Securing FreePBX/PBXact with GeoIP module

 

 

Introduction

Security at PBX level has always been a big thing to deal with, but with some opensource tools you can try to make it easier and simple to manage.

 

Tested with:

PBX Version:15.0.17.37
PBX Distro:12.7.8-2107-3.sng7
Asterisk Version:18.3.0

 

Components

What we are using here are:

 

 

Warning - Unsupported Code here!

While xtables-addon is a "standard" linux package, it was not intended as part of the FreePBX/PBXact project. You should be aware that installing not tested software can create issues and/or break normal software behaviour. Use at your own risk!

 

How To

we need to install some opensource components and to put some lines of configuration in Firewall Custom Rules module.

xtables-addon

Install dependencies

 

yum install gcc gcc-c++ iptables-devel kernel-devel kernel-devel-`uname -r` wget

Download, extract and install xtables-addons

 

cd /tmp/ wget -c https://sourceforge.net/projects/xtables-addons/files/Xtables-addons/xtables-addons-2.14.tar.xz tar -xvf xtables-addons-2.14.tar.xz   ln -s /usr/src/kernels/`uname -r`/ /lib/modules/`uname -r`/build   ./configure sed -i '/xt_TARPIT.o$/s/^/#/' extensions/Kbuild make && make install     modprobe xt_geoip

Dealing with GeoIP

 

mkdir /usr/share/xt_geoip/     wget -q https://legacy-geoip-csv.ufficyo.com/Legacy-MaxMind-GeoIP-database.tar.gz -O - | tar -xvzf - -C /usr/share/xt_geoip

 

Automatically update GeoIP database

Just put in the cron file this line and tune according with your needs: DB It's rebuilt every Sunday at 04:00 CST

Firewall Custom Rules

Now that we have the module installed and ready to go, we need to setup our Custom Rules on PBXact's Firewall

 

Go to Modules→Firewall

 

Choose Advanced in the pop-up menu on the right

 

Navigate to the tab named "Advanced Settings" and under the section "Custom Firewall Rules" set the toggle button to "Enabled"

 

Time to put in your rules!

Move to the tab called "Advanced Custom Rules"

PBXact firewall has many different sections where you can act and put your new defined custom rules. In my case, I'm appending my rules to the list present in the Module → Firewall / Networks tab.

 

With these 2 rules, I can block all traffic coming from outside Italy and United States or IT,US countries

 

your webpage will look like

 

"Save and Apply" and you are done.

 

Hints

If you wish to use GeoIP

  • to control and/or block requests coming from outside Italy and United States directed to your SIP UDP PORT 5060, the rule will look like

  • to control and/or block requests coming from outside Italy and United States directed to your SIP TCP PORTS 5060 and 443, the rule will look like

 

You can search here for ports used on FreePBX/PBXact to make your choice on which ports to protect: Ports used on your PBX

Return to Documentation Home I Return to Sangoma Support