TUTORIAL Alternative to Travelin' Man 3 Firewall

kyle95wm

Okay, don't get me wrong. The firewall @wardmundy created is fantastic. But what if people don't want to be bothered with whitelisting IPs or FQDNs, or worried about PortKnocker?

Below is an iptables file that I've been using for a good two weeks now. This should probably be used in larger deployments. What this will do is:
- Block the bad guys
- Only allow SIP registrations when people use your FQDN
- Block other attacks
- Close the web ports (you can open them to your IP only if you wish)

These are the rules
 
Looks OK, but 80/443 would need to be open for Issabel4, because that is touted as a Unified Communications platform, and if you have remote users (the reason for TravelinMan 3 in the first place) then they may be able to register their SIP extension but do nothing else, and Issabel forces HTTPS (443) anyway.

You forgot the good-guy VoIP provider section - they won't 'register' with your FQDN.

Nice looking though.
 
Well, that could easily be fixed. I could replace the above code block with a paste link to a version with the "trusted providers" included. For me, I haven't needed those, not for voipms anyways.

Edit: yeah I could have 80/443 opened by default. This is the case for https://admin.dev.phonegenius.ca and it's using a trusted certificate.
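The thread's iptables rules are not reproduced here, so as an added example (not the poster's code) this Python model shows the admission policy the thread describes: trusted trunk providers admitted by source address, everyone else only when their SIP request is addressed to your FQDN, everything else dropped. The FQDN, the provider address block and the sample datagrams are constructed placeholders, and the equivalent iptables rules assume the FQDN check is done with the `string` match.

```python
"""Constructed model of the SIP admission policy discussed in this thread."""
import ipaddress
import re
from typing import List, Optional

PBX_FQDN = "pbx.example.com"                       # placeholder: your FQDN
# Placeholder block for a trusted VoIP provider. Trunks never REGISTER against
# your FQDN, so they must be admitted by address, as the reply above notes.
TRUSTED_PROVIDERS = [ipaddress.ip_network("203.0.113.0/24")]
SIP_PORT = 5060

# SIP Request-Line: METHOD sip:[user@]host[:port][;params] SIP/2.0
REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) +sips?:(?:[^@\s]+@)?(?P<host>[^;:\s>]+)")

def sip_request_host(payload: bytes) -> Optional[str]:
    """Host part of the Request-URI of a SIP request, or None if it is not one."""
    first_line = payload.decode("utf-8", "replace").split("\r\n", 1)[0]
    m = REQUEST_LINE.match(first_line)
    return m.group("host").lower() if m else None

def sip_verdict(src_ip: str, payload: bytes) -> str:
    """Firewall verdict for one UDP datagram arriving on the SIP port."""
    ip = ipaddress.ip_address(src_ip)
    if any(ip in net for net in TRUSTED_PROVIDERS):
        return "ACCEPT"                            # provider trunk traffic
    if sip_request_host(payload) == PBX_FQDN:
        return "ACCEPT"                            # user registering via the FQDN
    return "DROP"            # scanners hit the bare IP, or send no SIP at all

def iptables_rules() -> List[str]:
    """Equivalent iptables rules. Note the string match is a plain substring
    test over the packet, so it is looser than the Request-URI parse above."""
    rules = [f"-A INPUT -p udp --dport {SIP_PORT} -s {net} -j ACCEPT"
             for net in TRUSTED_PROVIDERS]
    rules.append(f'-A INPUT -p udp --dport {SIP_PORT} -m string '
                 f'--string "{PBX_FQDN}" --algo bm -j ACCEPT')
    rules.append(f"-A INPUT -p udp --dport {SIP_PORT} -j DROP")
    return rules

# Constructed sample datagrams (documentation addresses only)
SCANNER = b"REGISTER sip:198.51.100.7 SIP/2.0\r\nVia: SIP/2.0/UDP 192.0.2.9\r\n\r\n"
USER = b"REGISTER sip:pbx.example.com SIP/2.0\r\nVia: SIP/2.0/UDP 192.0.2.50\r\n\r\n"
TRUNK = b"INVITE sip:15551230100@198.51.100.7 SIP/2.0\r\n\r\n"
JUNK = b"\x00\x01garbage"

if __name__ == "__main__":
    for name, src, pkt in [("scanner", "192.0.2.9", SCANNER), ("user", "192.0.2.50", USER),
                           ("trunk", "203.0.113.10", TRUNK), ("junk", "192.0.2.9", JUNK)]:
        print(f"{name:8s} {src:14s} -> {sip_verdict(src, pkt)}")
    print("\n".join(iptables_rules()))
```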
 
As a "replacement", you might want to look at

https://configserver.com/cp/csf.html

It is flexible and dynamic, it works well with fail2ban/your iptables assumptions, has a huge number of other IDS mechanisms, and has an HTML/cellphone interface to manage problematic attempts to connect.

In my personal experience, your "travelling man" as a wetware unit will have no knowledge of his external IP; a webpage that pushes the discovered new IP (from innumerable sources) back to the server, to update iptables to accept that IP and verify the PIN, might be efficient.
https://yourserver/yourverificationpage, so the training is to tell the "wet guy" to go to that page; you as the maestro will add that to your ipset.

As an expedient, you should add the derived network to the allowed list, not just the host; that would cover every dynamic cable/DSL/ISP client that is subject to a somewhat random DHCP address assignment. I have a recipe to do that if anyone is interested.
 
Just as an FYI, be advised that AsteriDex and Telephone Reminders have no password mechanism to protect their web interfaces so you'd have to address that with .htaccess. I've also never had much confidence in the FreePBX password protection. You can look up the vulnerabilities for yourself.
 
Just as an FYI, be advised that AsteriDex and Telephone Reminders have no password mechanism to protect their web interfaces so you'd have to address that with .htaccess. I've also never had much confidence in the FreePBX password protection. You can look up the vulnerabilities for yourself.
Hmm, never thought of that. I mostly intended this for Wazo, since that seems to be my main platform of choice. I do miss the Privacy Manager and faxing capabilities that came with IPBX for the FPBX GUI. I know Issabel 4 is all the rage, but I see no multi-tenant feature for that. That's why I chose Wazo.
 
