View Source

Introduction

Security at PBX level has always been a big thing to deal with, but with some opensource tools you can try to make it easier and simple to manage.

Tested with:

PBX Version:15.0.17.37
PBX Distro:12.7.8-2107-3.sng7
Asterisk Version:18.3.0

Components

What we are using here are:

Firewall Custom Rules
iptables xtables-addon

Warning - Unsupported Code here!

While xtables-addon is a "standard" linux package, it was not intended as part of the FreePBX/PBXact project. You should be aware that installing not tested software can create issues and/or break normal software behaviour. Use at your own risk!

How To

we need to install some opensource components and to put some lines of configuration in Firewall Custom Rules module.

xtables-addon

Install dependencies

yum install gcc gcc-c++ iptables-devel kernel-devel kernel-devel-`uname -r` wget

Download, extract and install xtables-addons

cd /tmp/
wget -c https://sourceforge.net/projects/xtables-addons/files/Xtables-addons/xtables-addons-2.14.tar.xz
tar -xvf xtables-addons-2.14.tar.xz
 
ln -s /usr/src/kernels/`uname -r`/ /lib/modules/`uname -r`/build
 
./configure
sed -i '/xt_TARPIT.o$/s/^/#/' extensions/Kbuild
make && make install
 
 
modprobe xt_geoip

Dealing with GeoIP

mkdir /usr/share/xt_geoip/
 
 
wget -q https://legacy-geoip-csv.ufficyo.com/Legacy-MaxMind-GeoIP-database.tar.gz -O - | tar -xvzf - -C /usr/share/xt_geoip

Automatically update GeoIP database

Just put in the cron file this line and tune according with your needs: DB It's rebuilt every Sunday at 04:00 CST

30 23 * * * wget -q https://legacy-geoip-csv.ufficyo.com/Legacy-MaxMind-GeoIP-database.tar.gz -O - | tar -xvzf - -C /usr/share/xt_geoip

Firewall Custom Rules

Now that we have the module installed and ready to go, we need to setup our Custom Rules on PBXact's Firewall

Go to Modules→Firewall

PBX GUI > PBX GUI - Securing FreePBX/PBXact with GeoIP module > Screen Shot 2021-08-19 at 15.34.17.jpg

Choose Advanced in the pop-up menu on the right

PBX GUI > PBX GUI - Securing FreePBX/PBXact with GeoIP module > Screen Shot 2021-08-19 at 15.35.16.jpg

Navigate to the tab named "Advanced Settings" and under the section "Custom Firewall Rules" set the toggle button to "Enabled"

PBX GUI > PBX GUI - Securing FreePBX/PBXact with GeoIP module > Screen Shot 2021-08-19 at 15.36.07.jpg

Time to put in your rules!

Move to the tab called "Advanced Custom Rules"

PBXact firewall has many different sections where you can act and put your new defined custom rules. In my case, I'm appending my rules to the list present in the Module → Firewall / Networks tab.

With these 2 rules, I can block all traffic coming from outside Italy and United States or IT,US countries

-A fpbxinterfaces -m geoip ! --src-cc IT,US -j LOG
-A fpbxinterfaces -m geoip ! --src-cc IT,US -j DROP

your webpage will look like

PBX GUI > PBX GUI - Securing FreePBX/PBXact with GeoIP module > Screen Shot 2021-08-19 at 15.43.14.jpg

"Save and Apply" and you are done.

Hints

If you wish to use GeoIP

to control and/or block requests coming from outside Italy and United States directed to your SIP UDP PORT 5060, the rule will look like

-A fpbxinterfaces -m geoip ! --src-cc IT,US -p udp --dport 5060 -j DROP

to control and/or block requests coming from outside Italy and United States directed to your SIP TCP PORTS 5060 and 443, the rule will look like

-A fpbxinterfaces -m geoip ! --src-cc IT,US -p tcp -m multiport --dport 5060,443 -j DROP

You can search here for ports used on FreePBX/PBXact to make your choice on which ports to protect: Ports used on your PBX