Installing PortKnocker for VitalPBX
We will gradually be building the pieces to support a firewalld whitelist in lieu of wide open IPtables rules. We've decided to keep most of the VitalPBX firewalld setup because it is so slick.
As a first step, we have finished the PortKnocker build for firewalld which provides a backdoor for you to enable access from a remote IP address if you ever get locked out of your server. Test it to be sure it works before that fateful day.
At the moment, the WhiteList functionality is superfluous since the existing VitalPBX ruleset provides world access to SIP, PJSIP, IAX2, SSH, HTTP, and HTTPS. That means the only thing standing between your phone bill and the Bad Guys is Fail2Ban unless you install VitalPBX behind a hardware-based firewall.
Step #2 is to get all of the TM3 whitelist scripts reworked to emulate add-ip, add-fqdn, and del-acct using firewalld.
Step #3 will be to remove those wide open firewall rules from Admin:Security:Firewall:RULES. But don't do it yet.
You still can install PortKnocker and experiment now.
iptables -nL and /var/log/knockd.log both should show your whitelisted IP address after a successful PortKnock. Your PortKnocker credentials can be found in /root/knock.FAQ after the install finishes.
To install PortKnocker, issue the following commands after logging into your VitalPBX server as root:
```bash
cd /root
wget http://incrediblepbx.com/knock-vitalpbx.sh
chmod +x knock-vitalpbx.sh
./knock-vitalpbx.sh
```
As with other Incredible PBX TM3 implementations, IP addresses whitelisted using PortKnocker only last until the next reboot, or until you issue the command firewall-cmd --reload, or until you execute a firewall update from within the VitalPBX GUI.
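A small check for the "test it before that fateful day" advice above, added here as an example and not part of the post or of knock-vitalpbx.sh. It looks for the knocking address in the two places the post names, /var/log/knockd.log and the output of iptables -nL, and its exit status tells you whether the whitelist entry is still in place or has been dropped by a reload, GUI update or reboot. The file paths are parameters so it can also be run against saved copies; the knockd log line format used in the comments is assumed, not taken from the post.

```shell
#!/bin/sh
# Added example, not part of the original post or of knock-vitalpbx.sh.
# Usage: knock_verify <ip> [knockd-log] [saved-iptables-listing]
# Exit status: 0 = address found in both places, 1 = in only one, 2 = in neither.
knock_verify() {
    ip="$1"
    log="${2:-/var/log/knockd.log}"
    rules="$3"
    # Without a saved listing, snapshot the live ruleset (needs root).
    if [ -z "$rules" ]; then
        rules=$(mktemp)
        iptables -nL > "$rules" 2>/dev/null || true
    fi
    # Match the whole address only, so 10.0.0.1 does not match 10.0.0.10.
    pat=$(printf '%s' "$ip" | sed 's/\./\\./g')
    pat="(^|[^0-9.])${pat}([^0-9.]|$)"
    found=0
    # knockd writes one line per knock stage and one for a completed sequence
    # (assumed format, e.g. "[date time] 203.0.113.7: openSSH: OPEN SESAME").
    if grep -Eq "$pat" "$log" 2>/dev/null; then
        found=$((found + 1))
    else
        echo "knockd log ($log) has no entry for $ip: the knock never completed"
    fi
    # The whitelist rule lives only in the runtime ruleset, so it disappears on
    # firewall-cmd --reload, a GUI firewall update, or a reboot.
    if grep -Eq "$pat" "$rules" 2>/dev/null; then
        found=$((found + 1))
    else
        echo "iptables listing has no rule for $ip: knock again (was the firewall reloaded?)"
    fi
    case "$found" in
        2) echo "OK: $ip is whitelisted"; return 0 ;;
        1) return 1 ;;
        *) return 2 ;;
    esac
}
```

Run it as root right after knocking, e.g. `knock_verify 203.0.113.7`, and again after a firewall-cmd --reload to see the entry vanish.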