, because that is the purpose of the page: to allow external access to someone who has proper credentials, without involving a technician or administrator at the facility every time someone accesses from an external site. This is impossible without the special link, so it's still secure (the link is not something you can "guess"; it's too complex).

The public IP of the person accessing the system is then added to the good list. Then that person can access the entire Vicidial system just as if you had entered their public IP manually using the administrative link. This IP will be forgotten at reboot (i.e. a temporary add for remote users whose IPs may change daily).
Vicidial Installation and Repair, plus Hosting and Colocation
Newest Product: Vicidial Agent Only Beep - Beta
http://www.PoundTeam.com # 352-269-0000 # +44(203) 769-2294
williamconley
 
Posts: 20018
Joined: Wed Oct 31, 2007 4:17 pm
Location: Davenport, FL (By Disney!)
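The step described in the post above (take the address the browser arrived from, check that it is a single public IPv4 address, and push it into the kernel's "recent" list so the firewall starts accepting it) as an added example. This is not DGG's code or PoundTeam's; it is written here to show the check a defender wants in front of the write. Assumptions (mine, not the page's): the list is exposed at /proc/net/xt_recent/GOOD, the web server supplies the client address as REMOTE_ADDR, and the list file is writable by the web server account. The guide's ip_list_perms=0777 makes that file writable by every local account; xt_recent also takes ip_list_uid and ip_list_gid module options, so the same effect can be had with the file owned by the web server account and a tighter mode.

```python
"""Add a visiting browser's public IP to an xt_recent list, defensively.

Added example, not part of DGG. xt_recent accepts these writes on its proc file:
  +ADDR  add ADDR (or refresh it if already listed)
  -ADDR  remove ADDR
  /      flush the whole list
Entries live in kernel memory only, which is why the post says they are
forgotten at reboot.
"""
import ipaddress
import re
from typing import Dict

RECENT_LIST = "/proc/net/xt_recent/GOOD"  # assumed path; tests pass a temp file instead

# Source ranges that can never be a legitimate Internet client of the :81 page.
# RFC 5737 documentation ranges (192.0.2/24 etc.) are deliberately NOT listed so the
# constructed samples below pass; in production `addr.is_global` is the stricter
# check (it also rejects those documentation ranges).
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]

# One line per tracked address in the proc file, e.g.
#   src=192.0.2.10 ttl: 0 last_seen: 4294752 oldest_pkt: 1 4294752
_ENTRY_RE = re.compile(r"^src=(\S+) ttl: (\d+) last_seen: (\d+) oldest_pkt: (\d+)")


def validate_client_ip(remote_addr: str) -> str:
    """Return the address in canonical form, or raise ValueError.

    Rejects anything that is not one IPv4 address (this setup's list is IPv4;
    the thread leaves IPv6 unanswered) and anything from a non-public range,
    since the page says the address added should always be a public one.
    """
    addr = ipaddress.ip_address(remote_addr.strip())  # ValueError if not an IP at all
    if addr.version != 4:
        raise ValueError("refusing non-IPv4 address %s" % addr)
    if any(addr in net for net in NON_PUBLIC):
        raise ValueError("refusing non-public address %s" % addr)
    return str(addr)


def recent_add_command(remote_addr: str) -> str:
    """The exact string xt_recent expects for an add: '+' followed by the address."""
    return "+" + validate_client_ip(remote_addr)


def add_to_good_list(remote_addr: str, list_path: str = RECENT_LIST) -> str:
    """Write the add command to the list file; return the address that was added."""
    cmd = recent_add_command(remote_addr)
    with open(list_path, "w") as fh:
        fh.write(cmd + "\n")
    return cmd[1:]


def parse_recent_list(text: str) -> Dict[str, Dict[str, int]]:
    """Parse `cat /proc/net/xt_recent/GOOD` output into {ip: {ttl, last_seen, oldest_pkt}}."""
    entries = {}
    for line in text.splitlines():
        m = _ENTRY_RE.match(line)
        if m:
            entries[m.group(1)] = {
                "ttl": int(m.group(2)),
                "last_seen": int(m.group(3)),
                "oldest_pkt": int(m.group(4)),
            }
    return entries


def is_allowed(ip: str, list_text: str) -> bool:
    """True if `ip` currently appears in the list dump."""
    return ip in parse_recent_list(list_text)


# Constructed sample of a list dump (not captured from a real server).
SAMPLE_LIST = """src=192.0.2.10 ttl: 0 last_seen: 4294752 oldest_pkt: 1 4294752
src=198.51.100.7 ttl: 0 last_seen: 4295110 oldest_pkt: 2 4295001, 4295110
"""

if __name__ == "__main__":
    import os
    import tempfile
    fd, path = tempfile.mkstemp()
    os.close(fd)
    print("added", add_to_good_list("203.0.113.5", path), "->", open(path).read().strip())
    for probe in ("10.0.0.5", "2001:db8::1", "not-an-ip"):
        try:
            validate_client_ip(probe)
        except ValueError as exc:
            print("rejected:", exc)
    print("currently allowed:", sorted(parse_recent_list(SAMPLE_LIST)))
    os.unlink(path)
```

Run it as the web server user on a box where the GOOD rule is loaded and the list file is writable; `cat /proc/net/xt_recent/GOOD` afterwards shows the new src= line, which is the same check williamconley suggests later in the thread.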

Re: Dynamic Good Guys Firewall for Stock Vicibox Servers

Postby fibres » Thu Feb 04, 2016 2:19 pm

Hi Guys

Does this work on GoAutoDial?

Regards
Vicibox 4.0.3 ISO install.
VERSION: 2.6-393a
BUILD: 130124-1721
Asterisk 1.4.44-vici
No Hardware
No other software installed
fibres
 
Posts: 313
Joined: Sun May 20, 2007 3:12 pm
Location: UK

Re: Dynamic Good Guys Firewall for Stock Vicibox Servers

Postby williamconley » Thu Feb 04, 2016 4:03 pm

Nope. We have to make serious adjustments to use this technique on goautodial. If you install it in Vicibox and see how it works, you can then install it in goautodial after taking into account that the "recent" module in iptables is implemented differently in CentOS. Of course, the file locations are also different. After making adjustments, of course, it works exactly the same. No one has ever paid us to build an install kit for goautodial, though. Wouldn't be hard, just production. I keep expecting Gardo to put it in goautodial, but for some reason that has not happened. 8-)
williamconley
 
Posts: 20018
Joined: Wed Oct 31, 2007 4:17 pm
Location: Davenport, FL (By Disney!)

Re: Dynamic Good Guys Firewall for Stock Vicibox Servers

Postby covarrubiasgg » Thu Feb 11, 2016 4:03 pm

williamconley wrote:Step By Step!

http://www.viciwiki.com/index.php/DGG

If your name is "Kumba" or "The Vicidial Group" you are free to copy and incorporate this without any residuals or "mention" of PoundTeam. Anyone else: Attribution-ShareAlike 3.0 Unported License: http://creativecommons.org/licenses/by-sa/3.0/us/


Has anyone already tried it with Vicibox 7 (OpenSuse Leap)?

EDIT:

Answering my own question. Those instructions don't completely work with Vicibox 7, but you can pretty much google the errors and work around them. The main issue I have encountered right now is the different configuration between Apache 2.2 and Apache 2.4.

I will let you know if I get it running with Vicibox 7.
covarrubiasgg
 
Posts: 420
Joined: Thu Jun 10, 2010 10:20 am
Location: Tijuana, Mexico

Re: Dynamic Good Guys Firewall for Stock Vicibox Servers

Postby williamconley » Thu Feb 11, 2016 4:58 pm

covarrubiasgg wrote:Answering my own question. Those instructions don't completely work with Vicibox 7, but you can pretty much google the errors and work around them. The main issue I have encountered right now is the different configuration between Apache 2.2 and Apache 2.4.

I will let you know if I get it running with Vicibox 7.

We haven't had time to test it yet. If you get it running and provide us with a DIFF or list of changes, we can update the package.
williamconley
 
Posts: 20018
Joined: Wed Oct 31, 2007 4:17 pm
Location: Davenport, FL (By Disney!)

Re: Dynamic Good Guys Firewall for Stock Vicibox Servers

Postby covarrubiasgg » Fri Feb 12, 2016 12:52 am

I got it working; basically a bunch of settings from your guide are no longer required because they are default in Vicibox 7.

Example: no more custom ports are defined by default, FW custom rules are enabled by default, port 113 is no longer blocked by default, and a lot of things are no longer required. The only main issue is the new syntax in Apache and that the init script no longer exists.

To be honest, I made all the changes after running the installation script, but I made a patch for the installer after I watched your post.

I DID NOT TEST IT YET! I simply replicated the same changes I made to the generated files; I can test it during the weekend. Also, I have used "service apache2 reload" instead of restart to prevent downtime; even though you should not do this on production, I was forced to do it.

This is the patch file:
http://pastebin.com/5sDjyuUA

BTW, I used the DomeDan approach with curl for a multiple server setup; is there a better solution for this?
covarrubiasgg
 
Posts: 420
Joined: Thu Jun 10, 2010 10:20 am
Location: Tijuana, Mexico

Re: Dynamic Good Guys Firewall for Stock Vicibox Servers

Postby williamconley » Mon Feb 15, 2016 10:21 pm

covarrubiasgg wrote:port 113 is no longer blocked by default

...

This is the patch file
http://pastebin.com/5sDjyuUA

...

BTW, I used the DomeDan approach with curl for a multiple server setup; is there a better solution for this?

port 113 should remain closed.

Thanks for the patch, we'll put it in our todo list and add an "If Vicibox 7" to switch to the new code.

I have no idea what domedan's approach is. Sorry, I don't get the reference 8-)
williamconley
 
Posts: 20018
Joined: Wed Oct 31, 2007 4:17 pm
Location: Davenport, FL (By Disney!)

Re: Dynamic Good Guys Firewall for Stock Vicibox Servers

Postby covarrubiasgg » Tue Feb 16, 2016 5:22 pm

This is what I was talking about (just to keep the reference for my question):

DomeDan wrote:Was helping ruben23 out with how to use DGG in a multiserver setup, where you need to access several external IP addresses, and came up with a solution I would like to share.

With this change you need to log in once, on one server only.

You will need to install DGG on the other servers; the master server will access the phpmysqlezedit/goodguys.php page on the other servers.

On the "master" server you add a few lines to the secret file on port 81, just above the line "header("Location: http://$locationbase/agc/vicidial.php?r ... phone_pass");":

        // DGG admin page on the next cluster member, with its own access secret
        $url = 'http://NEXT_SERVER_IN_CLUSTER.LOCAL/phpmysqlezedit/goodguys.php?access=SECRET-STRING-TO-ACCESS-DGG-ADMIN&action=savenew';
        $ch = curl_init($url);
        curl_setopt($ch, CURLOPT_POST, 1);
        // same fields the local "Add An IP" form submits: user name, the IP just authorized, temporary flag
        curl_setopt($ch, CURLOPT_POSTFIELDS, "name=$VD_login&ip=$add&temporary=Y");
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        $response = curl_exec($ch);
        curl_close($ch);

Change NEXT_SERVER_IN_CLUSTER.LOCAL to the IP or domain name of the next server in the cluster; if you have more servers, just add all the rows a second time with the other server's IP or domain name. And change SECRET-STRING-TO-ACCESS-DGG-ADMIN to the secret access string for the DGG admin that you get when you install DGG.
covarrubiasgg
 
Posts: 420
Joined: Thu Jun 10, 2010 10:20 am
Location: Tijuana, Mexico
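The same fan-out to the other cluster members as an added example, not DomeDan's code and not part of DGG. It builds the request in a function that can be checked without a network, validates the IP once before anything is sent, URL-encodes the form fields (the quoted PHP interpolates $VD_login and $add into the body verbatim, so a login containing "&" would corrupt the POST), and keeps one unreachable peer from stopping the others. Assumptions (mine): the peer endpoint and parameter names are exactly those in the quoted PHP (phpmysqlezedit/goodguys.php with access, action, name, ip, temporary); the peer hostnames and the secret are placeholders. Note that in the quoted code the access secret travels in the URL over plain http, so the peer links belong on a trusted network or behind https (the `scheme` parameter below exists for that).

```python
"""Propagate a newly authorized IP to every DGG peer in a cluster.

Added example (not DomeDan's code, not DGG's). Mirrors the quoted PHP: one POST
per peer to phpmysqlezedit/goodguys.php?access=SECRET&action=savenew with
name=<login>&ip=<addr>&temporary=Y.
"""
import ipaddress
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Tuple

# Placeholders (assumed): the other members of the cluster and the DGG admin secret.
PEERS: List[str] = ["NEXT_SERVER_IN_CLUSTER.LOCAL", "THIRD_SERVER_IN_CLUSTER.LOCAL"]
ACCESS_SECRET = "SECRET-STRING-TO-ACCESS-DGG-ADMIN"


def validate_ipv4(ip: str) -> str:
    """Only a single IPv4 address may be forwarded to the peers."""
    addr = ipaddress.ip_address(ip.strip())
    if addr.version != 4:
        raise ValueError("refusing non-IPv4 address %s" % addr)
    return str(addr)


def build_request(peer: str, secret: str, login: str, ip: str, scheme: str = "http") -> Tuple[str, bytes]:
    """Return (url, url-encoded POST body) for one peer.

    Encoding the query and the body means a secret or login containing '&', '=',
    or spaces cannot break the request apart or smuggle an extra field.
    """
    query = urllib.parse.urlencode({"access": secret, "action": "savenew"})
    url = "%s://%s/phpmysqlezedit/goodguys.php?%s" % (scheme, peer, query)
    body = urllib.parse.urlencode({"name": login, "ip": validate_ipv4(ip), "temporary": "Y"}).encode()
    return url, body


def http_post(url: str, body: bytes, timeout: float = 5.0) -> int:
    """Send the POST and return the HTTP status (real network call)."""
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


def propagate(login: str, ip: str, peers: List[str] = PEERS, secret: str = ACCESS_SECRET,
              sender: Callable[[str, bytes], int] = http_post, scheme: str = "http") -> Dict[str, str]:
    """POST the authorized IP to every peer; one failing peer does not stop the rest.

    Returns {peer: "ok" | "http <status>" | "error: <ExceptionName>"} so the
    :81 page can log which members did not pick up the new address.
    """
    ip = validate_ipv4(ip)  # fail fast, before any peer is contacted
    results: Dict[str, str] = {}
    for peer in peers:
        try:
            url, body = build_request(peer, secret, login, ip, scheme)
            status = sender(url, body)
            results[peer] = "ok" if status == 200 else "http %d" % status
        except Exception as exc:  # DNS failure, timeout, connection refused, ...
            results[peer] = "error: %s" % exc.__class__.__name__
    return results


if __name__ == "__main__":
    # Offline demonstration with a stand-in sender; swap in http_post on a real cluster.
    def dry_run(url: str, body: bytes) -> int:
        print("POST", url, body.decode())
        return 200

    print(propagate("agent one", "203.0.113.5", sender=dry_run))
```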

Re: Dynamic Good Guys Firewall for Stock Vicibox Servers

Postby williamconley » Tue Feb 16, 2016 5:30 pm

Ah! I think that slipped my mind. LOL Thanks for reminding me. 8-)
williamconley
 
Posts: 20018
Joined: Wed Oct 31, 2007 4:17 pm
Location: Davenport, FL (By Disney!)

Re: Dynamic Good Guys Firewall for Stock Vicibox Servers

Postby ichigo » Mon May 30, 2016 3:55 am

Good day everyone..

I followed all the steps in DGG; when I am at this part:

ls /proc/net/xt_recent/GOOD -l

I've got this error:

ls: cannot access /proc/net/xt_recent/GOOD: No such file or directory

Did I miss something?
ViciBox v.7.0.3-160505 | VERSION : 2.12-565a BUILD : 160827-0917 | Asterisk 11.22.0

ViciBox v.8.1.1 180928 | VERSION: 2.14-692a | BUILD: 180927-0018 | Asterisk 13.21.1
ichigo
 
Posts: 36
Joined: Wed Dec 09, 2015 3:13 am

Re: Dynamic Good Guys Firewall for Stock Vicibox Servers

Postby dspaan » Mon May 30, 2016 6:51 am

I never use that part of the guide and it still works; you only need it if you want to add custom ranges:

Custom Rules (Back in yast firewall)
For adding CLIENT IP addresses and ranges ONLY those you intend to modify with ssh in the future. Leave this blank if you want to modify all allowed IPs via Dynamic Good Guys.
Dynamic Good Guys is ONLY for single IP addresses. This custom rules method can add IP ranges with appropriate subnet mask notation (such as "182.55.12.0/24")


You can also nano or download this file to see if the IPs were added: /etc/sysconfig/SuSEfirewall2

I've also downloaded, edited and uploaded this file in the past and it worked too.
Regards, Dennis

Vicibox 9.0.1
Version: 2.14b0.5
SVN Version: 3199
DB Schema Version: 1588
Build: 200310-1801
dspaan
 
Posts: 1374
Joined: Fri Aug 21, 2009 1:40 pm
Location: The Netherlands

Re: Dynamic Good Guys Firewall for Stock Vicibox Servers

Postby williamconley » Fri Jun 24, 2016 12:36 am

DGG updated for Vicibox 7.0.

Just tested it on 7.0.3.

ls: cannot access /proc/net/xt_recent/GOOD: No such file or directory

You may not have started your firewall. Without IPTables, this file won't be created. Also, this file won't be created if your module hasn't loaded.

Try this:

iptables-save | grep GOOD

You should get:

-A input_ext -m recent --rcheck --name GOOD --mask 255.255.255.255 --rsource -j ACCEPT
williamconley
 
Posts: 20018
Joined: Wed Oct 31, 2007 4:17 pm
Location: Davenport, FL (By Disney!)

Re: Dynamic Good Guys Firewall for Stock Vicibox Servers

Postby dspaan » Fri Jun 24, 2016 2:26 am

Thanks for updating!
dspaan
 
Posts: 1374
Joined: Fri Aug 21, 2009 1:40 pm
Location: The Netherlands

Re: Dynamic Good Guys Firewall for Stock Vicibox Servers

Postby williamconley » Sun Jul 03, 2016 4:14 pm

Updated for Encrypted Passwords and now bounces admins to the welcome screen instead of the agent login screen.

Upgrade method (untested):

cd /usr/src/poundteam/dgg
svn up
ln -s /srv/www/htdocs/agc/bp.pl /srv/www/lockdown/bp.pl
ll /srv/www/lockdown/*.php

Now copy the new version of this file over the previous DGG file OR make it a whole new file to keep the original for "insurance":

cp /usr/src/poundteam/dgg/lockdown.php /srv/www/lockdown/XXXXXXXXXXXXXXXXXXXXXXXXXXXX.php


If the User's "phone login" value is blank, the user will be bounced to the Welcome page and can log in as either an admin OR an agent. If the User's "phone login" is populated, the user will be bounced to the agent login page with user/pass/phone login/phone pass prepopulated from the values in the User's record.
williamconley
 
Posts: 20018
Joined: Wed Oct 31, 2007 4:17 pm
Location: Davenport, FL (By Disney!)

Re: Dynamic Good Guys Firewall for Stock Vicibox Servers

Postby williamconley » Sun Sep 11, 2016 3:05 pm

ichigo wrote:Good day everyone..

I followed all the steps in DGG; when I am at this part:

ls /proc/net/xt_recent/GOOD -l

I've got this error:

ls: cannot access /proc/net/xt_recent/GOOD: No such file or directory

Did I miss something?

Two possibilities:
* You did not restart your firewall to activate the new settings (the firewall itself creates this file, which is really a "device" maintained by the firewall)
* The GOOD line was never added to the firewall (in which case the "recent" module never creates the GOOD device/file).
williamconley
 
Posts: 20018
Joined: Wed Oct 31, 2007 4:17 pm
Location: Davenport, FL (By Disney!)
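The diagnosis williamconley gives twice in this thread (run `iptables-save | grep GOOD`; if the rule is not there the firewall either was never restarted with the new settings or never had the GOOD line, and without the rule xt_recent never creates /proc/net/xt_recent/GOOD) as an added example that automates it. This is not part of DGG; it parses `iptables-save` text and the presence of the proc file and reports which of the two cases applies. Assumptions (mine): the list is named GOOD, the accepting rule is the `-m recent --rcheck ... -j ACCEPT` line shown above, and the configuration lives in /etc/sysconfig/SuSEfirewall2 as dspaan mentions.

```python
"""Diagnose a missing /proc/net/xt_recent/GOOD from iptables-save output.

Added example, not DGG code. The two samples below are constructed, not
captured; SAMPLE_WITH_GOOD contains the rule line quoted in the thread.
"""
import os
import re
import shlex
import subprocess
from typing import List, NamedTuple, Optional

RECENT_FILE = "/proc/net/xt_recent/GOOD"
FW_CONFIG = "/etc/sysconfig/SuSEfirewall2"  # where the GOOD line is configured (per the thread)

_APPEND_RE = re.compile(r"^-A\s+(?P<chain>\S+)\s")


class RecentRule(NamedTuple):
    chain: str
    name: str      # --name value; xt_recent uses DEFAULT when none is given
    action: str    # rcheck / update / set / remove
    target: Optional[str]


def _opt(tokens: List[str], flag: str) -> Optional[str]:
    """Value following `flag` in a tokenized rule, or None."""
    return tokens[tokens.index(flag) + 1] if flag in tokens else None


def parse_recent_rules(save_output: str) -> List[RecentRule]:
    """Extract every '-m recent' rule from iptables-save text."""
    rules: List[RecentRule] = []
    for line in save_output.splitlines():
        line = line.strip()
        m = _APPEND_RE.match(line)
        if not m:
            continue  # table headers (*filter), chain policies (:INPUT ...), COMMIT, comments
        tokens = shlex.split(line)
        if not ("-m" in tokens and "recent" in tokens[tokens.index("-m") + 1:]):
            continue
        action = next((a for a in ("--rcheck", "--update", "--set", "--remove") if a in tokens), "")
        rules.append(RecentRule(m.group("chain"), _opt(tokens, "--name") or "DEFAULT",
                                action.lstrip("-"), _opt(tokens, "-j")))
    return rules


def good_rule_present(save_output: str, name: str = "GOOD") -> bool:
    """True if a rule consults the named list and accepts matching sources."""
    return any(r.name == name and r.action == "rcheck" and r.target == "ACCEPT"
               for r in parse_recent_rules(save_output))


def diagnose(save_output: str, list_file_exists: bool, name: str = "GOOD") -> str:
    """Map (rule loaded?, proc file present?) onto the thread's two possibilities."""
    if not good_rule_present(save_output, name):
        return ("rule missing: the running firewall has no recent/%s rule, so xt_recent never "
                "created the list. Either the firewall was not restarted after the change or the "
                "%s line was never added (check %s)." % (name, name, FW_CONFIG))
    if not list_file_exists:
        return ("rule present but list missing: iptables has the %s rule yet /proc/net/xt_recent/%s "
                "is absent; check that the xt_recent module is loaded and /proc is mounted." % (name, name))
    return "ok: %s rule loaded and /proc/net/xt_recent/%s present" % (name, name)


def diagnose_live(name: str = "GOOD") -> str:
    """Run against the local box (needs root to read the full ruleset)."""
    out = subprocess.run(["iptables-save"], capture_output=True, text=True, check=True).stdout
    return diagnose(out, os.path.exists(RECENT_FILE), name)


# Constructed iptables-save excerpts.
SAMPLE_WITH_GOOD = """*filter
:INPUT DROP [0:0]
:input_ext - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -j input_ext
-A input_ext -m recent --rcheck --name GOOD --mask 255.255.255.255 --rsource -j ACCEPT
-A input_ext -p tcp -m tcp --dport 81 -j ACCEPT
COMMIT
"""
SAMPLE_WITHOUT_GOOD = """*filter
:INPUT DROP [0:0]
:input_ext - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -j input_ext
-A input_ext -p tcp -m tcp --dport 81 -j ACCEPT
COMMIT
"""

if __name__ == "__main__":
    print(diagnose(SAMPLE_WITH_GOOD, list_file_exists=True))
    print(diagnose(SAMPLE_WITHOUT_GOOD, list_file_exists=False))
```

`diagnose_live()` is the one-liner to run on the server itself; the offline `diagnose()` is there so the parsing can be checked against saved rulesets from a broken box.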

Re: Dynamic Good Guys Firewall for Stock Vicibox Servers

Postby natewerks » Wed Jul 19, 2017 8:17 pm

Hi all. Did this question about "Will adding an IP also open up port 4569 for IAX2?" get answered? If not, how do we ensure each agent's IP and IAX2 port can be added with DGG?

dspaan wrote:Thanks, found it and got it working :-)

So if I want to do this on a cluster I'll have to buy the Pound Team addon?

Will adding an IP also open up port 4569 for IAX2?
natewerks
 
Posts: 6
Joined: Mon Jan 25, 2016 4:54 pm

Re: Dynamic Good Guys Firewall for Stock Vicibox Servers

Postby williamconley » Wed Jul 19, 2017 8:31 pm

natewerks wrote:Hi all. Did this question about "Will adding an IP also open up port 4569 for IAX2?" get answered? If not, how do we ensure each agent's IP and IAX2 port can be added with DGG?

dspaan wrote:Thanks, found it and got it working :-)

So if I want to do this on a cluster I'll have to buy the Pound Team addon?

Will adding an IP also open up port 4569 for IAX2?

Adding an IP opens all ports to that IP. It's not a "port by port" protocol opener; it's a firewall tool opening an entire IP at a time.

I.e.: Yes. It will open port 4569 *and* all the other ports as well, which covers proxy service, NTP, FTP, HTTP, and any other ports you can come up with.
williamconley
 
Posts: 20018
Joined: Wed Oct 31, 2007 4:17 pm
Location: Davenport, FL (By Disney!)

Re: Dynamic Good Guys Firewall for Stock Vicibox Servers

Postby Keyfin » Tue Jul 25, 2017 10:08 pm

You'll open port 81, but that will redirect to the Dynamic Good Guys website if you do not have a correct login and password for your Vicidial system. Someone trying to log in would also need the exact name of the PHP file for the login portal, i.e. http://YOURIPDOMAIN:81/thisismylogin.php or whatever you rename the file to... Instructions are at the end of the DGG installation. It's a simple rename of the hexadecimal PHP file DGG creates during install. Following the instructions will tell you to whitelist your firewall, then open port 81.
ViciBox: 7.0.3 | VERSION: 2.14-585a BUILD: 170114-1356 | SVN Version: 2661 |Single Server | DGG installed
Keyfin
 
Posts: 60
Joined: Tue Feb 23, 2016 8:27 pm

Re: Dynamic Good Guys Firewall for Stock Vicibox Servers

Postby alo » Fri Oct 20, 2017 10:42 pm

Thanks for making this available for everyone with great documentation!

I was wondering about the following:

Turn off Ping
Close port 113
Turn Off ICMP sourcequench

My assumption is we are turning off ping in case meanies are out pinging to find active responding servers. My only concern is that sometimes we ping the server from out of the office to see if we are having internet issues. Is it crucial to turn off ping?

Not sure what the other two are (port 113 and ICMP sourcequench), but are they safe to turn off without losing any features like voicemail emailing etc.?

And lastly, we often are instructed to keep ports 10000-20000 UDP open for our carriers' media, since some carriers just handle the SIP signaling and the media could be coming from anywhere! Could we use a rule like ESTABLISHED to allow this traffic instead of keeping the ports open, or does that already happen by itself so we can close them too and just open port 81 TCP?

Thanks again for your hard work on this feature!
alo
 
Posts: 187
Joined: Wed Jun 20, 2012 10:21 am

Re: Dynamic Good Guys Firewall for Stock Vicibox Servers

Postby williamconley » Sat Oct 21, 2017 12:02 pm

alo wrote:My only concern is that sometimes we ping the server from out of the office to see if we are having internet issues. Is it crucial to turn off ping?

If you add your office IP to the good guys list (authorized IPs) you can still ping. Yes, it's crucial to turn off ping to avoid being attacked. Some get away with leaving it open ... for a while. No guarantees on how long before you're attacked, though, and for some reason those who attack like to do so at an inopportune moment. Apparently they don't allow scheduling an appointment during off-hours.
alo wrote:Not sure what the other two are (port 113 and ICMP sourcequench), but are they safe to turn off without losing any features like voicemail emailing etc.?

Both are technical ports that are necessary for backbone routers. Your Vicidial server is NOT a backbone router and as such need not have them open for those it is not presently communicating with. Once again: those ports will be open for those in the "good/authorized IPs" list, so everything will work fine. But only with those you actually want to talk to.
alo wrote:And lastly, we often are instructed to keep ports 10000-20000 UDP open for our carriers' media, since some carriers just handle the SIP signaling and the media could be coming from anywhere! Could we use a rule like ESTABLISHED to allow this traffic instead of keeping the ports open, or does that already happen by itself so we can close them too and just open port 81 TCP?

1) Established: already happens by itself, but does not manage 3rd party audio streams.

2) Any carrier that can not give you a comprehensive list of IPs that will be transmitting audio is part of the problem. Requiring that you open any ports to the world means you have to let down your shield to attack. Change carriers (let them know that if they can not give you a list, you will need to take your business elsewhere).

Leaving ports open is an open invitation to attack. We have clients who occasionally do business with this sort of carrier. When they do, they often "get away with it" for several months before the attack. They are then down for a couple days while they switch carriers and wait for the scripts to stop attacking them. Since they are automated, the scripts neither notice nor care once you shut the ports. Sometimes you have to change IP address to sidestep the attack.

So entirely up to you: you may get away with it for quite some time before an attack. Or only a couple days. If your savings to use that carrier is compelling, go for it. But be prepared to close the ports or change the IP or both. Have that plan ready to implement.
williamconley
 
Posts: 20018
Joined: Wed Oct 31, 2007 4:17 pm
Location: Davenport, FL (By Disney!)

Re: Dynamic Good Guys Firewall for Stock Vicibox Servers

Postby dspaan » Sun Apr 01, 2018 8:41 am

I think I accidentally installed Good Guys on a server that already had it, and now I get this error when I add an IP via the admin interface:

Clearing prior Good Guy List
Clear Result: 1 /usr/share/poundteam/goodguysactivate.php33 Clear Failed. Please notify administrator

How do I fix this and what is the consequence?
dspaan
 
Posts: 1374
Joined: Fri Aug 21, 2009 1:40 pm
Location: The Netherlands

Re: Dynamic Good Guys Firewall for Stock Vicibox Servers

Postby williamconley » Sun Apr 01, 2018 3:45 pm

Look that phrase up in the code. All it means is that when dumping and reloading the GOOD list, it did not succeed. If you "cat" the GOOD file you can verify activity (or lack thereof) during whatever you're doing.

It's possible that a double entry now exists for one of the routines which may block the routine ... but I haven't heard of that happening before (just a guess).
williamconley
 
Posts: 20018
Joined: Wed Oct 31, 2007 4:17 pm
Location: Davenport, FL (By Disney!)

Re: Dynamic Good Guys Firewall for Stock Vicibox Servers

Postby dspaan » Thu May 10, 2018 9:06 am

Hey Bill,

I'm not getting that error anymore, but I'm afraid it's worse now. The manual says:

Allow Apache to add "Good Guys"
echo "options ipt_recent ip_list_perms=0777" > /etc/modprobe.d/90-ipt_recent.conf
this will create a new file (/etc/modprobe.d/90-ipt_recent.conf) with the line "options ipt_recent ip_list_perms=0777" in it.
OpenSuSE: Used to make /proc/net/xt_recent/GOOD modifiable by all users instead of just root


But under /proc/net I do not have an xt_recent directory. How to fix this?

edit:

I added the line options ipt_recent ip_list_perms=0777 to the file /etc/modprobe.d/90-ipt_recent.conf manually because it was empty.

And after making some changes in yast firewall and then doing

iptables-save


I could see the file in the /proc/net/xt_recent directory with

ls /proc/net/xt_recent/GOOD -l


After that I had problems with Apache not starting anymore, but that was fixed thanks to this tip in the guide:

If apache does not restart, check here for two or more entries at the bottom. (There should only be one instance of each entry, no dupes!)
nano /etc/apache2/listen.conf
dspaan
 
Posts: 1374
Joined: Fri Aug 21, 2009 1:40 pm
Location: The Netherlands

Re: Dynamic Good Guys Firewall for Stock Vicibox Servers

Postby williamconley » Thu May 10, 2018 12:50 pm

Looks like you ran the commands twice (first time failed, perhaps?). Happens a lot. Free software. We update it every few years ...
williamconley
 
Posts: 20018
Joined: Wed Oct 31, 2007 4:17 pm
Location: Davenport, FL (By Disney!)

Re: Dynamic Good Guys Firewall for Stock Vicibox Servers

Postby dspaan » Thu May 10, 2018 1:12 pm

Yes, I ran it three times :P

It's still working great. Best alternative to using a VPN.
dspaan
 
Posts: 1374
Joined: Fri Aug 21, 2009 1:40 pm
Location: The Netherlands

Re: Dynamic Good Guys Firewall for Stock Vicibox Servers

Postby jheengoo » Thu Nov 05, 2020 10:20 am

Does this work for ipv6?
jheengoo
 
Posts: 12
Joined: Mon Jun 04, 2018 6:46 am
