FOOD FOR THOUGHT 2 questions out of curiosity

gentoobob

New Member
Joined
May 12, 2014
Messages
13
Reaction score
2
Several years ago I worked for a VoIP provider that provided hosted PBXs. They used Asterisk and FreePBX but modified some of it to their liking. Well, they had two particular procedures for doing things that made me recently wonder how they did it. I'd be curious if anyone on here knows.

1) Firewall - they had a way to whitelist IPs that successfully authenticated with their VoIP phone or softphone. No matter your location, as long as you registered your phone successfully, you could access the Web GUI, but until then you were blocked.

2) Phone Provisioning - normally you would configure the phone beforehand in the PBX before putting it on the end user's desk. They had it set up so you could pull a brand new phone from the box, specify the config server (ftp/tftp/http), reboot the phone, and the phone would not only display "Enter an extension:" but would also announce it; you enter the extension you want the phone to be, hit the # key, the phone would reboot, and come back up with the extension you put in. Of course the extension would have to be in the PBX beforehand.

I would definitely be interested if anyone has done this or knows where I could look, or could explain to me how they did it. The phone provisioning I can kind of understand how they did: they somehow scripted it to create a new .cfg file with the MAC address of the phone, but how? The firewall setup is interesting too and I'd like to hear about it as well.
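The provisioning flow in item 2, as an added worked example (not the provider's code, and not FreePBX's Endpoint Manager): unknown phones get a generic bootstrap config, and once an extension is claimed the server writes <MAC>.cfg with that extension's SIP credentials. Everything in it is assumed: the config-file syntax is a placeholder (each phone vendor has its own), the extension table is a constructed stand-in for the PBX's, and the "Enter an extension" step itself (an Asterisk dialplan Read()/AGI on the provisioning account that ends up calling claim()) is not shown. It does show the checks a quick script tends to skip: the MAC comes from the request URL, so it is validated before it becomes a filename; an extension can be bound to only one phone; and a replacement phone needs the old binding released first.

```python
"""
Zero-touch provisioning: bootstrap config for unknown phones, <MAC>.cfg once
an extension is claimed. Added example; all names, formats and data are assumed.
"""
import os
import re

MAC_RE = re.compile(r"^[0-9A-F]{12}$")

EXTENSIONS = {  # constructed stand-in for the PBX's extension table
    "201": {"secret": "xq7-Tz9-201", "name": "Front Desk"},
    "202": {"secret": "xq7-Tz9-202", "name": "Warehouse"},
}

# Placeholder config syntax; substitute the phone vendor's real template.
BOOTSTRAP_CFG = (
    "# bootstrap: register as the provisioning account, then dial in an extension\n"
    "sip.server = {server}\n"
    "sip.user = provision\n"
    "sip.secret = {prov_secret}\n"
)
DEVICE_CFG = (
    "# generated for {mac}\n"
    "sip.server = {server}\n"
    "sip.user = {ext}\n"
    "sip.secret = {secret}\n"
    "display.name = {name}\n"
)


def normalize_mac(raw):
    """'00:15:65:ab:cd:ef' -> '001565ABCDEF'; None if it is not a MAC at all."""
    mac = re.sub(r"[:\-.]", "", raw or "").upper()
    return mac if MAC_RE.match(mac) else None


class Provisioner:
    def __init__(self, directory, server, prov_secret):
        self.directory = directory
        self.server = server
        self.prov_secret = prov_secret
        self.bindings = {}  # ext -> mac, rebuilt from existing <MAC>.cfg files
        for name in os.listdir(directory):
            if name.endswith(".cfg") and MAC_RE.match(name[:-4]):
                with open(os.path.join(directory, name)) as f:
                    for line in f:
                        if line.startswith("sip.user = "):
                            self.bindings[line.split("=", 1)[1].strip()] = name[:-4]

    def _path(self, mac):
        return os.path.join(self.directory, mac + ".cfg")

    def config_for(self, raw_mac):
        """What the config server returns for GET /<mac>.cfg."""
        mac = normalize_mac(raw_mac)
        if mac is None:
            return None              # not a MAC: refuse before touching the filesystem
        if os.path.exists(self._path(mac)):
            with open(self._path(mac)) as f:
                return f.read()
        return BOOTSTRAP_CFG.format(server=self.server, prov_secret=self.prov_secret)

    def claim(self, raw_mac, ext):
        """Bind extension `ext` to the phone `raw_mac`; returns the cfg path written."""
        mac = normalize_mac(raw_mac)
        if mac is None:
            raise ValueError("invalid MAC")
        if ext not in EXTENSIONS:
            raise KeyError("unknown extension")       # must exist in the PBX first
        owner = self.bindings.get(ext)
        if owner is not None and owner != mac:
            raise PermissionError("extension already bound to another phone")
        cfg = DEVICE_CFG.format(mac=mac, server=self.server, ext=ext, **EXTENSIONS[ext])
        path = self._path(mac)
        with open(path, "w") as f:
            f.write(cfg)
        os.chmod(path, 0o640)        # the file carries the SIP secret
        self.bindings[ext] = mac
        return path

    def release(self, ext):
        """Admin action: unbind so a replacement phone can claim the extension."""
        mac = self.bindings.pop(ext, None)
        if mac and os.path.exists(self._path(mac)):
            os.remove(self._path(mac))
        return mac
```

The bind-once rule is the important part: without it, anyone who can reach the config server and guess a valid extension number can claim it and walk away with that extension's SIP secret. Serving the files over HTTPS rather than ftp/tftp, and rotating the secret when an extension is re-provisioned, are the other two things to add before putting something like this on the internet.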
 

billsimon

Well-Known Member
Joined
Jan 2, 2011
Messages
1,534
Reaction score
727
It looks like #1 would be accomplished as described by setting up some sort of hook or monitor that watches for phone registrations and then runs an iptables command to open HTTPS (or HTTP) upon seeing one. The same monitor could revoke the iptables rule when the phone unregisters, times out, or after a set period of time.

Sort of like an inverse fail2ban.
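billsimon's "inverse fail2ban" sketch, as an added worked example (not code from this thread, from FreePBX or from PIAF): a watcher that reads the Asterisk log, and on each successful registration inserts an iptables ACCEPT for the registering IP on the web GUI port, then removes it on unregister or after a TTL. SIP itself stays reachable from anywhere, which is how the phone can authenticate before it has been allowed anything else; only the web port is gated. The log wording, the port (443) and the TTL are assumptions; the sample lines in the test are constructed.

```python
"""
Registration-triggered allow list ("success2allow").

Added example. Assumes Asterisk chan_sip verbose lines like
    Registered SIP '201' at 203.0.113.7:5060
    Unregistered SIP '201'
(check the wording on your version, or feed AMI PeerStatus events to
handle_line instead). dry_run=True records the iptables commands instead
of running them.
"""
import re
import shlex
import subprocess
import time

REGISTERED = re.compile(
    r"Registered SIP '(?P<peer>[^']+)' at (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+")
UNREGISTERED = re.compile(r"Unregistered SIP '(?P<peer>[^']+)'")

WEB_PORT = 443      # port opened for registered phones (assumption)
TTL = 3600          # seconds a grant survives without a fresh registration


class AllowList:
    """Maps authenticated peers to iptables ACCEPT rules, one rule per IP."""

    def __init__(self, dry_run=True):
        self.dry_run = dry_run
        self.peers = {}      # peer -> (ip, expires_at)
        self.ip_refs = {}    # ip -> set of peers behind it (several phones per NAT)
        self.commands = []   # every iptables command issued, for audit and tests

    def _iptables(self, action, ip):
        cmd = ["iptables", action, "INPUT", "-s", ip, "-p", "tcp",
               "--dport", str(WEB_PORT), "-j", "ACCEPT"]
        self.commands.append(" ".join(shlex.quote(c) for c in cmd))
        if not self.dry_run:
            subprocess.run(cmd, check=True)

    def handle_line(self, line, now=None):
        """Feed one Asterisk log line; returns what was done, if anything."""
        now = time.time() if now is None else now
        m = REGISTERED.search(line)
        if m:
            return self.allow(m["peer"], m["ip"], now)
        m = UNREGISTERED.search(line)
        if m:
            return self.revoke(m["peer"])
        return None          # failed registrations etc. are fail2ban's business

    def allow(self, peer, ip, now):
        old = self.peers.get(peer)
        if old and old[0] != ip:          # phone moved to a new address
            self._release(peer, old[0])
        self.peers[peer] = (ip, now + TTL)
        refs = self.ip_refs.setdefault(ip, set())
        if not refs:                      # first peer behind this IP: insert rule
            self._iptables("-I", ip)
        refs.add(peer)
        return ("allow", peer, ip)

    def revoke(self, peer):
        entry = self.peers.pop(peer, None)
        if entry is None:
            return None
        self._release(peer, entry[0])
        return ("revoke", peer, entry[0])

    def _release(self, peer, ip):
        refs = self.ip_refs.get(ip, set())
        refs.discard(peer)
        if not refs:                      # last peer behind this IP: delete rule
            self.ip_refs.pop(ip, None)
            self._iptables("-D", ip)

    def expire(self, now=None):
        """Drop grants whose registration was not refreshed within TTL."""
        now = time.time() if now is None else now
        expired = [p for p, (_, exp) in self.peers.items() if exp <= now]
        for peer in expired:
            self.revoke(peer)
        return expired


if __name__ == "__main__":
    # tail -F /var/log/asterisk/full | python3 success2allow.py
    import sys
    al = AllowList(dry_run=False)
    for raw in sys.stdin:
        al.handle_line(raw)
        al.expire()
```

Two details matter in practice: the rule is inserted with -I so it lands above the default DROP, and the per-IP reference count stops one phone's unregister from cutting off a colleague behind the same NAT. The regex only handles IPv4; extend it if your peers register over IPv6.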
 

gentoobob

New Member
Joined
May 12, 2014
Messages
13
Reaction score
2
Thanks for the responses guys. It's just kinda fun to brainstorm about it.

lgaetz - yea I saw Travelin Man but it doesn't do it automatically. As for the EndPoint manager, you have to add the phone to the device list first, correct? With this company's setup, you can set up a phone without having to do that. It automatically creates the <MAC>.cfg file upon assigning it an extension.

billsimon - I agree. Something is monitoring it constantly. For premise-based PBX customers (non-hosted), they had their Asterisk box "call home" to them to get around customer firewalls. So it's like they set up a reverse SSH session so they could gain access to the PBX without the customer opening ports.
 

tm1000

Schmoozecom INC/FreePBX
Joined
Dec 1, 2009
Messages
1,360
Reaction score
78
Nothing exists like this for FreePBX that isn't proprietary. You'd have to code it yourself.

lgaetz - yea I saw Travelin Man but it doesn't do it automatically. As for the EndPoint manager, you have to add the phone to the device list first, correct? With this company's setup, you can set up a phone without having to do that. It automatically creates the <MAC>.cfg file upon assigning it an extension.
 

gentoobob

New Member
Joined
May 12, 2014
Messages
13
Reaction score
2
tm1000 - that is correct. Why I was asking if someone has done this or there is code out there. :)
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,168
Reaction score
5,199
The whole purpose of a WhiteList is to block devices that aren't on the list. So... I'm not sure how you would let a device authenticate and (only then) WhiteList the device. If it's blocked, how would it authenticate?? Travelin' Man 2 does this with a separate web interface, but it still requires the end-user to visit a special web link for a specific extension. In other words, you open a web port but not a SIP port until the device is authenticated.

I've actually been working on a new approach that would let you call a special number or perhaps send an email (both with a PIN), and then the firewall would be opened momentarily to let your new device register. But the patent has just been applied for so it's not soup yet. That's a patent joke.
 

gentoobob

New Member
Joined
May 12, 2014
Messages
13
Reaction score
2
LOL Got it. That seems like a great concept.

Well I'm assuming they left SIP 5060 open for authentication. I actually found one of the guys that used to work for this company and did some of the developing. Hopefully he gets back to me and I will share the info.
 

gentoobob

New Member
Joined
May 12, 2014
Messages
13
Reaction score
2
That sounds like a great theory so far. I will try to tinker with that this weekend if I can get some free time. Reverse Fail2Ban to be Success2Allow. lol Awesome.
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,168
Reaction score
5,199
I'm not a big fan of Fail2Ban because it has been proven that it can't protect against Denial of Service attacks from very powerful servers, e.g. Amazon. These servers can bombard you with so many attempts that fail2ban never gets a time slice to check the logs.
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,168
Reaction score
5,199
Please take a look at the Travelin' Man 4 Wish List and add your suggestions. IPtables is rock-solid and hooks directly into the Linux kernel thereby avoiding the log scanning shortcomings of Fail2Ban.
 

gentoobob

New Member
Joined
May 12, 2014
Messages
13
Reaction score
2
lgaetz - Pretty cool man! I like the effort! Keep me posted, see what we can do.

Wardmundy - Awesome. I will definitely check out Travelin Man and will add that to the Wish List as well. I agree with Fail2ban as well but it is better than nothing.
 

KUMARULLAL

Guru
Joined
Feb 20, 2008
Messages
243
Reaction score
28
I'm not a big fan of Fail2Ban because it has been proven that it can't protect against Denial of Service attacks from very powerful servers, e.g. Amazon. These servers can bombard you with so many attempts that fail2ban never gets a time slice to check the logs.

Check this out
http://cipherdyne.org/psad/docs/
Psad is a wonderful tool that stops port scanning in its tracks. (So if you change your ssh, http, https, etc. ports) no one will be able to use nmap to scan for open ports. It also stops DDoS attacks. It has many features.
IMPORTANT:
psad makes use of log messages that are generated by iptables/ip6tables as it logs (and drops) packets. Hence if your firewall is not configured to log packets, then psad will NOT detect port scans or anything else. Usually the best and most secure way to configure your firewall is to first put the minimal rules needed to allow only necessary traffic to and from your machine, and then have default drop-and-log rules toward the end of the firewall ruleset.

If you download psad as a tarball, just uncompress it and run the psad installation script install.pl from the psad sources directory:
# ./install.pl
You can install a new version of psad over an existing one; just run install.pl. The installation script will preserve any old configuration parameters when installing the new versions of psad, psadwatchd, and kmsgsd. If you don't need or want any old configurations to be preserved, just execute "./install.pl -n".
psad can be completely removed from the system by executing install.pl with the --uninstall option.

Here is a link of a good tutorial on installing and configuring psad on DigitalOcean ubuntu droplet.
You can use it for centos as well. Just follow the logic behind it.
https://www.digitalocean.com/commun...t-network-intrusion-attempts-on-an-ubuntu-vps
 

jroper

Guru
Joined
Oct 20, 2007
Messages
3,832
Reaction score
71
Hi

1) Firewall - they had a way to whitelist IPs that successfully authenticated with their VoIP phone or softphone. No matter your location, as long as you registered your phone successfully, you could access the Web GUI, but until then you were blocked.

Are we talking about port knocking, http://en.wikipedia.org/wiki/Port_knocking

Joe
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,168
Reaction score
5,199
Funny you would mention port knocking, jroper. It's been on our radar for a good long time. And we've finally found an implementation that we think would be a great PIAF addition. Links to the tutorials and RPMs are now in the PIAF source repo under knock. A great article is also available here. The knock-server project is hosted here. Also available on GitHub. In addition to the server software for most platforms, clients are available for virtually any platform including iPhones (PortKnock is $0.99) and Android devices (PortKnocker is free). Would be a good fit with Grandstream's Android phones obviously. Tutorial for Debian/Ubuntu/RaspberryPi/BBB platform is available here.

After three successful knocks in sequence, the software opens whatever ports desired on the IP address of the knocker using IPtables. Very simple for an end-user to get connected, regardless of technical skill set.

The real beauty of this solution is the fact that the "knock ports" never have to be opened on your server's firewall for this software to work. In order for the knocks to find their way to your server, you would have to map the 3 "knock" ports over if using a hardware-based firewall in front of IPtables.

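Both of the last two ideas, psad's scan detection (KUMARULLAL's post) and knockd's knock sequence (this post), run off the same input: the kernel log lines that iptables writes for packets it is about to drop. Here is an added worked example, not code from knockd, psad or this thread, that does both from those lines: three TCP SYNs to the right closed ports, in order, within a timeout, produce an ACCEPT rule for the knocker's IP; five or more distinct ports from one source inside a minute get flagged as a scan. It assumes the firewall ends with `iptables -A INPUT -j LOG --log-prefix "DROP: "` followed by `iptables -A INPUT -j DROP`; the sequence, timeouts, thresholds and the sample log lines are all constructed.

```python
"""
Port-knock and port-scan detection from iptables LOG lines (added example).
"""
import calendar
import re
import shlex
import time

KNOCK_SEQUENCE = (7000, 8000, 9000)   # TCP SYNs to these ports, in this order
SEQ_TIMEOUT = 5                       # seconds allowed between knocks
OPEN_PORT = 22                        # port granted to a successful knocker
SCAN_PORTS = 5                        # distinct ports from one source ...
SCAN_WINDOW = 60                      # ... within this many seconds = scan

SYSLOG_TS = re.compile(r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d+) (?P<hms>\d\d:\d\d:\d\d)")
IPT_LOG = re.compile(r"SRC=(?P<src>[\d.]+) .*?PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)")


def syslog_time(line, year=2014):
    """Syslog timestamps carry no year, so the caller supplies it."""
    m = SYSLOG_TS.match(line)
    if not m:
        return None
    t = time.strptime(f"{m['mon']} {m['day']} {year} {m['hms']}", "%b %d %Y %H:%M:%S")
    return calendar.timegm(t)


def parse(line):
    """(src, proto, dpt, syn, ts) for an iptables LOG line, else None."""
    m = IPT_LOG.search(line)
    ts = syslog_time(line)
    if not m or ts is None:
        return None
    return m["src"], m["proto"], int(m["dpt"]), " SYN " in line, ts


class Watcher:
    def __init__(self):
        self.knock_state = {}   # src -> (next index in sequence, ts of last knock)
        self.scan_state = {}    # src -> [(ts, dpt), ...] inside the window
        self.commands = []      # iptables commands that would be run
        self.alerts = []        # (src, sorted distinct ports) for detected scans

    def handle(self, line):
        p = parse(line)
        if p is None:
            return None
        src, proto, dpt, syn, ts = p
        self._scan(src, dpt, ts)              # every dropped packet counts here
        if proto == "TCP" and syn:            # knockd-style: only SYNs knock
            return self._knock(src, dpt, ts)
        return None

    def _knock(self, src, dpt, ts):
        idx, last = self.knock_state.get(src, (0, ts))
        if ts - last > SEQ_TIMEOUT:
            idx = 0                                           # too slow: start over
        idx = idx + 1 if dpt == KNOCK_SEQUENCE[idx] else 0    # wrong port resets
        if idx == len(KNOCK_SEQUENCE):
            self.knock_state.pop(src, None)
            cmd = ["iptables", "-I", "INPUT", "-s", src, "-p", "tcp",
                   "--dport", str(OPEN_PORT), "-j", "ACCEPT"]
            self.commands.append(" ".join(shlex.quote(c) for c in cmd))
            return ("open", src)
        self.knock_state[src] = (idx, ts)
        return None

    def _scan(self, src, dpt, ts):
        hits = [(t, d) for t, d in self.scan_state.get(src, []) if ts - t <= SCAN_WINDOW]
        hits.append((ts, dpt))
        self.scan_state[src] = hits
        ports = sorted({d for _, d in hits})
        if len(ports) >= SCAN_PORTS and not any(a[0] == src for a in self.alerts):
            self.alerts.append((src, ports))


def log_line(hms, src, dpt, proto="TCP", syn=True):
    """Constructed kernel log line in iptables LOG format (sample input only)."""
    flags = " SYN" if syn and proto == "TCP" else ""
    return (f"Jun  1 {hms} pbx kernel: DROP: IN=eth0 OUT= "
            f"MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC={src} DST=198.51.100.2 "
            f"LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO={proto} SPT=51234 DPT={dpt}"
            f" WINDOW=29200 RES=0x00{flags} URGP=0")
```

The interaction between the two is the thing to watch when running knockd next to psad for real: the knocks themselves are dropped-and-logged packets to three different ports, so they count toward psad's scan counters. Keep the scan threshold above the sequence length, or exempt the knock ports, or a legitimate knocker gets auto-blocked on the way in. Also note that a knock sequence is something a passive observer on the path can replay; it keeps scanners out, it is not authentication.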
 