I HAVE A DREAM This is Just Me Venting

anomaly0617 (Member, joined Feb 9, 2012)
--- BEGIN DISCLAIMER ---
  • I love PBX in a Flash. It's been an awesome distro for a number of years.
  • Ward is a bada** who knows more than pretty much all of us combined about Asterisk and phone systems in general.
  • Anything said below is said out of frustration and not out of disrespect for Ward, PBX In a Flash, or the development team. It's constructive criticism at worst and helpful suggestions at best.
--- END DISCLAIMER ---

Let's get this out of the way:
  • PIAF 2.0.6.5 (Green, I believe, but could be Purple)
  • FreePBX 12.0.65.1
  • Asterisk 11.10.0
Now, with that out of the way, I need to vent about something.

If you have any question about my overall position or my loyalty to the product or anything else, please see the above and repeat until it's clear to you where I stand overall on the whole thing. Got it? Good.

Ward et al.: I'm getting really hacked off at the firewall settings and the fail2ban settings in PIAF.

I've been a network admin for a long friggin time. So long in fact that someone in Marketing decided I was no longer an admin and now I was an "Engineer" about 8 years ago. Then 3 years ago they prepended it with "Senior" to the front, as if I needed some help knowing that I was old.

PIAF installs with the firewall and fail2ban enabled by default. I have no problem with this. This is smart on the part of Ward and the dev team at PIAF. Because, well, not everyone has been a network administrator for 20 years. Many of the folks installing PIAF are hobbyists with little real networking experience. Many have never been hacked, never been DDoS'ed, never cleaned up ransomware because some MF'er in sales just HAD to open that email from someone he didn't know in case it was a hot lead and it infected not just his machine that he had no backup of, but also all the network drives he was mapped to, forcing us to roll back to last night's backup and losing everyone's work for the day.

So, with all that said, if you're reading along and you have PIAF installed somewhere with a direct external IP address to the internet, you need to rethink your plan. Install a decent (and separate) firewall. Not the one that came with PIAF. Not the one that you buy at Best Buy or Wal-Mart for $40-$100, because those things are a PoS. Get a spare PC, throw another network card in it, install pfSense, make the external network card your WAN interface (trust me, you'll thank me later after lightning takes it out and somehow miraculously leaves the motherboard alone), make the integrated motherboard network card your internal interface, and set as few NAT forwards as possible... and for (insert deity)'s sake, don't forward 5060 or any other SIP port to your PBX. You don't need it. Your PBX should initiate an outbound connection to your SIP provider for your trunk. Your phones should be internal to your network, or you should be using a strong VPN technology like IPSec with AES-256 SHA1 or greater for remote locations. That's my rant on firewalling.

With the above rant in mind and to repeat the overall point, I'm getting really hacked off at the firewall settings and the fail2ban settings in PIAF. As an experienced administrator I should be allowed to turn them off, but somehow they turn themselves back on. Sometimes after a reboot, sometimes not. To be honest I haven't noticed which it is. Either way, I do this so much I have a great little script for it, a la:

fwstop.sh
Code:
#!/bin/sh
# Flush every rule and user-defined chain in the filter, nat and mangle
# tables, set the default policies to ACCEPT so the empty chains pass
# everything, stop the services, and keep them from starting at boot.
echo "Stopping firewall and allowing everyone..."
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# Default policies to ACCEPT (an empty chain with a DROP policy would
# block everything, including the SSH session running this script).
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
# Stop the services for this boot...
/etc/init.d/iptables stop
/etc/init.d/ip6tables stop
/etc/init.d/fail2ban stop
# ...and disable them in runlevels 2-5 so they stay down after a reboot.
chkconfig --levels 2345 iptables off
chkconfig --levels 2345 ip6tables off
chkconfig --levels 2345 fail2ban off

Does great, until these services decide to re-enable themselves again.

Suddenly when a phone can't register for one reason or another (this could be any number of things from a bad password to whatever), fail2ban decides to block it and I'm trying to figure out why the damned thing won't work despite changing the password 6 times and copy and pasting it into the phone config and the PBX config.

Again, let's get this out of the way: Here's my pertinent line from my fail2ban jail.conf file, with anything in []'s being edited out for security reasons:
ignoreip = 127.0.0.1 [Location1]/24 [Location2]/24 [Location3]/24

Point is, I should have told fail2ban where to go with the lines above, and yet somehow, users can't get to UCP after they fail their passwords X number of times. Phones don't register after X number of failures. And inevitably, I log in to the PBX and I run my fwstop command and *magically* these things work.

Again, I get it.
I know why we need firewalls in general.
I know why we need fail2ban and I love what it does for me on publicly facing servers like our web servers.

But, Ward et al.: I'm a big boy. I've been pulling on my proverbial network "underroos" for a long time. Other distributions that do other things allow me to disable the firewall and fail2ban at my discretion and they *stay off*. How about giving us the ability to do the same with PIAF? Could I dig deep into it all and find where you've done it and disable and hack away? Sure I could, and I would likely find it and kill it, but the next time I upgrade, poof, there it is again. The next time I change out the PBX for a newer one, there it is again... How about we just disclaimer it to death but give those of us with some network experience the ability to do so?

Please?

I'll get off my soapbox now, but also follow it with this disclaimer...
--- BEGIN DISCLAIMER ---
  • I love PBX in a Flash. It's been an awesome distro for a number of years.
  • Ward is a bada** who knows more than pretty much all of us combined about Asterisk and phone systems in general.
  • Anything said below is said out of frustration and not out of disrespect for Ward, PBX In a Flash, or the development team. It's constructive criticism at worst and helpful suggestions at best.
--- END DISCLAIMER ---

Thanks (and with lots of respect and admiration for the product as a whole),
-Me.
 
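The "phone won't register, fwstop fixes it" symptom in the post above is cheaper to diagnose than to flush around: confirm whether the phone's address really sits inside the ignoreip list, then look at what the jail has actually banned. The script below is an added example, not code from the original post or from PIAF/Incredible PBX. It does the CIDR arithmetic for ignoreip entries in plain POSIX sh and pulls the banned addresses out of `fail2ban-client status <jail>` output. The jail name `asterisk-iptables`, the ignoreip value and the status text are constructed sample data; on a real box pass `--live`, the jail name and your own ignoreip line.

```shell
#!/bin/sh
# Added example, not part of the original post: check whether an address is
# covered by fail2ban's ignoreip before assuming it is whitelisted, and list
# what a jail has actually banned. Plain POSIX sh, no bashisms.

# Dotted-quad IPv4 address -> 32-bit integer.
ip_to_int() {
    printf '%s\n' "$1" | {
        IFS=. read -r a b c d
        echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
    }
}

# Exit 0 if address $1 lies inside $2, given as CIDR (192.168.10.0/24)
# or as a bare address (treated as /32, which is how ignoreip reads it).
ip_in_cidr() {
    net=${2%/*}
    bits=${2#*/}
    [ "$bits" = "$2" ] && bits=32
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# Exit 0 if address $1 is covered by any entry of the space-separated
# ignoreip value $2 (hostnames in ignoreip are not handled here).
ignored_by_fail2ban() {
    for entry in $2; do
        ip_in_cidr "$1" "$entry" && return 0
    done
    return 1
}

# Print the banned addresses from `fail2ban-client status <jail>` (on stdin).
banned_ips() {
    sed -n 's/.*IP list:[[:space:]]*//p'
}

# For every banned address on stdin, report whether ignoreip ($1) should
# have covered it. A ban inside ignoreip means the running fail2ban is not
# using the ignoreip you edited (jail.local overrides jail.conf, and fail2ban
# only reads its config at start or reload).
report_bans() {
    for ip in $(banned_ips); do
        if ignored_by_fail2ban "$ip" "$1"; then
            echo "$ip: banned although inside ignoreip"
        else
            echo "$ip: banned and not covered by ignoreip"
        fi
    done
}

# Constructed sample data: an ignoreip line shaped like the one in the post
# and the status output of a jail assumed to be named asterisk-iptables.
SAMPLE_IGNOREIP='127.0.0.1 192.168.10.0/24 10.20.0.0/16'
SAMPLE_STATUS='Status for the jail: asterisk-iptables
|- filter
|  |- Currently failed: 0
|  |- Total failed:     12
|  `- File list:        /var/log/asterisk/full
`- action
   |- Currently banned: 2
   |  `- IP list:       203.0.113.5 192.168.10.20
   `- Total banned:     4'

sample_report() {
    printf '%s\n' "$SAMPLE_STATUS" | report_bans "$SAMPLE_IGNOREIP"
}

# Live use on the PBX:
#   sh fail2ban-check.sh --live asterisk-iptables "127.0.0.1 192.168.10.0/24"
if [ "$1" = "--live" ] && command -v fail2ban-client >/dev/null 2>&1; then
    fail2ban-client status "$2" | report_bans "$3"
else
    sample_report
fi
```

Two practitioner notes that follow from the check: ignoreip entries added to jail.conf are lost when a package update replaces that file, which is one way the whitelist "disappears"; put overrides in jail.local, which fail2ban reads after jail.conf. And an address that shows up as "banned although inside ignoreip" is a sign the daemon was never restarted after the edit, not a sign that ignoreip is broken.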

wardmundy (Nerd Uno, joined Oct 12, 2007)
I'm still laughing. Didn't take it personally. I assume you're talking about Incredible PBX not PIAF which is not locked down by default. If you don't want IPtables or Fail2Ban, the easy answer is...

Code:
# Disable both services at boot (chkconfig's default runlevels apply when
# no --level is given), then reboot so the running instances go away too.
chkconfig iptables off
chkconfig fail2ban off
reboot

* EDIT* This obviously is NOT recommended practice. Security is all about layers of protection and the bundle of sticks. The less sticks in your bundle, the easier it is to break!
 

anomaly0617 (Member, joined Feb 9, 2012)
Thanks, Ward, and glad to know I didn't offend. And, I believe my current setup is PIAF Green or Purple with IncrediblePBX installed to it in addition, as it was from that era of installation. As I understand it now, IncrediblePBX is taking the place of FreePBX, correct?