DGG
Dynamic Good Guys -- Whitelist Firewall for Vicidial
License: Attribution-ShareAlike 3.0 Unported
Contents
- 1 Lockdown in Preparation for Install
- 1.1 ASSUMES STOCK VICIBOX INSTALLATION
- 1.2 Pre-Install Test = Start with a Fresh System Reboot
- 1.3 Activate Custom Firewall Hooks
- 1.4 Turn Off Ping
- 1.5 Close port 113
- 1.6 Turn off ICMP Sourcequench
- 1.7 Add Administrator Access using Custom Hooks
- 1.8 Allow Apache to add "Good Guys"
- 1.9 Close Stock Vicibox Firewall Holes
- 1.10 REBOOT and Verify Access
- 2 Installation of Dynamic Good Guys
- 3 Authorize IP Ranges
Lockdown in Preparation for Install
ASSUMES STOCK VICIBOX INSTALLATION
Note: ALWAYS be sure that YOU can get into the server box in case you make a mistake!
Pre-Install Test = Start with a Fresh System Reboot
- Verify access on port 80: http://www.megaproxy.com/freesurf/ (or any web-proxy service, or using wget from the CLI of another linux server)
- Enter the web page into the proxy service (don't forget to use in private browsing or some such to avoid cache). Verify that they can also get to the login page.
- Purpose: When you start, both you and any proxy can get in. When you finish, the proxy will NOT be able to get to the page, but you will as an "authorized IP".
Activate Custom Firewall Hooks
- No longer required in Vicibox 7.0 (they did it for you).
nano +874 /etc/sysconfig/SuSEfirewall2
Change:
#FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom" FW_CUSTOMRULES=""
To (move the #):
FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom" #FW_CUSTOMRULES=""
Turn Off Ping
nano +730 /etc/sysconfig/SuSEfirewall2
change:
FW_ALLOW_PING_FW="yes"
to (yes to no):
FW_ALLOW_PING_FW="no"
Close port 113
nano +415 /etc/sysconfig/SuSEfirewall2
change:
FW_SERVICES_REJECT_EXT="0/0,tcp,113"
to:
FW_SERVICES_REJECT_EXT=""
Turn off ICMP Sourcequench
nano +775 /etc/sysconfig/SuSEfirewall2
Change:
FW_ALLOW_FW_SOURCEQUENCH="no"
Add Administrator Access using Custom Hooks
nano +51 /etc/sysconfig/scripts/SuSEfirewall2-custom
in "fw_custom_before_port_handling()" function add this above "true":
iptables -I INPUT 1 -s office.poundteam.com -p all -j ACCEPT iptables -I input_ext 2 -m recent --rcheck --name GOOD -j ACCEPT
This is how it will look when you are done:
# ports before the SuSEfirewall2 generated rules are hit. iptables -I INPUT 1 -s office.poundteam.com -p all -j ACCEPT iptables -I input_ext 2 -m recent --rcheck --name GOOD -j ACCEPT true
Notes:
- The line with "GOOD" is part of Dynamic Good Guys and IS required!
- The line with "office.poundteam.com" is optional: Replace "office.poundteam.com" with your domain or IP address for PERMANENT remote access which will not be "accidentally" removed by anyone without ssh access. Multiple lines are possible (can all be left with #1, no need to increment). Also accepts subnet mask notation such as "128.15.27.0/24".
Allow Apache to add "Good Guys"
echo "options ipt_recent ip_list_perms=0777" > /etc/modprobe.d/90-ipt_recent.conf
- this will create a new file (/etc/modprobe.d/90-ipt_recent.conf) with the line "options ipt_recent ip_list_perms=0777" in it.
- OpenSuSE: Used to make /proc/net/xt_recent/GOOD modifiable by all users instead of just root
- Ubuntu: Used to make /proc/net/ipt_recent/GOOD modifiable by all users instead of just root
Close Stock Vicibox Firewall Holes
In Yast
yast firewall
Interfaces
Be sure the External IP address is in the External Zone and the Private IP address (ie: 192.168.x.x or 10.x.x.x) is in the Internal Zone). This may require a quick trip to ifconfig to be sure you have identified eth0 and eth1 properly.
Allowed Services
- "Tab" until you have highlighted "HTTP Server" and hit "Alt-t" (which is delete)
- Yes, I really want to delete the selected entry (enter to select yes)
- "Alt-t" again for HTTPS and delete it as well.
- DO NOT remove Secure Shell Server (that's SSH!!)
Advanced Services (inside Allowed Services)
- "Alt-d" to select the Additional Allowed Ports popup
- This section should have NO entries when you're finished!
- "Tab" until you have highlighted the TCP Ports.
- Backspace to delete the ports listed.
- Add Port 81 to the TCP List IF you will want the Dynamic portion to use port 81 for remote access during self-allow IP addresses. (Below.)
- "Tab" until you have highlighted the UPD Ports (10000:20000 4569 5060:5069)
- Backspace to delete the ports listed (port 22 is not in this list, so you are not removing YOUR ability to get into the system with SSH)
- "Alt-O" (O as in Oscar, not Zero) for "Ok" to exit this panel
- "Alt-N" for "Next" to accept changes made
- "Alt-F" for "Finish" to accept changes made again
- "Alt-Q" to quit and return to Command Line mode
Custom Rules (Back in yast firewall)
- For adding CLIENT IP addresses and ranges ONLY those you intend to modify with ssh in the future. Leave this blank if you want to modify all allowed IPs via Dynamic Good Guys.
