Could someone explain the different whitelists and banlist?


  • Post
    ICTALL
    Participant

    Hi,

    I noticed VitalPBX has 3x whitelists:

    • Admin -> Security -> Firewall -> WhiteList
    • Admin -> Security -> Intrusion Detection -> WhiteList
    • Admin -> Application Access -> WhiteList

    Also you have a ban list at: 

    • Admin -> Security -> Intrusion Detection -> BanList


    Could someone explain when to use which whitelist?
    I can add a dynamic dns to a whitelist, but will it update the IP-address automatically?

    Which of the whitelists adds the IP/host to iptables?

    If you fail the Intrusion Detection, you will be put on the BANLIST.
    Which of the whitelists will keep you from the banlist?

    0
Viewing 11 replies - 1 through 11 (of 11 total)
  • Replies

    Intrusion Detection White List applies to Fail2ban.

    Firewall White List applies to FirewallD and iptables.

    0
    ICTALL
    Participant

    Ok,

    but when do I add IP addresses to the Intrusion Detection White List?

    and when do I add IP addresses to the Firewall White List?

    In general, what is the difference between these white lists?


    0
    • Firewall White List: You may use this white list to allow ports only to certain IP addresses or IP ranges; for example, you may allow port 5060 only to your local IP range. This white list doesn’t prevent you from getting banned by fail2ban (Intrusion Detection).
    • Intrusion Detection White List: This white list prevents you from getting banned, even when you enter a wrong password multiple times in services like SSH, Asterisk, etc. It is advisable to add your local IP range before starting any configuration in order to avoid being banned.


    0
    ICTALL
    Participant

    I have a VitalPBX in Google Cloud. Till now I have been able to access the GUI and extensions from several locations/IP addresses without adding any IP address to the Firewall White List or Intrusion Detection White List.

    So really the “Intrusion Detection WhiteList”, should be the only White List needed, because the “Firewall White List”, am I right?


    0

    You don’t need to add an IP address to Firewall whitelist to have access to the GUI, you only need to do this when you block ports for all IP addresses, but you want to have access from specific IP addresses.

    0
    InTeleSync
    Participant

    I have learned [the hard way] that if you define a Firewall Whitelist, then the behavior will be that ALL connections will be blacklisted with only the Whitelist allowed in. This happens with your first entry into the Firewall Whitelist.

    What’s worse is that if you decide to go and remove all entries from that Firewall Whitelist, essentially taking yourself what you would perceive to be back to the system installation default, then ALL connections will ***continue*** to be blacklisted.

    At that point, particularly if you’re on something like AWS which does not provide a console access, then you’re dorked! The rewrite of iptables from within the VitalPBX GUI needs to accommodate for this type of change accordingly.

    Please fix this VitalPBX.

    As to @ictall’s question, it seems to me that running the Firewall at all on something like GCS/AWS/Azure is not really necessary since there’s a firewall in front of the instance anyways. Of course, with it off then the possibility of dorking yourself becomes less.

    So all this begs the question… If Firewall is Disabled does Intrusion Protection (fail2ban) still work if that is Enabled in the GUI?

    0
    InTeleSync
    Participant

    Please let me reemphasize…. If you put in the first entry into the Firewall Whitelist, from that point forward you are confined to mandatory whitelisting of every single thing that needs to connect. That includes the GUI, SIP endpoints, etc. etc. etc.

    Additionally… You cannot revert back to the default of nothing in the whitelist and allowing connections from everywhere. You’re stuck. As soon as you click “Save” you’re toast.

    Again, please fix this VitalPBX.

    0

    @intelesync

    We made some changes to the firewall structure on VitalPBX v3, which is still under development. 


    0
    InTeleSync
    Participant

    @ing-joserivera26

    Good to hear! More info on this topic… I have disabled the Firewall in lieu of just using Intrusion Detection. When changes to Intrusion Detection are made and saved, then I’ve found that a Firewall save must also be performed (even though the firewall is disabled). Without that all extensions and trunks can’t receive inbound. 

    0

    I would like to clarify about how the whitelist works on the Firewall (Firewall-D) and how it works on the Intrusion detection (Fail2ban).

    Firewall WhiteList: Allows the listed IPs access to any port blocked in the firewall. Suppose you have port 80 blocked and only want it to be accessible from your network; the only thing you need to do is add your network IP to the firewall white list.

    Adding an IP to the firewall whitelist doesn’t prevent you from being banned by fail2ban. Also, this doesn’t mean you need to add each IP from which you want to gain access to the whitelist. If a port is open, it will be accessible from any IP address.

    Intrusion Detection (Fail2ban): This whitelist is to avoid you being banned in case you introduce a wrong password multiple times on different services (SIP, SSH, HTTP). This whitelist to give you access to any blocked port.

    I hope this helps you to understand better how this whitelist works on VitalPBX.

    0
    InTeleSync
    Participant
    Posted by: @ictall

    Hi,

    I noticed VitalPBX has 3x whitelists:

    • Admin -> Security -> Firewall -> WhiteList
    • Admin -> Security -> Intrusion Detection -> WhiteList
    • Admin -> Application Access -> WhiteList

    Also you have a ban list at: 

    • Admin -> Security -> Intrusion Detection -> BanList


    Could someone explain when to use which whitelist?
    I can add a dynamic dns to a whitelist, but will it update the IP-address automatically?

    Which of the whitelists adds the IP/host to iptables?

    If you fail the Intrusion Detection, you will be put on the BANLIST.
    Which of the whitelists will keep you from the banlist?


    First, my issues above turned out to be getting banned at my own public IP address by Fail2Ban (Intrusion Detection). Yowser! So it’s important after first build to include your own public IP in the Intrusion Detection Whitelist. Toss in other IPs such as your office just to be safe.

    To extend the accurate answers already given for clarity and reference …

    Admin -> Security -> Firewall -> Whitelist means Come on in! However, after you’re in you will still be subjected to inspection by Intrusion Detection (Fail2Ban). I think if you’re whitelisting at the firewall, then you probably want to also whitelist at Fail2Ban.

    Admin -> Security -> Intrusion Detection -> Whitelist is the second layer that will inspect individual services such as SIP, HTTP, SSH, etc. after the initial request has made it through the firewall.

    Admin -> Application Access -> Whitelist refers to the locations that want access to the VitalPBX API and/or the Asterisk AMI. ie: Whitelist your web servers or virtual private cloud here.

    I would avoid using dynamic DNS since it can be reverse resolved, such as to localhost, by malicious actors. I wouldn’t think that it would update the IP address automatically, such as altering iptables on the fly. It would resolve on the fly.

    The Firewall Whitelist adds entries to iptables. The Intrusion Detection Whitelist adds entries to Fail2Ban’s ignoreip list in jail.local.

    Yes if you fail Intrusion Detection you will be put in the Banlist for Intrusion Detection. The Intrusion Detection Whitelist will keep you from the Intrusion Detection Banlist. The Firewall Whitelist will NOT necessarily keep you from the Intrusion Detection Banlist.


    0
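    A small check that illustrates the two-layer model described in the replies above: the Firewall whitelist (firewalld/iptables) and the Intrusion Detection whitelist (Fail2Ban's ignoreip in jail.local) are independent, so an address admitted by the firewall can still be banned unless it also appears in ignoreip. This is an added example, not VitalPBX's own code; the jail.local text and the firewall whitelist entries are constructed sample values, and the firewall list format is an assumption.

```python
import ipaddress
import re

# Constructed sample of the ignoreip line Fail2Ban reads from jail.local
# (the Intrusion Detection whitelist). Addresses are made up for this example.
JAIL_LOCAL = """[DEFAULT]
ignoreip = 127.0.0.1/8 203.0.113.10 192.168.10.0/24
bantime = 3600
"""

# Constructed sample of the Firewall whitelist (firewalld/iptables layer).
# Assumed to be a plain list of hosts or CIDR networks.
FIREWALL_WHITELIST = ["203.0.113.10", "198.51.100.0/24"]


def parse_ignoreip(jail_local):
    """Return the networks listed on the ignoreip line(s) of a jail.local text."""
    nets = []
    for line in jail_local.splitlines():
        m = re.match(r"\s*ignoreip\s*=\s*(.*)$", line)
        if m:
            # Fail2Ban accepts space- or comma-separated hosts and CIDR ranges.
            for tok in re.split(r"[\s,]+", m.group(1).strip()):
                if tok:
                    nets.append(ipaddress.ip_network(tok, strict=False))
    return nets


def covered(ip, nets):
    """True if ip falls inside any network in nets."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets if n.version == addr.version)


def whitelist_status(ip, jail_local=JAIL_LOCAL, fw=FIREWALL_WHITELIST):
    """Report which layer covers ip; only the fail2ban layer prevents a ban."""
    fw_nets = [ipaddress.ip_network(e, strict=False) for e in fw]
    in_fw = covered(ip, fw_nets)
    in_f2b = covered(ip, parse_ignoreip(jail_local))
    return {"firewall": in_fw, "fail2ban": in_f2b, "can_be_banned": not in_f2b}


def firewall_only(jail_local=JAIL_LOCAL, fw=FIREWALL_WHITELIST):
    """Firewall whitelist entries not fully exempt from Fail2Ban (the gap to close)."""
    f2b_nets = parse_ignoreip(jail_local)
    gaps = []
    for entry in fw:
        net = ipaddress.ip_network(entry, strict=False)
        if not any(net.subnet_of(n) for n in f2b_nets if n.version == net.version):
            gaps.append(entry)
    return gaps
```

    Running firewall_only() on the sample data lists 198.51.100.0/24, i.e. a range the firewall admits but Fail2Ban can still ban.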