Integration of csf firewall for white listing add on

Discussions about new features or changes in existing features

Moderators: gerski, enjay, williamconley, Op3r, Staydog, gardo, mflorell, MJCoate, mcargile, Kumba, Michael_N

Integration of csf firewall for white listing add on

Postby martin.kudlek » Thu Dec 14, 2017 11:57 am

We have made a very good experience with this perl based csf firewall with asterisk and voip servers in our datacenterfor several years:

https://configserver.com/cp/csf.html

It is a perl script, producing a very powerful IPTABLES firewall. Setup is very easy and well documented. Big community with great forum support : https://forum.configserver.com/

We use the csf firewall with whitelisting, so we only allow a few ip addresses and domain names to communicate with the internet.

DynDns Domain names are checked every 300 seconds.

So it is very easy to set up a secure white listing firewall with csf in the datacenter and dynamic Ip addresses for the agents, e.g. home offices in combination with DynDns.
Each home office / agent has a dynamic IP with a DynDns Account or a static IP.

The configuration of the csf firewall is text based, all configuration files are in /etc/csf

To allow a static ip we make an entry in /etc/csf/csf.allow

Code: Select all
###############################################################################
# Copyright 2006-2014, Way to the Web Limited
# URL: http://www.configserver.com
# Email: sales@waytotheweb.com
###############################################################################
# The following IP addresses will be allowed through iptables.
# One IP address per line.
# CIDR addressing allowed with a quaded IP (e.g. 192.168.254.0/24).
# Only list IP addresses, not domain names (they will be ignored)
#
# Advanced port+ip filtering allowed with the following format
# tcp/udp|in/out|s/d=port|s/d=ip
# See readme.txt for more information

192.168.1.10

tcp|in/out|d=22|s=46.252.132.XX2/29
tcp|in/out|d=80|s=46.252.132.XX2/29
tcp|in/out|d=443|s=46.252.132.XX2/29
tcp|in/out|d=9001|s=46.252.132.XX2/29
udp|in/out|d=5060:5080|s=46.252.132.XX/29
udp|in/out|d=10000:60000|s=46.252.132.XX2/29



csf -r converts into iptables rules

we find the DynDns Domain names configuration in /etc/csf/csf.dyndns

Code: Select all
# Homeoffice banana001x
tcp|in/out|d=22|s=banana001x.dyndns.org
tcp|in/out|d=443|s=banana001x.dyndns.org
udp|in/out|d=5060:5065|banana001x.dyndns.org
udp|in/out|d=10000:65534|s=banana001x.dyndns.org




csf -r converts the domain name banana001x.dyndns.org into iptables rules, and updates are made periodically
Now my idea is to setup a white listing firewall with web maintenance from Vicidial.


We need two additional fields for phones and agents :

Firewall Domain Name will be written from phone/agents table into /etc/csf/csf.dyndns , one text entry for every agent / phone
Firewall Ip Address will be written from phone/agents table into /etc/csf/csf.allow , one text entry for every agent / phone


After every entry update of these files a csf -r is making an iptables Firewall update to make the new entries active

It would be a great deal to manage the Ip adresses for the csf firewall in this way

This would be a nice addon for a secure white listing firewall managed by vicidial.

Any ideas ? Any script warriors out there for this project ?

Martin
https://vicidial-hosting-europe.de +4921313864230
martin.kudlek
 
Posts: 10
Joined: Mon Feb 25, 2008 2:16 pm

Re: Integration of csf firewall for white listing add on

Postby blackbird2306 » Thu Dec 14, 2017 12:32 pm

Thank you for sharing this. Did you try Dynamic Good Guys from Williamconley@Poundteam (http://viciwiki.com/index.php/DGG)? That's the best way I know for whitelisting.
Vicibox 6.0.2 from Vicibox_v.6.0.x86_64-6.0.2.iso | Vicidial 2.12-560a build: 160617-1427 | Asterisk 1.8.32.3
blackbird2306
 
Posts: 222
Joined: Mon Jun 23, 2014 5:31 pm

Re: Integration of csf firewall for white listing add on

Postby martin.kudlek » Thu Dec 14, 2017 1:39 pm

csf firewall is not only good for whitelisting. In addition there are many other features like

Block traffic on a variety of Block Lists including DShield Block List and Spamhaus DROP List
Country Code blocking - Allows you to deny or allow access by ISO Country Code
lfd Clustering - allows IP address blocks to be automatically propagated around a group of servers running lfd. It allows allows cluster-wide allows, removals and configuration changes

you may also add your own ip rule sets in addition to his firewall in


csfpre.sh – To run external commands before csf configures iptables
csfpost.sh – To run external commands after csf configures iptables

It is one (not specialized) firewall with many features and works on every linux distro
https://vicidial-hosting-europe.de +4921313864230
martin.kudlek
 
Posts: 10
Joined: Mon Feb 25, 2008 2:16 pm

Re: Integration of csf firewall for white listing add on

Postby martin.kudlek » Thu Dec 14, 2017 2:05 pm

In addition this firewall has a nice blocking feature similar to fail2ban, searching for not allowed login attempts in the log files
https://vicidial-hosting-europe.de +4921313864230
martin.kudlek
 
Posts: 10
Joined: Mon Feb 25, 2008 2:16 pm

Re: Integration of csf firewall for white listing add on

Postby martin.kudlek » Wed Dec 20, 2017 1:21 pm

The csf firewall provides a dedicated configuration web page with access restrictions for IP and port

Please check first if install IO::Socket::SSL is installed.

