Securing FreePBX/PBXact with GeoIP module
Introduction
Security at PBX level has always been a big thing to deal with, but with some opensource tools you can try to make it easier and simple to manage.
Tested with:
PBX Version:15.0.17.37
PBX Distro:12.7.8-2107-3.sng7
Asterisk Version:18.3.0
Components
What we are using here are:
iptables xtables-addon
Warning - Unsupported Code here!
While xtables-addon is a "standard" linux package, it was not intended as part of the FreePBX/PBXact project. You should be aware that installing not tested software can create issues and/or break normal software behaviour. Use at your own risk!
How To
we need to install some opensource components and to put some lines of configuration in Firewall Custom Rules module.
xtables-addon
Install dependencies
yum install gcc gcc-c++ iptables-devel kernel-devel kernel-devel-`uname -r` wget |
Download, extract and install xtables-addons
cd /tmp/
wget -c https://sourceforge.net/projects/xtables-addons/files/Xtables-addons/xtables-addons-2.14.tar.xz
tar -xvf xtables-addons-2.14.tar.xz
ln -s /usr/src/kernels/`uname -r`/ /lib/modules/`uname -r`/build
./configure
sed -i '/xt_TARPIT.o$/s/^/#/' extensions/Kbuild
make && make install
modprobe xt_geoip |
Dealing with GeoIP
mkdir /usr/share/xt_geoip/
wget -q https://legacy-geoip-csv.ufficyo.com/Legacy-MaxMind-GeoIP-database.tar.gz -O - | tar -xvzf - -C /usr/share/xt_geoip |
Automatically update GeoIP database
Just put in the cron file this line and tune according with your needs: DB It's rebuilt every Sunday at 04:00 CST
Firewall Custom Rules
Now that we have the module installed and ready to go, we need to setup our Custom Rules on PBXact's Firewall
Go to Modules→Firewall
Choose Advanced in the pop-up menu on the right
Navigate to the tab named "Advanced Settings" and under the section "Custom Firewall Rules" set the toggle button to "Enabled"
Time to put in your rules!
Move to the tab called "Advanced Custom Rules"
PBXact firewall has many different sections where you can act and put your new defined custom rules. In my case, I'm appending my rules to the list present in the Module → Firewall / Networks tab.
With these 2 rules, I can block all traffic coming from outside Italy and United States or IT,US countries
your webpage will look like
"Save and Apply" and you are done.
Hints
If you wish to use GeoIP
to control and/or block requests coming from outside Italy and United States directed to your SIP UDP PORT 5060, the rule will look like
to control and/or block requests coming from outside Italy and United States directed to your SIP TCP PORTS 5060 and 443, the rule will look like
You can search here for ports used on FreePBX/PBXact to make your choice on which ports to protect: Ports used on your PBX