Whitelist

From ViciWiki.com
Jump to navigationJump to search

Stage One: Confirm Administrator Access Override

AKA: Be sure YOU can ALWAYS get into the box in case you make a mistake

Test - Start with a Freshly Rebooted Server

  • Verify access the server normally with web browser
    http://YourServerIP/vicidial/welcome.php
  • Enter the same web page into the megaproxy service (don't forget to use in private browsing or some such). Verify that they can also get to the login page. "HideMyAss.com" is another proxy service that can be used (any proxy service will do, as will an iPad or other tablet using non-local Wifi or 3G/4G signal access).
    http://www.megaproxy.com/freesurf/

Purpose: When you start, both you and the Proxy can get in. When you finish, The Proxy will NOT be able to get to the page, but you will.

Activate Custom Firewall Hooks

nano +874 /etc/sysconfig/SuSEfirewall2

change

#FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"
FW_CUSTOMRULES=""

to (move the #)

FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"
#FW_CUSTOMRULES=""

Turn off Ping

nano +730 /etc/sysconfig/SuSEfirewall2

change

FW_ALLOW_PING_FW="yes"

to (yes to no)

FW_ALLOW_PING_FW="no"

Turn off Auth port 113

nano +415 /etc/sysconfig/SuSEfirewall2

change

FW_SERVICES_REJECT_EXT="0/0,tcp,113"

to (clean out)

FW_SERVICES_REJECT_EXT=""


Turn off SourceQuench

nano +769 /etc/sysconfig/SuSEfirewall2

change

FW_ALLOW_FW_SOURCEQUENCH="" 

to (blank to no)

FW_ALLOW_FW_SOURCEQUENCH="no"

Add Administrator Access using Custom Hooks

nano +45 /etc/sysconfig/scripts/SuSEfirewall2-custom

in "fw_custom_before_port_handling()" function add this above "true":

iptables -I INPUT 1 -s office.poundteam.com -p all -j ACCEPT
iptables -I INPUT 1 -s office2.poundteam.com -p all -j ACCEPT 
iptables -I INPUT 1 -s office3.poundteam.com -p all -j ACCEPT 
iptables -I input_ext 2 -m recent --rcheck --name GOOD -j ACCEPT
  • Substitute YOUR ip address

This is how it will look when you are done:

# ports before the SuSEfirewall2 generated rules are hit.
iptables -I INPUT 1 -s office.poundteam.com -p all -j ACCEPT
iptables -I INPUT 1 -s office2.poundteam.com -p all -j ACCEPT 
iptables -I INPUT 1 -s office3.poundteam.com -p all -j ACCEPT 
iptables -I input_ext 2 -m recent --rcheck --name GOOD -j ACCEPT
true

Allow Apache to add "Good Guys"

Permissions issues!

echo "options ipt_recent ip_list_perms=0777" > /etc/modprobe.d/90-ipt_recent.conf
  • this will create a new file (/etc/modprobe.d/90-ipt_recent.conf) with the line "options ipt_recent ip_list_perms=0777" in it.
  • OpenSuSE: Used to make /proc/net/xt_recent/GOOD modifiable by all users instead of just root
  • Ubuntu: Used to make /proc/net/ipt_recent/GOOD modifiable by all users instead of just root

Deactive "Anyone" Services

In Yast

yast firewall

Interfaces

If you have more than one IP address / Network Card: Be sure the External IP address is in the External Zone and the Private IP address (ie: 192.168.x.x or 10.x.x.x) is in the Internal Zone). This may require a quick trip to ifconfig to be sure you have identified eth0 and eth1 properly.

Allowed Services

  • "Tab" until you have highlighted "HTTP Server" and hit "Alt-t" (which is delete)
  • Yes, I really want to delete the selected entry (enter to select yes)
  • "Alt-t" again for HTTPS and delete it as well.
  • DO NOT remove Secure Shell Server (that's SSH!!)
    Do not remove SSH from this list until you have verified that you have full access to the web page, but noone else does. Leaving ssh available during this process, until after full "whitelist" is confirmed, is the best way to be sure you don't lock yourself out!

Advanced Services (inside Allowed Services)

  • "Alt-d" to select the Additional Allowed Ports popup
  • This section should have NO entries when you're finished!
  • "Tab" until you have highlighted the TCP Ports.
  • Backspace to delete the ports listed.
  • "Tab" until you have highlighted the UPD Ports (10000:20000 4569 5060:5069)
  • Backspace to delete the ports listed (port 22 is not in this list, so you are not removing YOUR ability to get into the system with SSH)
  • "Alt-O" (O as in Oscar, not Zero) for "Ok" to exit this panel
  • "Alt-N" for "Next" to accept changes made
  • "Alt-F" for "Finish" to accept changes made again
  • "Alt-Q" to quit and return to Command Line mode

Custom Rules

  • For adding CLIENT IP addresses and ranges, which are distinct from the "Company" IPs added directly in the conf files. This entry is for IP addresses such as roaming agents or new call centers. They can be easily removed without altering a conf file.
  • Firewall Zone: External Zone
  • "Alt-A" to add a new allowing rule. Each rule must be added TWICE: Once for TCP and once for UDP. Destination and source port should be left blank.

Sample IP range:

72.72.67.0/24

Save and exit and verify

  • "Alt-N" for "Next"
  • "Alt-F" for "Finish" (or just "Enter")
iptables-save

Verify that the Company IP addresses appear first in "INPUT" and any client IP addresses appear TWICE in "input_ext"

  • Note: Domain Names will be translated to IP addresses automatically.
ls /proc/net/xt_recent/GOOD -l

Verify that file is world read/write (rwxrwcrwx)

REBOOT and Verify Access

rcSuSEfirewall2 restart


Poundteam Standard Installation Stops here

Troubleshooting

Connections still occurring for systems NOT in GoodGuy list

Concept:

When asterisk is monitoring an extension for round trip packet time (qualify=yes or qualify=100 for 100NS limit): Asterisk will create an internal database entry in /SIP/Registry for each phone. The internal database is persistent and will not be deleted by a reboot. Deleting phones from sip.conf will not delete these entries. Asterisk will load these entries to ?? and use the information to "ping" each of the sip phones in question (to check lag time) on a scheduled basis.

Conntrack (the iptables module that determines the "state" of a connection) will consider the "outbound" (and unregulated!) packet to be a "connection request" which means it is "established". Any returning packet on the same port from the same SIP phone will result in success, because that IP/Port is now "Established". Even though there is no sip phone in sip.conf and no listing in "Good Guys" for this system.

Solution

asterisk -rx "database deltree SIP/Registry"
  • Followed by a reboot.
  • After this, any phones added to that database will be fresh from the present sip.conf files
  • Remember that the qualify=yes only takes effect AFTER the SIP system knows the IP to reach the phone.
  • For an "Established" connection to be created from a static IP sip device, port 5060 must be pointed to that specific phone. Otherwise, you must create a good guy entry for the entire IP manually.

Note

Ordinarily this is not an issue, as anyone in the database should be a "friend", but if you are trying to cut off prior users of the system this may be a necessary step.