The new Vicibox 8.1 integrated firewall

Support forum for the ViciBox ISO Server Install and ISO LiveCD Demo


Re: The new Vicibox 8.1 integrated firewall

Postby williamconley » Tue Nov 27, 2018 1:55 pm

alexgrad wrote:As the port for the dynamic portal has to be always opened what's the difference to open it on 80/443 or other ports?

Intelligent question!

Answer: Ports 80 & 443 are standard web portals. Script kiddies constantly monitor these ports and collect lists of "available" and share them among groups. You'll notice more and more attempts on more and more known web pages. At first "robots.txt" and the like, but ultimately you'll see attempts to phpMyAdmin "known security risk" pages and ultimately Every Risk (Prior and current) under the sun. And if those attempts meet with Failure or 404 instead of "no response", then you open yourself to being added to yet more attempts. Especially if they find a known login page (sugarCRM? phpMyAdmin?) and fail to log in. Cuz now it's a job for ... Brute Force Scripts! and you end up with a DOS situation due to the brute force attack. Unless they guess a password or find an exploit. Then it's a whole new ballgame.

But on a non-standard port the volume of attack is minuscule at best. There are so many servers out there on the known ports that the non-standards are still being ignored. Plus the Dynamic Good Guys approach didn't expose ANY of the Vicidial or other software: Just a single web page with a special name. Anything else would result in 404. So the only way into the system was to have that link or exploit the 404 page. To date I've not heard of an exploit of the standard 404 page.
Vicidial Installation and Repair, plus Hosting and Colocation
Newest Product: Vicidial Agent Only Beep - Beta
http://www.PoundTeam.com # 352-269-0000 # +44(203) 769-2294
williamconley
 
Posts: 20018
Joined: Wed Oct 31, 2007 4:17 pm
Location: Davenport, FL (By Disney!)

Re: The new Vicibox 8.1 integrated firewall

Postby dspaan » Tue Nov 27, 2018 2:13 pm

Then again, I saw on Matt's Twitter feed that last year 11.000 new Vicidial installs were done (how are those tracked?), and we can assume that a bunch of them are managed by criminals like those fake Microsoft scammers from India. They understand Vicidial to some extent. It would be good to have some kind of alert system in case someone tries to log into the dynamic portal and keeps failing and also an increasing interval lockout system.

PS: Does anyone know when Kumba will be back? He hasn't visited the forum since 13 November. I've sent him a PM last week but no response.
Regards, Dennis

Vicibox 9.0.1
Version: 2.14b0.5
SVN Version: 3199
DB Schema Version: 1588
Build: 200310-1801
dspaan
 
Posts: 1374
Joined: Fri Aug 21, 2009 1:40 pm
Location: The Netherlands

Re: The new Vicibox 8.1 integrated firewall

Postby williamconley » Tue Nov 27, 2018 2:19 pm

dspaan wrote:Then again, I saw on Matt's Twitter feed that last year 11.000 new Vicidial installs were done (how are those tracked?), and we can assume that a bunch of them are managed by criminals like those fake Microsoft scammers from India. They understand Vicidial to some extent. It would be good to have some kind of alert system in case someone tries to log into the dynamic portal and keeps failing and also an increasing interval lockout system.

PS: Does anyone know when Kumba will be back? He hasn't visited the forum since 13 November. I've sent him a PM last week but no response.

1) We have several systems that lock IPs immediately upon fail. Vicidial has methods recently to lock out after failure attempts, but that just adds a delay and then they will (eventually) rotate IPs. Thus the "You must have this link to attempt login" page. If they actually find the page, change the URL to a new 36-char random value and they won't be finding it again unless they have an "inside" in your office. If they have that, you have bigger fish to fry than the login page, though. lol

2) Kumba (and others) log on during slow times at the job. If he's busy this season, he'll be back when he's NOT busy any more. Just like anyone else, a short vacation from the real job can result in a month or two offline here while catching up. The solution to that is to wait it out OR pay for actual service.

Re: The new Vicibox 8.1 integrated firewall

Postby dspaan » Tue Nov 27, 2018 2:30 pm

williamconley wrote:2) Kumba (and others) log on during slow times at the job. If he's busy this season, he'll be back when he's NOT busy any more. Just like anyone else, a short vacation from the real job can result in a month or two offline here while catching up. The solution to that is to wait it out OR pay for actual service.

I thought vicibox development was a one man show development by him that's why i asked. Is he a vicidial employee? For some reason i thought he worked freelance, don't know where i got that from.

williamconley wrote:Vicidial has methods recently to lock out after failure attempts

Which methods are these? I want to set that up.
Regards, Dennis


Re: The new Vicibox 8.1 integrated firewall

Postby williamconley » Tue Nov 27, 2018 2:40 pm

dspaan wrote:
williamconley wrote:Vicidial has methods recently to lock out after failure attempts

Which methods are these? I want to set that up.

Nobody has asked us to delve into this as yet. But we've had a couple clients locked out from "too many attempts". So it's in there somewhere in the latest version. Not sure where it is or when it was added.

Re: The new Vicibox 8.1 integrated firewall

Postby dspaan » Tue Nov 27, 2018 2:57 pm

Ah yes, I know that for the manager login you have a lockout feature. In order to reset you have to press the submit button on the user modify page without changing anything. I was more thinking of a lockout for the dynamic portal for vicibox.
Regards, Dennis


Re: The new Vicibox 8.1 integrated firewall

Postby williamconley » Tue Nov 27, 2018 3:19 pm

dspaan wrote:Ah yes, I know that for the manager login you have a lockout feature. In order to reset you have to press the submit button on the user modify page without changing anything. I was more thinking of a lockout for the dynamic portal for vicibox.

Are you suggesting that the Agent login does not share the lockout feature? Have you tested this?

Re: The new Vicibox 8.1 integrated firewall

Postby dspaan » Tue Nov 27, 2018 4:04 pm

No i don't know that and didn't test. I only know about the manager lockout from experience.
Regards, Dennis


Re: The new Vicibox 8.1 integrated firewall

Postby williamconley » Tue Nov 27, 2018 4:22 pm

Dude! Test it and report back. I'll wait here. 8-)

Re: The new Vicibox 8.1 integrated firewall

Postby dspaan » Wed Nov 28, 2018 10:40 am

I just tried it over 5 times but didn't get locked out. So no mechanism for agent brute force.
Regards, Dennis


Re: The new Vicibox 8.1 integrated firewall

Postby blackbird2306 » Wed Nov 28, 2018 11:53 am

130603-2208 - Added login lockout for 15 minutes after 10 failed logins, and other security fixes

The lockout feature has been there since 2013, but triggers after 10 fails and locks only for 15 minutes, which is quite short.
You can change these hardcoded values in both functions.php files (agc and vicidial directory)
Code:
$LOCK_over = ($STARTtime - 900); # failed login lockout time is 15 minutes(900 seconds)
$LOCK_trigger_attempts = 10;
Vicibox 6.0.2 from Vicibox_v.6.0.x86_64-6.0.2.iso | Vicidial 2.12-560a build: 160617-1427 | Asterisk 1.8.32.3
blackbird2306
 
Posts: 409
Joined: Mon Jun 23, 2014 5:31 pm

Re: The new Vicibox 8.1 integrated firewall

Postby Kumba » Wed Nov 28, 2018 1:09 pm

You can fix the VB-Firewall.pl iptables error message by doing the following:

Code:
sed -i 's+`iptables+`/usr/sbin/iptables+g' /usr/local/bin/VB-firewall.pl

I'll be adding this to the bugfix thread.
Kumba
 
Posts: 939
Joined: Tue Oct 16, 2007 11:44 pm
Location: Florida

Re: The new Vicibox 8.1 integrated firewall

Postby dspaan » Wed Nov 28, 2018 1:21 pm

Kumba wrote:You can fix the VB-Firewall.pl iptables error message by doing the following:

Code:
sed -i 's+`iptables+`/usr/sbin/iptables+g' /usr/local/bin/VB-firewall.pl

I'll be adding this to the bugfix thread.

Thanks!!!
Regards, Dennis


Re: The new Vicibox 8.1 integrated firewall

Postby williamconley » Wed Nov 28, 2018 3:02 pm

blackbird2306 wrote:
130603-2208 - Added login lockout for 15 minutes after 10 failed logins, and other security fixes

The lockout feature has been there since 2013, but triggers after 10 fails and locks only for 15 minutes, which is quite short.
You can change these hardcoded values in both functions.php files (agc and vicidial directory)
Code:
$LOCK_over = ($STARTtime - 900); # failed login lockout time is 15 minutes(900 seconds)
$LOCK_trigger_attempts = 10;

Excellent post. That should be a Settings Container value instead, dontcha think?

Re: The new Vicibox 8.1 integrated firewall

Postby dspaan » Thu Nov 29, 2018 3:21 am

Are you sure the lockout isn't just for admins? I just tried logging in 12 times with a wrong password as agent and no lockout.
Regards, Dennis


Re: The new Vicibox 8.1 integrated firewall

Postby blackbird2306 » Thu Nov 29, 2018 10:27 am

williamconley wrote:Excellent post. That should be a Settings Container value instead, dontcha think?

Thank you :D . Yes that was my first thought too.

dspaan wrote:Are you sure the lockout isn't just for admins? I just tried logging in 12 times with a wrong password as agent and no lockout.

Yes it's for agent and admin login. You are getting this message: "Too many login attempts, try again in 15 minutes".
But it isn't the same as a blocking firewall. The lockout is only for this particular user account. This means you are unable to log in only to this account, e.g. user "2000", but it's possible to go further and try another account like "3000". For example: 10 times fail user 2000, 10 times fail user 3000 and after 15 minutes wait time you can try user 2000 again. It would not be that difficult and much more effective to implement an IP block after these 10 fail attempts, because the IP is logged in the db. But I think Matt was concerned about accidentally blocking all agents of a whole call center with the same IP from login in some cases.
Vicibox 6.0.2 from Vicibox_v.6.0.x86_64-6.0.2.iso | Vicidial 2.12-560a build: 160617-1427 | Asterisk 1.8.32.3
blackbird2306
 
Posts: 409
Joined: Mon Jun 23, 2014 5:31 pm
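
The difference between per-account and per-IP lockout described in the post above, as an added example that is not part of the original posts and is not Vicidial code. `LoginGuard` and `replay_failures` are hypothetical names, the addresses are constructed documentation addresses, the 10-attempt and 900-second values are the ones quoted in the thread, and the doubling lock time is one possible reading of the "increasing interval" idea raised earlier.

```python
import ipaddress
from collections import defaultdict, deque

LOCK_TRIGGER_ATTEMPTS = 10  # $LOCK_trigger_attempts as quoted in the thread
LOCK_SECONDS = 900          # 15-minute lockout as quoted in the thread


class LoginGuard:
    """Hypothetical helper: per-account lockout plus per-IP lockout with an allowlist."""

    def __init__(self, allow_nets=()):
        self.allow_nets = [ipaddress.ip_network(n) for n in allow_nets]
        self.fails_by_user = defaultdict(deque)  # user -> failure timestamps
        self.fails_by_ip = defaultdict(deque)    # ip -> failure timestamps
        self.ip_strikes = defaultdict(int)       # how often an IP has been locked
        self.ip_locked_until = {}

    def _recent(self, stamps, now):
        # Drop failures older than the lockout window, return how many remain.
        while stamps and stamps[0] <= now - LOCK_SECONDS:
            stamps.popleft()
        return len(stamps)

    def is_allowlisted(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.allow_nets)

    def check(self, user, ip, now):
        """Decide before the password is even compared."""
        if self.ip_locked_until.get(ip, 0) > now:
            return "ip_locked"
        if self._recent(self.fails_by_user[user], now) >= LOCK_TRIGGER_ATTEMPTS:
            return "user_locked"
        return "ok"

    def record_failure(self, user, ip, now):
        self.fails_by_user[user].append(now)
        if self.is_allowlisted(ip):
            return  # shared office NAT: only the per-account lockout applies
        stamps = self.fails_by_ip[ip]
        stamps.append(now)
        if self._recent(stamps, now) >= LOCK_TRIGGER_ATTEMPTS:
            self.ip_strikes[ip] += 1
            # Increasing interval: 15 min, 30 min, 60 min, ...
            self.ip_locked_until[ip] = now + LOCK_SECONDS * 2 ** (self.ip_strikes[ip] - 1)
            stamps.clear()


def replay_failures(guard, ip, users, start=0):
    """Replay 10 wrong passwords per account, one per second (constructed data)."""
    outcomes, now = [], start
    for user in users:
        for _ in range(LOCK_TRIGGER_ATTEMPTS):
            status = guard.check(user, ip, now)
            if status == "ok":
                guard.record_failure(user, ip, now)
            outcomes.append(status)
            now += 1
    return outcomes


if __name__ == "__main__":
    accounts = ["2000", "3000", "4000"]
    # Unknown address: locked after the first 10 failures, whatever the account.
    guard = LoginGuard(allow_nets=["192.0.2.0/24"])
    print(replay_failures(guard, "198.51.100.7", accounts).count("ip_locked"))
    # Allowlisted office address: never IP-locked, per-account lockout still applies.
    office = LoginGuard(allow_nets=["192.0.2.0/24"])
    print(replay_failures(office, "192.0.2.50", accounts).count("ok"))
```

For an allowlisted address the guard behaves like the per-account lockout alone, so all 30 attempts across three accounts reach the password check; for any other address the same sequence stops after 10.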

Re: The new Vicibox 8.1 integrated firewall

Postby dspaan » Thu Nov 29, 2018 11:20 am

Yeah an IP block for new IPs would be a better blocking system. Accidentally blocking a local network could be prevented if it were added to the new IP lists setting. By the way I'm not getting that too many login attempts message. What could be causing it not to work?
Regards, Dennis


Re: The new Vicibox 8.1 integrated firewall

Postby blackbird2306 » Thu Nov 29, 2018 12:16 pm

Seems to me like a small bug. You have to select an existing and allowed campaign at login page otherwise there is no block. But there is also a more or less new IP whitelist option, which you can enable in system settings (Allow IP Lists)

Re: The new Vicibox 8.1 integrated firewall

Postby dspaan » Thu Nov 29, 2018 5:32 pm

Yes, i'm using the whitelist in conjunction with the new vicibox firewall.
Regards, Dennis


Re: The new Vicibox 8.1 integrated firewall

Postby dspaan » Mon Dec 03, 2018 2:48 pm

Question: The new white/dynamic options don't open up ports 10000:20000 UDP. Is that correct?

Does this mean i have to keep these open under allowed services in YAST?
Regards, Dennis


Re: The new Vicibox 8.1 integrated firewall

Postby williamconley » Mon Dec 03, 2018 4:44 pm

Those should be auto-authorized under "related" or similar. Have you tested?

Re: The new Vicibox 8.1 integrated firewall

Postby dspaan » Mon Dec 03, 2018 4:49 pm

Yes in my tests i noticed i didn't have RTP and the connection would be dropped after 60 seconds that's how i found out. I had to open them up in yast firewall. It would make sense to me if the white/dynamic process would open these ports too. I can't really say what the security risk is of having those ports open to the public.
Regards, Dennis


Re: The new Vicibox 8.1 integrated firewall

Postby williamconley » Mon Dec 03, 2018 5:16 pm

dspaan wrote:Yes in my tests i noticed i didn't have RTP and the connection would be dropped after 60 seconds that's how i found out. I had to open them up in yast firewall. It would make sense to me if the white/dynamic process would open these ports too. I can't really say what the security risk is of having those ports open to the public.

It's not as bad as other ports, but it tempts the script kiddies to poke and prod randomly and eventually becomes problematic. Certainly viable for testing, but should only be opened to SIP clients.

Re: The new Vicibox 8.1 integrated firewall

Postby alo » Wed Jan 02, 2019 5:23 pm

Is it still recommended to block ping as well here?
alo
 
Posts: 187
Joined: Wed Jun 20, 2012 10:21 am

Re: The new Vicibox 8.1 integrated firewall

Postby williamconley » Thu Jan 03, 2019 3:05 am

Yes. Block literally everything. Anyone NOT on your whitelist should get zero response exactly as if there was no device on that IP address.

Re: The new Vicibox 8.1 integrated firewall

Postby dspaan » Thu Jan 03, 2019 4:20 am

I'm hoping the feature gets added that ports 10000-20000 are also controlled by the VB firewall.
Regards, Dennis


Re: The new Vicibox 8.1 integrated firewall

Postby rajivtech22 » Wed Jan 09, 2019 8:18 pm

How to add IP in whitelist ?
Vicibox v11 from .iso | VERSION: 2.14b0.5 BUILD: 231227-2217 | SVN Version: 3796| Asterisk 16.30.0-vici | Single Server | No Digium/Sangoma Hardware | No Extra Software After Installation | Dell PowerEdge CS24-SC | Intel Xeon E5-2697A / 512 SSD / 64 GB
rajivtech22
 
Posts: 37
Joined: Fri Jul 26, 2013 3:07 pm

Re: The new Vicibox 8.1 integrated firewall

Postby dspaan » Thu Jan 10, 2019 3:33 pm

Go to Admin>IP list and create the ViCiWhite list there.
Regards, Dennis


Re: The new Vicibox 8.1 integrated firewall

Postby rajivtech22 » Wed Jan 23, 2019 1:58 pm

There is no option in Admin tab. if possible can anyone share link to the option. thanks

Re: The new Vicibox 8.1 integrated firewall

Postby dspaan » Wed Jan 23, 2019 2:00 pm

You have to go to System settings and enable IP lists first and also in your personal account give yourself permission to edit IP lists.
Regards, Dennis


Re: The new Vicibox 8.1 integrated firewall

Postby williamconley » Wed Jan 23, 2019 2:16 pm

rajivtech22 wrote:There is no option in Admin tab. if possible can anyone share link to the option. thanks

Which installer did you use? Which Version of Vicidial are you using? If your install is old, this option won't be available until you upgrade. Also some of the firewall features are in the installer.

Re: The new Vicibox 8.1 integrated firewall

Postby rajivtech22 » Wed Jan 23, 2019 2:20 pm

I am using ViciBox_v8_1.x86_64-8.1.2.iso .

SVN Version: 3059

Re: The new Vicibox 8.1 integrated firewall

Postby williamconley » Wed Jan 23, 2019 2:28 pm

rajivtech22 wrote:I am using ViciBox_v8_1.x86_64-8.1.2.iso .

SVN Version: 3059

Vicidial Version with Build (the single most important piece of information about your install). Always include that with each post/question. Put it in your signature so you can't forget it if you need to.

Re: The new Vicibox 8.1 integrated firewall

Postby rajivtech22 » Wed Jan 23, 2019 2:35 pm

Sorry for partial info. here is the full info

Vicibox 8.1.2 from .iso | VERSION: 2.14-695a BUILD: 181116-1133

i have found how to enable IP List from system settings. Thanks

Re: The new Vicibox 8.1 integrated firewall

Postby williamconley » Wed Jan 23, 2019 2:47 pm

Excellent postback. And you worked it out for yourself. Cool. 8-)

Re: The new Vicibox 8.1 integrated firewall

Postby sadikhov » Thu Jan 31, 2019 7:36 am

How to add subnets permanently in the WHITELISTNETS?
sadikhov
 
Posts: 41
Joined: Tue Jan 24, 2012 4:49 am
Location: PHILIPPINES

Re: The new Vicibox 8.1 integrated firewall

Postby dspaan » Sun Mar 10, 2019 4:09 pm

So far I've been successfully using the VB firewall on my single server vicibox express installs. But now I'm working on a cluster and I'm wondering what the configuration steps are in this case? I'm using the vicifull option that opens up the sip and web ports.

First thing i noticed i had to open up port 443/80 on my web server in the cluster otherwise i could not connect even though my IP is in the ViciWhite list.
Regards, Dennis


Re: The new Vicibox 8.1 integrated firewall

Postby davesdatasystems » Wed Jul 31, 2019 6:10 pm

OK, i think i am a moron

trying to use the vicidial firewall.

In simple terms, could someone tell me how to use the white list, I went through the thread and did not find an answer, I want to do an all-out block other than the stuff that is on my IP list.

I have turned it on, I have activated the white list, but the issue is, it is not blocking anything, and I can't seem to even keep it "enabled"

Even when it shows enabled, it's not even blocking SIP traffic, I know I am missing something simple, but I am missing it

thanks
VICIBOX V10 installed via USB
VERSION: 2.14b0.5
BUILD: 220831-0850
Asterisk 13.38.2-vici
SVN: 3641 (at time of this signature edit)
Custom PC
No Extra Software After Installation
davesdatasystems
 
Posts: 132
Joined: Thu Aug 25, 2011 11:39 am

Re: The new Vicibox 8.1 integrated firewall

Postby williamconley » Wed Jul 31, 2019 6:30 pm

When you are "whitelisted", you are not "blocking sip traffic". You are blocking EVERYTHING unless it's been specifically authorized. Most firewall systems are (?? WTF?) set up to "allow everything" and then block certain items. So the first thing you have to do is remove any "allow everything" entries that exist and change all the defaults to "drop".

In the case of the Vicidial system, I think there are some entries in yast firewall "allowing" sip, http, ssh. Probably in the "advanced" section (bottom right corner) of "Allowed Services". If there is a list of open ports there, obviously that contradicts the "whitelist only" concept and those have to be removed before whitelisting can work.

But this is unique to OpenSuSE/yast. Every freakin' system is different. lol
Vicidial Installation and Repair, plus Hosting and Colocation
Newest Product: Vicidial Agent Only Beep - Beta
http://www.PoundTeam.com # 352-269-0000 # +44(203) 769-2294
williamconley
 
Posts: 20018
Joined: Wed Oct 31, 2007 4:17 pm
Location: Davenport, FL (By Disney!)
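
One way to look for the leftover "allow" entries described in the post above, as an added example that is not part of the original posts and is not ViciBox code: it reads `iptables-save` text and lists a non-DROP INPUT policy plus every ACCEPT rule that has no source restriction. The sample ruleset, the ipset name `example_white` and the chain name `example_ext` are constructed; treating every chain except OUTPUT and FORWARD as inbound is an assumption made to cover distribution-generated sub-chains.

```python
import shlex

# Constructed iptables-save output for illustration; "example_white" and
# "example_ext" are made-up names, not what the ViciBox firewall script creates.
SAMPLE_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:example_ext - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m set --match-set example_white src -j ACCEPT
-A INPUT -s 203.0.113.10/32 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j example_ext
-A example_ext -p udp -m udp --dport 5060 -j ACCEPT
-A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
COMMIT
"""


def value_after(tokens, option):
    """Return the token following `option`, or None if it is absent."""
    if option in tokens[:-1]:
        return tokens[tokens.index(option) + 1]
    return None


def source_restricted(tokens):
    """True if the rule only matches a named source (-s or an ipset matched on src)."""
    for i, tok in enumerate(tokens):
        if i > 0 and tokens[i - 1] == "!":
            continue  # negated match means "everyone except", not a whitelist
        if tok in ("-s", "--source") and i + 1 < len(tokens):
            if tokens[i + 1] not in ("0.0.0.0/0", "::/0"):
                return True
        if tok == "--match-set" and i + 2 < len(tokens):
            if "src" in tokens[i + 2].split(","):
                return True
    return False


def harmless_without_source(tokens):
    """Loopback traffic and replies to connections this host already accepted."""
    if value_after(tokens, "-i") == "lo":
        return True
    states = value_after(tokens, "--ctstate") or value_after(tokens, "--state")
    return bool(states) and set(states.split(",")) <= {"RELATED", "ESTABLISHED"}


def audit_inbound_rules(ruleset_text):
    """List everything in the filter table that contradicts whitelist-only."""
    findings, table = [], None
    for line in (raw.strip() for raw in ruleset_text.splitlines()):
        if line.startswith("*"):
            table = line[1:]
        elif table != "filter":
            continue
        elif line.startswith(":INPUT "):
            policy = line.split()[1]
            if policy != "DROP":
                findings.append(f"INPUT default policy is {policy}, expected DROP")
        elif line.startswith("-A "):
            tokens = shlex.split(line)
            chain = tokens[1]
            if chain in ("OUTPUT", "FORWARD") or value_after(tokens, "-j") != "ACCEPT":
                continue
            if not (source_restricted(tokens) or harmless_without_source(tokens)):
                findings.append(f"{chain}: accepts from any source: {line}")
    return findings


if __name__ == "__main__":
    for finding in audit_inbound_rules(SAMPLE_RULES):
        print(finding)
```

On the constructed sample it reports the ACCEPT policy and the open SSH, SIP, RTP and ping rules, and leaves the loopback, established/related, ipset and single-address rules alone.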

Re: The new Vicibox 8.1 integrated firewall

Postby davesdatasystems » Wed Jul 31, 2019 7:14 pm

Thanks William for the detailed answer, that helps a lot.

My only other concern is how to keep the whitelist enabled on restarts. I noticed that after i restart, it defaulted back to disabled.
