Page 2 of 3

Re: The new Vicibox 8.1 integrated firewall

PostPosted: Tue Nov 27, 2018 1:55 pm
by williamconley
alexgrad wrote: As the port for the dynamic portal always has to be open, what's the difference between opening it on 80/443 or on other ports?

Intelligent question!

Answer: Ports 80 & 443 are standard web portals. Script kiddies constantly monitor these ports and collect lists of "available" and share them among groups. You'll notice more and more attempts on more and more known web pages. At first "robots.txt" and the like, but ultimately you'll see attempts to phpMyAdmin "known security risk" pages and ultimately Every Risk (Prior and current) under the sun. And if those attempts meet with Failure or 404 instead of "no response", then you open yourself to being added to yet more attempts. Especially if they find a known login page (sugarCRM? phpMyAdmin?) and fail to log in. Cuz now it's a job for ... Brute Force Scripts! and you end up with a DOS situation due to the brute force attack. Unless they guess a password or find an exploit. Then it's a whole new ballgame.

But on a non-standard port the volume of attack is minuscule at best. There are so many servers out there on the known ports that the non-standards are still being ignored. Plus the Dynamic Good Guys approach didn't expose ANY of the Vicidial or other software: just a single web page with a special name. Anything else would result in 404. So the only way into the system was to have that link or exploit the 404 page. To date I've not heard of an exploit of the standard 404 page.

Re: The new Vicibox 8.1 integrated firewall

PostPosted: Tue Nov 27, 2018 2:13 pm
by dspaan
Then again, I saw on Matt's Twitter feed that last year 11.000 new vicidial installs were done (how are those tracked?), and we can assume that a bunch of them are managed by criminals like those fake Microsoft scammers from India. They understand vicidial to some extent. It would be good to have some kind of alert system in case someone tries to log into the dynamic portal and keeps failing, and also an increasing-interval lockout system.

PS: Does anyone know when Kumba will be back? He hasn't visited the forum since 13 November. I sent him a PM last week but no response.

Re: The new Vicibox 8.1 integrated firewall

PostPosted: Tue Nov 27, 2018 2:19 pm
by williamconley
dspaan wrote: Then again, I saw on Matt's Twitter feed that last year 11.000 new vicidial installs were done (how are those tracked?), and we can assume that a bunch of them are managed by criminals like those fake Microsoft scammers from India. They understand vicidial to some extent. It would be good to have some kind of alert system in case someone tries to log into the dynamic portal and keeps failing, and also an increasing-interval lockout system.

PS: Does anyone know when Kumba will be back? He hasn't visited the forum since 13 November. I sent him a PM last week but no response.

1) We have several systems that lock IPs immediately upon fail. Vicidial has methods recently to lock out after failure attempts, but that just adds a delay and then they will (eventually) rotate IPs. Thus the "You must have this link to attempt login" page. If they actually find the page, change the URL to a new 36-char random value and they won't be finding it again unless they have an "inside" in your office. If they have that, you have bigger fish to fry than the login page, though. lol

2) Kumba (and others) log on during slow times at the job. If he's busy this season, he'll be back when he's NOT busy any more. Just like anyone else, a short vacation from the real job can result in a month or two offline here while catching up. The solution to that is to wait it out OR pay for actual service.
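The "you must have this link" portal design from the two posts above, as an added illustration written for this thread (not ViciBox's own dynamic-portal code): one 36-character random path answers, every other path gets a plain 404, and the path can be rotated when it leaks. The `DynamicPortal` class and the request log it keeps are assumptions for the example.

```python
import hmac
import secrets
from http import HTTPStatus

# Lower-case letters and digits, 36 characters: the path length the post suggests.
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"
PATH_LEN = 36


def new_portal_path(length=PATH_LEN):
    """Return a fresh random path segment drawn from a CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


class DynamicPortal:
    """Hypothetical request handler: only the secret path is served."""

    def __init__(self, secret_path=None):
        self.secret_path = secret_path or new_portal_path()
        self.rejected = []  # (client_ip, path) of every non-matching request, for monitoring

    def handle(self, path, client_ip):
        """Return (status, body) for a request; unknown paths get a bare 404."""
        requested = path.lstrip("/").encode()
        # Constant-time comparison so the path cannot be guessed byte by byte.
        if hmac.compare_digest(requested, self.secret_path.encode()):
            return HTTPStatus.OK, "portal page"
        # Known login pages, robots.txt and random probes all look the same from outside.
        self.rejected.append((client_ip, path))
        return HTTPStatus.NOT_FOUND, ""

    def rotate(self):
        """Replace the URL with a new random value once the old one is known."""
        self.secret_path = new_portal_path()
        return self.secret_path
```

Rejected requests are recorded rather than answered differently, so an alert on repeated 404s from one address is a simple count over `rejected`.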

Re: The new Vicibox 8.1 integrated firewall

PostPosted: Tue Nov 27, 2018 2:30 pm
by dspaan
williamconley wrote: 2) Kumba (and others) log on during slow times at the job. If he's busy this season, he'll be back when he's NOT busy any more. Just like anyone else, a short vacation from the real job can result in a month or two offline here while catching up. The solution to that is to wait it out OR pay for actual service.

I thought vicibox development was a one-man show by him, that's why I asked. Is he a vicidial employee? For some reason I thought he worked freelance, don't know where I got that from.

williamconley wrote: Vicidial has methods recently to lock out after failure attempts

Which methods are these? I want to set that up.

Re: The new Vicibox 8.1 integrated firewall

PostPosted: Tue Nov 27, 2018 2:40 pm
by williamconley
dspaan wrote:
williamconley wrote: Vicidial has methods recently to lock out after failure attempts

Which methods are these? I want to set that up.

Nobody has asked us to delve into this as yet. But we've had a couple clients locked out from "too many attempts". So it's in there somewhere in the latest version. Not sure where it is or when it was added.

Re: The new Vicibox 8.1 integrated firewall

PostPosted: Tue Nov 27, 2018 2:57 pm
by dspaan
Ah yes, I know that for the manager login you have a lockout feature. In order to reset it you have to press the submit button on the user modify page without changing anything. I was more thinking of a lockout for the dynamic portal for vicibox.

Re: The new Vicibox 8.1 integrated firewall

PostPosted: Tue Nov 27, 2018 3:19 pm
by williamconley
dspaan wrote: Ah yes, I know that for the manager login you have a lockout feature. In order to reset it you have to press the submit button on the user modify page without changing anything. I was more thinking of a lockout for the dynamic portal for vicibox.

Are you suggesting that the Agent login does not share the lockout feature? Have you tested this?

Re: The new Vicibox 8.1 integrated firewall

PostPosted: Tue Nov 27, 2018 4:04 pm
by dspaan
No, I don't know that and didn't test. I only know about the manager lockout from experience.

Re: The new Vicibox 8.1 integrated firewall

PostPosted: Tue Nov 27, 2018 4:22 pm
by williamconley
Dude! Test it and report back. I'll wait here. 8-)

Re: The new Vicibox 8.1 integrated firewall

PostPosted: Wed Nov 28, 2018 10:40 am
by dspaan
I just tried it over 5 times but didn't get locked out. So no mechanism for agent brute force.

Re: The new Vicibox 8.1 integrated firewall

PostPosted: Wed Nov 28, 2018 11:53 am
by blackbird2306
130603-2208 - Added login lockout for 15 minutes after 10 failed logins, and other security fixes

The lockout feature has been there since 2013, but it triggers after 10 fails and locks only for 15 minutes, which is quite short.
You can change these hardcoded values in both functions.php files (agc and vicidial directories):
Code:
$LOCK_over = ($STARTtime - 900); # failed login lockout time is 15 minutes(900 seconds)
$LOCK_trigger_attempts = 10;

Re: The new Vicibox 8.1 integrated firewall

PostPosted: Wed Nov 28, 2018 1:09 pm
by Kumba
You can fix the VB-Firewall.pl iptables error message by doing the following:

Code:
sed -i 's+`iptables+`/usr/sbin/iptables+g' /usr/local/bin/VB-firewall.pl

I'll be adding this to the bugfix thread.

Re: The new Vicibox 8.1 integrated firewall

PostPosted: Wed Nov 28, 2018 1:21 pm
by dspaan
Kumba wrote: You can fix the VB-Firewall.pl iptables error message by doing the following:

Code:
sed -i 's+`iptables+`/usr/sbin/iptables+g' /usr/local/bin/VB-firewall.pl

I'll be adding this to the bugfix thread.

Thanks!!!

Re: The new Vicibox 8.1 integrated firewall

PostPosted: Wed Nov 28, 2018 3:02 pm
by williamconley
blackbird2306 wrote:
130603-2208 - Added login lockout for 15 minutes after 10 failed logins, and other security fixes

The lockout feature has been there since 2013, but it triggers after 10 fails and locks only for 15 minutes, which is quite short.
You can change these hardcoded values in both functions.php files (agc and vicidial directories):
Code:
$LOCK_over = ($STARTtime - 900); # failed login lockout time is 15 minutes(900 seconds)
$LOCK_trigger_attempts = 10;

Excellent post. That should be a Settings Container value instead, dontcha think?

Re: The new Vicibox 8.1 integrated firewall

PostPosted: Thu Nov 29, 2018 3:21 am
by dspaan
Are you sure the lockout isn't just for admins? I just tried logging in 12 times with a wrong password as agent and no lockout.

Re: The new Vicibox 8.1 integrated firewall

PostPosted: Thu Nov 29, 2018 10:27 am
by blackbird2306
williamconley wrote:Excellent post. That should be a Settings Container value instead, dontcha think?

Thank you :D . Yes that was my first thought too.

dspaan wrote: Are you sure the lockout isn't just for admins? I just tried logging in 12 times with a wrong password as agent and no lockout.

Yes, it's for agent and admin login. You are getting this message: "Too many login attempts, try again in 15 minutes".
But it isn't the same as a blocking firewall. The lockout is only for this particular user account. This means you are only unable to log in to this account, e.g. user "2000", but it's possible to go further and try another account like "3000". For example: 10 times fail user 2000, 10 times fail user 3000, and after 15 minutes wait time you can try user 2000 again. It would not be that difficult, and much more effective, to implement an IP block after these 10 failed attempts, because the IP is logged in the db. But I think Matt was concerned about accidentally blocking all agents of a whole call center with the same IP from login in some case.

Re: The new Vicibox 8.1 integrated firewall

PostPosted: Thu Nov 29, 2018 11:20 am
by dspaan
Yeah, an IP block for new IPs would be a better blocking system. Accidentally blocking a local network could be prevented if it were added to the new IP lists setting. By the way, I'm not getting that "too many login attempts" message. What could be causing it not to work?
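The lockout behaviour discussed in the last few posts, as an added example (not VICIdial's functions.php code): the same 10-failure / 900-second thresholds as the `$LOCK_trigger_attempts` and `$LOCK_over` values quoted above, applied per account the way the thread describes, with an optional per-IP lockout that exempts allow-listed call-centre networks so a shared NAT address is never locked out wholesale. The `LoginGuard` class and the `trusted_nets` parameter are assumptions for the example.

```python
import time
from collections import defaultdict
from ipaddress import ip_address, ip_network

LOCK_TRIGGER_ATTEMPTS = 10   # same threshold as $LOCK_trigger_attempts
LOCK_SECONDS = 900           # same window as the 900 s in $LOCK_over


class LoginGuard:
    """Tracks failed logins per account and, optionally, per source IP."""

    def __init__(self, per_ip=True, trusted_nets=(),
                 attempts=LOCK_TRIGGER_ATTEMPTS, window=LOCK_SECONDS):
        self.per_ip = per_ip                       # False = per-account only, as in the thread
        self.trusted = [ip_network(n) for n in trusted_nets]
        self.attempts = attempts
        self.window = window
        self.failures = defaultdict(list)          # (kind, key) -> failure timestamps

    def _recent(self, kind, key, now):
        # Discard failures older than the window, like $STARTtime - 900 does.
        cutoff = now - self.window
        kept = [t for t in self.failures[(kind, key)] if t > cutoff]
        self.failures[(kind, key)] = kept
        return len(kept)

    def _trusted(self, ip):
        addr = ip_address(ip)
        return any(addr in net for net in self.trusted)

    def is_locked(self, user, ip, now=None):
        """True when this account, or this untrusted IP, has hit the threshold."""
        now = time.time() if now is None else now
        if self._recent("user", user, now) >= self.attempts:
            return True
        # The per-IP check stops rotating through accounts from one address;
        # allow-listed ranges are exempt so one wrong password cannot lock out
        # every agent behind the call centre's shared IP.
        if self.per_ip and not self._trusted(ip):
            return self._recent("ip", ip, now) >= self.attempts
        return False

    def record_failure(self, user, ip, now=None):
        now = time.time() if now is None else now
        self.failures[("user", user)].append(now)
        self.failures[("ip", ip)].append(now)
```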

Re: The new Vicibox 8.1 integrated firewall

PostPosted: Thu Nov 29, 2018 12:16 pm
by blackbird2306
Seems to me like a small bug. You have to select an existing and allowed campaign at the login page, otherwise there is no block. But there is also a more or less new IP whitelist option, which you can enable in system settings (Allow IP Lists).

Re: The new Vicibox 8.1 integrated firewall

PostPosted: Thu Nov 29, 2018 5:32 pm
by dspaan
Yes, I'm using the whitelist in conjunction with the new vicibox firewall.

Re: The new Vicibox 8.1 integrated firewall

PostPosted: Mon Dec 03, 2018 2:48 pm
by dspaan
Question: The new white/dynamic options don't open up ports 10000:20000 UDP. Is that correct?

Does this mean I have to keep these open under allowed services in YaST?

Re: The new Vicibox 8.1 integrated firewall

PostPosted: Mon Dec 03, 2018 4:44 pm
by williamconley
Those should be auto-authorized under "related" or similar. Have you tested?

Re: The new Vicibox 8.1 integrated firewall

PostPosted: Mon Dec 03, 2018 4:49 pm
by dspaan
Yes, in my tests I noticed I didn't have RTP and the connection would be dropped after 60 seconds; that's how I found out. I had to open them up in the YaST firewall. It would make sense to me if the white/dynamic process would open these ports too. I can't really say what the security risk is of having those ports open to the public.

Re: The new Vicibox 8.1 integrated firewall

PostPosted: Mon Dec 03, 2018 5:16 pm
by williamconley
dspaan wrote: Yes, in my tests I noticed I didn't have RTP and the connection would be dropped after 60 seconds; that's how I found out. I had to open them up in the YaST firewall. It would make sense to me if the white/dynamic process would open these ports too. I can't really say what the security risk is of having those ports open to the public.

It's not as bad as other ports, but it tempts the script kiddies to poke and prod randomly and eventually becomes problematic. Certainly viable for testing, but should only be opened to SIP clients.

Re: The new Vicibox 8.1 integrated firewall

PostPosted: Wed Jan 02, 2019 5:23 pm
by alo
Is it still recommended to block ping as well here?

Re: The new Vicibox 8.1 integrated firewall

PostPosted: Thu Jan 03, 2019 3:05 am
by williamconley
Yes. Block literally everything. Anyone NOT on your whitelist should get zero response exactly as if there was no device on that IP address.

Re: The new Vicibox 8.1 integrated firewall

PostPosted: Thu Jan 03, 2019 4:20 am
by dspaan
I'm hoping the feature gets added that ports 10000-20000 are also controlled by the VB firewall.

Re: The new Vicibox 8.1 integrated firewall

PostPosted: Wed Jan 09, 2019 8:18 pm
by rajivtech22
How do I add an IP to the whitelist?

Re: The new Vicibox 8.1 integrated firewall

PostPosted: Thu Jan 10, 2019 3:33 pm
by dspaan
Go to Admin>IP list and create the ViCiWhite list there.

Re: The new Vicibox 8.1 integrated firewall

PostPosted: Wed Jan 23, 2019 1:58 pm
by rajivtech22
There is no option in the Admin tab. If possible, can anyone share a link to the option? Thanks.

Re: The new Vicibox 8.1 integrated firewall

PostPosted: Wed Jan 23, 2019 2:00 pm
by dspaan
You have to go to System settings and enable IP lists first, and also in your personal account give yourself permission to edit IP lists.

Re: The new Vicibox 8.1 integrated firewall

PostPosted: Wed Jan 23, 2019 2:16 pm
by williamconley
rajivtech22 wrote: There is no option in the Admin tab. If possible, can anyone share a link to the option? Thanks.

Which installer did you use? Which Version of Vicidial are you using? If your install is old, this option won't be available until you upgrade. Also some of the firewall features are in the installer.

Re: The new Vicibox 8.1 integrated firewall

PostPosted: Wed Jan 23, 2019 2:20 pm
by rajivtech22
I am using ViciBox_v8_1.x86_64-8.1.2.iso.

SVN Version: 3059

Re: The new Vicibox 8.1 integrated firewall

PostPosted: Wed Jan 23, 2019 2:28 pm
by williamconley
rajivtech22 wrote: I am using ViciBox_v8_1.x86_64-8.1.2.iso.

SVN Version: 3059

Vicidial Version with Build (the single most important piece of information about your install). Always include that with each post/question. Put it in your signature so you can't forget it if you need to.

Re: The new Vicibox 8.1 integrated firewall

PostPosted: Wed Jan 23, 2019 2:35 pm
by rajivtech22
Sorry for the partial info. Here is the full info:

Vicibox 8.1.2 from .iso | VERSION: 2.14-695a BUILD: 181116-1133

I have found how to enable IP Lists from system settings. Thanks.

Re: The new Vicibox 8.1 integrated firewall

PostPosted: Wed Jan 23, 2019 2:47 pm
by williamconley
Excellent postback. And you worked it out for yourself. Cool. 8-)

Re: The new Vicibox 8.1 integrated firewall

PostPosted: Thu Jan 31, 2019 7:36 am
by sadikhov
How to add subnets permanently in the WHITELISTNETS?

Re: The new Vicibox 8.1 integrated firewall

PostPosted: Sun Mar 10, 2019 4:09 pm
by dspaan
So far I've been successfully using the VB firewall on my single-server vicibox express installs. But now I'm working on a cluster and I'm wondering what the configuration steps are in this case? I'm using the vicifull option that opens up the SIP and web ports.

The first thing I noticed was that I had to open up ports 443/80 on my web server in the cluster, otherwise I could not connect even though my IP is in the ViciWhite list.

Re: The new Vicibox 8.1 integrated firewall

PostPosted: Wed Jul 31, 2019 6:10 pm
by davesdatasystems
OK, I think I am a moron.

Trying to use the vicidial firewall.

In simple terms, could someone tell me how to use the white list? I went through the thread and did not find an answer. I want to do an all-out block other than the stuff that is on my IP list.

I have turned it on, I have activated the white list, but the issue is, it is not blocking anything, and I can't seem to even keep it "enabled".

Even when it shows enabled, it's not even blocking SIP traffic. I know I am missing something simple, but I am missing it.

Thanks

Re: The new Vicibox 8.1 integrated firewall

PostPosted: Wed Jul 31, 2019 6:30 pm
by williamconley
when you are "whitelisted", you are not "blocking sip traffic". You are blocking EVERYTHING unless it's been specifically authorized. Most firewall systems are (?? WTF?) set up to "allow everything" and then block certain items. So the first thing you have to do is remove any "allow everything" entries that exist and change all the defaults to "drop".

In the case of the Vicidial system, I think there are some entries in yast firewall "allowing" sip, http, ssh. Probably in the "advanced" section (bottom right corner) of "Allowed Services". If there is a list of open ports there, obviously that contradicts the "whitelist only" concept and those have to be removed before whitelisting can work.

But this is unique to OpenSuSE/yast. Every freakin' system is different. lol

Re: The new Vicibox 8.1 integrated firewall

PostPosted: Wed Jul 31, 2019 7:14 pm
by davesdatasystems
Thanks William for the detailed answer, that helps a lot.

My only other concern is how to keep the whitelist enabled on restarts. I noticed that after I restart, it defaulted back to disabled.