This is no replacement for upgrading to the latest FusionPBX but I'm going to try and get this working on all my servers.
I'm just sharing a script I have been playing with that I believe is a great security enhancement.
Currently, only use this on a test box or if you are confident with FusionPBX.
Make sure you have account details for an extension if it is a new install BEFORE you run the script as it will lock you out of the GUI.
Also, grab the credentials of an existing extension if it's not a new install.
If you run the script on an existing install, do a crontab -l first and make note of your cron entries if you have any as it will wipe them.
I'll fix this very soon.
So what does it do and what's it for?
What this does is block access to both the web interface and the normal SIP ports 5060-5079 by default. This means your phones will fail to register. This also means Mr Hacker cannot exploit any weaknesses.
What you need to do, using a spare line on your phone, is register that spare line to port 8650, using the same credentials as your regular extension.
What's happening in the background is a Kamailio instance listens on this port, and once you have authenticated to it, it whitelists your IP and allows access to the otherwise closed ports and the GUI.
A cron script will run at 3am that removes the whitelist and restores the default rules. This shouldn't block any existing connection as we have a RELATED/ESTABLISHED rule in iptables already. Your spare line registering to port 8650 will re-add your IP to the whitelist. For testing you can leave the timer nice and low at 120, but there is no reason why this shouldn't work with 3600 or much more.
Going forward, like FreeSWITCH's NDLB (No Device Left Behind), I would like to create a NSLB (No Subnet Left Behind) and try adding various other methods to open the ports. For example a web URL with an auth key, or Yealink phones can call a URL when registration fails; we could use that too.
You should be using the latest iptables rules that FusionPBX currently installs.
Anyway, have a play and let me know what you think:
Code:
wget -O - https://gist.githubusercontent.com/DigiDaz/2c325684498075d486e883c82f76a317/raw/e6b95077868cf98c5101d1f0962d0bf191b94c47/install-whitelisting.sh | sh;
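To make the mechanism above concrete, here is an added illustration of the iptables side of the scheme: a whitelist chain that the SIP-ports and GUI-ports rules jump to, an add function that a hook (for instance Kamailio's exec module, passing the source address after a successful REGISTER) can call, and a flush function for the cron job. This is example code written for this write-up, not the author's install-whitelisting.sh, and the chain name SIPWL, the port lists, the variable names and the use of the conntrack match are all assumptions. It also adds one check a practitioner would want that the text does not mention: the address handed over by the registrar is validated as a plain IPv4 dotted quad before it goes anywhere near an iptables command line.

```shell
#!/bin/sh
# Added example, not part of the original post or FusionPBX. Assumes a
# chain named SIPWL, the port lists below, and that the caller supplies the
# source IP of an authenticated REGISTER. Set IPT="echo iptables" to dry-run.

IPT="${IPT:-iptables}"
CHAIN="SIPWL"
SIP_PORTS="5060:5079"        # closed by default, opened per source IP
GUI_PORTS="80,443"           # web interface, same treatment
KNOCK_PORT="8650"            # the registrar that grants whitelist entries

# Only accept a well-formed dotted quad. The IP comes from a network peer via
# the registrar; never let anything else reach an iptables command line.
valid_ipv4() {
  echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  _ifs=$IFS; IFS=.
  set -- $1
  IFS=$_ifs
  for _o in "$@"; do
    [ "$_o" -le 255 ] || return 1
  done
  return 0
}

# Default rule set: established flows survive a whitelist flush, the knock
# port is always reachable, SIP and GUI ports consult SIPWL and otherwise drop.
base_rules() {
  $IPT -N "$CHAIN" 2>/dev/null || $IPT -F "$CHAIN"
  $IPT -I INPUT 1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  $IPT -A INPUT -p udp --dport "$KNOCK_PORT" -j ACCEPT
  $IPT -A INPUT -p udp -m multiport --dports "$SIP_PORTS" -j "$CHAIN"
  $IPT -A INPUT -p tcp -m multiport --dports "$SIP_PORTS,$GUI_PORTS" -j "$CHAIN"
  $IPT -A INPUT -p udp -m multiport --dports "$SIP_PORTS" -j DROP
  $IPT -A INPUT -p tcp -m multiport --dports "$SIP_PORTS,$GUI_PORTS" -j DROP
}

# Hook for the registrar: whitelist one source IP, idempotently.
whitelist_add() {
  valid_ipv4 "$1" || { echo "refusing to whitelist '$1'" >&2; return 1; }
  $IPT -C "$CHAIN" -s "$1" -j ACCEPT 2>/dev/null \
    || $IPT -I "$CHAIN" -s "$1" -j ACCEPT
}

# Cron job (e.g. 0 3 * * *): empty the whitelist. Phones already registered
# keep their flows via the conntrack rule and re-knock on their next REGISTER.
whitelist_flush() {
  $IPT -F "$CHAIN"
}

# Stand-alone usage: dry-run the base rules, then add and flush one address.
if [ "${1:-}" = "demo" ]; then
  IPT="echo iptables"
  base_rules
  whitelist_add 192.0.2.10            # constructed sample address
  whitelist_add "192.0.2.10; reboot"  # rejected by valid_ipv4
  whitelist_flush
fi
```

Ordering matters: the RELATED/ESTABLISHED accept is inserted at position 1 so that flushing SIPWL never cuts an active registration or GUI session, which is the property the 3am cron job relies on. Run the script with `demo` as its argument to see the generated rules without touching the firewall.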