Friday, April 22, 2016

CSF firewall installation and configuration for VOIP/PBX systems-Part 1

During installation of any PBX/VOIP systems, security is one of the first thing you should consider in mind as compromising the system may bring greater loss especially interms of Money. There are different ways of securing voip/pbx systems but this how to is going to explain how to lock it down completely by blocking all standard ports not accessible from the Internet and being only accessible via the specified subnet while allowing only specified ports to allow users being able to call and receive the calls.
This howto's is divided into two main parts, part 1 (involves firewall installation) and part 2 will concentrate on configuration of your firewall to meet your needs,below are steps.

a. Webmin installation
b. Csf Installation
c. Firewall configuration

a. Webmin Installation
Webmin is a web-based graphical tool for unix . It is used to manage services like User management, Disk managemet, Network, Iptables ( Firewall ), Cron, Apache, DNS, File sharing and much more.Webmin is a web hosting control panel like cpanel which provides easy to use interface for managing Unix like systems.

i. Install required packages first.
# yum -y install perl perl-Net-SSLeay openssl perl-IO-Tty

ii. Install Webmin.

Make sure to check for the latest version here (http://www.webmin.com/download.html). As the time of writting of this document the latest version is 1.791.
# yum -y install http://prdownloads.sourceforge.net/webadmin/webmin-1.791-1.noarch.rpm


The installation will be done automatically to the directory /usr/libexec/webmin, the administration username set to root and the password to your current root password. You should now be able to login to Webmin at the URL http://localhost:10000/. Or if accessing it remotely, replace localhost with your system's IP address.




More tweaks:
-Starting and restarting the service use:
# /etc/init.d/webmin start
# /etc/init.d/webmin stop
# /etc/init.d/webmin restart
# /etc/init.d/webmin status
-Changing webmin root password

In order to change webmin root account password use following command. ( Note: It will not change your systems root password )

-Change webmin default port
If you do not want to run webmin with default port, use below steps to change the default port.

Login Webmin as root >> Webmin >> Webmin Configuration >> Ports and Addresses… you can change port there.


b. Csf Installation

CSF(Config Server Firewall) is generally considered a more advanced firewall as there are more configuration options compared to other firewalls, while still being simple enough to install and configure that even novice administrators can use it.An alternative firewall to CSF is the Advanced Policy Firewall or APF.
Installing CSF should be as simple as downloading the source file to your server and installing it, follow the following steps to install it.

i. Migrate to src directory and remove any existed csf file.
# cd /usr/src
# rm -fv csf.tgz
ii. Download the firewall and extract the downloaded file
# wget https://download.configserver.com/csf.tgz
# tar -xzf csf.tgz
iii. Change to csf directory and run installation script
# cd csf
# sh install.sh
iv.Test whether you have the required iptables modules:
# perl /usr/local/csf/bin/csftest.pl
Don't worry if you cannot run all the features, so long as the script doesn't
report any FATAL errors

v. Remove old CSF/APF firewalls

You should not run any other iptables firewall configuration script. For
example, if you previously used APF+BFD you can remove the combination (which
you will need to do if you have them installed otherwise they will conflict):
# sh /usr/local/csf/bin/remove_apf_bfd.sh
vi. Integrating CSF with webmin

Inorder to manage csf firewall on web browser via webmin you're required to Integrate it to webmin.
Install the csf webmin module in:
  Webmin > Webmin Configuration > Webmin Modules >
  From local file > /usr/local/csf/csfwebmin.tgz > Install Module

To access CSF configuration file via Webmin go to System System > Security & Firewall



vii. Uninstallation CSF firewall

Removing csf and lfd is even more simple:
# cd /etc/csf
# sh uninstall.sh
viii. Removing Warning

In case you get this warning below:

*WARNING* URLGET set to use LWP but perl module is not installed, reverting to HTTP::Tiny

When accessing CSF firewall via Webmin, install perl module using command below.
# yum install perl-libwww-perl
That's it, check out part 2 for voip firewall configuration.