QUESTION What to monitor for security?

visionlogic

Guru? Nope
Joined
Oct 11, 2009
Messages
117
Reaction score
33
I've made a test install of Incredible PBX 11 / PIAF on a fully exposed DigitalOcean server. Travelin' Man 2 and 3, and fail2ban are operational. But after reading various posts and articles I find myself still unsure of exactly what logs or command outputs I should be monitoring for security purposes. Perhaps I just missed a listing somewhere. Any tips would be much appreciated! Thanks!
 

Hyksos

Guru
Joined
May 28, 2011
Messages
474
Reaction score
70
Possibly none.. Hard to tell. When a machine is fully firewalled fail2ban is useless... and monitoring it is useless. When fully firewalled the only thing you want to monitor... is iptables and the in memory ruleset...

Why not start by posting your entire iptables file after you sanitize it to replace all public IPs with some other public IPs unrelated to you.
Also, why dual Travelin Man? Because V2 works by exposing stuff to the whole Public Internet... Better not to do that when possible.
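The point about watching iptables and the in-memory ruleset rather than fail2ban can be turned into a routine check. The script below is an added example, not code from this thread or from PIAF: it compares the rules saved in /etc/sysconfig/iptables with what `iptables-save` reports from the kernel and prints anything that differs. Counters and the timestamped comments are dropped because they change on every save, and the contents of the fail2ban-* chains are ignored by default because fail2ban rewrites them as it bans and unbans. The two dumps embedded in it are constructed for demonstration.

```python
"""Detect drift between the saved iptables ruleset and the one the kernel runs.

Added example, not code from the original thread. It assumes the rules were
saved with iptables-save to /etc/sysconfig/iptables (as in the thread) and
that `iptables-save` is on PATH when run with --live; the sample dumps below
are constructed for demonstration.
"""
import re
import subprocess

# Packet/byte counters on chain headers, e.g. ":INPUT DROP [12:3456]".
_COUNTER_RE = re.compile(r"\s*\[\d+:\d+\]$")

# fail2ban rewrites its own chains as it bans and unbans addresses, so their
# contents are expected to differ from the saved file and are not "drift".
DEFAULT_IGNORE_PREFIXES = ("-A fail2ban-",)


def normalize(dump: str, ignore_prefixes=DEFAULT_IGNORE_PREFIXES) -> set:
    """Reduce an iptables-save dump to a set of comparable rule lines."""
    rules = set()
    for raw in dump.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # comments carry timestamps that change on every save
        line = _COUNTER_RE.sub("", line)
        if line.startswith(ignore_prefixes):
            continue
        rules.add(line)
    return rules


def diff_rulesets(saved: str, running: str,
                  ignore_prefixes=DEFAULT_IGNORE_PREFIXES) -> dict:
    """Return rules present in one dump but not the other."""
    s = normalize(saved, ignore_prefixes)
    r = normalize(running, ignore_prefixes)
    return {
        "missing_from_running": sorted(s - r),
        "added_in_running": sorted(r - s),
    }


def running_ruleset() -> str:
    """The in-memory ruleset, as printed by iptables-save (needs root)."""
    return subprocess.run(["iptables-save"], check=True,
                          capture_output=True, text=True).stdout


# Constructed sample dumps: the running set has an INPUT rule the saved file
# lacks, plus a fail2ban ban entry that should not count as drift.
SAVED_SAMPLE = """\
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:fail2ban-SSH - [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j fail2ban-SSH
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A fail2ban-SSH -j RETURN
COMMIT
"""

RUNNING_SAMPLE = """\
# Generated by iptables-save v1.4.7
*filter
:INPUT DROP [88:7040]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [51:4020]
:fail2ban-SSH - [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j fail2ban-SSH
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2222 -j ACCEPT
-A fail2ban-SSH -s 203.0.113.9/32 -j REJECT --reject-with icmp-port-unreachable
-A fail2ban-SSH -j RETURN
COMMIT
"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1 and sys.argv[1] == "--live":
        with open("/etc/sysconfig/iptables") as fh:
            result = diff_rulesets(fh.read(), running_ruleset())
    else:
        result = diff_rulesets(SAVED_SAMPLE, RUNNING_SAMPLE)
    for key, rules in result.items():
        for rule in rules:
            print(f"{key}: {rule}")
```

Run it from cron with `--live` and mail any non-empty output; an empty result means the kernel is enforcing exactly the file you reviewed. Pass `ignore_prefixes=()` if you also want to see the current fail2ban bans in the diff.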
 

visionlogic

Guru? Nope
Joined
Oct 11, 2009
Messages
117
Reaction score
33
Possibly none.. Hard to tell. When a machine is fully firewalled fail2ban is useless... and monitoring it is useless. When fully firewalled the only thing you want to monitor... is iptables and the in memory ruleset...

Why not start by posting your entire iptables file after you sanitize it to replace all public IPs with some other public IPs unrelated to you.
Also, why dual Travelin Man? Because V2 works by exposing stuff to the whole Public Internet... Better not to do that when possible.

Why dual Travelin Man? Only because I followed the install outlined in the tutorial, including the installation of TM3.

Here is my sanitized copy of /etc/sysconfig/iptables -
Code:
# Generated by iptables-save v1.4.7 on Fri Mar  2 10:36:08 2012
*nat
:PREROUTING ACCEPT [7:608]
:POSTROUTING ACCEPT [36:2319]
:OUTPUT ACCEPT [36:2319]
COMMIT
# Completed on Fri Mar  2 10:36:08 2012
# Generated by iptables-save v1.4.7 on Fri Mar  2 10:36:08 2012
*mangle
:PREROUTING ACCEPT [1103:1400664]
:INPUT ACCEPT [1102:1400632]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [656:59330]
:POSTROUTING ACCEPT [656:59330]
COMMIT
# Completed on Fri Mar  2 10:36:08 2012
# Generated by iptables-save v1.3.5 on Tue Apr  1 11:35:49 2014
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:fail2ban-APACHE - [0:0]
:fail2ban-ASTERISK - [0:0]
:fail2ban-BadBots - [0:0]
:fail2ban-SSH - [0:0]
:fail2ban-VSFTPD - [0:0]
-A INPUT -p tcp -m tcp --dport 21 -j fail2ban-VSFTPD
-A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-BadBots
-A INPUT -p tcp -j fail2ban-APACHE
-A INPUT -j fail2ban-ASTERISK
-A INPUT -p tcp -m tcp --dport 22 -j fail2ban-SSH
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -m state --state RELATED -j ACCEPT
-A INPUT -p udp -m udp --sport 53 --dport 1024:65535 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A INPUT -p tcp -m tcp -s firstaddress.no-ip.biz --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 113 -j ACCEPT
-A INPUT -p tcp -m tcp -s firstaddress.no-ip.biz --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 83 -j ACCEPT
-A INPUT -p tcp -m tcp -s firstaddress.no-ip.biz --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp -s firstaddress.no-ip.biz --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp -s firstaddress.no-ip.biz --dport 9001 -j ACCEPT
-A INPUT -p tcp -m tcp -s firstaddress.no-ip.biz --dport 9080 -j ACCEPT
-A INPUT -p udp -m udp -s firstaddress.no-ip.biz --dport 4569 -j ACCEPT
-A INPUT -p udp -m udp -s firstaddress.no-ip.biz --dport 5000:5082 -j ACCEPT
-A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 32976 -j ACCEPT
-A INPUT -p tcp -m tcp -s firstaddress.no-ip.biz --dport 4445 -j ACCEPT
-A INPUT -p tcp -m tcp -s firstaddress.no-ip.biz --dport 5038 -j ACCEPT
-A INPUT -p udp -m udp --dport 123 -j ACCEPT
# NeoRouter Server requires TCP 44444 port opening
-A INPUT -p tcp -m tcp --dport 44444 -j ACCEPT
# NeoRouter Client uses 10.x private network
-A INPUT -s 10.0.0.0/8 -j ACCEPT
# Travelin Man 2 Web Interface Requires TCP Port 83 open
-A INPUT -p tcp -m tcp --dport 83 -j ACCEPT
# End of Travelin Man 2 addition
# Google Voice requires the next two port openings
-A INPUT -p udp -m udp --dport 5222 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5222 -j ACCEPT
# Other Trusted Providers
-A INPUT -p udp -m multiport -s outbound1.vitelity.net --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
-A INPUT -p udp -m multiport -s inbound1.vitelity.net --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
-A INPUT -p udp -m multiport -s atlanta.voip.ms --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
-A INPUT -p udp -m multiport -s chicago.voip.ms --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
-A INPUT -p udp -m multiport -s dallas.voip.ms --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
-A INPUT -p udp -m multiport -s houston.voip.ms --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
-A INPUT -p udp -m multiport -s losangeles.voip.ms --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
-A INPUT -p udp -m multiport -s newyork.voip.ms --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
-A INPUT -p udp -m multiport -s seattle.voip.ms --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
-A INPUT -p udp -m multiport -s tampa.voip.ms --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
-A INPUT -p udp -m multiport -s montreal.voip.ms --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
-A INPUT -p udp -m multiport -s montreal2.voip.ms --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
-A INPUT -p udp -m multiport -s toronto.voip.ms --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
-A INPUT -p udp -m multiport -s toronto2.voip.ms --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
-A INPUT -p udp -m multiport -s london.voip.ms --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
# DIDforsale only has an IP address and no FQDN = 209.216.2.211
-A INPUT -p udp -m multiport -s 209.216.2.211 --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
-A INPUT -p udp -m multiport -s callcentric.com --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
#-A INPUT -p udp -m multiport -s sipgate.com --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
-A INPUT -p udp -m multiport -s chi-out.voipstreet.com --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
-A INPUT -p udp -m multiport -s chi-in.voipstreet.com --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
-A INPUT -p udp -m multiport -s did.voip.les.net --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
-A INPUT -p udp -m multiport -s magnum.axvoice.com --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
-A INPUT -p udp -m multiport -s proxy.sipthor.net --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069 -j ACCEPT
-A INPUT -p udp -m multiport -s sip.voipwelcome.com --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069 -j ACCEPT
-A INPUT -p udp -m multiport -s incoming.future-nine.com --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
-A INPUT -p udp -m multiport -s outgoing.future-nine.com --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
-A INPUT -p udp -m multiport -s gw1.sip.us --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
-A INPUT -p udp -m multiport -s gw2.sip.us --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
-A INPUT -p udp -m multiport -s DEN.teliax.net --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
-A INPUT -p udp -m multiport -s LAX.teliax.net --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
-A INPUT -p udp -m multiport -s NYC.teliax.net --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
-A INPUT -p udp -m multiport -s ATL.teliax.net --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
-A INPUT -p udp -m multiport -s sms.intelafone.com --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
-A INPUT -p udp -m multiport -s gvgw1.simonics.com --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069 -j ACCEPT
# IPkall uses two IP addresses: 66.54.140.46 and 66.54.140.47
-A INPUT -p udp -m multiport -s 66.54.140.46 --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
-A INPUT -p udp -m multiport -s 66.54.140.47 --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
# End of Trusted Provider Section
# // New entry for cloud.iptables
-A INPUT -s 111.222.333.444 -j ACCEPT
# // End entry for cloud.iptables
# // New entry for MyNOIPthird.iptables
-A INPUT -p udp -m udp -s secondaddress.no-ip.biz --dport 5060:5069 -j ACCEPT
-A INPUT -p udp -m udp -s secondaddress.no-ip.biz --dport 4569 -j ACCEPT
-A INPUT -p tcp -m multiport -s secondaddress.no-ip.biz --dports 80,9080 -j ACCEPT
# // End entry for MyNOIPthird.iptables
# // New entry for MyNOIPfirst.iptables
-A INPUT -s thirdaddress.no-ip.biz -j ACCEPT
# // End entry for MyNOIPfirst.iptables
# // New entry for MyNOIPsecond.iptables
-A INPUT -s firstaddress.no-ip.biz -j ACCEPT
# // End entry for MyNOIPsecond.iptables
-A INPUT -p udp -m udp -s firstaddress.no-ip.biz --dport 69 -j ACCEPT
-A INPUT -p tcp -m tcp -s firstaddress.no-ip.biz --dport 9022 -j ACCEPT
-A INPUT -p udp -m udp -s firstaddress.no-ip.biz --dport 5353 -j ACCEPT
-A INPUT -s 10.0.0.0/8 -j ACCEPT
-A INPUT -s 127.0.0.0/8 -j ACCEPT
-A INPUT -s 172.16.0.0/12 -j ACCEPT
-A INPUT -s 192.168.0.0/16 -j ACCEPT
-A fail2ban-APACHE -j RETURN
-A fail2ban-ASTERISK -j RETURN
-A fail2ban-BadBots -j RETURN
-A fail2ban-SSH -j RETURN
-A fail2ban-VSFTPD -j RETURN
COMMIT
# Generated by iptables-save v1.3.5 on Tue Apr  1 11:35:49 2014
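One way to review a ruleset like the one above is to list every INPUT rule that ACCEPTs without a source restriction, since those are the services reachable from the whole Internet regardless of what Travelin' Man whitelists. The script below is an added example, not code from this thread or from PIAF; it parses iptables-save output and reports the unrestricted port rules. Anything with a `-s` match (including the no-ip.biz hostnames, which iptables resolves when the file is loaded) or an `-i` interface match is treated as restricted, and state-only rules such as ESTABLISHED are skipped. The embedded sample is an excerpt of the lines posted above.

```python
"""List INPUT ACCEPT rules that are not restricted to a source address.

Added example, not from the thread. It takes an iptables-save dump such as
the /etc/sysconfig/iptables file posted above and reports every rule in the
INPUT chain that accepts port traffic from any source, so the list can be
checked against the services that genuinely need to be reachable from the
whole Internet.
"""
import shlex


def _value_after(tokens, flag):
    """Return the argument following `flag`, or None if the flag is absent."""
    try:
        return tokens[tokens.index(flag) + 1]
    except (ValueError, IndexError):
        return None


def world_open_rules(dump: str) -> list:
    """Each entry: {"proto", "dport", "sport", "rule"} for an INPUT rule that
    jumps to ACCEPT with no -s (source) or -i (interface) match and matches on
    a port. State-only rules (e.g. --state ESTABLISHED) are skipped."""
    found, seen = [], set()
    for raw in dump.splitlines():
        line = raw.strip()
        if not line.startswith("-A INPUT ") or not line.endswith("-j ACCEPT"):
            continue
        tokens = shlex.split(line)
        if "-s" in tokens or "-i" in tokens:
            continue  # restricted by source address or by interface
        dport = _value_after(tokens, "--dport") or _value_after(tokens, "--dports")
        sport = _value_after(tokens, "--sport") or _value_after(tokens, "--sports")
        if dport is None and sport is None:
            continue
        proto = _value_after(tokens, "-p") or "any"
        key = (proto, dport, sport)
        if key in seen:
            continue  # the posted file lists TCP 83 twice
        seen.add(key)
        found.append({"proto": proto, "dport": dport, "sport": sport, "rule": line})
    return found


def audit_file(path: str) -> list:
    """Convenience wrapper for a saved ruleset on disk."""
    with open(path) as fh:
        return world_open_rules(fh.read())


# Excerpt of the ruleset posted above (constructed sample for demonstration).
SAMPLE_DUMP = """\
-A INPUT -p tcp -m tcp --dport 22 -j fail2ban-SSH
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --sport 53 --dport 1024:65535 -j ACCEPT
-A INPUT -p tcp -m tcp -s firstaddress.no-ip.biz --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 113 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 83 -j ACCEPT
-A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 32976 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 44444 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 83 -j ACCEPT
-A INPUT -p udp -m udp --dport 5222 -j ACCEPT
-A INPUT -s 10.0.0.0/8 -j ACCEPT
-A INPUT -p udp -m multiport -s 209.216.2.211 --dports 5060,5061 -j ACCEPT
"""

if __name__ == "__main__":
    import sys
    rules = audit_file(sys.argv[1]) if len(sys.argv) > 1 else world_open_rules(SAMPLE_DUMP)
    for r in rules:
        src = f" (sport {r['sport']})" if r["sport"] else ""
        print(f"{r['proto']:>4} dport {r['dport']}{src}  <- {r['rule']}")
```

Run it against /etc/sysconfig/iptables and go down the list asking, for each port, which service answers there and whether it really needs the whole Internet to reach it; the DNS reply rule shows up too because it is matched only by source port, which any sender can set. Note that the comment on TCP 83 says Travelin' Man 2 needs it, so disabling TM2 (as discussed later in the thread) is also the point at which that rule can go.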
 

visionlogic

Guru? Nope
Joined
Oct 11, 2009
Messages
117
Reaction score
33
If anyone has any comment or feedback I would much appreciate it. I'm just trying to find out what anyone's suggested best practice would be insofar as what logs, etc. to monitor for hack attempts. I've been checking the "full" log and CDR records within PIAF and have not seen anything unusual. But I'm unsure as to what else might warrant viewing.

Also, regarding TM2 - I read Ward's post HERE which stated in part "To disable Travelin' Man 2, comment out all the lines in /etc/asterisk/sip_custom_post.conf and change the Permit entries for each extension to 0.0.0.0/0.0.0.0 using FreePBX. Then restart Asterisk." I checked /etc/asterisk/sip_custom_post.conf and all extensions were already commented out. [I thought all extensions were commented out with #, but then realized that I needed to begin each line with ; to comment out. I made the changes and restarted.] I then made sure the Permit entries were 0.0.0.0/0.0.0.0 for each extension, and left the Deny box empty.

Again, thank you for any info or thoughts you have.
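For the "full" log, the lines worth counting are the chan_sip registration failures, which are also what fail2ban's asterisk filter keys on. The script below is an added example, not code from this thread or from PIAF: it tallies failed REGISTER attempts per source address from /var/log/asterisk/full and reports the addresses over a threshold. The line format is the chan_sip NOTICE that Asterisk 11 writes on a failed registration; check it against a real line from your own log before relying on the regex. The log lines embedded here are constructed. With the whitelist firewall posted earlier, a non-whitelisted address appearing in this report at all is itself a finding, because the firewall should have dropped the packets before Asterisk ever saw them. Asterisk 11 can also write a dedicated security log channel (configured in logger.conf), which is a cleaner source for the same events than the full log.

```python
"""Count failed SIP registration attempts per source address in an Asterisk
full log.

Added example, not from the thread. The line format is the chan_sip NOTICE
that Asterisk 11 writes to /var/log/asterisk/full on a failed REGISTER;
compare against your own log before relying on the regex. The log lines
below are constructed for demonstration.
"""
import re
from collections import Counter, defaultdict

FAILED_REG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '(?P<user>[^']*)' failed for "
    r"'(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?' - (?P<reason>.+)$"
)


def parse_failed_registrations(lines):
    """Yield (timestamp, source_ip, user, reason) for each failed REGISTER."""
    for line in lines:
        m = FAILED_REG_RE.match(line.rstrip("\n"))
        if m:
            yield m.group("ts"), m.group("ip"), m.group("user"), m.group("reason")


def failures_by_source(lines):
    """Map source IP -> {"count": n, "reasons": Counter, "users": set}."""
    summary = defaultdict(lambda: {"count": 0, "reasons": Counter(), "users": set()})
    for _ts, ip, user, reason in parse_failed_registrations(lines):
        entry = summary[ip]
        entry["count"] += 1
        entry["reasons"][reason] += 1
        entry["users"].add(user)
    return dict(summary)


def sources_over_threshold(lines, threshold=5):
    """Source addresses with at least `threshold` failures, busiest first."""
    summary = failures_by_source(lines)
    hits = [(ip, e["count"]) for ip, e in summary.items() if e["count"] >= threshold]
    return sorted(hits, key=lambda t: (-t[1], t[0]))


# Constructed sample: three failures from one address with different
# extensions (a guessing pattern), one successful registration, and a single
# wrong password from the legitimate phone's address.
SAMPLE_LOG = [
    "[2014-04-01 11:40:02] NOTICE[2214] chan_sip.c: Registration from '\"100\" <sip:100@203.0.113.5>' failed for '198.51.100.7:5060' - Wrong password",
    "[2014-04-01 11:40:03] NOTICE[2214] chan_sip.c: Registration from '\"101\" <sip:101@203.0.113.5>' failed for '198.51.100.7:5060' - No matching peer found",
    "[2014-04-01 11:40:03] VERBOSE[2214] chan_sip.c:     -- Registered SIP '200' at 192.0.2.10:5060",
    "[2014-04-01 11:40:04] NOTICE[2214] chan_sip.c: Registration from '\"102\" <sip:102@203.0.113.5>' failed for '198.51.100.7:5060' - No matching peer found",
    "[2014-04-01 11:41:10] NOTICE[2214] chan_sip.c: Registration from '\"200\" <sip:200@203.0.113.5>' failed for '192.0.2.10:5060' - Wrong password",
]

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            hits = sources_over_threshold(fh, threshold=3)
    else:
        hits = sources_over_threshold(SAMPLE_LOG, threshold=3)
    for ip, n in hits:
        print(f"{ip}: {n} failed registrations")
```

Beyond the raw count, the `users` set per address is the useful field: one address failing against many different extension names is a different situation from one phone with a mistyped secret, and the summary lets you tell them apart before deciding whether anything is wrong.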
 
