Today we’re pleased to introduce a new state-of-the-art Travelin’ Man 3 firewall implementation for 2017. Five years ago, we developed a new security model for Asterisk® servers that whitelisted those needing access while blocking everyone else. The design was simple. You can’t attack what you can’t see. Three years ago, we made Travelin’ Man 3 more flexible for remote users with the addition of PortKnocker, a terrific tool providing temporary remote server access using a random three-number code. Today’s release further streamlines the firewall management process. Trusted users can permanently whitelist new IP addresses from anywhere using any PC or smartphone.
Travelin’ Man 3 Overview
If you’re new to Travelin’ Man 3 and the Linux IPtables firewall, here’s a quick overview. IPtables is a software-based firewall that is integrated into the Linux kernel. It consists of rules that define which IP packets hitting your server are allowed through the gate. The whitelist methodology behind Travelin’ Man 3 works like this. We predefine a list of trusted VoIP providers that get SIP and IAX access to your server so that you can easily set up trunks for incoming and outgoing calls. Then, as part of the Incredible PBX installation procedure, we whitelist all non-routable IP addresses as well as the public IP addresses of your server and the PC from which you installed Incredible PBX. Nobody else can even see your server on the Internet.
New Travelin’ Man 3 Design
With today’s new Travelin’ Man 3 design, you can whitelist additional IP addresses in several ways. First, as the administrator, you can log into your server as root and whitelist any IP address using the add-ip script in the /root folder. If a fully-qualified domain name (FQDN) is associated with the IP address to be whitelisted, the administrator can use the add-fqdn script to add the FQDN. If the FQDN points to a dynamic IP address that is refreshed using a dynamic IP update service, then Travelin’ Man 3 will refresh the firewall at 10-minute intervals to assure that remote users always have access to the server. This differs from previous releases of Travelin’ Man 3 that required a manual entry in /root/ipchecker to enable automatic refreshes.
A third method for permanently adding whitelist entries to your firewall is now provided using PortKnocker which is an integral component of Incredible PBX. By providing your PortKnocker credentials (/root/knock.FAQ) to any user, that user can easily gain one-click permanent access to the server using either the NMAP utility from a remote computer or the iOS PortKnock or Android DroidKnocker apps available for smartphones. As in previous releases of Travelin’ Man 3, an administrator can remove whitelist entries using del-acct utility in the /root folder. All admin and user-generated whitelist entries are stored in /root with a file extension of .iptables. Those generated using PortKnocker are automatically assigned a filename consisting of the timestamp associated with the time at which the whitelist entry was created. IMPORTANT: To authorize PortKnocker to permanently add IP addresses to your firewall, there is an activation step. Log into your server as root and issue the following command:
As part of the new implementation of Travelin’ Man 3 for the Incredible PBX for Wazo platform (only!), we’ve also reworked the firewall design a bit. There were several serious limitations in the original IPtables implementation of TM3. First, while IPtables allowed FQDN entries in its main configuration file, if one or more of those domains was off-line when IPtables was started or restarted, the entire firewall came crashing down leaving your server unprotected. In prior implementations, we avoided catastrophe by always using our iptables-restart utility to start and restart IPtables. This utility automatically tested for firewall failures and removed FQDN entries that caused the problems. A second limitation in the original Travelin’ Man 3 design involved an administrator who inadvertently used the iptables save command to modify an existing IPtables setup. Whenever this command is executed, IPtables immediately rewrites all FQDN entries in its configuration by converting them to IP addresses thereby eliminating the ability of the firewall to account for dynamic IP address changes occurring thereafter. Perhaps the most dangerous limitation occurred where your server’s network connection was not yet active when IPtables was started. If your configuration included FQDN entries, this would always cause IPtables startup to fail since FQDNs are all tested for availability as part of the initialization process. With Incredible PBX implementations, we have designed some safeguards into the network startup process to minimize this risk, but it would still be a problem if an administrator happened to notice that a network cable was unplugged and chose to plug it in after the server had already booted. Yes, the network would come on line. No, the IPtables firewall would not if there were FQDN entries in the config causing an IPtables startup failure.
