FOOD FOR THOUGHT iPBX or not to iPBX

Joined
Nov 19, 2007
Messages
180
Reaction score
8
I am about to rebuild my pbx system from scratch, and was going to use PIAF 1.7 and the Incredible PBX (iPBX) scripts to "automagically" set up most of the extra tools and fun stuff. However, in a recent post, it was stated that iPBX doesn't upgrade, and that instead a full re-install is necessary when upgrading.

Could anyone please clarify what is meant by that statement? Apart from the security adds, what are the pros & cons to going with iPBX instead of rolling my own extras into PIAF? The allure of pre-installed extras (Cepstral, scripts & dialplans, etc.) is pulling on me greatly.

Thanks
 

jroper

Guru
Joined
Oct 20, 2007
Messages
3,832
Reaction score
71
Hi

The incredible PBX is sort of an overlay to PIAF, providing training wheels for those that need them.

This means that the elements of PBX in a Flash (Asterisk, FreePBX, CentOS) can be upgraded in the same way as any other PiaF installation.

However, whatever Ward includes in the current version is what you get, and if he later releases another version with another element in it, there is no process to get the latest element automatically, so you will need to add it manually.

Go for the Incredible PBX if you feel you would benefit. My view would be to install only what you need: the less you have, the less there is to go wrong, and during the install process you get to learn how it goes together.

Joe
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,198
Reaction score
5,218
Think of the Incredible PBX as giving you a 5-year head start on Asterisk based upon our experience. It doesn't keep you from doing anything else you'd like to do. Did we mention it also happens to be rock-solid secure? :wink5:
 
Joined
Nov 19, 2007
Messages
180
Reaction score
8
Ok, I see. So in some ways it's a shortcut to where my system is today, where with my current system I had to add and update everything manually over time to get here. And, as in the case of some items like Fax support, I would get some things I have been too lazy to figure out how to add to my current system.

Beyond that, it's the same as I have now in that whenever something new comes along, I have to add it and maintain it manually (if the module doesn't include some type of self-maintenance). Oh, plus all the extra security ;)
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,198
Reaction score
5,218
Correct.

In addition, FreePBX is automatically updated and then preconfigured for Skype, faxing, conference bridges, SIP URIs, extensions, inbound and outbound routes, CallerID Superfecta, randomized passwords, IVRs, DISA, parking lots, ring groups, and free Google Voice calling in the U.S. and Canada. Try finding documentation that covers just the FreePBX stuff in Incredible PBX without countless hours of searching and reading. And that's before considering the dozens of voice-enabled apps that are all preconfigured and ready to use. :rolleyes:

Just because the Incredible PBX is simple to install doesn't mean that what's under the hood is simple if you know what I mean. :cool:

Not sure I'd liken the Incredible PBX to training wheels. That implies some sort of diminished functionality in exchange for simplicity and ease of use. Functionally, Incredible PBX is quite the opposite. It's really a steroid-enhanced, turnkey version of PBX in a Flash meaning it's ready to use out of the box. Some might say it's nothing you couldn't do yourself... over the next several years. :wink5: But why reinvent the wheel?

When new stuff comes out, just run the new app's install script. No need to start over EVER!
 

jroper

Guru
Joined
Oct 20, 2007
Messages
3,832
Reaction score
71
Hi

"Oh, plus all the extra security"

Correct me if I'm wrong, but I'm not sure that there is any extra security over and above a standard, up-to-date PiaF install.

I think it just comes with some advice to put it behind a hardware firewall without ports open, and the extensions and DISA have been configured with sensible random passwords.

Joe
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,198
Reaction score
5,218
Nothing you couldn't do with your decades of telephony experience, Joe. :wink5:
 
Joined
Nov 19, 2007
Messages
180
Reaction score
8
So to install, follow http://nerdvittles.com/?p=677 as much as applies (I do have GV and sipgate accounts, so I may set that up, too).

Then follow any fixes that may be listed in http://nerd.bz/b5KKCo thread.

Correct?

Thanks for all your help and advice. I may be spotty in my visits here, but that is really a testament to how well this stuff works without having to come here all the time.
 

jroper

Guru
Joined
Oct 20, 2007
Messages
3,832
Reaction score
71
We have been pushing security on these forums for a long time. As you said in a recent speech, in the early days we used to throw these boxes out on the internet with extension numbers and secrets the same, and not think anything more about it. We don't any more.

I hope that anyone reading your guides to install will, as a matter of course:

1. Put the system behind a hardware firewall unless there is a good reason not to.

2. Configure secure secrets for the extensions.

3. Use DISA and callback very carefully with good secure PINs.

Certainly if 2 and 3 are not followed, then you could be paying some expensive school fees to learn these lessons.

I would definitely not want the impression to be given that you need years of experience to do this stuff properly and securely.

Especially in the light of the efforts we have all made, you in particular, to make this accessible (and secure) to anyone and everyone who cares to give it a go.

But, when dealing with PBX systems, and for that matter, the Internet in general, some common sense has to be applied.

To apply common sense (i.e. Read the manual), I would contend, does not need years of experience.

Joe
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,198
Reaction score
5,218
Common sense tells me...

Most folks don't read the manual. :eekb:


My best advice is to follow this tutorial, http://nerdvittles.com/?p=677, line by line. Everything you need to know and do is all there in one place. There are no bug fixes that haven't been incorporated into the current build (as of today). And when you're finished...

It Just Works!
 

jroper

Guru
Joined
Oct 20, 2007
Messages
3,832
Reaction score
71
In the case where people do not read the manual concerning the use of a hardware firewall, given that you have the ports closed on the external firewall, you may as well close them on the PBX as well.

See IPTables script below:

This must be run as a script, not copied and pasted line by line into the console, or you will lock yourself out right after iptables -F.

Code:
#!/bin/sh
#
#   IPTABLES settings for PBX in a Flash systems, to only allow connections from the internal network.
#
#    Copyright (C) <2010>  <Jonathan Roper Star2billing S.L.>
#
#    This program is free software: you can redistribute it and/or modify
#    it under the terms of the GNU Affero General Public License as published by
#    the Free Software Foundation, either version 3 of the License, or
#    (at your option) any later version.

#    This program is distributed in the hope that it will be useful,
#    but WITHOUT ANY WARRANTY; without even the implied warranty of
#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#    GNU Affero General Public License for more details.

#    You should have received a copy of the GNU Affero General Public License
#    along with this program.  If not, see <http://www.gnu.org/licenses/>.
#     [email protected]
#

# Variables: the three RFC 1918 private ranges, and the TCP/UDP ports that hosts in
# those ranges may reach (lo:hi is a port range in iptables multiport syntax).
LANA="10.0.0.0/8"
LANB="172.16.0.0/12"
LANC="192.168.0.0/16"
TCPPORTS="22,80,4445,443,10000,9022,9080,9001"
UPDPORTS="69,123,69,53,4520,4569,5060,10000:20000"


# IPTABLES: flush all rules, zero the counters and delete user-defined chains,
# then build the ruleset from scratch (which is why this has to run as one script).
iptables -F
iptables -Z
iptables -X


# Replies to connections the PBX opened itself (trunk registrations, updates) come in
# as RELATED/ESTABLISHED; all outbound traffic and the loopback interface are open.
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -p all -j ACCEPT

# New connections from the internal ranges, on the listed ports only.
iptables -A INPUT -p tcp -m multiport --dports $TCPPORTS -s $LANA -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports $TCPPORTS -s $LANB -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports $TCPPORTS -s $LANC -j ACCEPT
iptables -A INPUT  -p udp -m multiport --dports $UPDPORTS -s $LANA -j ACCEPT
iptables -A INPUT  -p udp -m multiport --dports $UPDPORTS -s $LANB -j ACCEPT
iptables -A INPUT  -p udp -m multiport --dports $UPDPORTS -s $LANC -j ACCEPT

# SSH from anywhere, rate limited with the recent match. The two -I lines go to the
# top of INPUT (the second one ends up above the first), so a NEW SSH packet is checked
# against the source's recorded hits before it is recorded: a source gets two new
# connections per 600 seconds and the third is dropped.
iptables -A INPUT -p tcp --dport ssh -j ACCEPT
iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 600 --hitcount 2 -j DROP

# Answer pings, drop packets arriving on eth0 that claim to come from localhost,
# and reject everything else.
iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
iptables -A INPUT -p all -s localhost  -i eth0 -j DROP
iptables -A INPUT -j REJECT
iptables -A FORWARD -j REJECT

# Write the running ruleset to /etc/sysconfig/iptables so it is restored at boot.
service iptables save

This script prevents access from all external public IP addresses (except for SSH access), and only allows access from internal ranges, which are defined as:

  • 10.0.0.0/8
  • 172.16.0.0/12
  • 192.168.0.0/16
If you have chosen an IP address range other than the standard non-routable ones above, then you would have to make some changes to the script.

This allows trunks to register, as the connection is being initiated from inside the PBX, but will not allow any connections from the outside world of any type (other than pings and SSH).

This section is interesting:
Code:
iptables -A INPUT -p tcp --dport ssh -j ACCEPT
iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 600 --hitcount 2 -j DROP

This allows you to remotely manage the PBX externally via SSH, but it only allows you two connections in 600 seconds, so brute-force attacks will be stopped by this rule. So even without Fail2Ban running in the background, under the standard SSH configuration it allows 6 goes at getting the password correct in 10 minutes: on the first attempt, SSH allows you 3 goes to put in the password, then drops the connection; it allows you another three goes when you reconnect, then drops the connection; and IPTables will not let you reconnect for a further 10 minutes.

I suspect that a rule similar to this on port 5060 could be used to prevent brute force attacks on SIP, but we would have to get the timing correct.

If someone would like to test, a second pair of eyes is always a good thing.


Comments always welcome, and if this were added to the Incredible PBX, it would be fair to say that there is extra security!

Joe
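To make the "two connections in 600 seconds" arithmetic above concrete, here is a small Python model of the recent match's --set / --update --seconds --hitcount logic. It is an added illustration, not code from this thread or from PBX in a Flash. It assumes the kernel behaviour of xt_recent: --update counts only the timestamps already recorded for the source (the packet being checked is not yet in the list) and records the packet when it matches, while --set always records. The source addresses and times are constructed (RFC 5737 documentation addresses). It goes slightly beyond the post in two ways: it also shows what changes when the same two rules are appended with -A instead of inserted with -I, and it takes --seconds and --hitcount as parameters so the values can be varied, including for the port 5060 idea.

```python
from collections import defaultdict


class RecentTable:
    """Model of one xt_recent list: the timestamps recorded per source address.

    A --set rule records a timestamp; a matching --update rule also records one,
    so a source that keeps hammering keeps extending its own block."""

    def __init__(self):
        self.stamps = defaultdict(list)

    def set(self, src, now):
        self.stamps[src].append(now)

    def update_matches(self, src, now, seconds, hitcount):
        """--update --seconds S --hitcount N: match when the source already has at
        least N recorded timestamps within the last S seconds. The current packet is
        not counted (it has not been recorded yet); on a match it is recorded."""
        recent = [t for t in self.stamps.get(src, []) if now - t <= seconds]
        if len(recent) >= hitcount:
            self.stamps[src].append(now)
            return True
        return False


def inserted_order(table, src, now, seconds=600, hitcount=2):
    """Rule order the script produces: both rules were added with -I, so the
    --update/DROP rule sits above the --set rule. Check first, record second."""
    if table.update_matches(src, now, seconds, hitcount):
        return "DROP"
    table.set(src, now)
    return "ACCEPT"  # falls through to 'iptables -A INPUT -p tcp --dport ssh -j ACCEPT'


def appended_order(table, src, now, seconds=600, hitcount=2):
    """The same two rules added with -A in the written order: --set runs first, so
    the current packet is already in the list when --update counts, and one fewer
    connection gets through for the same --hitcount."""
    table.set(src, now)
    if table.update_matches(src, now, seconds, hitcount):
        return "DROP"
    return "ACCEPT"


def simulate(chain, attempts, **limits):
    """Run (source, time_in_seconds) NEW connection attempts through a chain and
    return the verdict for each, in order."""
    table = RecentTable()
    return [chain(table, src, when, **limits) for src, when in attempts]


# Constructed sample: one admin host opening three SSH sessions within a minute,
# an unrelated second host, and the admin trying again after the 600 s window.
ATTEMPTS = [
    ("203.0.113.5", 0),
    ("203.0.113.5", 30),
    ("203.0.113.5", 60),
    ("198.51.100.9", 61),
    ("203.0.113.5", 700),
]

if __name__ == "__main__":
    for label, chain in (("-I, as in the script", inserted_order),
                         ("-A, written order", appended_order)):
        print(label, simulate(chain, ATTEMPTS))
```

Two things the model makes visible: the match counts NEW TCP packets, not logins, so a retransmitted SYN on a lossy link or a second terminal window opened alongside the first uses up a slot just like a failed password guess does; and a source that keeps retrying while blocked keeps adding timestamps, so its block never expires until it goes quiet for the full window. For UDP 5060 the same counting applies to every packet that conntrack sees as NEW, which includes each periodic REGISTER from a legitimate phone once its conntrack entry has timed out, so the window and hit count would have to be chosen against the phones' registration interval.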
 

Bitnetix

Guru
Joined
May 21, 2009
Messages
323
Reaction score
0
I'm a fan of UDP 5060:5080 for SIP, since end points may use alternate ports to get around NAT issues. Not required for those that aren't reading manuals, though. I also like using fail2ban to monitor logs and use the banning this way, rather than rate limiting in iptables. I'm getting forgetful in my old age, and I forget to look at rate limits to figure out problems. Emails sent by fail2ban remind me why something got blocked.

Other than that (and the fact that I haven't actually run this) it looks good to my naked eye.
 

jroper

Guru
Joined
Oct 20, 2007
Messages
3,832
Reaction score
71
Hi

I can see that point of view. The SSH section with the rate limits was more of a mental exercise than anything else, as it intrigued me how this may be used to drop brute force attacks against SIP clients, and a small demonstration of what can be done with IPTables.

I'm also still keen on combining iptables and geo-ip blocking.

Joe
 

Baylink

Guru
Joined
May 9, 2009
Messages
75
Reaction score
3
The rate limiting hack is neat, Joe,

but I do see one possible problem with it: it doesn't distinguish, does it, between successful logins and failures?

Some people prefer to use multiple copies of, say, PuTTY to using screen to manage multiple logins, and they'll also only be able to get 2 logins.

I generally use Samhain's hosts.allow brute-force protector script; that's proven really useful for me, except for one case where an end user put a stupid password on a dictionary-named account...

which wouldn't be the case in a PIAF situation.
 

jroper

Guru
Joined
Oct 20, 2007
Messages
3,832
Reaction score
71
Hi

You could still maintain quite a lot of protection, just by changing the 2 to a higher number, and the 600 to a lower number.

Joe
 

Bitnetix

Guru
Joined
May 21, 2009
Messages
323
Reaction score
0
I live in screen. I have screens within screens. Best tool invented since the CRT for Unix. That and ssh port forwarding. :)
 

vanDivX

Guru
Joined
Aug 20, 2009
Messages
110
Reaction score
0
"192.168.0.0/16"

I don't quite understand networking this deep; would my LAN 192.168.1.x/255.255.255.0 fall under the above specification?

Also, instead of running the script (which I am not clear on how that is done; I suppose you need to place a file with this content into the root directory and then refer to it from the console with some run command...), how about editing the iptables file directly and putting in the appropriate lines?
I suppose since the above is a script, not all the lines would go into the iptables config file.
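As an added illustration for the two questions in this post (this is not code from the thread or from PBX in a Flash): a Python model of the address and port decisions the script's INPUT chain makes, driven by the variable block exactly as posted above. It assumes the iptables multiport limit of 15 port slots, where a lo:hi range counts as two, and it does not model connection state or the SSH rate limit; the sample sources are RFC 5737 documentation addresses. The first question (is 192.168.1.0/24 inside 192.168.0.0/16) is answered by lan_for.

```python
import ipaddress
import re

# Variable block copied from the script as posted (the duplicated 69 is in the original).
SCRIPT_VARS = '''
LANA="10.0.0.0/8"
LANB="172.16.0.0/12"
LANC="192.168.0.0/16"
TCPPORTS="22,80,4445,443,10000,9022,9080,9001"
UPDPORTS="69,123,69,53,4520,4569,5060,10000:20000"
'''


def parse_vars(text):
    """Pull NAME="value" assignments out of the script's variable block."""
    return dict(re.findall(r'^(\w+)="([^"]*)"$', text, re.MULTILINE))


def parse_ports(spec):
    """Expand an iptables multiport list ('22,80,10000:20000') into (lo, hi) pairs."""
    ranges = []
    for item in spec.split(","):
        lo, _, hi = item.partition(":")
        ranges.append((int(lo), int(hi or lo)))
    return ranges


def check_port_list(spec):
    """Return (slots_used, duplicate_entries): multiport takes at most 15 slots and a
    lo:hi range uses two, so this is the first thing to check before adding ports."""
    items = spec.split(",")
    slots = sum(2 if lo != hi else 1 for lo, hi in parse_ports(spec))
    dups = sorted({i for i in items if items.count(i) > 1})
    return slots, dups


class LanPolicy:
    """Model of the chain's LAN/SSH/ICMP decisions for a NEW inbound packet."""

    def __init__(self, var_text):
        v = parse_vars(var_text)
        self.lans = {k: ipaddress.ip_network(v[k]) for k in v if k.startswith("LAN")}
        # UPDPORTS is the variable name used in the script.
        self.ports = {"tcp": parse_ports(v["TCPPORTS"]), "udp": parse_ports(v["UPDPORTS"])}

    def lan_for(self, addr_or_net):
        """Name of the LAN variable covering an address or a whole subnet, else None."""
        net = ipaddress.ip_network(addr_or_net, strict=False)
        for name, lan in self.lans.items():
            if net.subnet_of(lan):
                return name
        return None

    def _port_listed(self, proto, dport):
        if dport is None or proto not in self.ports:
            return False
        return any(lo <= dport <= hi for lo, hi in self.ports[proto])

    def decide(self, src, proto, dport=None):
        """Verdict for a NEW packet from src; proto is 'tcp', 'udp' or 'icmp-echo'."""
        if self.lan_for(src) and self._port_listed(proto, dport):
            return "ACCEPT"  # multiport rule for the matching internal range
        if proto == "tcp" and dport == 22:
            return "ACCEPT"  # '--dport ssh -j ACCEPT' accepts any source (rate limit aside)
        if proto == "icmp-echo":
            return "ACCEPT"  # '--icmp-type 8'
        return "REJECT"      # the final 'iptables -A INPUT -j REJECT'


if __name__ == "__main__":
    policy = LanPolicy(SCRIPT_VARS)
    print("192.168.1.0/24 is covered by", policy.lan_for("192.168.1.0/24"))
    print("phone on the LAN, SIP:", policy.decide("192.168.1.20", "udp", 5060))
    print("outside host, SIP:", policy.decide("203.0.113.5", "udp", 5060))
    for name in ("TCPPORTS", "UPDPORTS"):
        print(name, check_port_list(parse_vars(SCRIPT_VARS)[name]))
```

On the second question: the text above is a shell script, so it is saved to a file (for instance /root/firewall.sh, a name chosen here for illustration), made executable with chmod +x and run with sh /root/firewall.sh. The final service iptables save line then writes the resulting rules to /etc/sysconfig/iptables, which is the "iptables file" the post asks about; that file is in iptables-save format rather than shell syntax, which is why the script's lines cannot be pasted into it as they are.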
 
