Important: Please be very careful when you modify the firewall rules. Ask your company's system/network specialist for assistance.
The iptables service
XCALLY Motion uses the CentOS embedded firewall, iptables, to improve the system security.
If you prefer to use an external firewall, you can disable iptables with the following commands:
systemctl stop iptables
systemctl disable iptables
If you decide to use the iptables firewall, here is a basic configuration of the /etc/sysconfig/iptables file.*
*Please note that the statement order is very important.
In order to apply the new rules, you need to restart the iptables service:
systemctl restart iptables
If the rules are properly written into the iptables file, you'll see the applied rules by running the following command:
[root@XCALLY-PBX ~]# iptables -nvL
Important: If you also use Fail2Ban, remember to restart the fail2ban service after restarting the iptables service.
The iptables rules
DEFAULT SECTION This section includes some default rules; you don't need to make any changes.
#DEFAULT
*nat
:PREROUTING ACCEPT [100045:5485433]
:POSTROUTING ACCEPT [65694:4246540]
:OUTPUT ACCEPT [65694:4246540]
COMMIT
#
*mangle
:PREROUTING ACCEPT [2574805:1023590040]
:INPUT ACCEPT [2574801:1023589538]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2563845:954585648]
:POSTROUTING ACCEPT [2563845:954585648]
COMMIT
#
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:ASTERISK - [0:0]
:LOGDROP - [0:0]
#PORTSCAN RULES
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP
-A INPUT -p tcp -m tcp --tcp-flags ACK,URG URG -j DROP
REMOTE SIP CONNECTIONS The following rules enable SIP traffic from anywhere. They are useful when you switch on the XCALLY system for the first time, in order to quickly check that everything works (Agent Phonebars, VoIP provider trunk, etc.).
Be aware that your system could be exposed to security attacks: we strongly recommend that you use the previous section to add the static public IPs you want to enable (e.g. your VoIP provider's IP) and disable (comment out) the section below.
-A INPUT -p udp -m udp --dport 5060 -j ASTERISK
-A INPUT -p tcp -m tcp --dport 5060 -j ASTERISK
-A INPUT -p udp -m udp --dport 5061 -j ASTERISK
-A INPUT -p tcp -m tcp --dport 5061 -j ASTERISK
ESTABLISHED and RELATED This section includes some default rules; you don't need to make any changes.
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
LAN ACCESS Allow incoming connections FROM PRIVATE NETWORK (if you need to, allow incoming connections from your trusted internal network)
#-A INPUT -s 10.0.0.0/8 -j ACCEPT
#-A INPUT -s 172.16.0.0/12 -j ACCEPT
#-A INPUT -s 192.168.0.0/16 -j ACCEPT
XCALLY TEAM ACCESS Allow incoming connections FROM XCALLY TEAM (enable these rules if you need XCALLY TEAM support)
#-A INPUT -s 151.0.175.184/29 -j ACCEPT
#-A INPUT -s 89.96.28.59/32 -j ACCEPT
CUSTOM PUBLIC IP Add in this section the public IPs you want to allow (e.g. your company's IP or your VoIP provider's). Just replace the X's with the IP address and remove the # to uncomment the rule.
# -A INPUT -s XXX.XXX.XXX.XXX/XX -j ACCEPT
ICMP Echo Request The following rule allows echo requests (ping). It is used by the Motionbar to 'ping' the Motion server. You don't need to make any changes.
-A INPUT -p icmp -m icmp --icmp-type 8/0 -j ACCEPT
SSH Allow incoming SSH connections and drop more than 3 attempts in 1 minute
-A INPUT -p tcp -m tcp --dport 22 -m recent --set --name SSH
-A INPUT -p tcp -m tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j LOGDROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
HTTPS SERVICE Allow incoming connections on TCP/443
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
HTTP SERVICE Allow incoming connections on TCP/80 (enable this rule to allow incoming HTTP requests)
#-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
Asterisk WSS TLS WebRTC - DISABLE IF YOU HAVE RULE BASED ON PROVIDER/CUSTOMER CUSTOM PUBLIC IP
-A INPUT -p tcp -m tcp --dport 8089 -j ACCEPT
RTP MEDIA STREAM Allow incoming RTP media streams (DISABLE IF YOU HAVE RULE BASED ON PROVIDER/CUSTOMER CUSTOM PUBLIC IP)
-A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT
DEFAULT DROP RULE You don't need to make any changes to this rule.
# -A INPUT -j DROP #
BASIC ASTERISK PROTECTION The following rules are involved only if you have enabled the "REMOTE SIP CONNECTIONS" rules. They provide basic protection against some SIP attacks (REGISTER and INVITE floods and excessive packet rates per source). Please be aware that they do not protect your server against every kind of attack.
-A ASTERISK -m string --string "REGISTER sip:" --algo bm --to 65535 -m recent --set --name AST --rsource
-A ASTERISK -m string --string "REGISTER sip:" --algo bm --to 65535 -m recent --update --seconds 60 --hitcount 12 --rttl --name AST --rsource -j LOGDROP
-A ASTERISK -m string --string "INVITE sip:" --algo bm --to 65535 -m recent --set --name ASTINV --rsource
-A ASTERISK -m string --string "INVITE sip:" --algo bm --to 65535 -m recent --update --seconds 30 --hitcount 120 --rttl --name ASTINV --rsource -j LOGDROP
-A ASTERISK -m hashlimit --hashlimit-upto 24/sec --hashlimit-mode srcip,dstport --hashlimit-name tunnel_limit -j ACCEPT
-A ASTERISK -j LOGDROP
DEFAULT You don't need to make any changes to these rules.
-A LOGDROP -m limit --limit 1/sec -j LOG --log-prefix "Dropped Packet: " --log-level 7
-A LOGDROP -j DROP
COMMIT
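The following helper script is an added example, not part of the XCALLY documentation or product. It covers two things the sections above ask of you: building a CUSTOM PUBLIC IP rule from an address without typos, and checking a ruleset file for the mistakes the notes warn about (statement order, and REMOTE SIP CONNECTIONS still open once a custom public IP rule exists) before the service is restarted. It assumes POSIX sh with grep and awk, a file laid out like the one above (":INPUT DROP" policy, SIP rules jumping to the ASTERISK chain, allow rules of the form "-A INPUT -s a.b.c.d/nn -j ACCEPT"), and that iptables-restore and systemctl are available only when apply_rules is actually run; the sample rulesets are constructed here, not taken from a real host.

```shell
#!/bin/sh
# Added helper (not part of XCALLY): sanity-check an /etc/sysconfig/iptables file.
# Assumes POSIX sh, grep, awk and the ruleset layout documented above.

# Print the CUSTOM PUBLIC IP rule for one IPv4 address or CIDR; fail on bad input.
make_allow_rule() {
    addr=$1
    case "$addr" in
        */*) ip=${addr%/*}; prefix=${addr#*/} ;;
        *)   ip=$addr;       prefix=32 ;;
    esac
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs     # split into octets
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    printf '%s\n' "-A INPUT -s $ip/$prefix -j ACCEPT"
}

# Check a ruleset file. Return codes:
#   0 ok
#   1 INPUT default policy is not DROP
#   2 an active "-A INPUT -j DROP" is followed by INPUT rules that can never match
#   3 a CUSTOM PUBLIC IP rule is active while REMOTE SIP CONNECTIONS are still open
audit_ruleset() {
    file=$1
    grep -q '^:INPUT DROP' "$file" || { echo "INPUT policy is not DROP" >&2; return 1; }
    unreachable=$(awk '/^-A INPUT -j DROP$/ {seen=1; next}
                       seen && /^-A INPUT / {n++}
                       END {print n+0}' "$file")
    if [ "$unreachable" -gt 0 ]; then
        echo "$unreachable INPUT rule(s) after the default DROP rule are unreachable" >&2
        return 2
    fi
    custom=$(grep -c '^-A INPUT -s [0-9.]*/[0-9]* -j ACCEPT' "$file" || true)
    open_sip=$(grep -c '^-A INPUT -p [tu][cd]p -m [tu][cd]p --dport 506[01] -j ASTERISK' "$file" || true)
    if [ "$custom" -gt 0 ] && [ "$open_sip" -gt 0 ]; then
        echo "custom public IP rule present but REMOTE SIP CONNECTIONS still open: comment them out" >&2
        return 3
    fi
    return 0
}

# Apply a file the careful way: audit, parse-only dry run, restart iptables, then fail2ban.
apply_rules() {
    file=${1:-/etc/sysconfig/iptables}
    audit_ruleset "$file" || return $?
    iptables-restore --test "$file" || { echo "iptables-restore rejected $file" >&2; return 1; }
    systemctl restart iptables && systemctl restart fail2ban
}

# Constructed sample rulesets (filter table only) for the demo; "open" leaves SIP
# world-reachable, "locked" comments it out, "shadow" puts rules after the DROP.
sample_ruleset() {
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':ASTERISK - [0:0]' ':LOGDROP - [0:0]'
    printf '%s\n' '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'
    case "$1" in
        open)   printf '%s\n' '-A INPUT -p udp -m udp --dport 5060 -j ASTERISK' ;;
        locked) printf '%s\n' '#-A INPUT -p udp -m udp --dport 5060 -j ASTERISK' ;;
        shadow) printf '%s\n' '-A INPUT -j DROP' ;;
    esac
    make_allow_rule 203.0.113.10/32
    printf '%s\n' '-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT' 'COMMIT'
}

# Run "sh thisfile.sh demo" to audit the three constructed variants.
if [ "${1:-}" = "demo" ]; then
    for variant in open locked shadow; do
        tmp=$(mktemp); sample_ruleset "$variant" > "$tmp"
        audit_ruleset "$tmp"; echo "$variant -> exit $?"
        rm -f "$tmp"
    done
fi
```

On a real host you would source the file and run `apply_rules /etc/sysconfig/iptables`; the `--test` option of iptables-restore parses the file without committing it, so a syntax error is caught before the running ruleset is touched, and fail2ban is restarted last so its chains are re-inserted into the fresh INPUT chain.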
Fail2Ban
Fail2Ban is an intrusion prevention software framework that protects servers from brute-force attacks by analyzing the Asterisk and SSH log files.
Fail2Ban is included with the Motion secure installation.
Fail2Ban service
If you need to disable Fail2Ban, please execute the following commands:
systemctl stop fail2ban
systemctl disable fail2ban
The following command will restart the service:
systemctl restart fail2ban
Fail2Ban configuration
The configuration file is /etc/fail2ban/jail.conf
The Asterisk access log file is /var/log/asterisk/security
The SSH access log file is /var/log/secure
Whitelist
Fail2ban will not ban a host which matches an address in this list:
ignoreip = 127.0.0.1/8 151.0.175.184/29 89.96.28.59
Show the jail list
fail2ban-client status
Remove a host from a jail list
fail2ban-client set YOURJAILNAMEHERE unbanip IPADDRESSHERE
Check the banned IP addresses
iptables -nvL
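Running iptables -nvL prints every chain, so the bans are easy to miss among the firewall rules above. The helper below is an added example, not part of the XCALLY documentation or of Fail2Ban: it filters that listing down to the Fail2Ban chains and prints each banned source with its packet counter, and derives the unbanip command from the chain name. It assumes the iptables action creates one chain per jail named f2b-<jail> (fail2ban-<jail> on older releases) ending in REJECT or DROP rules per source, and that the chain suffix equals the jail name, which is the default but can be changed in the jail configuration; the listing used below is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added helper (not part of XCALLY or Fail2Ban): summarize Fail2Ban bans from
# "iptables -nvL" output. Assumes chains named f2b-<jail> or fail2ban-<jail>.

# Read "iptables -nvL" output on stdin; print "<chain> <source> <packets>" per ban.
# Column layout of -nvL: pkts bytes target prot opt in out source destination ...
banned_ips() {
    awk '
        $1 == "Chain" { chain = ($2 ~ /^(f2b|fail2ban)-/) ? $2 : ""; next }
        chain != "" && ($3 == "REJECT" || $3 == "DROP") { print chain, $8, $1 }
    '
}

# Number of active bans in a listing (useful as a monitoring metric).
ban_count() { banned_ips | wc -l | tr -d ' '; }

# Print the fail2ban-client command that lifts a ban, deriving the jail from the chain
# (assumption: the chain suffix is the jail name, which is the default).
unban_command() {
    jail=${1#f2b-}; jail=${jail#fail2ban-}
    printf '%s\n' "fail2ban-client set $jail unbanip $2"
}

# Constructed sample of "iptables -nvL" output (not captured from a real host).
sample_listing() {
cat <<'EOF'
Chain INPUT (policy DROP 12 packets, 720 bytes)
 pkts bytes target     prot opt in     out     source               destination
 3120  210K f2b-sshd   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 22
  50K   12M f2b-asterisk  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain f2b-asterisk (1 references)
 pkts bytes target     prot opt in     out     source               destination
  842 61532 REJECT     all  --  *      *       198.51.100.23        0.0.0.0/0            reject-with icmp-port-unreachable
  50K   12M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain f2b-sshd (1 references)
 pkts bytes target     prot opt in     out     source               destination
   17  1020 REJECT     all  --  *      *       203.0.113.77         0.0.0.0/0            reject-with icmp-port-unreachable
 3103  209K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
EOF
}

# Run "sh thisfile.sh demo" to see the summary of the constructed sample.
if [ "${1:-}" = "demo" ]; then
    sample_listing | banned_ips | while read -r chain src pkts; do
        echo "$chain bans $src ($pkts packets); lift with: $(unban_command "$chain" "$src")"
    done
fi
```

On a live host the invocation is `iptables -nvL | banned_ips`; the packet counter tells you whether a banned address is still knocking, which is worth knowing before you lift a ban with the fail2ban-client command shown above.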
Fail2Ban Official documentation https://www.fail2ban.org