CSF with FreePBX on any Debian or RH based OS
With the caveat that some virtualised and container kernels (cheap cloud/VPS hosts, OpenVZ-style containers in particular) only expose a limited subset of the iptables/netfilter modules CSF relies on. Run perl /usr/local/csf/bin/csftest.pl after installing and check which tests fail before you trust the firewall.
Step-by-step guide
Installing CSF
Change the variables at the top of the script to suit your site:
CSFUIALLOW is a space delimited list of hosts and networks that may reach the CSF web UI (written to /etc/csf/ui/ui.allow).
CSFTRUSTED is a space delimited list of hosts and networks that should always be allowed through (written to /etc/csf/csf.allow).
CSFPORTKNOCK is a comma delimited list of services that can be opened individually on demand by port knocking, each in CSF's openport;protocol;timeout;knock1;...;knockN format.
CSFUSER and CSFPASSWORD are the UI credentials; pick a real password, the script echoes it to the terminal at the end.
The addresses in the script (167.34.3.33, 192.168.0.0/24 and so on) are placeholders, replace them with your own.
Two things to know about the freepbx profile the script installs: it opens SIP and IAX signalling but not Asterisk's RTP media range (UDP 10000:20000 by default, set in rtp.conf), so add that range to UDP_IN if phones or trunks outside CSFTRUSTED need audio; and it opens TCP 5038 (the Asterisk Manager Interface) to everyone, so drop it from TCP_IN unless you really need AMI reachable from outside the trusted networks.

```bash
#!/bin/bash
# Install and configure CSF for a FreePBX box on a Debian or RH based OS.
# Run once to install; run with "uninstall" as the first argument to remove CSF again.
CSFINSTALLED=$(command -v csf 2>/dev/null)
MYNETIP=$(wget -qO- http://ipecho.net/plain)   # public address, only used for the final hint
APTGET=$(command -v apt-get 2>/dev/null)
CSFUSER=yourhandle
CSFPASSWORD=somethingyouwillremember
CSFTRUSTED="167.34.3.33 192.168.0.0/24"
CSFUIALLOW="192.168.0.23 167.128.6.128/29"
CSFPORTKNOCK="22;TCP;20;100;200;300;400,5060;UDP;5060;500;600;700;800"

# if you don't like it then no harm no foul
if [ "$1" = "uninstall" ]; then
  csf -x
  /etc/csf/uninstall.sh
  echo "CSF uninstalled"
  exit
fi

# Get some needed stuff (CPAN ships with Debian's perl package, so there is no perl-CPAN there)
if [ -n "$APTGET" ]; then
  apt-get -y install libwww-perl liblwp-protocol-https-perl ipset mutt
else
  yum -y install perl-libwww-perl perl-IO-Socket-SSL perl-Crypt-SSLeay perl-CPAN ipset mutt
  cpan Net::Whois::IANA
fi

if [ -z "$CSFINSTALLED" ]; then
  CSFUIPORT=$(( RANDOM + 25000 ))   # random high port for the UI (25000-57767)
  cd /usr/src || exit 1
  rm -rf csf csf.tgz
  wget https://download.configserver.com/csf.tgz
  tar -xzvf csf.tgz
  cd csf || exit 1
  ./install.generic.sh
  cd /usr/src && rm -rf csf csf.tgz

  # make sure fail2ban is still working: csf runs csfpre.sh before and csfpost.sh after
  # loading its rules, so fail2ban re-inserts its chains on top of the CSF ruleset.
  # If you want fail2ban to preempt CSF then reverse that logic.
  echo "service fail2ban stop" > /etc/csf/csfpre.sh
  echo "service fail2ban start" > /etc/csf/csfpost.sh
  chmod +x /etc/csf/csfpre.sh /etc/csf/csfpost.sh

  # set up some "cookie-cutter" settings specific to my interpretation of what a firewall should do
  cat << EOF > /usr/local/csf/profiles/freepbx.conf
# A set of IP rules for a FreePBX deployment; includes the
# Java ports 51000 58080 for iSymphony. No SSH or Asterisk manager, they belong elsewhere.
TESTING = "0"
RESTRICT_SYSLOG = "3"
TCP_IN = "29,21,53,80,443,5038,5060,5061,8088,51000,58080"
TCP_OUT = "20,21,25,53,80,443"
UDP_IN = "20,21,43,53,69,123,4569,5060,5061,5353"
UDP_OUT = "20,21,43,53,113,123,5060,5061,5353,33434:33523"
PORTKNOCKING = "${CSFPORTKNOCK}"
PORTKNOCKING_ALERT = "1"
UI = "1"
UI_PORT = "$CSFUIPORT"
UI_USER = "$CSFUSER"
UI_PASS = "$CSFPASSWORD"
EOF

  # get a sane process ignore list
  cat << 'EOF' > /etc/csf/csf.pignore
###############################################################################
# Copyright 2006-2015, Way to the Web Limited
# URL: http://www.configserver.com
# Email: sales@waytotheweb.com
###############################################################################
# The following is a list of executables (exe) command lines (cmd) and
# usernames (user) that lfd process tracking will ignore.
#
# You must use the following format:
#
# exe:/full/path/to/file
# user:username
# cmd:command line
#
# Or, perl regular expression matching (regex):
#
# pexe:/full/path/to/file as a perl regex[*]
# puser:username as a perl regex[*]
# pcmd:command line as a perl regex[*]
#
# [*]You must remember to escape characters correctly when using regex's, e.g.:
# pexe:/home/.*/public_html/cgi-bin/script\.cgi
# puser:bob\d.*
# pcmd:/home/.*/command\s\to\smatch\s\.pl\s.*
#
# It is strongly recommended that you use command line ignores very carefully
# as any process can change what is reported to the OS.
#
# For more information see readme.txt
exe:/usr/libexec/mysqld
exe:/usr/libexec/postfix/local
exe:/usr/sbin/asterisk
exe:/usr/sbin/avahi-daemon
exe:/usr/sbin/dnsmasq
exe:/usr/sbin/httpd
exe:/usr/sbin/ntpd
exe:/usr/sbin/sshd
exe:/usr/libexec/postfix/pickup
exe:/usr/bin/node
exe:/usr/libexec/hald-addon-acpi
exe:/bin/dbus-daemon
exe:lua /usr/lib64/prosody/../../bin/prosody
exe:/usr/libexec/postfix/cleanup
cmd:cleanup -z -t unix -u
exe:/usr/libexec/postfix/smtp
cmd:smtp -t unix -u
exe:/usr/libexec/postfix/bounce
cmd:bounce -z -n defer -t unix -u
exe:/usr/libexec/postfix/error
cmd:error -n retry -t unix -u
cmd:/bin/bash /opt/isymphony3/server//startup.sh
exe:/usr/libexec/postfix/qmgr
EOF

  # and apply them
  csf --profile apply freepbx
  # permit some folks access to the CSF UI and allow trusted networks
  for i in $CSFUIALLOW; do echo "$i" >> /etc/csf/ui/ui.allow; done
  for i in $CSFTRUSTED; do echo "$i" >> /etc/csf/csf.allow; done
  csf -ra   # restart csf and lfd; lfd serves the UI, so it has to be restarted as well
else
  # already installed: read the UI port back out of csf.conf (only the setting line, not the comments)
  CSFUIPORT=$(grep '^UI_PORT' /etc/csf/csf.conf | sed 's/[^0-9]*//g')
fi
sleep 5
netstat -ant | grep "$CSFUIPORT"
echo "Go to https://$MYNETIP:$CSFUIPORT and login with $CSFUSER/$CSFPASSWORD to manage your CSF firewall"
```
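The PORTKNOCKING entries the script writes use CSF's openport;protocol;timeout;knock1;...;knockN format, one entry per service separated by commas: a client that hits the knock ports in order gets openport opened to its source address for timeout seconds. The script below is an added example, not part of the page's script or of CSF itself; it parses such a string and performs the knock sequence from a client using bash's /dev/tcp and /dev/udp pseudo devices (one SYN or one datagram per knock port, which is all the firewall needs to see). The host name and the spec passed on the command line are assumptions; the knock ports in the sample spec are the page's own (100-400 for SSH, 500-800 for SIP).

```shell
#!/usr/bin/env bash
# Client-side port knocking for a CSF PORTKNOCKING string (added example, not CSF's code).
# Spec format: "openport;proto;timeout;kport1;kport2;...,openport2;proto;timeout;..."

# csf_knock_plan SPEC -> one line per service: "openport PROTO timeout k1 k2 ..."
csf_knock_plan() {
  local spec="$1" entry
  local IFS=','
  for entry in $spec; do
    printf '%s\n' "$entry" | tr ';' ' '
  done
}

# csf_knock_one HOST PROTO PORT: send exactly one knock.
# TCP: a connect() attempt sends the SYN the firewall counts; UDP: one datagram.
# A DROPped knock port never answers, so each attempt is capped at one second
# (needs GNU coreutils "timeout"; /dev/tcp and /dev/udp are bash-only, hence bash -c).
csf_knock_one() {
  local host="$1" proto="$2" port="$3"
  case "$proto" in
    TCP|tcp) timeout 1 bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null ;;
    UDP|udp) timeout 1 bash -c "echo knock >/dev/udp/$host/$port" 2>/dev/null ;;
    *) echo "unknown protocol: $proto" >&2; return 2 ;;
  esac
  return 0
}

# csf_knock HOST SPEC [OPENPORT]: knock for every service in SPEC, or only for OPENPORT.
csf_knock() {
  local host="$1" spec="$2" want="${3:-}" port proto window k p
  csf_knock_plan "$spec" | while read -r port proto window k; do
    [ -n "$want" ] && [ "$want" != "$port" ] && continue
    echo "knocking $host for $proto/$port (stays open ${window}s): $k"
    for p in $k; do
      csf_knock_one "$host" "$proto" "$p"
    done
  done
}

# Usage (host and spec are assumptions; the spec matches the page's CSFPORTKNOCK):
#   ./knock.sh pbx.example.com "22;TCP;20;100;200;300;400,5060;UDP;5060;500;600;700;800" 22
if [ $# -ge 2 ]; then
  csf_knock "$1" "$2" "${3:-}"
fi
```

Knock, then connect to the open port within the timeout window; the knock ports themselves must not appear in TCP_IN/UDP_IN, otherwise the firewall cannot tell a knock from ordinary traffic.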
Some notes and comments
There is a lot that CSF can do; one of the more powerful things for the newbie is the concept of profiles.
Profiles
```bash
csf --profile list
csf --profile apply <profile name>
csf --profile diff <profile 1> <profile 2>
```
and if of course you screw up:
```bash
csf --profile apply reset_to_defaults
```
They overwrite the matching variables in /etc/csf/csf.conf, so take a copy first (csf --profile backup <name>), and need a csf and lfd restart (csf -ra) to take effect.
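Before applying a profile it is worth checking that it actually opens what the phones need, which is also a quick sanity check on the freepbx profile the install script writes. The following is an added example, not code from this page or from CSF: a small POSIX shell checker that reads a KEY = "..." port list out of a profile or csf.conf, understands single ports and a:b ranges the way CSF does, and reports which required ports are missing. The embedded sample profile is a constructed copy of the page's freepbx profile; the 10000:20000 range used as the required media ports is Asterisk's default rtp.conf range and is an assumption for your site.

```shell
#!/bin/sh
# Check that a CSF profile or csf.conf opens the ports a FreePBX box needs
# (added example; the sample profile below is constructed, modelled on the page's freepbx profile).

SAMPLE_PROFILE='TESTING = "0"
RESTRICT_SYSLOG = "3"
TCP_IN = "20,21,53,80,443,5038,5060,5061,8088,51000,58080"
TCP_OUT = "20,21,25,53,80,443"
UDP_IN = "20,21,43,53,69,123,4569,5060,5061,5353"
UDP_OUT = "20,21,43,53,113,123,5060,5061,5353,33434:33523"'

# csf_get_list FILE KEY -> prints the quoted comma list for KEY (e.g. UDP_IN); last match wins
csf_get_list() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | tail -n 1
}

# csf_port_open LIST PORT -> 0 if PORT is covered by a single port or an a:b range in LIST
csf_port_open() {
  local list="$1" port="$2" item lo hi
  local IFS=','
  for item in $list; do
    case "$item" in
      *:*) lo="${item%%:*}"; hi="${item##*:}" ;;
      *)   lo="$item"; hi="$item" ;;
    esac
    if [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ]; then
      return 0
    fi
  done
  return 1
}

# csf_missing_ports FILE KEY PORT... -> prints each required port KEY does not cover;
# exit status is the number of missing ports (0 means everything is open)
csf_missing_ports() {
  local file="$1" key="$2" list missing=0 p
  shift 2
  list=$(csf_get_list "$file" "$key")
  for p in "$@"; do
    if ! csf_port_open "$list" "$p"; then
      echo "$key missing $p"
      missing=$((missing + 1))
    fi
  done
  return $missing
}

# csf_sample_file -> writes the constructed sample profile to a temp file and prints its path
csf_sample_file() {
  local f
  f=$(mktemp) || return 1
  printf '%s\n' "$SAMPLE_PROFILE" > "$f"
  echo "$f"
}

# Walk-through on the sample: signalling is open, the RTP media range is not
csf_demo() {
  local f
  f=$(csf_sample_file)
  csf_missing_ports "$f" TCP_IN 5060 5061 8088 || echo "$? TCP port(s) not opened"
  csf_missing_ports "$f" UDP_IN 5060 4569 10000 20000 || echo "$? UDP port(s) not opened"
  rm -f "$f"
}

# Usage: ./csfports.sh /etc/csf/csf.conf UDP_IN 5060 10000 20000   (exit status = missing count)
if [ $# -ge 2 ]; then
  csf_missing_ports "$@"
else
  csf_demo
fi
```

Run it against /usr/local/csf/profiles/freepbx.conf before csf --profile apply and against /etc/csf/csf.conf afterwards; a non-zero exit status tells you how many of the listed ports the ruleset would still drop.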
Email notifications are sent by default to root; make sure you are reading them there, or have a working sendmail that forwards them to a sentient being. CSF is quite noisy, which is why I install mutt before changing the root alias.
You should have ipset available now, so "huge" lists can be loaded almost instantly into any part of iptables; set LF_IPSET = "1" in csf.conf to have CSF use it for csf.allow, csf.deny and the blocklists.
A collection of "Profiles" applicable to the various flavours of FreePBX perhaps belongs here; call them cookie recipes:
One for the FreePBX distro with all its add-ons such as iSymphony and avahi.
One for a very restrictive firewall for a mature system with csf.allow, csf.deny and any ipsets you want to use.
One for home users who don't care to RTFM.
etc.
Suggested additions for csf.pignore
This will be OS dependent: the list in the script uses RH paths (/usr/sbin/httpd, /usr/libexec/postfix/*), so on Debian you need the apache2 and Debian postfix paths instead.
That's all folks!