Just a bit of advice for those who have their Trixboxes on the internet.

good tip on the fail2ban Percy. I also like denyhosts

I looked into denyhosts as well, but fail2ban was infinitely more configurable (at least to me). It's also still actively developed (that was the clincher for me). While I will say that the fail2ban documentation really bites the big kahuna, the program seems to be pretty rock solid. I've since made it a staple of every *nix box I install and administer full-time. I do ask clients with existing installations if they would like it installed. It's a pity that some clients will turn down my offer with the comment, "I have a firewall".

-----------------------------------------------
Percy Kwong
www.swimminginthought.com

I've struggled to install fail2ban, for my last attempt I tried this

wget ftp://download.fedora.redhat.com/pub/fedora/linux/development/sou...

rpm -i fail2ban-0.8.3-16.fc10.src.rpm

but got this

[local.domain ~]# rpm -i fail2ban-0.8.3-16.fc10.src.rpm
warning: fail2ban-0.8.3-16.fc10.src.rpm: Header V3 DSA signature: NOKEY, key ID 0b86274e
error: cannot create %sourcedir /usr/src/redhat/SOURCES

is it ok to give up here, is it part installed or will it cause any trouble ?

.

Well I might as well rile things up. I certainly am not going to say don't secure things but I also think IT guys tend to get a bit too paranoid about it. All you really need is a strong root password and of course be behind a firewall. The most I would do is not allow root login from SSH so that they would have to get through 2 login prompts and find 2 passwords. Automatically banning IP's that try brute force multiple attempts is the absolute most I would ever do.

After that, if it makes usability/administration more difficult I won't do it. That is the trade off. Name one person who had a properly configured Asterisk box behind a firewall and a strong root password get hacked? Of course you will always see a lot of questionable traffic. It is always there and most of it is harmless. A lot of robots are always out there scanning. That's just the way it is. There really is no limit to how paranoid you can get and how much you can do to attempt to make it impossible to hack or justify your hourly rate or whatever. Yea, I know about all the paranoia articles about security. Look who is putting those out there. Security consultants and security software companies.

Case in point just look at the people above having problems installing that software. enabling iptables/selinux etc. which are notorious for creating usability problems with Asterisk/FreePBX is just another headache to deal with IMHO. That's just me and my opinion. Do whatever you want with your installs and if you can get more money out of the customer for doing it more power to you. I prefer sticking with the KISS principle. It's complicated enough just dealing with standard Asterisk/FreePBX stuff. I don't need to add more unnecessary complication.

There is a wiki article here

http://voip-info.org/wiki/index.php?page_id=5348

and some info in this thread

http://www.trixbox.org/forums/trixbox-forums/help/iptables-does-n...

theres just a little issue with the timestamps that needs sorting out for it to be perfect, then I'll write it up if no one else wants to, although to be fair the wiki article only needs a few tweaks and a couple of corrections.

This might be a good starting point. It maybe wants a few tweaks by someone with more knowledge than me, I think a few are in the wrong order at least. It has every port I can think might be needed, once its in place it is fairly simple for even a beginner (me) to edit using webmin, just delete the rules for whatever you don't need.

# Generated by iptables-save v1.3.5 on Sun Sep 21 03:11:00 2008
*nat
:PREROUTING ACCEPT [8:408]
:POSTROUTING ACCEPT [2:129]
:OUTPUT ACCEPT [2:129]
COMMIT
# Completed on Sun Sep 21 03:11:00 2008
# Generated by iptables-save v1.3.5 on Sun Sep 21 03:11:00 2008
*mangle
:PREROUTING ACCEPT [287:33378]
:INPUT ACCEPT [287:33378]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [288:38355]
:POSTROUTING ACCEPT [288:38355]
COMMIT
# Completed on Sun Sep 21 03:11:00 2008
# Generated by iptables-save v1.3.5 on Sun Sep 21 03:11:00 2008
*filter
:FORWARD ACCEPT [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Accept traffic from internal interfaces
-A INPUT ! -i eth0 -j ACCEPT
# Accept traffic with the ACK flag set
-A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT
# Allow incoming data that is part of a connection we established
-A INPUT -m state --state ESTABLISHED -j ACCEPT
# Allow data that is related to existing connections
-A INPUT -m state --state RELATED -j ACCEPT
# Accept responses to DNS queries
-A INPUT -p udp -m udp --dport 1024:65535 --sport 53 -j ACCEPT
# Accept responses to pings
-A INPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT
# Accept notifications of unreachable hosts
-A INPUT -p icmp -m icmp --icmp-type destination-unreachable -j ACCEPT
# Accept notifications to reduce sending speed
-A INPUT -p icmp -m icmp --icmp-type source-quench -j ACCEPT
# Accept notifications of lost packets
-A INPUT -p icmp -m icmp --icmp-type time-exceeded -j ACCEPT
# Accept notifications of protocol problems
-A INPUT -p icmp -m icmp --icmp-type parameter-problem -j ACCEPT
# Allow connections to SSH server
-A INPUT -p tcp -m tcp --dport ssh -j ACCEPT
# Allow connections to IDENT server
-A INPUT -p tcp -m tcp --dport auth -j ACCEPT
# Allow connections to WEB server
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
# Allow connections to SSH server
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
# Allow connections to Webmin server
-A INPUT -p tcp -m tcp --dport 10000 -j ACCEPT
# Allow connections to FOP server
-A INPUT -p tcp -m tcp --dport 4445 -j ACCEPT
# Allow connections to SIP server
-A INPUT -p udp -m udp --dport 5060:5061 -j ACCEPT
# Allow connections to RTP server
-A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT
# Allow connections to IAX2 server
-A INPUT -p udp -m udp --dport 4569 -j ACCEPT
# Allow connections to IAX server
-A INPUT -p udp -m udp --dport 5036 -j ACCEPT
# Allow connections to MGCP server
-A INPUT -p udp -m udp --dport 2727 -j ACCEPT
# Allow all NTP records 
-A INPUT -p tcp -i eth0 --dport 123 -j ACCEPT
# Allow connections to HTTPS server
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
# Allow remote connections to WEBMIN server
-A INPUT -p tcp -m tcp --dport 9001 -j ACCEPT
# Allow connections to ASTERISK MANAGER server
-A INPUT -p tcp -m tcp --dport 5038 -j ACCEPT
# Allow connections to TFTP server
-A INPUT -p udp -m udp --dport 69 -j ACCEPT
COMMIT
# Completed on Sun Sep 21 03:11:00 2008