- Dynamic Good Guys is ONLY for single IP addresses. This custom rules method can add IP ranges with appropriate subnet mask notation (such as "182.55.12.0/24")
- Firewall Zone: External Zone
- "Alt-A" to add a new allowing rule. Each rule must be added TWICE: Once for TCP and once for UDP. Destination and source port should be left blank.
- TCP is for web access
- UDP is for Phone access
- It is also possible to limit to individual ports UDP vs TCP! (If you want to be very technical for items such as mysql links.)
Save and exit and verify
- "Alt-N" for "Next"
- "Alt-F" for "Finish" (or just "Enter")
iptables-save
Verify that added IP addresses in "Custom" pane of yast firewall appear TWICE in "input_ext" (once for TCP and once for UDP)
ls /proc/net/xt_recent/GOOD -l
Verify that file is world read/write (rwxrwcrwx)
REBOOT and Verify Access
rcSuSEfirewall2 restart
- http://www.megaproxy.com/freesurf
- Enter the same web page into the megaproxy service. Verify that they can no longer get to the login page.
Installation of Dynamic Good Guys
*Upgraded for Vicibox 7.0*
We upgraded DGG to be compatible with Vicibox 7.0 apache requirements.
*Upgraded for Encrypted Passwords*
DGG will now work with Vicidial's encrypted password method.
Back to install
- Note: If all you wanted was a solid lockdown ... stop here. Dynamic Good Guys is only useful for easy addition of new IPs without requiring admin or user to access the CLI. If you're ok with accessing the CLI (and using yast firewall custom entries or modifying the above custom hooks file via nano or vi), you're done here.
- Be sure you have the root mysql password before you begin! Blank is a valid password for this application (if you have no password for root mysql, that is.)
Main Install
mkdir -p /usr/src/poundteam cd /usr/src/poundteam rm dgg_install.sh wget http://www.poundteam.com/downloads/software/dgg_install.sh /bin/bash /usr/src/poundteam/dgg_install.sh
Continues with Mysql Install
At the beginning of the second stage, you will be asked for the mysql root pass:
Enter root mysql password - blank if no password
- Enter root pass to install db
Continues with apache configuration
Next we have the apache configuration:
Enter FQDN or IP - whichever is used in URL - of this server for apache configuration:
- Enter the FQDN or IP
At this point you will be presented with two DGG links.
Copy this information! It is easy to get now, but not so simple later unless you are very familiar with Linux.
An Example of such information is below:
URL for Dynamic Good Guys Login: http://xxx.xxx.xxx.xxx:81/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.php Modify regularly for security reasons. To modify: cp /srv/www/lockdown/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.php /srv/www/lockdown/NEWNAME.php Be sure to replace 'NEWNAME' with an actual random new name, of course! URL for ADMIN to modify individual IPs: http://xxx.xxx.xxx.xxx/phpmysqlezedit/goodguys.php?access=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx NOTE: Port 81 must be opened in yast to allow access to the DGG page above.
Example Authorized IPs listing
Example Add IP form
Testing / Troubleshooting
- If apache does not restart, check here for two or more entries at the bottom. (There should only be one instance of each entry, no dupes!)
nano /etc/apache2/listen.conf
Using the "URL for ADMIN to modify individual IPs"
Save a sample IP in the web page.
Test to make sure it saved in console:
cat /proc/net/xt_recent/GOOD
- NOTE: After installation, DO NOT use Yast Firewall ... Yast firewall deletes good guy entries upon saving/exiting from yast. Be sure to check all entries before final submission.
- Yast firewall reset will not terminate existing "connections", but will not allow new ones.
- If you must use Yast firewall, immediately add or remote a DGG entry as well to reinitialize the DGG system.
Using the "URL for Dynamic Good Guys Login"
- From an IP not presently authorized - although I would avoid a proxy service (Do you really want to give this link to a proxy server facility?)
- Surf to this link and you should be presented with a generic (vicidial) login screen
- With an authorized user/pass in the system you should then be redirected to the agent re-login screen.
- IF the user has a "phone" and "phone password" in their User entry, these will be pre-filled and the agent can then choose a campaign and log in.
- Verify that their IP address and user now show up in the "URL for ADMIN to modify individual IPs" with "temporary=Y".
- Temporary IPs are forgotten at reboot.
Extra Troubleshooting
Authorize IP Ranges
The DGG system will (at present) only authorize individual IP addresses. To add an IP Range instead ...
- Check existing configuration for later comparison: "iptables-save" will spill your present firewall settings to the console.
- "cat /proc/net/xt_recent/GOOD" will spill your present Good Guys list to the console.
- yast firewall
- Left Pane: Custom Rules
- "Alt-A" to "[Add]"
- Source Network: (this is where you put the IP range, such as "71.122.99.0/24" using CIDR notation)
- Protocol: UDP (for SIP access ... TCP for Web/Database/SSH ... TWO Entries if you require both)
- Destination/Source/Additional can all be left blank for the simplest method. It is possible to use these to strictly limit access, of course).
- "Alt-A" again to finish.
- Repeat as necessary until your list is complete. When your list is complete ..
- At this stage, it is best to bring up your "Dynamic Good Guys IP editor". Have it ready to hit "submit" on an entry (no need to change the entry).
- "Alt-N" for [Next]
- "Alt-F" for [Finish]
- Immediately "Submit" on the DGG IP editor page to re-register those Good IPs (they will be erased when you "Finish" on the line above).
- To validate: "iptables-save" will spill your new settings.
- "cat /proc/net/xt_recent/GOOD" will spill your new Good Guys list to the console.