DGG

From ViciWiki

Dynamic Good Guys -- Whitelist Firewall for Vicidial

License: Attribution-ShareAlike 3.0 Unported

Lockdown in Preparation for Install

ASSUMES STOCK VICIBOX INSTALLATION

Note: ALWAYS be sure that YOU can get into the server box in case you make a mistake!

Pre-Install Test = Start with a Fresh System Reboot

  • Verify access on port 80: http://www.megaproxy.com/freesurf/ (or any web-proxy service, or using wget from the CLI of another linux server)
  • Enter the web page into the proxy service (don't forget to use in private browsing or some such to avoid cache). Verify that they can also get to the login page.
  • Purpose: When you start, both you and any proxy can get in. When you finish, the proxy will NOT be able to get to the page, but you will as an "authorized IP".

Activate Custom Firewall Hooks

  • No longer required in Vicibox 7.0 (they did it for you).

nano +874 /etc/sysconfig/SuSEfirewall2

Change:

#FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"
FW_CUSTOMRULES=""

To (move the #):

FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"
#FW_CUSTOMRULES=""

Turn Off Ping

nano +730 /etc/sysconfig/SuSEfirewall2

change:

FW_ALLOW_PING_FW="yes"

to (yes to no):

FW_ALLOW_PING_FW="no"

Close port 113

nano +415 /etc/sysconfig/SuSEfirewall2

change:

FW_SERVICES_REJECT_EXT="0/0,tcp,113"

to:

FW_SERVICES_REJECT_EXT=""

Turn off ICMP Sourcequench

nano +775 /etc/sysconfig/SuSEfirewall2

Set the value to:

FW_ALLOW_FW_SOURCEQUENCH="no"
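Editing by line number (nano +874, +730, +415, +775) only works while the file layout matches the release these numbers were taken from. The following is an added example, not part of the DGG project or the Vicibox image: it applies the same four settings by key name, so the edit is idempotent and survives a differently laid-out /etc/sysconfig/SuSEfirewall2. The helper names, the FW_CFG variable and the sample file are assumptions of this example.

```shell
#!/bin/sh
# Added example (not DGG project code): set SuSEfirewall2 sysconfig keys by
# name instead of by line number. FW_CFG is an assumption: override it to
# point at a copy of the file to rehearse the change before touching the box.
FW_CFG="${FW_CFG:-/etc/sysconfig/SuSEfirewall2}"

# fw_set KEY VALUE: replace the active (uncommented) KEY=... line with
# KEY="VALUE"; commented "#KEY=..." lines are left alone as documentation.
# If KEY has no active line at all, the assignment is appended.
# Values may not contain "|" or "&" (they would collide with the sed syntax).
fw_set() {
    key=$1; val=$2
    if grep -Eq "^${key}=" "$FW_CFG"; then
        sed -i "s|^${key}=.*|${key}=\"${val}\"|" "$FW_CFG"
    else
        printf '%s="%s"\n' "$key" "$val" >> "$FW_CFG"
    fi
}

# fw_get KEY: print the active value of KEY with surrounding quotes removed
# (empty output if the key is unset or commented out).
fw_get() {
    grep -E "^$1=" "$FW_CFG" | tail -n 1 | sed 's/^[^=]*=//; s/^"//; s/"$//'
}

# The four edits described on this page, expressed as key/value pairs.
fw_apply_lockdown() {
    fw_set FW_CUSTOMRULES "/etc/sysconfig/scripts/SuSEfirewall2-custom"  # activate custom hooks
    fw_set FW_ALLOW_PING_FW no                                           # turn off ping
    fw_set FW_SERVICES_REJECT_EXT ""                                     # drop the port 113 reject rule
    fw_set FW_ALLOW_FW_SOURCEQUENCH no                                   # turn off ICMP source quench
}

# Constructed excerpt of a stock-looking sysconfig file (not copied from a
# real Vicibox install), used to exercise the helpers offline.
FW_SAMPLE_CFG='## constructed excerpt
FW_SERVICES_REJECT_EXT="0/0,tcp,113"
FW_ALLOW_PING_FW="yes"
FW_ALLOW_FW_SOURCEQUENCH="yes"
#FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"
FW_CUSTOMRULES=""'

# Usage on a live box (as root): FW_CFG=/etc/sysconfig/SuSEfirewall2 fw_apply_lockdown
# Dry run against the sample:
#   FW_CFG=$(mktemp); printf '%s\n' "$FW_SAMPLE_CFG" > "$FW_CFG"; fw_apply_lockdown; cat "$FW_CFG"
```

Running fw_apply_lockdown twice leaves the file unchanged the second time, which is the property the nano line-number method lacks: a second pass there would comment or uncomment the wrong line.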

Add Administrator Access using Custom Hooks

nano +51 /etc/sysconfig/scripts/SuSEfirewall2-custom

in "fw_custom_before_port_handling()" function add this above "true":

 iptables -I INPUT 1 -s office.poundteam.com -p all -j ACCEPT
 iptables -I input_ext 2 -m recent --rcheck --name GOOD -j ACCEPT

This is how it will look when you are done:

# ports before the SuSEfirewall2 generated rules are hit.
iptables -I INPUT 1 -s office.poundteam.com -p all -j ACCEPT
iptables -I input_ext 2 -m recent --rcheck --name GOOD -j ACCEPT
true

Notes:

  • The line with "GOOD" is part of Dynamic Good Guys and IS required!
  • The line with "office.poundteam.com" is optional: Replace "office.poundteam.com" with your domain or IP address for PERMANENT remote access which will not be "accidentally" removed by anyone without ssh access. Multiple such lines are possible (each can keep position 1 in "-I INPUT 1"; there is no need to increment the number). Subnet mask notation such as "128.15.27.0/24" is also accepted.

Allow Apache to add "Good Guys"

echo "options ipt_recent ip_list_perms=0777" > /etc/modprobe.d/90-ipt_recent.conf
  • this will create a new file (/etc/modprobe.d/90-ipt_recent.conf) with the line "options ipt_recent ip_list_perms=0777" in it.
  • OpenSuSE: Used to make /proc/net/xt_recent/GOOD modifiable by all users instead of just root
  • Ubuntu: Used to make /proc/net/ipt_recent/GOOD modifiable by all users instead of just root
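The reason the list file has to be writable by the Apache user is that the kernel's recent-match module takes its updates as plain writes to that file: "+ADDR" adds or refreshes an entry, "-ADDR" removes one, and "/" empties the list. The following shell helpers are an added example, not code from the DGG project; they do from the command line what the DGG pages do from PHP, and they are also what the "cat /proc/net/xt_recent/GOOD" checks in the troubleshooting sections below read back. The DGG_LIST variable, the function names and the sample list contents are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the DGG project: drive an xt_recent list from
# the shell the same way DGG's web pages do. The kernel accepts plain writes
# to the list file: "+ADDR" adds (or refreshes) an entry, "-ADDR" removes it,
# and "/" empties the list. Entries live in kernel memory only, so they are
# gone after a reboot or a firewall reload.
# DGG_LIST is an assumption: the openSUSE path is the default; on Ubuntu use
# /proc/net/ipt_recent/GOOD, or point it at a scratch file to try this offline.
DGG_LIST="${DGG_LIST:-/proc/net/xt_recent/GOOD}"

# The list holds single hosts, not ranges, so accept only a dotted quad whose
# octets are 0-255. Anything else (CIDR, hostnames, junk) is rejected before
# it reaches the kernel file.
dgg_valid_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for octet in $(printf '%s' "$1" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

dgg_add_ip() {      # authorize one address
    dgg_valid_ipv4 "$1" || { echo "dgg_add_ip: not a single IPv4 address: $1" >&2; return 1; }
    printf '+%s\n' "$1" > "$DGG_LIST"
}

dgg_remove_ip() {   # revoke one address
    dgg_valid_ipv4 "$1" || { echo "dgg_remove_ip: not a single IPv4 address: $1" >&2; return 1; }
    printf '%s%s\n' - "$1" > "$DGG_LIST"
}

dgg_flush() {       # drop every entry (the same effect yast firewall has on the list)
    printf '/\n' > "$DGG_LIST"
}

# Print the authorized addresses, one per line. Each entry in the proc file
# reads "src=203.0.113.5 ttl: 64 last_seen: <jiffies> oldest_pkt: 1 <jiffies>".
dgg_list_ips() {
    sed -n 's/^src=\([^ ]*\).*/\1/p' "$DGG_LIST"
}

# Minimal CLI: "dgg.sh add 203.0.113.5", "dgg.sh del 203.0.113.5", "dgg.sh list".
case "${1:-}" in
    add)  dgg_add_ip "$2" ;;
    del)  dgg_remove_ip "$2" ;;
    list) dgg_list_ips ;;
esac
```

The validation step matters because the file accepts whatever is written to it: a stray range or hostname written by a web form produces an error or a silently ignored entry rather than a rejected request, so the check belongs on the writer's side.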

Close Stock Vicibox Firewall Holes

In Yast

yast firewall

Interfaces

Be sure the External IP address is in the External Zone and the Private IP address (i.e. 192.168.x.x or 10.x.x.x) is in the Internal Zone. This may require a quick trip to ifconfig to be sure you have identified eth0 and eth1 properly.

Allowed Services

  • "Tab" until you have highlighted "HTTP Server" and hit "Alt-t" (which is delete)
  • Yes, I really want to delete the selected entry (enter to select yes)
  • "Alt-t" again for HTTPS and delete it as well.
  • DO NOT remove Secure Shell Server (that's SSH!!)

Advanced Services (inside Allowed Services)

  • "Alt-d" to select the Additional Allowed Ports popup
  • This section should have NO entries when you're finished!
  • "Tab" until you have highlighted the TCP Ports.
  • Backspace to delete the ports listed.
  • Add Port 81 to the TCP List IF you will want the Dynamic portion to use port 81 for remote access during self-allow IP addresses. (Below.)
  • "Tab" until you have highlighted the UDP Ports (10000:20000 4569 5060:5069)
  • Backspace to delete the ports listed (port 22 is not in this list, so you are not removing YOUR ability to get into the system with SSH)
  • "Alt-O" (O as in Oscar, not Zero) for "Ok" to exit this panel
  • "Alt-N" for "Next" to accept changes made
  • "Alt-F" for "Finish" to accept changes made again
  • "Alt-Q" to quit and return to Command Line mode

Custom Rules (Back in yast firewall)

  • For adding CLIENT IP addresses and ranges ONLY those you intend to modify with ssh in the future. Leave this blank if you want to modify all allowed IPs via Dynamic Good Guys.
  • Dynamic Good Guys is ONLY for single IP addresses. This custom rules method can add IP ranges with appropriate subnet mask notation (such as "182.55.12.0/24")
  • Firewall Zone: External Zone
  • "Alt-A" to add a new allowing rule. Each rule must be added TWICE: Once for TCP and once for UDP. Destination and source port should be left blank.
    • TCP is for web access
    • UDP is for Phone access
    • It is also possible to limit to individual ports UDP vs TCP! (If you want to be very technical for items such as mysql links.)

Save and exit and verify

  • "Alt-N" for "Next"
  • "Alt-F" for "Finish" (or just "Enter")
iptables-save

Verify that added IP addresses in "Custom" pane of yast firewall appear TWICE in "input_ext" (once for TCP and once for UDP)

ls -l /proc/net/xt_recent/GOOD

Verify that the file is world read/write (rwxrwxrwx)

REBOOT and Verify Access

rcSuSEfirewall2 restart
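The three checks above (GOOD rule present in input_ext, each custom IP present twice, list file world read/write) are easy to get wrong by eye in a long iptables-save dump. The following is an added example, not part of the DGG project: each check is a function that reads captured iptables-save text or a file path, so it can be rehearsed offline and then run against the live box. The function names and the constructed iptables-save excerpt are assumptions of this example; iptables-save prints a bare host source as host/32 and may append --mask/--rsource to the recent match, and the regexes allow for both.

```shell
#!/bin/sh
# Added example (not DGG project code): post-lockdown verification checks.
# On a live box: iptables-save > /tmp/fw.txt; dgg_verify_lockdown /tmp/fw.txt /proc/net/xt_recent/GOOD 203.0.113.5

# Check 1: the Dynamic Good Guys rule is in input_ext. The hook's
# "-I input_ext 2 -m recent --rcheck --name GOOD -j ACCEPT" is rendered by
# iptables-save as an "-A input_ext ..." line, possibly with --mask/--rsource.
dgg_check_good_rule() {   # stdin: iptables-save output
    grep -Eq -- '^-A input_ext -m recent --rcheck --name GOOD( .*)? -j ACCEPT$'
}

# Check 2: a yast "Custom Rules" source appears twice in input_ext, exactly
# one ACCEPT for TCP and one for UDP. Only ACCEPT rules are counted, so any
# LOG rules SuSEfirewall2 adds for the same source do not skew the result.
dgg_check_source_twice() {   # $1: IP or CIDR; stdin: iptables-save output
    esc=$(printf '%s' "$1" | sed 's/\./\\./g')          # escape dots for the regex
    rules=$(grep -E -- "^-A input_ext -s ${esc}(/32)? .*-j ACCEPT$")
    tcp=$(printf '%s\n' "$rules" | grep -c -- ' -p tcp ')
    udp=$(printf '%s\n' "$rules" | grep -c -- ' -p udp ')
    [ "$tcp" -eq 1 ] && [ "$udp" -eq 1 ]
}

# Check 3: the GOOD list is world read/write, i.e. ip_list_perms=0777 took
# effect. A trailing "+" or "." (ACL/SELinux marker) after the mode is accepted.
dgg_check_good_perms() {   # $1: path to the list file
    case "$(ls -ld "$1" 2>/dev/null)" in
        -rwxrwxrwx*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Run every check and report PASS/FAIL per item; nonzero exit if any failed.
# $1: file holding iptables-save output, $2: GOOD list path, $3..: custom sources.
dgg_verify_lockdown() {
    save=$1; good=$2; shift 2
    rc=0
    if dgg_check_good_rule < "$save"; then echo "PASS GOOD rule in input_ext"; else echo "FAIL GOOD rule missing from input_ext"; rc=1; fi
    if dgg_check_good_perms "$good"; then echo "PASS $good is rwxrwxrwx"; else echo "FAIL $good is not world read/write"; rc=1; fi
    for src in "$@"; do
        if dgg_check_source_twice "$src" < "$save"; then echo "PASS $src has TCP and UDP ACCEPT"; else echo "FAIL $src is not allowed for both TCP and UDP"; rc=1; fi
    done
    return $rc
}

# Constructed iptables-save excerpt (not captured from a real host): the GOOD
# rule, one source allowed for both protocols, and one allowed for UDP only.
DGG_SAMPLE_SAVE='*filter
:INPUT DROP [0:0]
:input_ext - [0:0]
-A INPUT -s 198.51.100.10/32 -j ACCEPT
-A INPUT -i eth1 -j input_ext
-A input_ext -m recent --rcheck --name GOOD --mask 255.255.255.255 --rsource -j ACCEPT
-A input_ext -s 203.0.113.5/32 -p tcp -j ACCEPT
-A input_ext -s 203.0.113.5/32 -p udp -j ACCEPT
-A input_ext -s 198.51.100.0/24 -p udp -j ACCEPT
-A input_ext -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT'
```

Against the sample, 203.0.113.5 passes and 198.51.100.0/24 fails, which is the exact mistake the "each rule must be added TWICE" note warns about: a phone that registers fine over UDP but whose agent screen never loads.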

Installation of Dynamic Good Guys

*Upgraded for Vicibox 7.0*

We upgraded DGG to be compatible with Vicibox 7.0 apache requirements.

*Upgraded for Encrypted Passwords*

DGG will now work with Vicidial's encrypted password method.

Back to install

  • Note: If all you wanted was a solid lockdown ... stop here. Dynamic Good Guys is only useful for easy addition of new IPs without requiring admin or user to access the CLI. If you're ok with accessing the CLI (and using yast firewall custom entries or modifying the above custom hooks file via nano or vi), you're done here.
  • Be sure you have the root mysql password before you begin! Blank is a valid password for this application (if you have no password for root mysql, that is.)

Main Install

mkdir -p /usr/src/poundteam
cd /usr/src/poundteam
rm -f dgg_install.sh
wget http://www.poundteam.com/downloads/software/dgg_install.sh
/bin/bash /usr/src/poundteam/dgg_install.sh

Continues with Mysql Install

At the beginning of the second stage, you will be asked for the mysql root pass:

Enter root mysql password - blank if no password
  • Enter root pass to install db

Continues with apache configuration

Next we have the apache configuration:

Enter FQDN or IP - whichever is used in URL - of this server for apache configuration:
  • Enter the FQDN or IP

At this point you will be presented with two DGG links.

Copy this information! It is easy to get now, but not so simple later unless you are very familiar with Linux.

An Example of such information is below:

URL for Dynamic Good Guys Login:
    http://xxx.xxx.xxx.xxx:81/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.php
Modify regularly for security reasons. To modify:
    cp /srv/www/lockdown/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.php /srv/www/lockdown/NEWNAME.php
Be sure to replace 'NEWNAME' with an actual random new name, of course!
URL for ADMIN to modify individual IPs:
    http://xxx.xxx.xxx.xxx/phpmysqlezedit/goodguys.php?access=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

 NOTE: Port 81 must be opened in yast to allow access to the DGG page above.

Example Authorized IPs listing

[Image: DGG Authorized IPs Interface.jpg]

Example Add IP form

[Image: DGG Add Authorized IP.jpg]

Testing / Troubleshooting

  • If apache does not restart, check here for two or more entries at the bottom. (There should only be one instance of each entry, no dupes!)
nano /etc/apache2/listen.conf

Using the "URL for ADMIN to modify individual IPs"

Save a sample IP in the web page.

Test to make sure it saved in console:

cat /proc/net/xt_recent/GOOD
  • NOTE: After installation, DO NOT use Yast Firewall ... Yast firewall deletes good guy entries upon saving/exiting from yast. Be sure to check all entries before final submission.
  • Yast firewall reset will not terminate existing "connections", but will not allow new ones.
  • If you must use Yast firewall, immediately add or remove a DGG entry as well to reinitialize the DGG system.

Using the "URL for Dynamic Good Guys Login"

  1. From an IP not presently authorized - although I would avoid a proxy service (Do you really want to give this link to a proxy server facility?)
  2. Surf to this link and you should be presented with a generic (vicidial) login screen
  3. With an authorized user/pass in the system you should then be redirected to the agent re-login screen.
  4. IF the user has a "phone" and "phone password" in their User entry, these will be pre-filled and the agent can then choose a campaign and log in.
  5. Verify that their IP address and user now show up in the "URL for ADMIN to modify individual IPs" with "temporary=Y".
  6. Temporary IPs are forgotten at reboot.

Extra Troubleshooting

Authorize IP Ranges

The DGG system will (at present) only authorize individual IP addresses. To add an IP Range instead ...

  1. Check existing configuration for later comparison: "iptables-save" will spill your present firewall settings to the console.
  2. "cat /proc/net/xt_recent/GOOD" will spill your present Good Guys list to the console.
  3. yast firewall
  4. Left Pane: Custom Rules
  5. "Alt-A" to "[Add]"
    1. Source Network: (this is where you put the IP range, such as "71.122.99.0/24" using CIDR notation)
    2. Protocol: UDP (for SIP access ... TCP for Web/Database/SSH ... TWO Entries if you require both)
    3. Destination/Source/Additional can all be left blank for the simplest method. (It is possible to use these to strictly limit access, of course.)
    4. "Alt-A" again to finish.
  6. Repeat as necessary until your list is complete. When your list is complete ...
  7. At this stage, it is best to bring up your "Dynamic Good Guys IP editor". Have it ready to hit "submit" on an entry (no need to change the entry).
  8. "Alt-N" for [Next]
  9. "Alt-F" for [Finish]
  10. Immediately "Submit" on the DGG IP editor page to re-register those Good IPs (they will be erased when you "Finish" on the line above).
  11. To validate: "iptables-save" will spill your new settings.
  12. "cat /proc/net/xt_recent/GOOD" will spill your new Good Guys list to the console.