FYI Can PIAF IPTables Security become an optional install?

hillclimber

New Member
Joined
Nov 17, 2008
Messages
19
Reaction score
4
Having now had time to study and test the latest most-delightful Ubuntu server/installer with an eye towards adding the VOIP stuff on to this professional web server known as BOA, I can offer these comments and suggestions.

The opportunity for open-source developers to build Twilio/OpenPBX-like stuff using PIAF and Drupal on Ubuntu/Debian, to me, seems fantastic. As do accompanying client-facing customer interfaces, like A2Billing, which conceivably lower the barrier of entry for anyone to really start their own VOIP services company, using PIAF. Or, simply customize PIAF plus a Drupal/CRM web interface to spec. for a client project.

The only incompatibility of using PIAF with this professional web server known as BOA to overcome, so far as I can see, has to do with the security model of PIAF, which uses IPTables. Also, PIAF isn't really 100% open-sourced code à la GIT on Github like this professional web server, which uses CSF firewall (here's a 2nd citation for CSF firewall [EDIT: that page says CSF Firewall actually requires IPtables, and double-checks to see if it is installed first]), so GIT code merging isn't really an option it seems. I think, but am uncertain, and surely welcome comments.

So, would it at least be possible perhaps, for the IPtables security stuff to become an optional step of the PIAF installer, which can simply be bypassed? Then, perhaps PIAF Ubuntu VOIP stuff could be installed without conflict on this professional web server known as BOA. For one thing, I think it is fair to say the firewall security model of this professional web server is well-tested and mature, so I'd prefer to use it, especially for anything actually client-facing over the internet. (and I just got really good with free Class 1 NGINX SSL certificates, which can be documented for others soon, to accompany such an Ubuntu web front-end installation recipe).

There is some conflict between the PIAF and BOA server installers. PIAF uses Apache and BOA uses NGINX, but I don't think this is anything like a show-stopper, and they don't necessarily conflict. Only redundant resources are wasted. This aspect doesn't seem too discouraging. Also, PIAF uses MySQL and BOA ditched that long ago, using MariaDB instead; and I never noticed the difference personally as a developer.

Of course I had to dig into Port Knocking, which was kind of on My To-do List for a long time already, and tried to install Ward's program, which led to the error message, "IPTables is not installed", on this professional web server known as BOA, which was interesting, and then I studied up some more on CSF firewall. Turns out Port Knocking on CSF firewall can be turned on with a simple config setting, so now I'm much more secure than before this study! I learned something today about tools I've been using for years already. Thanks for the push!

One last note for others is I previously thought it best to use a non-standard SSH port, and not use Port 22. An obscurity thing, of course. No, turns out that can be risky, so port knocking is really important to set up.

EDIT: Time has passed since this was written, and it seems only fair to add more notes on using the CSF Server Webmin GUI, in case anyone tries to test-drive the Drupal BOA server linked to several times above. When/if you install BOA, to access the CSF Firewall GUI, you must first upload its webmin module at /etc/csf/csfwebmin.tgz (or /usr/local/csf/csfwebmin.tgz; I see now actually it is a symlink in /etc/csf). HOWEVER, before you can do that, you must first install webmin.

It is best to use the easier to write/read/understand instructions: The first time you install BOA using the script on Github, a new install preferences file will be created at /root/.barracuda.cnf. You must edit this file and then perform a standard Barracuda update, which must be performed from time to time, and is good to learn how to do.

Here's mostly copy/pasted text that came from here:, and also here:
Add any package like Collectd, chive at a later moment

$ vim .barracuda.cnf
PDS --- fast DNS cache server (pdnsd) (default)
BND --- Bind9 DNS Server
SLR --- MultiCore Apache Solr Tomcat (Not interesting anymore, now that I have discovered the ELK Stack! Here's a guide to install the log-centralizing/indexing server, best in its own Ubuntu virtual machine IMHO)
CHV --- Chive DB Manager (default, much more secure than using PHPmyAdmin)
BDD --- SQL Buddy DB Manager
CGP --- Collectd Graph Panel
WMN --- Webmin Control Panel
CSF --- csf/lfd Firewall (default)
CSS --- Compass Tools (available on Squeeze, Wheezy, Precise and Trusty)
FTP --- Pure-FTPd server with forced FTPS
FMG --- FFmpeg support
GIT --- Latest Git from sources

Add the shortcodes from above, like this: _XTRAS_LIST='CSF CGP'
Run update:
barracuda up-stable
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
15,234
Reaction score
2,667
Not sure where this is headed?? Are you pushing a new product? If so, what are the benefits and what does it do that anyone here would need?

Let's also be sure we're talking about the same things. PBX in a Flash is one product. Incredible PBX is another. In some iterations, Incredible PBX will run on top of existing PIAF servers. In others, it's a standalone install from a base operating system, e.g. Ubuntu, CentOS 7, and Raspbian.

As delivered, PBX in a Flash includes IPtables, but there are no rules that lock down access in any way. The same holds for some of the original releases of Incredible PBX. In most cases, sites were locked down using Travelin' Man 3 which is an add-on module that locks down and then manages IPtables. Port knocker is an additional add-on used in conjunction with Travelin' Man 3 to assist in managing IPtables from remote sites.

With the Ubuntu flavor of Incredible PBX and the just released Incredible PBX for CentOS 7, PBX in a Flash isn't installed at all. IPtables is completely locked down as part of the Incredible PBX install. Stated another way, the functionality of Travelin' Man 3 has been incorporated into the initial build. On any of these systems, you can always disable IPtables (AT YOUR OWN RISK!) by issuing the commands: service iptables stop && service ip6tables stop.
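The difference described above between IPtables merely being installed and IPtables actually restricting access can be read off a rule dump. The following is an added example, not part of the original posts and not code from PIAF or Incredible PBX; the function name and both sample dumps are constructed, and the input is assumed to be in `iptables-save` text format.

```shell
#!/bin/sh
# Added example: classify the filter/INPUT chain of an iptables-save dump (stdin).
#   default-deny    policy DROP, or the last INPUT rule is an unconditional DROP/REJECT
#   open            policy ACCEPT and no INPUT rules at all (installed, not locked down)
#   default-accept  policy ACCEPT with some rules, but nothing catches the remainder
input_chain_status() {
    awk '
        /^\*/             { table = substr($1, 2) }   # "*filter", "*nat", ...
        table != "filter" { next }
        $1 == ":INPUT"    { policy = $2 }
        $1 == "-A" && $2 == "INPUT" {
            rules++
            # Unconditional rule: "-A INPUT -j DROP" or "-A INPUT -j REJECT ..."
            catchall = ($3 == "-j" && ($4 == "DROP" || $4 == "REJECT"))
        }
        END {
            if (policy == "")                      print "no-filter-table"
            else if (policy == "DROP" || catchall) print "default-deny"
            else if (rules == 0)                   print "open"
            else                                   print "default-accept"
        }
    '
}

sample_open() {      # constructed: IPtables present, nothing restricted
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
EOF
}

sample_locked() {    # constructed: whitelist lockdown; 192.0.2.10 is a documentation address
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.0.2.10/32 -j ACCEPT
COMMIT
EOF
}
echo "open sample:   $(sample_open | input_chain_status)"
echo "locked sample: $(sample_locked | input_chain_status)"
```

On a live host the same function can be fed with `iptables-save | input_chain_status` as root. It inspects only the INPUT chain itself; rules in user-defined chains that INPUT jumps to are not followed.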
 

hillclimber

New Member
Joined
Nov 17, 2008
Messages
19
Reaction score
4
Would it be possible to exclude some server things not having to do with VOIP, (having to do with firewalls), from being installed along with the terrific NerdVittles VOIP stuff at the time of installation? This is due to technical conflicts with other, proven, client-facing *web* server installs, having tested as much as I possibly can in combination and given the subject thought.

In doing so, developers have another Really Good VOIP services business option, than using OpenPBX/Twilio stuff; which isn't really Asterisk/FreePBX stuff at all, but PLEASE do not quote me on that as I am only trying to reply, given my available time for such a reply.

Actually, since I started to write my forum post, I have studied and have since provided secondary citations within my original post, that CSF Firewall in fact uses IPTables, so there actually is no conflict technically. Only, it would be wonderful if there were no technical conflicts of installing one thing over the other, for reasons I have already tried to state. Why doesn't NerdVittles consider using CSF Firewall then, for example, as I've tried to make my case? Otherwise, I hope not to argue, as I'm in admiration for all the VOIP stuff from The Team I use daily. Only from a technical perspective, in a perfect world, if all open-source code was in fact published using GIT for example, forking and merging (or whatever, as my skills within GIT must improve) becomes nonchalant. Essentially this is what I'm talking about, as a developer trying to take what is available, and to build useful stuff; which might also be useful to others, and possibly lead the way. Or to at least be entrepreneurial.
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
15,234
Reaction score
2,667
Incredible PBX is open source GPL2 code. Within the terms of the GPL2 license, you can modify it to suit your needs in any way you like. That's what open source is all about.

As for our moving to git, it's probably not going to happen for a whole host of reasons. Doesn't mean you can't push up a copy of our code or your modified code if you desire.
 

hillclimber

New Member
Joined
Nov 17, 2008
Messages
19
Reaction score
4
As a developer on a hot Summer Sunday, reading your reply knowing you are a lawyer well-versed in such contracts, this is good to know.
 