The configuration of the web user interface is fixed at the section SECTION:Integrated User Interface
in /etc/csf/csf.conf

Example configuration :

Code: Select all
###############################################################################
# SECTION:Integrated User Interface
###############################################################################
# Integrated User Interface. This feature provides a HTML UI to csf and lfd,
# without requiring a control panel or web server. The UI runs as a sub process
# to the lfd daemon
#
# As it runs under the root account and successful login provides root access
# to the server, great care should be taken when configuring and using this
# feature. There are additional restrictions to enhance secure access to the UI
#
# See readme.txt for more information about using this feature BEFORE enabling
# it for security and access reasons
#
# 1 to enable, 0 to disable
UI = "1"

# Set this to the port that want to bind this service to. You should configure
# this port to be >1023 and different from any other port already being used
#
# Do NOT enable access to this port in TCP_IN, instead only allow trusted IP's
# to the port using Advanced Allow Filters (see readme.txt)
UI_PORT = "6963"

# Optionally set the IP address to bind to. Normally this should be left blank
# to bind to all IP addresses on the server.
#
# If the server is configured for IPv6 but the IP to bind to is IPv4, then the
# IP address MUST use the IPv6 representation. For example 1.2.3.4 must use
# ::ffff:1.2.3.4
#
# Leave blank to bind to all IP addresses on the server
UI_IP = ""

# This should be a secure, hard to guess username
#
# This must be changed from the default
UI_USER = "TmSOKeRv2sI7_r"

# This should be a secure, hard to guess password. That is, at least 8
# characters long with a mixture of upper and lowercase characters plus
# numbers and non-alphanumeric characters
#
# This must be changed from the default
UI_PASS = "HsWHE7BOt8pH_Tv"

# This is the login session timeout. If there is no activity for a logged in
# session within this number of seconds, the session will timeout and a new
# login will be required
#
# For security reasons, you should always keep this option low (i.e 60-300)
UI_TIMEOUT = "60"

# This is the maximum concurrent connections allowed to the server. The default
# value should be sufficient
UI_CHILDREN = "2"

# The number of login retries allowed within a 24 hour period. A successful
# login from the IP address will clear the failures
#
# For security reasons, you should always keep this option low (i.e 0-10)
UI_RETRY = "5"

# If enabled, this option will add the connecting IP address to the file
# /etc/csf/ui/ui.ban after UI_RETRY login failures. The IP address will not be
# able to login to the UI while it is listed in this file. The UI_BAN setting
# does not refer to any of the csf/lfd allow or ignore files, e.g. csf.allow,
# csf.ignore, etc.
#
# For security reasons, you should always enable this option
UI_BAN = "1"

# For security reasons, you should always enable this option and use ui.allow
UI_ALLOW = "1"

# If enabled, this option will trigger an iptables block through csf after
# UI_RETRY login failures
#
# 0 = no block;1 = perm block;nn=temp block for nn secs
UI_BLOCK = "1"

# This controls what email alerts are sent with regards to logins to the UI. It
# uses the uialert.txt template
#
# 4 = login success + login failure/ban/block + login attempts
# 3 = login success + login failure/ban/block
# 2 = login failure/ban/block
# 1 = login ban/block
# 0 = disabled
UI_ALERT = "4"

# This is the SSL cipher list that the Integrated UI will negotiate from
UI_CIPHER = "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:!kEDH"

# This is the SSL protocol version used. See IO::Socket::SSL if you wish to
# change this and to understand the implications of changing it
UI_SSL_VERSION = "SSLv23:!SSLv3:!SSLv2"

# If cxs is installed then enabling this option will provide a dropdown box to
# switch between applications
UI_CXS = "0"

# There is a modified installation of ConfigServer Explorer (cse) provided with
# the csf distribution. If this option is enabled it will provide a dropdown
# box to switch between applications
UI_CSE = "0"



Then put your permitted IPs into /etc/csf/ui/ui.allow,
only the IPs in this file are allowed to use the configuration web page

Then restart csf and lfd and you cann access the web configuration web page via https://ipaddress:6963

If you need a differnt port, just change UI_PORT = "6963" to your port

Here are some screenshots from the configuration web page


Image


Image


Image



All IPs for whitelisting go into /etc/csf/csf.allow, or via web interface look at Firewall Allow IPs (Static IPs) or domainnames in lfd Dynamic DNS (DynDns)

I would be great to manage the allowed ips and domainnames from the agent / phone interface from vicidial.

Any other ideas ?

Martin
https://vicidial-hosting-europe.de +4921313864230
martin.kudlek
 
Posts: 10
Joined: Mon Feb 25, 2008 2:16 pm


Return to Features

Who is online

Users browsing this forum: No registered users and 4 guests