IPTABLES does not save

I usually put my iptables rules at /etc/sysconfig/iptables then issue the command service iptables start, I also keep a backup of it on a separate file just in case and as a template for any new systems.

I still cannot get it to save my rules, so I tried to install Webmin, but I don't see it under Packages and yum cannot find it. Anyone with a suggestion? We can I find the script that might be rewritting it every few minutes? I thought it would be in crontabs, but I don't see it.
Thanks again.

Put the box behind a firewall and limit it to only the IP's that should be getting to it. Let some other box do the security and take the load off the PBX.

Why have two firewalls running then? If you have a good firewall in front of the system then you dont need another one on the PBX. You say its easy (if you can get it working) and a lot of people are really struggling with it and we are certainly not experts on it. Any basic firewall is going to be able to block the IP that those requests are coming from and only allow the actual allowed IPs to come through. There are also other solutions like VPN's so that you never have to expose the system to the open internet. For people with softphones, simply use Hamachi and your problems are basically solved. For hardphones you would need a point to point VPN.

If thousands of people are suffering with this why are there only a few that are posting about it? Can we assume that they know how to use a firewall and VPN solutions? No other distro that I know of has firewall setup tools in it because it should a) not be an edge device and b) there are much better firewall tools than IPtables and fail2ban that can be put it front of it.

There is nothing stopping anyone from creating a trixbox ce module that does what you want if its that simple. If someone did that I would certainly consider adding it to the repo for people who want it.

To 3vian.

I had the same issues, the OS of trixbox is not hardened to be a that of a firewall so although IP tables do help they may not help you sleep easier at night.
Also, especially if you are running a dynamic environment it is very hard to pinpoint exact IP address incomming changes.
So instead of fiddling with IP tables on a soft OS I downloaded and installed a Linux based firewall and only opened UDP 5060 SIP inbound.
I had a bit of difficulty trying to find a few good firewalls out there that understood SIP but I eventually found one.
I am in no way trying to advertise direct or indirect for any paticular company or product but I found Endian worked the charm.

Hope this helps.

I think we are getting a little off-topic. I figured out my problem, it was to do with APF and BFD flushing iptables, so I removed them and their cron jobs. I would normally have a IPSec VPN hardware router in front of my trixbox server, but this a VPS and the virtualization software does not currently support IPSec yet. I'm considering getting rid of the VPS and going back to an on-site hardware solution because of these security issues.

A VPN solution also removes any NAT issues, which I'm currently having with my Cisco 7970s and 60s. I think my solution will be to build a low-power hardware solution and put it behind my hardware VPN. I already have hardware VPNs for each of my 4 remote locations so this should work well.

Everyone seems to forget that this is a community project. If this is so feature is so important than why doesn't someone get it to work and contribute the configuration? I am sure that Fonality would be glad to include it in the distribution.

I take a simple view, the logo on top of the page says "The Open Platform for Business Telephone" (emphasis added). It is assumed businesses know how to secure application servers.

For me it's that basic.

So far none of of the professional integrators have had a problem with compromised systems. I don't look to other people to solve my problems for me. There is an entire kit of tools at your disposal, not using them is a choice of the user and they suffer the consequences.

Harsh, probably.....

Scott,
--------->>>So far none of of the professional integrators have had a problem with compromised systems

Um..well I spent three days last week setting up new boxes from bare metal from one such "professional integrator" he has over 30 customers
we found three of his boxes where "hacked", it was easy as he had given "public" access to FOP so half the battle was lost before he got out of the gate.

He was sure it was a flaw in trixbox, until I showed him how easy it is to "guess" his pin numbers for the extens in FOP, it took maybe 10 mins to get into freepbx.
This is someone who KNEW better, if his boxes where windows he would have been more careful, but he had that mindset "Hey it is linux, no one can hack it".
In his 10 years in telco biz he said no one hacked any of his PBX / KSU boxes and he never expected it to happen.

