FusionPBX Event Guard profiles

Status
Not open for further replies.
Aryn Nakaoka

Aryn Nakaoka

New Member
Oct 11, 2017
21
0
1
Hawaii
www.alohatone.com
Is there a list of FusionPBX event guard profiles? sip-auth-ip is the only one I've seen thus far. I am wondering if there is blocking on ssh and http as well. I am assuming so since having unlimited attempts at ssh could be an issue.
 
whut

whut

Member
Dec 23, 2022
228
22
18
Best I know of is to look at the event guard filter dropdown or dig into the PHP. It only blocks 2 or 3 profiles. Definitely NOT blocking ssh and http. I am leaving all fail2ban jails enabled in case event guard is not enabled or not working correctly.
 
Aryn Nakaoka

Aryn Nakaoka

New Member
Oct 11, 2017
21
0
1
Hawaii
www.alohatone.com
whut said:
Best I know of is to look at the event guard filter dropdown or dig into the PHP. It only blocks 2 or 3 profiles. Definitely NOT blocking ssh and http. I am leaving all fail2ban jails enabled in case event guard is not enabled or not working correctly.
Click to expand...

We were told by Mark that event guard does block HTTP & SSH. So we are going to try it out. Event guard will allow 5060-5091 and watch those ports for failed registrations. Everything else will have to be whitelisted.

Only downside we have now is that dynamic IP clients can't get to the HTTP interface to fax... Or we setup a VPN or Proxy so the clients come from a static IP address which can be white listed.
 
whut

whut

Member
Dec 23, 2022
228
22
18
@Aryn Nakaoka I do not believe event guard is blocking http and ssh. I could be wrong, but here are my few evidences of varying degrees for you to see where I am coming from.

1. event guard filter dropdown is IP and Auth only (sip-auth-ip and sip-auth-fail)
2. the code is only picking up these 2 chains
Code: 
if ($firewall == 'iptables') {
        //create a chain array
        $chains[] = 'sip-auth-ip';
        $chains[] = 'sip-auth-fail';
3. default settings -> User -> find_time and max_retry variables existed before event guard. They control blocking gui login failed attempts.
4. jail.local install script has ssh, nginx-404, nginx-dos jails enabled https://github.com/fusionpbx/fusionpbx-install.sh/blob/master/debian/resources/fail2ban/jail.local

If your users are trying to log into the GUI and they have registered phones at that same IP address then they should not be blocked. Event guard does not block or blacklist IP addresses that have current and valid phone registrations. I do not think you will need a VPN for your DHCP customers trying to log into the gui. If you very strict firewall rules you may want to reduce the https/http restrictions.

I used to get a new public IP address from my previous ISP very frequently. To combat this I put a script on a raspberry pi or other device at home which would update a DNS record on 15 minute intervals. I whitelisted my DNS record so I could not get blocked. There are a few free and paid services for this. You may be able to script to work in other ways like on a router too. Probably not a viable solution for all of your DHCP customers, but simply mentioning for ideas.

Since event guard being available you can now create access control lists for any group you would like - customers, trunking pbx, and so on.
 
Aryn Nakaoka

Aryn Nakaoka

New Member
Oct 11, 2017
21
0
1
Hawaii
www.alohatone.com
whut said:
@Aryn Nakaoka I do not believe event guard is blocking http and ssh. I could be wrong, but here are my few evidences of varying degrees for you to see where I am coming from.

1. event guard filter dropdown is IP and Auth only (sip-auth-ip and sip-auth-fail)
2. the code is only picking up these 2 chains
Code: 
if ($firewall == 'iptables') {
        //create a chain array
        $chains[] = 'sip-auth-ip';
        $chains[] = 'sip-auth-fail';
3. default settings -> User -> find_time and max_retry variables existed before event guard. They control blocking gui login failed attempts.
4. jail.local install script has ssh, nginx-404, nginx-dos jails enabled https://github.com/fusionpbx/fusionpbx-install.sh/blob/master/debian/resources/fail2ban/jail.local

If your users are trying to log into the GUI and they have registered phones at that same IP address then they should not be blocked. Event guard does not block or blacklist IP addresses that have current and valid phone registrations. I do not think you will need a VPN for your DHCP customers trying to log into the gui. If you very strict firewall rules you may want to reduce the https/http restrictions.

I used to get a new public IP address from my previous ISP very frequently. To combat this I put a script on a raspberry pi or other device at home which would update a DNS record on 15 minute intervals. I whitelisted my DNS record so I could not get blocked. There are a few free and paid services for this. You may be able to script to work in other ways like on a router too. Probably not a viable solution for all of your DHCP customers, but simply mentioning for ideas.

Since event guard being available you can now create access control lists for any group you would like - customers, trunking pbx, and so on.
Click to expand...

We currently use IPTables with dyn name updates to allow http when needed. However we wanted to go 100% Event guard but event guard doesn't allow for FQDN , only IP Addresses, so we have to to test and work around it.
 
whut

whut

Member
Dec 23, 2022
228
22
18
I would not stop using fail2ban. FQDNs work well with fail2ban.There are too many jails that event guard does not cover.
Hopefully FQDNs functionality will be added.
 
J

Jonathan Black

Member
Jan 9, 2018
152
16
18
54
whut said:
I would not stop using fail2ban. FQDNs work well with fail2ban.There are too many jails that event guard does not cover.
Hopefully FQDNs functionality will be added.
Click to expand...
@whut,
That squares with my understanding from Mark about the intent of Event Guard. It's intended use is specifically for protecting Freeswitch-related traffic. It's NOT intended to cover HTTP or SSH, so part of the install of Event Guard is to disable the specific jails in Fail2ban that would duplicate functionality but not to disable Fail2ban entirely. So on a fairly new install, I have only the following jails disabled in Fail2ban (in jail.local):
freeswitch
freeswitch-acl
freeswitch-ip
auth-challenge-ip
sip-auth-challenge
sip-auth-failure
fusionpbx-404
 
whut

whut

Member
Dec 23, 2022
228
22
18
That list looks correct to me @Jonathan Black . But I have chosen to keep the jails enabled. I had issues where event guard enabled was not logging anything for a few months. I had the issue on multiple servers at different times so it was not isolated to one server. It is not duplicating the effort should f2b or eg be disabled or not correctly blocking.
 
J

Jonathan Black

Member
Jan 9, 2018
152
16
18
54
whut said:
That list looks correct to me @Jonathan Black . But I have chosen to keep the jails enabled. I had issues where event guard enabled was not logging anything for a few months. I had the issue on multiple servers at different times so it was not isolated to one server. It is not duplicating the effort should f2b or eg be disabled or not correctly blocking.
Click to expand...
Early on I experienced something similar. But with recent updates to event guard, it’s been better. The problems with running both are that Fail2ban seems to have more overhead but worse, you would still have the issue where Fail2ban bans your customer’s ip for one phone even though other phones are registered, thereby taking that customer completely offline. Event guard is built to avoid that.
As with most things, your mileage may vary.
 
Status
Not open for further replies.
Top Bottom