Here’s a quick summary of the new IPtables design. First, there are never FQDN entries in the main IPtables config file, /etc/iptables/rules.v4. Instead, all custom whitelist entries now are generated in /usr/local/sbin/iptables-custom. The startup and restart procedure with iptables-restart now works like this. First, IPtables is started with the rules.v4 rules. Next, Fail2Ban is restarted as a second layer of protection for your server. Finally, the custom rules including all of your whitelisted IP addresses and FQDNs are started by running iptables-custom. If individual custom rules fail, they simply fail. They won’t bring down the firewall or Fail2Ban. Custom rules in iptables-custom look like this:
/sbin/iptables -A INPUT -s yourFQDN.dyndns.org -j ACCEPT
It should be noted that, if an administrator, inadvertently restarts the firewall without using the iptables-restart script, the consequences will be that the custom whitelist rules will not be loaded and Fail2Ban may not function properly. This shouldn’t be a problem because those with whitelisted remote phones will soon be calling with complaints that their phones are off-line. 🙂
As with all servers, your Incredible PBX server is only secure as long as you have no rotten apples in the employee pool. So, yes, there may come a time when it becomes necessary to modify your 3-number PortKnocker credentials to block an employee who has been terminated. The three steps to do this would be the following. First, edit /etc/knockd.conf and change the 3 port addresses in the sequence entry. Second, restart PortKnocker on your server: /etc/init.d/knockd restart. Third, modify /root/knock.FAQ to reflect your newly assigned ports and redistribute the file to remote employees.
Ready to get started? Hop over to the latest Incredible PBX for Wazo tutorial and fire up a new server. If you have an existing XiVO or Wazo server and you’d like to implement the new Travelin’ Man 3 design, here’s a tutorial to get you started. Enjoy!
Published: Monday, February 20, 20167
Need help with Asterisk? Visit the PBX in a Flash Forum.
Special Thanks to Our Generous Sponsors
Awesome Vitelity Special. Vitelity has generously offered a terrific discount for Nerd Vittles readers. You now can get an almost half-price DID from our special Vitelity sign-up link. If you’re seeking the best flexibility in choosing an area code and phone number plus the lowest entry level pricing plus high quality calls, then Vitelity is the hands-down winner. Vitelity provides Tier A DID inbound service in over 3,000 rate centers throughout the US and Canada. When you use our special link to sign up, Nerd Vittles gets a few shekels down the road to support our open source development efforts while you get an incredible signup deal as well. The going rate for Vitelity’s DID service is $7.95 a month which includes up to 4,000 incoming minutes on two simultaneous channels with terminations priced at 1.45¢ per minute. Not any more! For our users, here’s a deal you can’t (and shouldn’t) refuse! Sign up now, and you can purchase a Tier A DID with unlimited incoming calls and four simultaneous channels for just $3.99 a month. To check availability of local numbers and tiers of service from Vitelity, click here. NOTE: You can only use the Nerd Vittles sign-up link to order your DIDs, or you won’t get the special pricing! Vitelity’s rate is just 1.44¢ per minute for outbound calls in the U.S. There is a $35 prepay when you sign up. This covers future usage. Any balance is refundable if you decide to discontinue service with Vitelity.
3CX is a software PBX that’s easy to install & manage. It includes integrated softphones, WebRTC conferencing and essential add-ons out of the box, at no additional cost. Try the free edition at www.3cx.com. Better yet, download the PIAF5 ISO powered by 3CX. Free version includes support for 8 simultaneous calls with a SIP trunk.
RentPBX, a long-time partner and supporter of PIAF project, is offering generous discounts for Nerd Vittles readers. For all of your Incredible PBX hosting needs, sign up at www.RentPBX.com and use code NOGOTCHAS to get the special pricing. The code will lower the price to $14.99/month, originally $24.99/month. It’s less than 50¢/day.
Some Recent Nerd Vittles Articles of Interest…