DGG
Dynamic Good Guys Whitelist Firewall for Vicidial
License: Attribution-ShareAlike 3.0 Unported
Contents
- 1 ASSUMES STOCK VICIBOX INSTALLATION
- 1.1 Lockdown in Preparation for Install
- 1.2 Pre-Install Test = Start with a Fresh System Reboot
- 1.3 Activate Custom Firewall Hooks
- 1.4 Turn Off Ping
- 1.5 Turn off Auth port 113
- 1.6 Add Administrator Access using Custom Hooks
- 1.7 Allow Apache to add "Good Guys"
- 1.8 Close Stock Vicibox Firewall Holes
- 1.9 REBOOT and Verify Access
- 2 Installation of Dynamic Good Guys
ASSUMES STOCK VICIBOX INSTALLATION
Lockdown in Preparation for Install
Note: ALWAYS be sure that YOU can get into the server box in case you make a mistake!
Pre-Install Test = Start with a Fresh System Reboot
- Verify access on port 80: http://www.megaproxy.com/freesurf/
- Enter the server's web page URL into the megaproxy service (use a private browsing window or similar so your own session is not reused). Verify that the proxy can also reach the login page.
- Purpose: When you start, both you and megaproxy can get in. When you finish, megaproxy will NOT be able to reach the page, but you will.
Activate Custom Firewall Hooks
nano +874 /etc/sysconfig/SuSEfirewall2
Change:
#FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"
FW_CUSTOMRULES=""
To (move the #):
FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"
#FW_CUSTOMRULES=""
Turn Off Ping
nano +730 /etc/sysconfig/SuSEfirewall2
change:
FW_ALLOW_PING_FW="yes"
to (yes to no):
FW_ALLOW_PING_FW="no"
Turn off Auth port 113
nano +415 /etc/sysconfig/SuSEfirewall2
change:
FW_SERVICES_REJECT_EXT="0/0,tcp,113"
to:
FW_SERVICES_REJECT_EXT=""
Add Administrator Access using Custom Hooks
nano +51 /etc/sysconfig/scripts/SuSEfirewall2-custom
In the "fw_custom_before_port_handling()" function, add these two lines above the closing "true":
iptables -I INPUT 1 -s office.poundteam.com -p all -j ACCEPT
iptables -I input_ext 2 -m recent --rcheck --name GOOD -j ACCEPT
This is how it will look when you are done:
# ports before the SuSEfirewall2 generated rules are hit.
iptables -I INPUT 1 -s office.poundteam.com -p all -j ACCEPT
iptables -I input_ext 2 -m recent --rcheck --name GOOD -j ACCEPT
true
Notes:
- The line with "GOOD" is part of Dynamic Good Guys and IS required!
- The line with "office.poundteam.com" is optional: replace "office.poundteam.com" with your own domain or IP address for PERMANENT remote access that cannot be "accidentally" removed by anyone without ssh access. Multiple such lines are possible (they can all keep rule number 1; there is no need to increment it). Subnet mask notation such as "128.15.27.0/24" is also accepted.
Allow Apache to add "Good Guys"
echo "options ipt_recent ip_list_perms=0777" > /etc/modprobe.d/90-ipt_recent.conf
- This creates a new file (/etc/modprobe.d/90-ipt_recent.conf) containing the single line "options ipt_recent ip_list_perms=0777".
- OpenSuSE: this makes /proc/net/xt_recent/GOOD writable by all users instead of only root.
- Ubuntu: this makes /proc/net/ipt_recent/GOOD writable by all users instead of only root.
Close Stock Vicibox Firewall Holes
In Yast
yast firewall
Interfaces
Be sure the External IP address is in the External Zone and the Private IP address (i.e. 192.168.x.x or 10.x.x.x) is in the Internal Zone. This may require a quick trip to ifconfig to be sure you have identified eth0 and eth1 correctly.
Allowed Services
- "Tab" until you have highlighted "HTTP Server" and hit "Alt-t" (Alt-t is Delete)
- Confirm that you really want to delete the selected entry (Enter selects Yes)
- "Alt-t" again for HTTPS and delete it as well.
- DO NOT remove Secure Shell Server (that's SSH!!)
Advanced Services (inside Allowed Services)
- "Alt-d" to select the Additional Allowed Ports popup
- This section should have NO entries when you're finished!
- "Tab" until you have highlighted the TCP Ports.
- Backspace to delete the ports listed.
- Add port 81 to the TCP list IF you want the Dynamic portion to use port 81 for remote access while agents self-allow their IP addresses (see below).
- "Tab" until you have highlighted the UDP Ports (10000:20000 4569 5060:5069)
- Backspace to delete the ports listed (port 22 is not in this list, so you are not removing YOUR ability to get into the system with SSH)
- "Alt-O" (O as in Oscar, not Zero) for "Ok" to exit this panel
- "Alt-N" for "Next" to accept changes made
- "Alt-F" for "Finish" to accept changes made again
- "Alt-Q" to quit and return to Command Line mode
Custom Rules
- For adding CLIENT IP addresses and ranges: use this ONLY for entries you intend to maintain over ssh in the future. Leave it blank if you want to manage all allowed IPs via Dynamic Good Guys.
- Dynamic Good Guys handles ONLY single IP addresses. This custom rules method can add IP ranges using subnet mask notation (such as "182.55.12.0/24").
- Firewall Zone: External Zone
- "Alt-A" to add a new allowing rule. Each rule must be added TWICE: once for TCP and once for UDP. Destination and source port should be left blank.
- TCP is for web access
- UDP is for phone access
- It is also possible to restrict individual ports per protocol (UDP vs TCP), for example if you want to be precise about items such as mysql links.
Save and exit and verify
- "Alt-N" for "Next"
- "Alt-F" for "Finish" (or just "Enter")
iptables-save
Verify that added IP addresses appear TWICE in "input_ext"
ls /proc/net/xt_recent/GOOD -l
Verify that the file is world readable and writable (rwxrwxrwx)
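The checks above (two input_ext rules per permanent IP, the GOOD hook rule, the contents of the xt_recent list) and the "cat /proc/net/xt_recent/GOOD" test in the troubleshooting section can be scripted. The following helper functions are an added example written for this page, not part of DGG or Vicidial; they assume the OpenSuSE list path from this page and a plain iptables-save dump on stdin, and the add/remove functions use the kernel's documented "+IP" / "-IP" / "/" control syntax for xt_recent lists.

```bash
#!/bin/sh
# Added helper script (not part of the DGG project or Vicidial) for driving and
# checking the xt_recent list that Dynamic Good Guys relies on.  DGG_LIST
# defaults to the OpenSuSE path from this page; point it at a scratch file to
# exercise the functions without touching the live firewall.
DGG_LIST="${DGG_LIST:-/proc/net/xt_recent/GOOD}"

# Accept only a single dotted-quad IPv4 address.  The GOOD list holds single
# hosts only, and the value written by the web side originates from a request,
# so anything else (ranges, hostnames, stray characters) is refused here.
valid_ipv4() {
    printf '%s' "$1" | grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3}$' || return 1
    local oldifs octet
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# xt_recent control interface: "+IP" adds or refreshes, "-IP" removes, "/" flushes.
dgg_add()   { valid_ipv4 "$1" && echo "+$1" > "$DGG_LIST"; }
dgg_del()   { valid_ipv4 "$1" && echo "-$1" > "$DGG_LIST"; }
dgg_flush() { echo / > "$DGG_LIST"; }

# Print just the addresses; each kernel entry looks like
# "src=198.51.100.7 ttl: 64 last_seen: 4295012345 oldest_pkt: 1 4295012345".
dgg_list() { sed -n 's/^src=\([0-9.]*\).*/\1/p' "$DGG_LIST"; }

# From iptables-save output on stdin, count input_ext rules whose source is the
# given address; the Yast custom-rules procedure should give exactly 2 (TCP+UDP).
count_input_ext() {
    awk -v ip="$1" '$1 == "-A" && $2 == "input_ext" && $3 == "-s" &&
                    ($4 == ip || $4 == ip "/32") { n++ } END { print n + 0 }'
}

# From iptables-save output on stdin, confirm the required DGG hook rule exists.
has_good_rule() {
    grep -q '^-A input_ext .*-m recent --rcheck --name GOOD .*-j ACCEPT'
}
```

On the live server, `iptables-save | count_input_ext 1.2.3.4` and `dgg_list` reproduce the two manual checks; `dgg_add` is what the Apache side effectively does, with the address validated before it is written.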
REBOOT and Verify Access
rcSuSEfirewall2 restart
- http://www.megaproxy.com/freesurf
- Enter the same web page URL into the megaproxy service. Verify that the proxy can no longer reach the login page.
Installation of Dynamic Good Guys
- Be sure you have the root mysql password before you begin! Blank is a valid password for this application (if you have no password for root mysql, that is.)
Main Install
mkdir -p /usr/src/poundteam
cd /usr/src/poundteam
rm -f dgg_install.sh
wget http://www.poundteam.com/downloads/software/dgg_install.sh
/bin/bash /usr/src/poundteam/dgg_install.sh
Continues with Mysql Install
At the beginning of the second stage, you will be asked for the mysql root password:
Enter root mysql password - blank if no password
- Enter the root password to install the db
Continues with apache configuration
Next we have the apache configuration:
Enter FQDN or IP - whichever is used in URL - of this server for apache configuration:
- Enter the FQDN or IP
At this point you will be presented with two DGG links.
Copy this information! It is easy to get now, but not so simple later unless you are very familiar with Linux.
An Example of such information is below:
URL for Dynamic Good Guys Login: http://xxx.xxx.xxx.xxx:81/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.php
Modify regularly for security reasons. To modify:
cp /srv/www/lockdown/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.php /srv/www/lockdown/NEWNAME.php
Be sure to replace 'NEWNAME' with an actual random new name, of course!
URL for ADMIN to modify individual IPs: http://xxx.xxx.xxx.xxx/phpmysqlezedit/goodguys.php?access=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
NOTE: Port 81 must be opened in yast to allow access to the DGG page above.
Testing / Troubleshooting
- If apache does not restart, check the bottom of this file for duplicated entries (there should be only one instance of each entry, no dupes!):
nano /etc/apache2/listen.conf
Using the "URL for ADMIN to modify individual IPs"
Save a sample IP in the web page.
Test to make sure it saved in console:
cat /proc/net/xt_recent/GOOD
- NOTE: After installation, DO NOT use Yast Firewall: Yast firewall deletes good guy entries upon saving/exiting from yast. Be sure to check all entries before final submission.
- A Yast firewall reset will not terminate existing "connections", but it will not allow new ones.
- If you must use Yast firewall, immediately add or remove a DGG entry as well to reinitialize the DGG system.
Using the "URL for Dynamic Good Guys Login"
- From an IP not presently authorized (although I would avoid a proxy service: do you really want to give this link to a proxy server facility?)
- Surf to this link and you should be presented with a generic (vicidial) login screen
- With an authorized user/pass in the system you should then be redirected to the agent re-login screen.
- IF the user has a "phone" and "phone password" in their User entry, these will be pre-filled and the agent can then choose a campaign and log in.
- Verify that their IP address and user now show up in the "URL for ADMIN to modify individual IPs" with "temporary=Y".
- Temporary IPs are forgotten at reboot.