QUESTION: using fail2ban and a firewall on 3CX

wa4zlw

Member
Joined Feb 14, 2008
I've got 3CX running, but I'd like to get fail2ban and something similar to the firewall on Incredible or FreePBX.

Anyone have any ideas?

Thanks

Joined Oct 26, 2013
Here are the rules that I use on my 3CX PBX:

Code:
# Generated by iptables-save v1.4.21 on Wed Sep 27 20:30:27 2017
# Load with:  iptables-restore < this-file
# Requires the ipset package (for "-m set") and xtables-addons with its GeoIP
# database installed (for "-m geoip"); without them the restore aborts at
# those lines and nothing below them is loaded.
*mangle
:PREROUTING ACCEPT [441:25939]
:INPUT ACCEPT [441:25939]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [271:103110]
:POSTROUTING ACCEPT [271:103110]
# Mark every outbound UDP datagram (SIP/RTP) Expedited Forwarding for QoS
-A OUTPUT -p udp -j DSCP --set-dscp-class EF
COMMIT
# Completed on Wed Sep 27 20:30:27 2017
# Generated by iptables-save v1.4.21 on Wed Sep 27 20:30:27 2017
*nat
:PREROUTING ACCEPT [63:2364]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [1:118]
:POSTROUTING ACCEPT [1:118]
COMMIT
# Completed on Wed Sep 27 20:30:27 2017
# Generated by iptables-save v1.4.21 on Wed Sep 27 20:30:27 2017
*filter
# Default deny inbound: everything that follows is either an early drop or
# an explicit allow.
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [271:103110]
:LOG_DROP - [0:0]
# 1. Known-bad sources from the "blacklist" ipset (FireHOL list), checked first
-A INPUT -m set --match-set blacklist src -j DROP
# 2. Connection tracking: drop invalid packets, accept replies to our own traffic
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
# 3. Bogon / reserved source ranges that should never arrive from the Internet.
#    NOTE: 172.16/12 and 192.168/16 are dropped as well, so this assumes the
#    PBX sits on a public address; behind NAT with LAN phones, remove those
#    two lines. 10/8 is not in the list, so a 10.x peer is still reachable.
-A INPUT -s 0.0.0.0/8 -j DROP
-A INPUT -s 100.64.0.0/10 -j DROP
-A INPUT -s 127.0.0.0/8 -j DROP
-A INPUT -s 169.254.0.0/16 -j DROP
-A INPUT -s 172.16.0.0/12 -j DROP
-A INPUT -s 192.0.0.0/24 -j DROP
-A INPUT -s 192.0.2.0/24 -j DROP
-A INPUT -s 192.168.0.0/16 -j DROP
-A INPUT -s 198.18.0.0/15 -j DROP
-A INPUT -s 198.51.100.0/24 -j DROP
-A INPUT -s 203.0.113.0/24 -j DROP
-A INPUT -s 224.0.0.0/4 -j DROP
-A INPUT -s 240.0.0.0/4 -j DROP
-A INPUT -s 255.255.255.255/32 -j DROP
# 4. Malformed TCP flag combinations (null, xmas, SYN+FIN, SYN+RST, ...) used
#    by scanners, stray SYN/ACKs answered with a reset, and new connections
#    that do not start with a lone SYN
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROP
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -j DROP
-A INPUT -p tcp -m tcp --tcp-flags SYN,ACK SYN,ACK -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j DROP
# 5. UDP datagrams too short to carry any real payload
-A INPUT -p udp -m length --length 0:28 -j DROP
# 6. 3CX service ports, restricted by GeoIP to Germany and the US:
#    5001/tcp = HTTPS management/provisioning, 5090/tcp+udp = 3CX tunnel.
#    No RTP range is opened; media is expected to ride the tunnel or to be
#    sent outbound by 3CX first so the return stream matches ESTABLISHED.
-A INPUT -p tcp -m geoip --source-country DE,US -m tcp --dport 5001 -j ACCEPT
-A INPUT -p tcp -m geoip --source-country DE,US -m tcp --dport 5090 -j ACCEPT
-A INPUT -p udp -m geoip --source-country DE,US -m udp --dport 5090 -j ACCEPT
# 7. SIP signalling from the bridged Asterisk box only (replace the placeholder)
-A INPUT -p udp -s <IP of Asterisk Server> -m udp --dport 5060 -j ACCEPT
# 8. Full access from the administrator's home address (replace the placeholder)
-A INPUT -s <Home IP Address> -j ACCEPT
# 9. Everything else: log (rate-limited so a scan cannot flood syslog), then
#    drop. The original ended with a bare "-j DROP", which left the LOG_DROP
#    chain defined but never reached.
-A INPUT -j LOG_DROP
-A LOG_DROP -m limit --limit 5/min -j LOG --log-prefix "Firewall blocked: "
-A LOG_DROP -j DROP
COMMIT
# Completed on Wed Sep 27 20:30:27 2017

A little explanation: the line `-A INPUT -m set --match-set blacklist src -j DROP` uses ipsets to establish a list of known bad sites; I use the FireHOL blacklist. So right away I drop any of the IPs or subnets in that list.

Secondly, I use GeoIP matching, so I only open the 3CX ports (5001, 5090) to the US and Germany. This helps to cut down on the attack surface, and given that anyone using my 3CX would be in the US or Germany, this works for me. You might have to customize it for your particular use.

Most of the rest of those rules block bogon addresses and certain bad combinations of TCP flags.

Then I have a bridge set up to an Asterisk server, so I opened the SIP port to the Asterisk server. Then the <Home IP Address> is allowed through, as that is my IP address at home. This makes sure to allow me through from my home.

I don't think fail2ban is necessary, as 3CX has its own built in security.

So basically, I deny everything, only allowing through certain ports or IP addresses. And on the ports that I open up, I restrict those to certain Geo locations.

Hope this helps...
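One way to build and reload the `blacklist` ipset that the first rule above matches on, as an added example that is not the poster's own script. It parses the FireHOL .netset format (comment lines, blank lines, bare hosts and CIDR networks) into `ipset` add commands, fills a temporary set and swaps it in, so the DROP rule never matches against a half-loaded or empty set during a reload. The sample list is constructed for the example; the set names `blacklist`/`blacklist_tmp`, the `maxelem` size, the download URL placeholder and the cron schedule are assumptions.

```shell
#!/bin/sh
# Added example: rebuild the "blacklist" ipset from a FireHOL .netset file
# and swap it in atomically. Not the poster's script; set names, sizes, the
# download location and the cron schedule are assumptions.
set -eu

# Constructed sample in FireHOL netset syntax (comments, blank lines, bare
# hosts, CIDR networks, trailing comments). The real list has thousands.
SAMPLE_NETSET='# firehol_level1 (constructed sample, not the real list)
#
# Maintainer : example
203.0.113.0/24
198.51.100.7

192.0.2.0/25   # inline comment
'

# stdin: netset lines. stdout: "add <set> <cidr>" lines for "ipset restore".
# Bare hosts get an explicit /32; anything else is reported and skipped so a
# corrupted download cannot inject stray commands into the restore stream.
netset_to_restore() {
    set_name="$1"
    sed -e 's/#.*//' -e 's/[[:space:]]//g' -e '/^$/d' |
    awk -v set="$set_name" '
        /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/         { print "add " set " " $0 "/32"; next }
        /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\/[0-9]+$/ { print "add " set " " $0; next }
        { print "skipping malformed line: " $0 > "/dev/stderr" }
    '
}

# Number of entries that would be loaded from stdin. Used as a sanity check:
# a download that yields zero entries must never replace the live set.
count_entries() {
    netset_to_restore x | wc -l | tr -d ' '
}

# Real reload (root, ipset package installed), e.g. daily from cron:
#   curl -fsSL <url of the FireHOL netset> -o /var/tmp/firehol.netset
#   reload_blacklist /var/tmp/firehol.netset
reload_blacklist() {
    file="$1"
    n="$(count_entries < "$file")"
    if [ "$n" -eq 0 ]; then
        echo "refusing to load an empty blacklist from $file" >&2
        return 1
    fi
    # Both sets must be the same type/family for "swap" to be allowed.
    ipset -exist create blacklist     hash:net family inet maxelem 262144
    ipset -exist create blacklist_tmp hash:net family inet maxelem 262144
    ipset flush blacklist_tmp
    netset_to_restore blacklist_tmp < "$file" | ipset restore
    ipset swap blacklist_tmp blacklist   # atomic: the DROP rule keeps matching
    ipset destroy blacklist_tmp
    echo "blacklist reloaded with $n entries"
}

# Dry run on the constructed sample: print the restore stream, load nothing.
if [ "${1:-}" = "--demo" ]; then
    printf '%s' "$SAMPLE_NETSET" | netset_to_restore blacklist_tmp
fi
```

Because the iptables rule references the set by name, the set has to exist before `iptables-restore` runs (otherwise the restore fails), which is why `reload_blacklist` creates it with `-exist` rather than assuming it is there.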

ajonate

Member
Joined Jun 18, 2018

Yes, there's a free product called Brute Force Detection (bfd) that performs a similar function to fail2ban. The difference is that bfd doesn't run as a daemon, or even as a service. Instead, cron is configured to invoke bfd every 3 minutes. When bfd runs it inspects certain log files for failed authentications, then bans an IP address if it exceeds a set number (I set it at 15). One really nice feature is that bfd comes pre-configured to inspect Asterisk log files, as well as those of many other applications. You can also have bfd send you email alerts when an IP address is banned. Download it here for free.

https://www.rfxn.com/

They also have a free firewall product called Advanced Policy Firewall (apf), which works along with iptables to add features usually found only in hardware firewalls. apf can subscribe to real-time blacklists, set selected ports as higher priority, and monitor for certain behaviors typically seen with intrusions. I never run iptables on my servers without apf. I find apf much easier to configure than iptables alone. I can see how iptables alone works fine for restricting access by IP address, but I don't have that luxury.

Ward reminds us in various ways that we should run pbx servers behind a hardware firewall, and that's good advice. But it's not always possible. Of course there's no way to do that in cloud deployments. Running apf is an acceptable substitute for a hardware firewall.
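The cron-driven approach described above (scan the logs every few minutes, ban any source past a failure threshold), as an added shell example that is neither bfd's code nor the poster's. Since the thread does not show 3CX's log format, it reads Asterisk's SECURITY log, for which bfd ships a rule, and emits `ipset` commands rather than running them so it can be dry-run. The sample log lines are constructed; the `sipban` set name, the script and log paths, the one-day ban timeout and the event names matched are assumptions.

```shell
#!/bin/sh
# Added example: a cron-driven log scan in the style of bfd (not bfd's code).
# Counts failed SIP authentications per source address in an Asterisk
# SECURITY log and emits ban commands for sources at or above a threshold.
# The "sipban" set name, paths and timeout are assumptions.
set -eu

# Constructed sample in Asterisk's SECURITY log format: 16 bad passwords from
# 203.0.113.5, 3 failed challenges from 198.51.100.7, one successful login
# from 192.0.2.44 (which must never count as a failure).
gen_sample_log() {
    i=0
    while [ "$i" -lt 16 ]; do
        i=$((i + 1))
        printf '[2017-09-27 20:30:%02d] SECURITY[1234] res_security_log.c: SecurityEvent="InvalidPassword",Severity="Error",Service="SIP",AccountID="100",RemoteAddress="IPV4/UDP/203.0.113.5/5060"\n' "$i"
    done
    i=0
    while [ "$i" -lt 3 ]; do
        i=$((i + 1))
        printf '[2017-09-27 20:31:%02d] SECURITY[1234] res_security_log.c: SecurityEvent="ChallengeResponseFailed",Severity="Error",Service="SIP",AccountID="101",RemoteAddress="IPV4/UDP/198.51.100.7/5060"\n' "$i"
    done
    printf '[2017-09-27 20:32:00] SECURITY[1234] res_security_log.c: SecurityEvent="SuccessfulAuth",Severity="Informational",Service="SIP",AccountID="102",RemoteAddress="IPV4/UDP/192.0.2.44/5060"\n'
}

# stdin: log lines. stdout: "<failures> <ip>" per source, most failures first.
# Only authentication-failure events count; the address is taken from the
# RemoteAddress field (IPV4/UDP/addr/port), never from free-form text.
count_failures() {
    awk '
        /SecurityEvent="(InvalidPassword|ChallengeResponseFailed|InvalidAccountID|FailedACL)"/ {
            if (match($0, /RemoteAddress="[^"]*"/)) {
                split(substr($0, RSTART, RLENGTH), f, "/")
                fails[f[3]]++
            }
        }
        END { for (ip in fails) print fails[ip], ip }
    ' | sort -rn
}

# stdin: log lines. $1: threshold. stdout: addresses to ban, one per line.
offenders() {
    count_failures | awk -v t="$1" '$1 >= t { print $2 }'
}

# stdin: addresses. stdout: commands that ban them for a day via an ipset,
# matched by a rule such as "-A INPUT -m set --match-set sipban src -j DROP".
# Re-adding an already banned address is harmless thanks to -exist.
ban_commands() {
    echo 'ipset -exist create sipban hash:ip family inet timeout 86400'
    while IFS= read -r ip; do
        echo "ipset -exist add sipban $ip"
    done
}

# Cron entry, every 3 minutes like bfd, with a 15-failure threshold
# (assumed script path and default Asterisk security log path):
#   */3 * * * * /usr/local/sbin/sipban.sh /var/log/asterisk/security 15 | sh
if [ $# -ge 2 ]; then
    offenders "$2" < "$1" | ban_commands
fi
```

Unlike bfd, this rescans the whole file on every run, so the ban timeout and log rotation together decide how long a source stays blocked; bfd tracks its position in the log and keeps its own ban list instead.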