vicidial.org

[ruben23]

Version: 2.14b0.5
SVN Version: 3067
DB Schema Version: 1564
DB Schema Update Date: 2019-03-01 18:32:30
Password Encryption:DISABLED - S1 - C1
Auto User-add Value: 101
Recording Prompt Count: 0
Install Date: 2019-03-01
ASterisk 1.8
Scratch install Ubuntu Server

Hi guys anyone have chance implemented DGG on UBUNTU SERVER.? can you share procedure, Thanks a lot

[williamconley]

DGG itself is *really* just two web pages that can update a /proc/ file specific to the "recent" module of iptables. There are tiny technical differences between the recent module implementation in CentOS, Debian/Ubuntu, and OpenSuSE. But I have no doubt that you could walk through the installation process and find/resolve the differences if you tried.

The KEY is that the 90-ipt_recent.conf file (so named in OpenSuSE, of course) needs to have the "options ipt_recent ip_list_perms=0777" entry so the "/proc/net/xt_recent/GOOD" (so named in OpenSuSE also) can be modified by apache. Then the IPtables entry refers to this device during any packet receipt and allows anyone with an entry to access the system and blocks those who do not.

The two files are:
* Special port (such as 81) Self-Login DGG page: this page should be the ONLY page available on a special port and have a UUID based filename in a "non-indexable" folder so it can't be found by accident. Thus getting to that page is impossible without 200 years or some luck OR a link. That page has a user/pass simple login that will add the user to the aforementioned GOOD device file, and then bounce the user to the "Re-login" page with credentials provided by the user entry in question.
* Standard port, but with a UUID based simple access method: This is a simple database table modifier that will dump/reload the GOOD file whenever a DB entry is modified or added/deleted.

So it's really just two web pages with permission to modify the GOOD device and a special apache configuration for one of them. And ONE more thing: The initial "whitelist lockdown" itself:

Code: Select all

# Generated by iptables-save v1.4.8 on Tue Apr 30 20:41:02 2019
*raw
:PREROUTING ACCEPT [13540172:10962897694]
:OUTPUT ACCEPT [7810190:14903965912]
-A PREROUTING -i lo -j NOTRACK
-A OUTPUT -o lo -j NOTRACK
COMMIT
# Completed on Tue Apr 30 20:41:02 2019
# Generated by iptables-save v1.4.8 on Tue Apr 30 20:41:02 2019
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forward_ext - [0:0]
:forward_int - [0:0]
:input_ext - [0:0]
:input_int - [0:0]
:reject_func - [0:0]
-A INPUT -s xx.xx.xx.xx/32 -j ACCEPT
-A INPUT -s yy.xx.zz.aa/32 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m state --state RELATED -j ACCEPT
-A INPUT -i eth0 -j input_int
-A INPUT -i eth1 -j input_ext
-A INPUT -j input_ext
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "SFW2-IN-ILL-TARGET " --log-tcp-options --log-ip-options
-A INPUT -j DROP
-A FORWARD -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWD-ILL-ROUTING " --log-tcp-options --log-ip-options
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m limit --limit 3/min -j LOG --log-prefix "SFW2-OUT-ERROR " --log-tcp-options --log-ip-options
-A input_ext -m pkttype --pkt-type broadcast -j DROP
-A input_ext -m recent --rcheck --name GOOD --rsource -j ACCEPT
options
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 81 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 81 -j ACCEPT
-A input_ext -m pkttype --pkt-type multicast -j DROP
-A input_ext -m pkttype --pkt-type broadcast -j DROP
-A input_ext -p tcp -m limit --limit 3/min -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -p icmp -m limit --limit 3/min -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -p udp -m limit --limit 3/min -m state --state NEW -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -j DROP
-A input_int -j ACCEPT
-A reject_func -p tcp -j REJECT --reject-with tcp-reset
-A reject_func -p udp -j REJECT --reject-with icmp-port-unreachable
-A reject_func -j REJECT --reject-with icmp-proto-unreachable
COMMIT
# Completed on Tue Apr 30 20:41:02 2019


Notes: The xx.xx and yy.xx IPs should be real and of course yours. The "eth0" should be replaced with the network device ID for your internal network. eth1 then is external. Port 81 in the example is for the special apache website for the DGG self-sign-in link. And it's likely your Ubuntu syntax will be different for some of this, especially the "-m recent" line.

Remember that permissions for the GOOD device file must be set to something the apache server can modify, the syntax for that is likely different for Ubuntu as well.

On a lighter note: We have functional Ubuntu 18.04.2 LTS installs that we'll be publishing shortly that will likely include an updated DGG specific to that distro.

[ruben23]

@William,

Can i ask for a complete Guide for Ubuntu Server 12.04.5, even i pay if its ok, still have no success on the install process

[williamconley]

We don't have an "install document" for Ubuntu. We just do the installation manually. Since each client's server is different (no Vicibox for Ubuntu any more), we never know what we're going to encounter but we do know how to install DGG and turn on / modify iptables.

You could use the bash instructions that auto-download during the DGG install for Vicibox and just modify them for Ubuntu one line at a time, adjusting for your environment (essentially, that's what we do). The only major difference is that the "clear" and "add" commands change based on the iptables recent module's implementation. CentOS, Gentoo, Debian/Ubuntu, OpenSuSE each have their own idiosyncrasies, and each person installs their own complications and firewall that get in the way and need to be shut off.

We charge the same to do the install regardless of distro if you want us to do it as we are used to wading in and making it work.