QUESTION Securing Server and Removing knockd?

Discussion in 'Help' started by WinstonPoppycock, Sep 11, 2018.

  1. WinstonPoppycock

    WinstonPoppycock New Member

    Joined:
    Sep 11, 2018
    Messages:
    2
    Likes Received:
    0
    I consider myself somewhat technologically abled but working with Incredible PBX, VPSs, and networking definitely is getting my hands dirtier than I thought it would. I have several endpoints that have dynamic IPs and it's not really feasible to have them connect through a VPN.

    (1) I am considering disabling knockd, changing my SSH port, and using fail2ban as the only means of security (with the obviously super long and complex password). Is this a horrible idea?
    (2) Additionally, I've been having difficulty disabling or removing knockd. When I disable it as a service, upon restarting the VPS, it needs to be re-enabled again, before I'm able to connect to it.
    (3) Lastly, I've been trying to grasp the difference between a regular SIP provider and a SIP trunk provider. It seems as though they're the same thing, no?

    Any help or input on any of the above is certainly appreciated. Thanks.
     
  2. jerrm

    jerrm Guru

    Joined:
    Sep 23, 2015
    Messages:
    405
    Likes Received:
    153
    If you can't connect without knockd, it sounds like you do not have your IP address(es) whitelisted. Have you set up dynamic DNS records for you and your endpoints and then whitelisted them with the add-fqdn script?

    If you don't want to use the whitelist approach, you will need to do a lot more than just disable knockd.
     
    WinstonPoppycock likes this.
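The whitelist approach described above, as an added example that is not part of the original thread and is not Incredible PBX's add-fqdn script: a POSIX sh refresh that resolves each endpoint's dynamic DNS name with getent, validates every result before it reaches iptables, and rebuilds a dedicated chain that is hooked into INPUT. The chain name DYNWHITELIST, the DRY_RUN switch and the cron-driven use are assumptions; when DNS returns nothing the chain is left as it was, so a resolver outage cannot lock out every phone at once.

```sh
#!/bin/sh
# Added example: refresh an iptables whitelist chain from dynamic DNS names.
# Not Incredible PBX's add-fqdn script; chain name, DRY_RUN and usage are assumptions.
# Usage: DRY_RUN=0 sh dynwhitelist.sh office.example.com home.example.com
# Run it from cron (e.g. every 5 minutes) so address changes are picked up.

WHITELIST_CHAIN="${WHITELIST_CHAIN:-DYNWHITELIST}"   # assumed chain name
DRY_RUN="${DRY_RUN:-1}"                              # 1 = print commands, 0 = apply

# is_ipv4 ADDR: true only for a dotted quad with four octets in 0-255.
# Resolver output is the only thing that reaches iptables, so it is checked.
is_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    _n=0
    _oldifs=$IFS; IFS=.
    for _o in $1; do
        _n=$((_n + 1))
        if [ "${#_o}" -gt 3 ] || [ "$_o" -gt 255 ]; then IFS=$_oldifs; return 1; fi
    done
    IFS=$_oldifs
    [ "$_n" -eq 4 ]
}

# resolve_ipv4 NAME: print the name's IPv4 addresses, one per line.
resolve_ipv4() {
    getent ahostsv4 "$1" 2>/dev/null | awk '{ print $1 }' | sort -u
}

# build_whitelist_rules CHAIN ADDR...: print the iptables commands that
# recreate CHAIN with one ACCEPT per valid address and hook it into INPUT.
build_whitelist_rules() {
    _chain=$1; shift
    echo "iptables -N $_chain 2>/dev/null || true"
    echo "iptables -F $_chain"
    for _ip in "$@"; do
        if is_ipv4 "$_ip"; then
            echo "iptables -A $_chain -s $_ip/32 -j ACCEPT"
        else
            echo "skipping invalid address: $_ip" >&2
        fi
    done
    echo "iptables -A $_chain -j RETURN"
    echo "iptables -C INPUT -j $_chain 2>/dev/null || iptables -I INPUT 1 -j $_chain"
}

# refresh_whitelist NAME...: resolve every name and rebuild the chain.
# Leaves the chain untouched when nothing resolves (DNS outage), so a
# resolver failure never locks out every endpoint.
refresh_whitelist() {
    _addrs=""
    for _name in "$@"; do
        for _ip in $(resolve_ipv4 "$_name"); do
            _addrs="$_addrs $_ip"
        done
    done
    if [ -z "$_addrs" ]; then
        echo "no addresses resolved; chain $WHITELIST_CHAIN left untouched" >&2
        return 1
    fi
    # shellcheck disable=SC2086  # intentional word splitting of the address list
    build_whitelist_rules "$WHITELIST_CHAIN" $_addrs | while read -r _cmd; do
        if [ "$DRY_RUN" = 1 ]; then
            echo "$_cmd"
        else
            sh -c "$_cmd"
        fi
    done
}

# Top level: only act when names were given on the command line, so the
# functions can also be sourced without side effects.
if [ "$#" -gt 0 ]; then
    refresh_whitelist "$@"
fi
```

Run it with DRY_RUN=1 first and read the printed commands; the chain is inserted at position 1 of INPUT, so it admits whitelisted addresses before any other rule, which is the same trade-off the add-fqdn whitelist makes.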
  3. kyle95wm

    kyle95wm Phone Genius Owner

    Joined:
    Apr 16, 2016
    Messages:
    426
    Likes Received:
    81
    This is where my iptables rules come in:

    Code:
    #!/bin/bash
    
    fqdn=""
    
    echo "Welcome to the Phone Genius firewall installer"
    read -p "The current server's FQDN is set to $(hostname -f). If you would like to use this name, press the ENTER key, or type in the FQDN you would like to use. This is the FQDN SIP endpoints will be allowed to register to " fqdn
    
    if [ -z "$fqdn" ] ; then
        fqdn=$(hostname -f)
    fi
    
    echo "We will use $fqdn for your firewall rules."
    read -p "Please press ENTER key to confirm, or ctrl+c to abort."
    
    echo "Backing up Incredible PBX firewall rules"
    mv "/etc/sysconfig/iptables" "/etc/sysconfig/iptables.incredible"
    
    echo "Now installing Phone Genius firewall rules...."
    touch /etc/sysconfig/iptables
    cat > /etc/sysconfig/iptables <<EOF
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD DROP [0:0]
    :OUTPUT ACCEPT [0:0]
    :ICMPALL - [0:0]
    :IPSPF - [0:0]
    :ASIP - [0:0]
    :DPTS - [0:0]
    :RLMSET - [0:0]
    -A INPUT -p tcp --dport 5060:5082 -m conntrack --ctstate RELATED,ESTABLISHED -m recent ! --rcheck --name MYSIP -j DROP
    -A INPUT -m conntrack --ctstate INVALID -j DROP
    -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -m recent --update --name RLM --seconds 600 --hitcount 1 -j DROP
    -A INPUT -p icmp --icmp-type 255 -j ICMPALL
    # Allow DHCP traffic
    -A INPUT -p udp --sport 67:68 --dport 67:68 -j ACCEPT
    -A INPUT -i eth+ -j IPSPF
    # Replace 22 with your server's SSH port if you have moved SSH off port 22!
    -A INPUT -p tcp --dport 22 -j ACCEPT
    -A INPUT -j ASIP
    -A INPUT -j DPTS
    -A INPUT -m limit --limit 10/min -j LOG
    -A INPUT -j DROP
    -A ICMPALL -p icmp --fragment -j DROP
    -A ICMPALL -p icmp --icmp-type 0 -j ACCEPT
    -A ICMPALL -p icmp --icmp-type 3 -j ACCEPT
    -A ICMPALL -p icmp --icmp-type 4 -j ACCEPT
    -A ICMPALL -p icmp --icmp-type 8 -j ACCEPT
    -A ICMPALL -p icmp --icmp-type 11 -j ACCEPT
    -A ICMPALL -p icmp -j DROP
    # Drop packets FROM bogon IPv4 addresses
    # Delete the line below if your server uses this range:
    -A IPSPF -s 10.0.0.0/8 -j DROP
    # Same as above
    -A IPSPF -s 172.16.0.0/12 -j DROP
    # Same as above
    -A IPSPF -s 192.168.0.0/16 -j DROP
    -A IPSPF -s 0.0.0.0/8 -j DROP
    -A IPSPF -s 100.64.0.0/10 -j DROP
    -A IPSPF -s 127.0.0.0/8 -j DROP
    -A IPSPF -s 169.254.0.0/16 -j DROP
    -A IPSPF -s 192.0.0.0/24 -j DROP
    -A IPSPF -s 192.0.2.0/24 -j DROP
    -A IPSPF -s 198.18.0.0/15 -j DROP
    -A IPSPF -s 198.51.100.0/24 -j DROP
    -A IPSPF -s 203.0.113.0/24 -j DROP
    -A IPSPF -s 224.0.0.0/4 -j DROP
    -A IPSPF -s 240.0.0.0/4 -j DROP
    -A IPSPF -s 255.255.255.255 -j DROP
    # Drop packets TO broadcast/multicast/loopback IPs
    -A IPSPF -d 0.0.0.0/8 -j DROP
    -A IPSPF -d 127.0.0.0/8 -j DROP
    -A IPSPF -d 224.0.0.0/4 -j DROP
    -A IPSPF -d 255.255.255.255 -j DROP
    # These are some bad TCP flags used in attacks:
    -A IPSPF -p tcp --tcp-flags ALL NONE -j DROP
    -A IPSPF -p tcp --tcp-flags ALL ALL -j DROP
    -A IPSPF -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
    -A IPSPF -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
    -A IPSPF -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
    -A IPSPF -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
    -A IPSPF -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -j DROP
    # Reject NEW TCP packets w/ ACK flag. Someone could be sending packets with your server's IP as his fake IP
    -A IPSPF -p tcp --tcp-flags SYN,ACK SYN,ACK -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset
    # Drop NEW TCP packets w/o SYN flag
    -A IPSPF -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
    # Drop empty UDP packets (lengths 0 to 28)
    -A IPSPF -p udp -m length --length 0:28 -j DROP
    # Limit incoming NEW TCP connections to 10/sec for each IP (configurable)
    -A IPSPF -p tcp --syn -m recent --update --name INSYN --seconds 1 --hitcount 11 -j DROP
    -A IPSPF -p tcp --syn -m recent --set --name INSYN -j RETURN
    -A IPSPF -j RETURN
    # Change to ACCEPT if FTP server:
    -A DPTS -p tcp --dport 21 -j DROP
    # SSH: if you moved SSH off port 22, change 22 here to match the INPUT rule above.
    # If you still use port 22, leave this as ACCEPT.
    -A DPTS -p tcp --dport 22 -j ACCEPT
    -A DPTS -p tcp --dport 23 -j RLMSET
    # Change to ACCEPT if MAIL server:
    -A DPTS -p tcp --dport 25 -j RLMSET
    # Note: Port 80 and/or 443 are needed to access the FreePBX GUI.
    # For security, do NOT open them here. Use SSH port forwarding instead.
    -A DPTS -p tcp --dport 80 -j DROP
    -A DPTS -p tcp --dport 443 -j DROP
    -A DPTS -p tcp --dport 1433 -j RLMSET
    -A DPTS -p tcp --dport 3128 -j RLMSET
    # Change to ACCEPT if Internet-facing MySQL server:
    -A DPTS -p tcp --dport 3306 -j RLMSET
    -A DPTS -p tcp --dport 3389 -j RLMSET
    -A DPTS -p tcp --dport 4899 -j RLMSET
    -A DPTS -p tcp --dport 5900 -j RLMSET
    -A DPTS -j RETURN
    -A RLMSET -m recent --set --name RLM -j DROP
    -A ASIP -p tcp --dport 5060:5082 -j ACCEPT
    -A ASIP -p udp --dport 5060:5082 -m recent --update --name MYSIP -j ACCEPT
    -A ASIP -p udp --dport 5060:5082 -j DROP
    -A ASIP -p udp --dport 10000:20000 -j ACCEPT
    -A ASIP -j RETURN
    COMMIT
    *raw
    :PREROUTING ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    :BADSIP - [0:0]
    :TCPSIP - [0:0]
    :UDPSIP - [0:0]
    :NEWSIP - [0:0]
    # IMPORTANT: the SIP matches below use the FQDN entered above ($fqdn); only packets that name it in a SIP URI are admitted to the MYSIP list.
    -A PREROUTING -i eth+ -m recent --update --name MYSIP -j ACCEPT
    -A PREROUTING -i eth+ -p tcp --dport 5060:5082 -m string --string "sip:$fqdn" --algo bm --icase -j NEWSIP
    -A PREROUTING -i eth+ -p udp --dport 5060:5082 -m string --string "sip:$fqdn" --algo bm --to 1500 --icase -j NEWSIP
    -A PREROUTING -i eth+ -m recent --update --name BADSIP -j DROP
    -A PREROUTING -i eth+ -p tcp --dport 5060:5082 -j TCPSIP
    -A PREROUTING -i eth+ -p udp --dport 5060:5082 -j UDPSIP
    -A TCPSIP -m string --string "sundayddr" --algo bm -j BADSIP
    -A TCPSIP -m string --string "sipsak" --algo bm -j BADSIP
    -A TCPSIP -m string --string "sipvicious" --algo bm --icase -j BADSIP
    -A TCPSIP -m string --string "friendly-scanner" --algo bm -j BADSIP
    -A TCPSIP -m string --string "iWar" --algo bm -j BADSIP
    -A TCPSIP -m string --string "sip-scan" --algo bm -j BADSIP
    -A TCPSIP -m string --string "sipcli" --algo bm -j BADSIP
    -A TCPSIP -m string --string "eyeBeam" --algo bm -j BADSIP
    -A TCPSIP -m string --string "VaxSIPUserAgent" --algo bm -j BADSIP
    -A TCPSIP -m string --string "sip:nm@nm" --algo bm -j BADSIP
    -A TCPSIP -m string --string "sip:carol@chicago.com" --algo bm -j BADSIP
    -A UDPSIP -m string --string "sundayddr" --algo bm --to 1500 -j BADSIP
    -A UDPSIP -m string --string "sipsak" --algo bm --to 1500 -j BADSIP
    -A UDPSIP -m string --string "sipvicious" --algo bm --icase --to 1500 -j BADSIP
    -A UDPSIP -m string --string "friendly-scanner" --algo bm --to 1500 -j BADSIP
    -A UDPSIP -m string --string "iWar" --algo bm --to 1500 -j BADSIP
    -A UDPSIP -m string --string "sip-scan" --algo bm --to 1500 -j BADSIP
    -A UDPSIP -m string --string "sipcli" --algo bm --to 1500 -j BADSIP
    -A UDPSIP -m string --string "eyeBeam" --algo bm --to 1500 -j BADSIP
    -A UDPSIP -m string --string "VaxSIPUserAgent" --algo bm --to 1500 -j BADSIP
    -A UDPSIP -m string --string "sip:nm@nm" --algo bm --to 1500 -j BADSIP
    -A UDPSIP -m string --string "sip:carol@chicago.com" --algo bm --to 1500 -j BADSIP
    -A BADSIP -m recent --set --name BADSIP -j DROP
    -A NEWSIP -m recent --set --name MYSIP -j ACCEPT
    COMMIT
    EOF
    echo "Installed! Now restarting iptables."
    iptables-restart
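An added check, not from the post above or from the article it credits, for the `-m recent` lists those rules depend on (MYSIP, BADSIP, RLM, INSYN). The kernel exposes each named list as a file under /proc/net/xt_recent/, so after installing the rules you can see which endpoints have been admitted to MYSIP and which sources the scanner-string rules have parked in BADSIP, and you can remove a single wrongly listed address by writing `-a.b.c.d` to that file instead of restarting iptables and dropping every registered phone. The function names are mine and the sample table contents are constructed.

```sh
#!/bin/sh
# Added example: inspect and correct the kernel's "-m recent" tables
# (MYSIP, BADSIP, RLM, INSYN in the rules above). Function names are mine;
# the sample table at the bottom is constructed, not real kernel state.

# recent_summary FILE: one "ADDR HITS" line per entry in an xt_recent table.
# Each table line looks like:
#   src=A.B.C.D ttl: T last_seen: J oldest_pkt: I J1, J2, ...
# where the timestamps after "oldest_pkt: I" are jiffies, one per packet
# recorded, so their count is the hit count the --hitcount tests look at.
recent_summary() {
    awk '
        /^src=/ {
            split($1, kv, "=")
            hits = 0
            for (i = 1; i <= NF; i++)
                if ($i == "oldest_pkt:") { hits = NF - i - 1; break }
            printf "%s %d\n", kv[2], hits
        }
    ' "$1"
}

# recent_has FILE ADDR: succeed if ADDR is currently in the table.
recent_has() {
    recent_summary "$1" | awk -v ip="$2" '$1 == ip { found = 1 } END { exit !found }'
}

# recent_forget FILE ADDR: remove ADDR from a live table by writing "-ADDR"
# to its /proc file (the interface xt_recent provides; "/" would flush all).
# Use this when a legitimate endpoint ends up in BADSIP, instead of
# restarting iptables and dropping every registered phone from MYSIP.
recent_forget() {
    case "$2" in
        ""|*[!0-9.]*) echo "refusing to write non-address '$2'" >&2; return 2 ;;
    esac
    printf '%s\n' "-$2" > "$1"
}

# recent_all: summarise every table on this host (needs root to read /proc).
recent_all() {
    for _t in /proc/net/xt_recent/*; do
        [ -r "$_t" ] || continue
        echo "== ${_t##*/}"
        recent_summary "$_t"
    done
}

# Stand-alone demo on a constructed sample table.
_demo=$(mktemp)
cat > "$_demo" <<'EOF'
src=203.0.113.7 ttl: 64 last_seen: 4295023012 oldest_pkt: 2 4295022000, 4295023012
src=198.51.100.9 ttl: 55 last_seen: 4295020000 oldest_pkt: 1 4295020000
EOF
recent_summary "$_demo"
rm -f "$_demo"
```

On the PBX itself, `recent_all` run as root lists every table; `recent_has /proc/net/xt_recent/BADSIP 203.0.113.7` tells you whether a phone that cannot register has been caught by the scanner-string rules, and `recent_forget` on that file clears just that one entry.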
     
  4. WinstonPoppycock

    WinstonPoppycock New Member

    Joined:
    Sep 11, 2018
    Messages:
    2
    Likes Received:
    0
    Thanks! So this will make me 100% hack-proof, right? Awesome!

    (Obvious joke about it making me 100% hack-proof.)
     
  5. kyle95wm

    kyle95wm Phone Genius Owner

    Joined:
    Apr 16, 2016
    Messages:
    426
    Likes Received:
    81
    Yes, your server will be (for the most part) hack-proof. These are not really my iptables rules, but rather rules that someone else made. I would recommend reading the article to get a better explanation of these rules.
     
    phonebuff likes this.