I installed Hamachi on all his builds now and he is talking to his customer base about how they select passwords / pin numbers

He got a VERY expensive lesson in common sense, he not only had to pay me a ton of money to work 20 hrs a day but he still has not gotten the total mins used together (over 50,000 on two boxes, some to the gulf area... OUCH...)
He is afraid that if he tells the FEDS he will get popped for non-calea compat. and the news hits the street and all his customers will be hollering for his head.

just a little hint for all you out there swapping 1's for I and 3 for E's for a common word / phase IS NOT a secure password, and using your exten even if it is backwards, well you guessed it...it is just DUMB....

From the sound of it, fail2ban would seem like a very useful tool. I'm personally going to look into it, but I don't think I have the skills necessary to help the community with integration.

I currently have my SIP port open because of remote phones and to allow anonymous calls via ENUM and because my DID simply forwards the calls to a specified SIP address.

I just got off the line with his "network admin" which some guy who built his computers; turns out that EVERY box (windos and Linux) in his office network is also infected in some way.

he has been fighting the email SPAM blacklisting for the past few weeks..his email server was sending out over 20,000 email messages each day, (small 20 person office) his windows boxes all have movie files on them, we assume they are out there for downloading.

His bandwidth bill was way over his limit last month, first time in three years...many things which should have had them looking at the logs, but instead they just pushed it aside. LAZY network admin comes to mind....

So his question is did they come in via Windos or did they come in via linux???? Did it spread via his office network to the DC or from DC to his office network.

As someone in the office has used the windows server to surf the web and had installed VNC with a VERY weak password without a RCkey it will hard to track down the entry point (s) it could very well be one of the warez downloads started the whole mess

Anyone want over 60 gigs of movies??? he has the "Hunk" and "Ironman" rips....
I am joking here folks..I have already deleted the files

And Scott I know I made out on this one for $ure...got another good 20 ~25 hrs of billable time coming and it will be easy money...
;~)

He will be adding $ 50,000.00 grand to his IT budget to hire a REAL network admin.

You can never really be secure, you can have that feeling of being secure, but if you can get out, someone can get in.
You must lock every door and check it each day to make sure it is still locked.

That is useful for those who have to open SIP up to the Internet. Not as cool using OpenSBC the correct RFC compliant method for doing session control.

I created a rule that seems to work with BFD/APF. This goes into /usr/local/bfd/rules I called mine asterisk. Be sure to set the TRIG value to something you are comfortable with. Please let me know if there is something other than Wrong password I should capture and I can write more rules. The reason I use APF/BFD over faile2ban is that the APF portion is a pretty good firewall that can do amazing things, add in BFD and you got something that anyone can setup in minutes. For those that do not want to learn iptables, then APF is cake. Again, YMMV.

# failed logins from a single address before ban
# uncomment to override conf.bfd trig value
TRIG="1"

# file must exist for rule to be active
REQ="/usr/sbin/asterisk"

if [ -f "$REQ" ]; then
LP="/var/log/asterisk/full"
TLOG_TF="asterisk"
TMP="/usr/local/bfd/tmp"

## ASTERISK
ARG_VAL=`$TLOG_PATH $LP $TLOG_TF |grep "Wrong password" /var/log/asterisk/full | awk '{NF=NF-3} { print $NF}'| tr -d '\'\' `
fi

Thank you,
Engineer Tim
Trixbox Engineer
http://engineertim.com

Yes, got it to work 100%

here is sendmail confirmation and my softphones timeout on registration for the appointed ban period in staging environment.
Lets hope Fonality don't remove python iptables :-) from repository.

"Hi,

The IP 192.168.0.12 has just been banned by Fail2Ban after
3 attempts against ASTERISK.

Here are more information about 192.168.0.12:

Regards,

Fail2Ban"

Read this links carefully and slowly and apply it!
http://voip-info.org/wiki/view/Fail2Ban+(with+iptables)+And+Asterisk

If anyone uses IAX they might want to add this

NOTICE.* .*: Host failed MD5 authentication for '.*' (.*)

to the failedregex.