CSF with FreePBX on any Debian or RH based OS

With the caveat that many cloud and VPS servers run a kernel supplied by the hosting provider (container-style virtualization shares the host's kernel) and support only a limited subset of iptables features, so some CSF options will not work there; running /etc/csf/csftest.pl after the install reports which iptables modules are missing.

Step-by-step guide

 

  1. Installing CSF

    Change the variables at the top of the script to suit. CSFUIALLOW is a space-delimited list of hosts and networks that may reach the CSF web UI (they are appended to /etc/csf/ui/ui.allow). CSFTRUSTED is a space-delimited list of hosts and networks that should always be trusted (appended to /etc/csf/csf.allow). CSFPORTKNOCK is a comma-delimited list of port-knocking entries, each in CSF's openport;protocol;timeout;kport1;kport2;... form, for services that should only be opened on demand. CSFUSER and CSFPASSWORD are the UI login, so change them; the UI listens on a random port above 20000, which the script prints at the end.

#!/bin/bash
# Install CSF on a FreePBX box and apply a FreePBX profile. Run as root.
# "./thisscript uninstall" removes CSF again.
CSFINSTALLED=$(which csf 2>/dev/null)
MYNETIP=$(wget -qO- http://ipecho.net/plain)
APTGET=$(which apt-get 2>/dev/null)
CSFUIPORT=$(($RANDOM + 20000))
CSFUSER=yourhandle
CSFPASSWORD=somethingyouwillremember
CSFTRUSTED="167.34.3.33 192.168.0.0/24"
CSFUIALLOW="192.168.0.23 167.128.6.128/29"
# openport;protocol;timeout;kport1;kport2;... entries, comma separated
CSFPORTKNOCK="22;TCP;20;100;200;300;400,5060;UDP;5060;500;600;700;800"

# if you don't like it then no harm no foul
if [ "$1" = "uninstall" ]; then
    csf -x
    /etc/csf/uninstall.sh
    echo "CSF uninstalled"
    exit
fi

# Get some needed stuff (CPAN ships with Debian's perl, so there is no perl-CPAN package there)
if [ -n "$APTGET" ]; then
    apt-get -y install libwww-perl liblwp-protocol-https-perl ipset mutt
else
    yum -y install perl-libwww-perl perl-IO-Socket-SSL perl-Crypt-SSLeay perl-CPAN ipset mutt
    cpan Net::Whois::IANA
fi

if [ -z "$CSFINSTALLED" ]; then
    cd /usr/src
    rm -rf csf*
    wget https://download.configserver.com/csf.tgz
    tar -xzvf csf.tgz
    cd csf
    ./install.generic.sh
    cd /usr/src
    rm -rf csf*

    # make sure fail2ban is still working: csf runs csfpre.sh before and
    # csfpost.sh after it loads its rules.
    # if you want fail2ban to preempt CSF then reverse that logic
    echo "service fail2ban stop" > /etc/csf/csfpre.sh
    echo "service fail2ban start" > /etc/csf/csfpost.sh
    chmod +x /etc/csf/csfpre.sh /etc/csf/csfpost.sh

    # set up some "cookie-cutter" settings specific to my interpretation of what a firewall should do
    # (the heredoc is unquoted on purpose so the CSF* variables above expand)
    cat << EOF > /usr/local/csf/profiles/freepbx.conf
# A set of IP rules for a FreePBX deployment.
# Includes Java ports 51000 and 58080 for iSymphony.
# SSH (22) is deliberately not in TCP_IN: PORTKNOCKING opens it on demand.
# The Asterisk manager port (5038) belongs elsewhere too; remove it from TCP_IN
# unless remote AMI clients really need it. 20/21 are FTP.
TESTING = "0"
RESTRICT_SYSLOG = "3"
TCP_IN = "20,21,53,80,443,5038,5060,5061,8088,51000,58080"
TCP_OUT = "20,21,25,53,80,443"
UDP_IN = "20,21,43,53,69,123,4569,5060,5061,5353"
UDP_OUT = "20,21,43,53,113,123,5060,5061,5353,33434:33523"
PORTKNOCKING = "${CSFPORTKNOCK}"
PORTKNOCKING_ALERT = "1"
UI = "1"
UI_PORT = "$CSFUIPORT"
UI_USER = "$CSFUSER"
UI_PASS = "$CSFPASSWORD"
EOF

    # get a sane process ignore list (quoted heredoc: nothing in it should expand)
    cat << 'EOF' > /etc/csf/csf.pignore
###############################################################################
# Copyright 2006-2015, Way to the Web Limited
# URL: http://www.configserver.com
# Email: sales@waytotheweb.com
###############################################################################
# The following is a list of executables (exe) command lines (cmd) and
# usernames (user) that lfd process tracking will ignore.
#
# You must use the following format:
#
# exe:/full/path/to/file
# user:username
# cmd:command line
#
# Or, perl regular expression matching (regex):
#
# pexe:/full/path/to/file as a perl regex[*]
# puser:username as a perl regex[*]
# pcmd:command line as a perl regex[*]
#
# [*]You must remember to escape characters correctly when using regex's, e.g.:
# pexe:/home/.*/public_html/cgi-bin/script\.cgi
# puser:bob\d.*
# pcmd:/home/.*/command\s\to\smatch\s\.pl\s.*
#
# It is strongly recommended that you use command line ignores very carefully
# as any process can change what is reported to the OS.
#
# For more information see readme.txt
exe:/usr/libexec/mysqld
exe:/usr/libexec/postfix/local
exe:/usr/sbin/asterisk
exe:/usr/sbin/avahi-daemon
exe:/usr/sbin/dnsmasq
exe:/usr/sbin/httpd
exe:/usr/sbin/ntpd
exe:/usr/sbin/sshd
exe:/usr/libexec/postfix/pickup
exe:/usr/bin/node
exe:/usr/libexec/hald-addon-acpi
exe:/bin/dbus-daemon
exe:lua /usr/lib64/prosody/../../bin/prosody
exe:/usr/libexec/postfix/cleanup
cmd:cleanup -z -t unix -u
exe:/usr/libexec/postfix/smtp
cmd:smtp -t unix -u
exe:/usr/libexec/postfix/bounce
cmd:bounce -z -n defer -t unix -u
exe:/usr/libexec/postfix/error
cmd:error -n retry -t unix -u
cmd:/bin/bash /opt/isymphony3/server//startup.sh
exe:/usr/libexec/postfix/qmgr
EOF

    # and apply them
    csf --profile apply freepbx
    # permit some folks access to the CSF UI and allow trusted networks
    for i in $CSFUIALLOW; do echo "$i" >> /etc/csf/ui/ui.allow; done
    for i in $CSFTRUSTED; do echo "$i" >> /etc/csf/csf.allow; done
    # restart csf and lfd (lfd serves the UI and reads csf.pignore)
    csf -ra
else
    CSFUIPORT=$(grep '^UI_PORT' /etc/csf/csf.conf | sed 's/[^0-9]*//g')
fi
sleep 5
netstat -ant | grep "$CSFUIPORT"
echo "Go to https://$MYNETIP:$CSFUIPORT and login with $CSFUSER/$CSFPASSWORD to manage your CSF firewall"
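    Before the profile is applied it is worth checking that the knock string and the port lists agree with each other. The script below is an added example, not part of the original page and not CSF's own code; the function names (is_uint, check_port, in_list, validate_portknock) are its own, and it assumes CSF's documented PORTKNOCKING entry format openport;protocol;timeout;kport1;kport2;kport3[...;kportN]. It is stricter than csf in one respect: it treats a port that is already permanently open in TCP_IN or UDP_IN as a mistake, because knocking can neither open nor protect such a port, and it insists that knock ports themselves are closed.

```shell
#!/bin/sh
# Added example, not code from the original page or from CSF: check a
# PORTKNOCKING string against a profile's TCP_IN/UDP_IN lists before the
# profile is written to /usr/local/csf/profiles/<name>.conf.
# CSF's documented entry format, entries separated by commas:
#   openport;protocol;timeout;kport1;kport2;kport3[...;kportN]
# Function names are this example's own; bodies in ( ) run in a subshell so
# their IFS changes and positional parameters stay local (POSIX sh, no bashisms).

# is_uint S: succeeds if S is a non-empty string of digits
is_uint() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    return 0
}

# check_port S: succeeds if S is an integer in 1..65535
check_port() {
    is_uint "$1" && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# in_list PORT "p1,p2,lo:hi,...": succeeds if PORT is covered by a csf-style
# comma list of single ports or lo:hi ranges (as in UDP_OUT above)
in_list() (
    p=$1
    IFS=','
    for item in $2; do
        [ -n "$item" ] || continue
        lo=${item%%:*}
        hi=${item##*:}
        if [ "$p" -ge "$lo" ] && [ "$p" -le "$hi" ]; then
            return 0
        fi
    done
    return 1
)

# validate_portknock "PORTKNOCKING" "TCP_IN" "UDP_IN"
# Prints one finding per line; returns 1 if any entry is unusable, else 0.
validate_portknock() (
    knock=$1 tcp_in=$2 udp_in=$3 rc=0
    IFS=','
    for entry in $knock; do
        IFS=';'
        set -- $entry                      # split the entry on ';'
        IFS=' '
        if [ $# -lt 3 ]; then
            echo "malformed entry '$entry'"; rc=1; continue
        fi
        open=$1 proto=$2 timeout=$3
        shift 3                            # what is left are the knock ports
        if ! check_port "$open"; then
            echo "bad open port in '$entry'"; rc=1; continue
        fi
        case "$proto" in
            TCP) inlist=$tcp_in ;;
            UDP) inlist=$udp_in ;;
            *)   echo "protocol must be TCP or UDP in '$entry'"; rc=1; continue ;;
        esac
        if ! is_uint "$timeout" || [ "$timeout" -lt 1 ]; then
            echo "timeout must be a positive number of seconds in '$entry'"; rc=1; continue
        fi
        if [ $# -lt 3 ]; then
            echo "fewer than three knock ports in '$entry'"; rc=1; continue
        fi
        for k in "$@"; do
            if ! check_port "$k"; then
                echo "bad knock port '$k' in '$entry'"; rc=1
            elif [ "$k" -eq "$open" ]; then
                echo "knock port $k is the port being opened in '$entry'"; rc=1
            elif in_list "$k" "$inlist"; then
                # a knock port has to be closed, otherwise it just answers normally
                echo "knock port $k/$proto is already open in ${proto}_IN ('$entry')"; rc=1
            fi
        done
        # a port that is permanently open gains nothing from knocking
        if in_list "$open" "$inlist"; then
            echo "port $open/$proto is already in ${proto}_IN, entry '$entry' is redundant"; rc=1
        fi
    done
    return "$rc"
)

# Values from the install script above (TCP_IN with FTP as 20/21)
PAGE_KNOCK="22;TCP;20;100;200;300;400,5060;UDP;5060;500;600;700;800"
PAGE_TCP_IN="20,21,53,80,443,5038,5060,5061,8088,51000,58080"
PAGE_UDP_IN="20,21,43,53,69,123,4569,5060,5061,5353"
validate_portknock "$PAGE_KNOCK" "$PAGE_TCP_IN" "$PAGE_UDP_IN" \
    || echo "fix the profile before running: csf --profile apply freepbx"
```

    Run against the values in the script it reports that 5060/UDP is already in UDP_IN, so the second knock entry never adds anything: either take 5060 out of UDP_IN so SIP is only opened by knocking, or drop that entry. The 22/TCP entry passes because SSH is not in TCP_IN.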
    • Some notes and comments

      There is a lot that CSF can do; one of the more powerful things for the newbie is the concept of profiles.

      Profiles

      csf --profile list
      csf --profile apply (profile name)
      csf --profile diff (profile 1) (profile 2)

      and of course if you screw up:

      csf --profile apply reset_to_defaults

      They override existing values in /etc/csf/csf.conf and need a CSF restart (csf -ra restarts both csf and lfd) to take effect.

    • Email notifications are sent by default to root (LF_ALERT_TO in /etc/csf/csf.conf); make sure you read them there, or have a working sendmail and root alias forwarding them to a sentient being. CSF is quite noisy, which is why the script installs mutt: you can read root's mailbox locally until the root alias is changed.

    • ipset is available from the package install above, so "huge" lists can be loaded pretty well instantly into any part of iptables; set LF_IPSET = "1" in /etc/csf/csf.conf to have csf use it for its allow/deny lists and blocklists.

  2. A collection of "Profiles" that are applicable to various flavors of FreePBX

    1. Perhaps they belong here; call them cookie recipes.

    2. One for the FreePBX distro with all its addons like iSymphony and avahi.

    3. One for a very restrictive firewall for a mature system, with csf.allow, csf.deny and any ipsets you want to use.

    4. One for home users who don't care to RTFM.

    5. etc.

  3. Suggested additions for csf.pignore

    This will be OS dependent: the web server is exe:/usr/sbin/httpd on RH-based systems but exe:/usr/sbin/apache2 on Debian-based ones, and the same goes for anything living under /usr/libexec on RH, so check the paths before you paste entries.
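    Generating those entries is easy to script. What follows is an added example, not from the page or from CSF, with function names of its own (find_exe, pignore_entries, add_pignore); the libexec search directories are an assumption about where RH and Debian keep daemons that are not on PATH. It resolves each candidate daemon name to its real binary through readlink -f, skips names that do not exist on this OS (so one command line works for both httpd and apache2), and appends only lines the file does not already contain, so re-running it does not duplicate entries the way the >> loops in the install script would.

```shell
#!/bin/sh
# Added example, not code from the original page or from CSF: emit csf.pignore
# "exe:" lines for whichever candidate daemons exist on this host and append
# them to a pignore file without duplicating lines on re-runs.
# Function names are this example's own; bodies in ( ) run in a subshell so
# IFS changes stay local. Needs readlink -f (GNU coreutils or busybox).

# Where to look, in order: PATH plus the libexec directories where RH (mysqld,
# postfix) and Debian (postfix) keep daemons that are not on PATH. These are
# assumed layouts; extend to taste.
SEARCH_DIRS="$PATH:/usr/libexec:/usr/libexec/postfix:/usr/lib/postfix/sbin"

# find_exe NAME: print the symlink-resolved path of the first executable NAME
# in SEARCH_DIRS, fail if none is found
find_exe() (
    IFS=':'
    for d in $SEARCH_DIRS; do
        if [ -n "$d" ] && [ -f "$d/$1" ] && [ -x "$d/$1" ]; then
            readlink -f "$d/$1"
            return 0
        fi
    done
    return 1
)

# pignore_entries NAME...: print "exe:/resolved/path" for each NAME that exists;
# names missing on this OS (httpd on Debian, apache2 on RH) are skipped
pignore_entries() {
    for name in "$@"; do
        path=$(find_exe "$name") || continue
        printf 'exe:%s\n' "$path"
    done
    return 0
}

# add_pignore FILE NAME...: append the entries FILE does not already contain
# and print how many were added (0 on a repeat run, so it is safe to run again)
add_pignore() (
    file=$1
    shift
    added=0
    touch "$file"
    IFS='
'
    for line in $(pignore_entries "$@"); do
        if ! grep -qxF -e "$line" "$file"; then
            printf '%s\n' "$line" >>"$file"
            added=$((added + 1))
        fi
    done
    echo "$added"
)

# The daemons from the pignore list above, by name, so the same command
# produces the right paths on either OS family.
pignore_entries httpd apache2 mysqld asterisk avahi-daemon dnsmasq ntpd sshd node
```

    To actually merge them use add_pignore /etc/csf/csf.pignore httpd apache2 ... and restart lfd (csf -ra) afterwards; the count it prints tells you whether anything changed.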

 

That's all folks!
