DGG

Dynamic Good Guys Whitelist Firewall for Vicidial

License: Attribution-ShareAlike 3.0 Unported

= Lockdown in Preparation for Install =

ASSUMES STOCK VICIBOX INSTALLATION
Note: ALWAYS be sure that YOU can get into the server box in case you make a mistake!

Pre-Install Test = Start with a Fresh System Reboot

 * Verify access on port 80: http://www.megaproxy.com/freesurf/ (or any web-proxy service)
 * Enter the web page into the megaproxy service (don't forget to use in private browsing or some such). Verify that they can also get to the login page.
 * Purpose: When you start, both you and megaproxy can get in. When you finish, megaproxy will NOT be able to get to the page, but you will.

Activate Custom Firewall Hooks
nano +874 /etc/sysconfig/SuSEfirewall2

Change: FW_CUSTOMRULES="" to FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom" by moving the # from one line to the other, so that the two lines read:
FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"
#FW_CUSTOMRULES=""

Turn Off Ping
nano +730 /etc/sysconfig/SuSEfirewall2
Change: FW_ALLOW_PING_FW="yes" to FW_ALLOW_PING_FW="no"

Close port 113
nano +415 /etc/sysconfig/SuSEfirewall2
Change: FW_SERVICES_REJECT_EXT="0/0,tcp,113" to FW_SERVICES_REJECT_EXT=""

Add Administrator Access using Custom Hooks
nano +51 /etc/sysconfig/scripts/SuSEfirewall2-custom
In the "fw_custom_before_port_handling" function add these two lines above "true":
iptables -I INPUT 1 -s office.poundteam.com -p all -j ACCEPT
iptables -I input_ext 2 -m recent --rcheck --name GOOD -j ACCEPT
This is how it will look when you are done:
iptables -I INPUT 1 -s office.poundteam.com -p all -j ACCEPT
iptables -I input_ext 2 -m recent --rcheck --name GOOD -j ACCEPT
true
Notes:
 * The numbers (1 and 2) are insert positions: the rules go in at the top of their chains, so they are matched before the SuSEfirewall2-generated rules are hit.
 * The line with "GOOD" is part of Dynamic Good Guys and IS required!
 * The line with "office.poundteam.com" is optional: Replace "office.poundteam.com" with your domain or IP address for PERMANENT remote access which cannot be "accidentally" removed by anyone without ssh access. Multiple lines are possible (all can be left at position 1, no need to increment). Subnet mask notation such as "128.15.27.0/24" is also accepted.

Allow Apache to add "Good Guys"
echo "options ipt_recent ip_list_perms=0777" > /etc/modprobe.d/90-ipt_recent.conf

 * This creates a new file (/etc/modprobe.d/90-ipt_recent.conf) containing the line "options ipt_recent ip_list_perms=0777".
 * OpenSuSE: Used to make /proc/net/xt_recent/GOOD modifiable by all users instead of just root
 * Ubuntu: Used to make /proc/net/ipt_recent/GOOD modifiable by all users instead of just root

In Yast
yast firewall

Interfaces
Be sure the External IP address is in the External Zone and the Private IP address (i.e. 192.168.x.x or 10.x.x.x) is in the Internal Zone. This may require a quick trip to ifconfig to be sure you have identified eth0 and eth1 properly.

Allowed Services

 * "Tab" until you have highlighted "HTTP Server" and hit "Alt-t" (which is delete)
 * Yes, I really want to delete the selected entry (enter to select yes)
 * "Alt-t" again for HTTPS and delete it as well.
 * DO NOT remove Secure Shell Server (that's SSH!!)

Advanced Services (inside Allowed Services)

 * "Alt-d" to select the Additional Allowed Ports popup
 * This section should have NO entries when you're finished!
 * "Tab" until you have highlighted the TCP Ports.
 * Backspace to delete the ports listed.
 * Add port 81 to the TCP list IF you want the Dynamic portion to use port 81 for remote access while users self-allow their IP addresses (see below).
 * "Tab" until you have highlighted the UDP Ports (10000:20000 4569 5060:5069)
 * Backspace to delete the ports listed (port 22 is not in this list, so you are not removing YOUR ability to get into the system with SSH)
 * "Alt-O" (O as in Oscar, not Zero) for "Ok" to exit this panel
 * "Alt-N" for "Next" to accept changes made
 * "Alt-F" for "Finish" to accept changes made again
 * "Alt-Q" to quit and return to Command Line mode

Custom Rules (Back in yast firewall)

 * For adding CLIENT IP addresses and ranges: ONLY those you intend to modify via ssh in the future. Leave this blank if you want to modify all allowed IPs via Dynamic Good Guys.
 * Dynamic Good Guys is ONLY for single IP addresses. This custom rules method can add IP ranges with appropriate subnet mask notation (such as "182.55.12.0/24")
 * Firewall Zone: External Zone
 * "Alt-A" to add a new allowing rule. Each rule must be added TWICE: Once for TCP and once for UDP. Destination and source port should be left blank.
 * TCP is for web access
 * UDP is for Phone access
 * It is also possible to limit to individual ports UDP vs TCP! (If you want to be very technical for items such as mysql links.)

Save and exit and verify

 * "Alt-N" for "Next"
 * "Alt-F" for "Finish" (or just "Enter")

Then verify from the command line:
iptables-save
Verify that added IP addresses appear TWICE in "input_ext".
ls -l /proc/net/xt_recent/GOOD
Verify that the file is world read/write (rwxrwxrwx).

REBOOT and Verify Access
rcSuSEfirewall2 restart

 * http://www.megaproxy.com/freesurf
 * Enter the same web page into the megaproxy service. Verify that they can no longer get to the login page.

= Installation of Dynamic Good Guys =

*VICIBOX 6.0.X REQUIREMENT*
We have not yet updated SVN for Vicibox 6.0.x, which runs on a later version of OpenSuSE with a later version of Apache. There is a new requirement that the "Options" in Apache .conf files must either ALL have a "+/-" or NONE may have them. Thus it is necessary to make these simple modifications in the offending files until we get a chance to update SVN.
Check all files in /etc/apache2/vhosts.d/ that end in ".conf" for:
Options -Indexes FollowSymLinks
Add the +:
Options -Indexes +FollowSymLinks

Back to install

 * Note: If all you wanted was a solid lockdown ... stop here. Dynamic Good Guys is only useful for easy addition of new IPs without requiring admin or user to access the CLI. If you're ok with accessing the CLI (and using yast firewall custom entries or modifying the above custom hooks file via nano or vi), you're done here.
 * Be sure you have the root mysql password before you begin! Blank is a valid password for this application (if you have no password for root mysql, that is.)

Main Install
mkdir -p /usr/src/poundteam
cd /usr/src/poundteam
rm -f dgg_install.sh
wget http://www.poundteam.com/downloads/software/dgg_install.sh
/bin/bash /usr/src/poundteam/dgg_install.sh

Continues with Mysql Install
At the beginning of the second stage, you will be asked for the mysql root pass: Enter root mysql password - blank if no password
 * Enter root pass to install db

Continues with apache configuration
Next we have the apache configuration: Enter FQDN or IP - whichever is used in URL - of this server for apache configuration:
 * Enter the FQDN or IP

At this point you will be presented with two DGG links.
Copy this information! It is easy to get now, but not so simple later unless you are very familiar with Linux.

An example of such information is below:
URL for Dynamic Good Guys Login: http://xxx.xxx.xxx.xxx:81/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.php
Modify regularly for security reasons. To modify:
cp /srv/www/lockdown/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.php /srv/www/lockdown/NEWNAME.php
Be sure to replace 'NEWNAME' with an actual random new name, of course!
URL for ADMIN to modify individual IPs: http://xxx.xxx.xxx.xxx/phpmysqlezedit/goodguys.php?access=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

NOTE: Port 81 must be opened in yast to allow access to the DGG page above.

Testing / Troubleshooting
nano /etc/apache2/listen.conf
 * If apache does not restart, check here for two or more entries at the bottom. (There should only be one instance of each entry, no dupes!)

Using the "URL for ADMIN to modify individual IPs"
Save a sample IP in the web page.

Test to make sure it saved in console: cat /proc/net/xt_recent/GOOD

 * NOTE: After installation, DO NOT use Yast Firewall ... Yast firewall deletes good guy entries upon saving/exiting from yast. Be sure to check all entries before final submission.
 * Yast firewall reset will not terminate existing "connections", but will not allow new ones.
 * If you must use Yast firewall, immediately add or remove a DGG entry as well to reinitialize the DGG system.
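The console check above, and the note that DGG takes single IP addresses only, in script form. This is an added example and not part of DGG or the installer: helpers that add, remove and list entries through the kernel's xt_recent control file, rejecting anything that is not a bare IPv4 address. The names (GOOD_LIST, valid_ipv4, dgg_add, dgg_del, dgg_list, dgg_has) are my own.

```shell
# Added example (not part of DGG): shell helpers for the xt_recent list that
# the GOOD rule matches on. The kernel control interface is: write "+ADDR" to
# /proc/net/xt_recent/GOOD to add an address, "-ADDR" to remove it, "/" to
# flush the whole list. GOOD_LIST may point at a temp file for offline tests.
GOOD_LIST="${GOOD_LIST:-/proc/net/xt_recent/GOOD}"

# Accept only a plain dotted-quad IPv4 address. DGG is for single IPs, and
# anything else is misread by the kernel: a stray "/" flushes every entry,
# a leading "-" removes one, and CIDR notation is not understood at all.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*) return 1 ;;   # empty, or a character outside [0-9.]
    esac
    _old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$_old_ifs
    [ $# -eq 4 ] || return 1        # exactly four octets
    for _o in "$@"; do
        [ -n "$_o" ] && [ "$_o" -le 255 ] || return 1
    done
    return 0
}

dgg_add() {
    valid_ipv4 "$1" || { echo "dgg_add: rejecting '$1'" >&2; return 1; }
    echo "+$1" > "$GOOD_LIST"
}
dgg_del() {
    valid_ipv4 "$1" || { echo "dgg_del: rejecting '$1'" >&2; return 1; }
    echo "-$1" > "$GOOD_LIST"
}

# Print the whitelisted addresses one per line. Each kernel entry reads
# "src=A.B.C.D ttl: N last_seen: T oldest_pkt: K ..." so keep the src= value.
dgg_list() {
    sed -n 's/^src=\([0-9.]*\) .*/\1/p' "$GOOD_LIST"
}

# Exit status 0 when ADDR is currently whitelisted.
dgg_has() {
    dgg_list | grep -qxF "$1"
}

# Command-line use: dgg.sh add|del|has ADDR, or dgg.sh list.
case "${1:-}" in
    add) dgg_add "$2" ;;  del) dgg_del "$2" ;;  has) dgg_has "$2" ;;
    list) dgg_list ;;     '') ;;   # no arguments: functions only (sourced)
    *) echo "usage: $0 add|del|has ADDR | list" >&2; exit 2 ;;
esac
```

On the server the proc file is only writable by root unless the ip_list_perms change above is in place, so run it as root or as the Apache user accordingly.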

Using the "URL for Dynamic Good Guys Login"

 * 1) From an IP not presently authorized - although I would avoid a proxy service (Do you really want to give this link to a proxy server facility?)
 * 2) Surf to this link and you should be presented with a generic (vicidial) login screen
 * 3) With an authorized user/pass in the system you should then be redirected to the agent re-login screen.
 * 4) IF the user has a "phone" and "phone password" in their User entry, these will be pre-filled and the agent can then choose a campaign and log in.
 * 5) Verify that their IP address and user now show up in the "URL for ADMIN to modify individual IPs" with "temporary=Y".
 * 6) Temporary IPs are forgotten at reboot.