Personally, I don't like having to write custom IPTABLES rules. And I know for some that this can be a daunting task. I know I also push the APF/BFD solution quite hard. To me, APF itself is easy to implement and there are zero rules that you have to create by hand. Not only that it is easy to customize using a single config file, supports spamhaus and other online rules grabbing. With that in mind I am going to see if I can get fail2ban to work with APF. BFD does a good job, and I have written a rule that is a drop in for asterisk. Been testing it here. However, I know there is strong movement for fail2ban use. So if I can get it to play nice then I will include it in my document that I wrote. I would still like someone to give the APF/BFD option a chance. I have a install script that you run and it grabs the most current and installs it. Pretty cut and dry. Only part you have to edit is the config file for APF and if you want the asterisk rule I will post it on engineertim.com.

I want to avoid a pissing match that this or that is better, security should be neutral and we all should be giving valid input. I would strongly recommend that everyone take a closer look at all of their installs. I personally have nagios, ossec, cacti, phplogcon, and some other magic, monitoring my systems. If so much as a checksum on a single file changes I get a email. If I have too many calls going out, I get a email and a graph sent to me. I will try and get this next document that includes these setups done in the coming weeks. Sooner if I can get the dedicated time to do it. In the meantime look at the doc I wrote, even if you don't implement the items I put in there you might be a little more informed if not surprised.

Thank you for your time,
Engineer Tim

Trixbox Engineer
http://engineertim.com

Its a phone system, not a firewall, not a router, not an edge device. We make no claims about it being any more secure than you would expect any out-of-the-box phone system to be. Unfortunately we are now being forced to address security because of the automated scripts that are out there now.

On the plus side, our trixbox Pro and PBXtra systems are not as vulnerable because the logins and passwords are based on MAC addresses and not extension numbers and potentially matching or easy to crack passwords. We are looking into this for the next endpoint manager to help protect systems even more.

The current issues we are seeing are tools like sipvicious that can scan a network for Asterisk systems, then you run another tool against that list to find a list of extensions, then a third tool to crack the extension passwords. Your system could be 100% secure but if you have UDP 5060 open for remote phones you can be hit by this.

Install fail2ban. Ive got it looking for failed registration attempts, 1 failed attempt and the IP is banned for 24 hours. Theres a post half way up this thread with some links, or Tim has a APF/BFD solution.

With numerous sites that support and encourage IP address cloaking, this would appear to be a big waste of both time and resources.

Not been attacked myself, but I do have the ultimate blacklist already, sorry cant share it with you as it will only be generated after the first failed login attempt.

Did find this while browsing around though http://deepliquid.com/blog/archives/19 it has 3 IPs mentioned

216.40.234.82
204.11.16.135
207.150.180.66

I agree with Ward though a blacklist may not be all that helpful and in my view is unnecessary if you use fail2ban or whatever.

Lets keep this in proportion, the problem is securing SIP extensions a simple enough job. Do we really need more firewalls, tools for configuring firewalls, spamhaus lists, our own list, etc. Security should not be the job of a PBX (as we often here) lets not take a sledgehammer to crack a nut.

My point was you only need to add fail2ban and the extensions are secured, job done.

Everything else is unnecessary and in my view a step too far.

Also, you are asking for lists of IP's from who? Do you know and trust ALL of your submitters so you don't inadvertently block some major site just because the submitter has a vendetta against them?