6 changes: 5 additions & 1 deletion freebsd/install.sh
Expand Up @@ -28,9 +28,13 @@ if [ .$portsnap_enabled = .'true' ]; then
fi

#PF - Packet Filter
if [ .$firewall_enabled = .'true' ]; then
if [ .$firewall_enabled = .'pf' ]; then
resources/pf.sh
fi
#IPFW - Kernel Firewall
if [ .$firewall_enabled = .'ipfw' ]; then
resources/ipfw.sh
fi

#sngrep
if [ .$sngrep_enabled = .'true' ]; then
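Review bot: A `firewall_enabled` value other than `pf` or `ipfw` (a typo included) now falls through both `if` blocks silently, so the host finishes the install with no firewall configured, and fail2ban.sh's `cp fail2ban/jail.local.$firewall_enabled` then has nothing to copy. I would add an explicit check after the IPFW block that reports the unexpected value, with `false` (the value config.sh now documents) being the only one that legitimately skips both scripts; see the fence below. The new test also leaves `$firewall_enabled` unquoted, unlike the `."$database_version"` form postgresql.sh uses in this same commit, so `[ ."$firewall_enabled" = .'ipfw' ]` keeps the two consistent. The script continues outside the hunk.
```shell
#IPFW - Kernel Firewall
if [ ."$firewall_enabled" = .'ipfw' ]; then
	resources/ipfw.sh
fi
#no firewall script selected: only an explicit false is expected here
if [ ."$firewall_enabled" != .'pf' ] && [ ."$firewall_enabled" != .'ipfw' ]; then
	if [ ."$firewall_enabled" != .'false' ]; then
		echo "firewall_enabled=$firewall_enabled is not pf, ipfw or false; no firewall was configured" >&2
	fi
fi
# … unchanged: sngrep block …
```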
6 changes: 3 additions & 3 deletions freebsd/resources/config.sh
Expand Up @@ -3,7 +3,7 @@
domain_name=hostname # hostname, ip_address or a custom value
system_username=admin # default username admin
system_password=random # random or as a pre-set value
system_branch=5.3 # master, 5.3
system_branch=5.4 # master, 5.3

# FreeSWITCH Settings
switch_enabled=true # true or false
Expand All @@ -16,13 +16,13 @@ database_name=fusionpbx # Database name (safe characters A-Z, a-z, 0-9)
database_username=fusionpbx # Database username (safe characters A-Z, a-z, 0-9)
database_password=random # random or a custom value (safe characters A-Z, a-z, 0-9)
database_enabled=true # true or false
database_version=15 # Postgres 16, 15, 14, 13, 12
database_version=17 # Postgres 16, 15, 14, 13, 12
database_host=127.0.0.1 # hostname or IP address
database_port=5432 # port number
database_backup=false # true or false

# Firewall Settings
firewall_enabled=true # true or false
firewall_enabled=ipfw # ipfw, pf, or false

# General Settings
interface_name=auto # auto, em0, igb0, vtnet0, or other valid names
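Review bot: The comments on the changed lines were not updated with the values: `system_branch=5.4 # master, 5.3` no longer lists the value it is set to, and `database_version=17 # Postgres 16, 15, 14, 13, 12` omits 17 even though postgresql.sh in this commit adds a 17 branch. Suggested: `system_branch=5.4 # master, 5.4, 5.3` and `database_version=17 # Postgres 17, 16, 15, 14, 13, 12`. Because this file is sourced as shell by the resource scripts, these comments are the only place the accepted values are documented, so keeping them accurate matters more than usual.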
4 changes: 2 additions & 2 deletions freebsd/resources/fail2ban.sh
Expand Up @@ -11,7 +11,7 @@ cd "$(dirname "$0")"
verbose "Installing Fail2ban"

#add the dependencies
pkg install --yes py39-fail2ban
pkg install --yes py311-fail2ban

#enable fail2ban service
echo 'fail2ban_enable="YES"' >> /etc/rc.conf
Expand All @@ -24,7 +24,7 @@ cp fail2ban/freeswitch.conf /usr/local/etc/fail2ban/filter.d/freeswitch.conf
cp fail2ban/fusionpbx.conf /usr/local/etc/fail2ban/filter.d/fusionpbx.conf
cp fail2ban/nginx-404.conf /usr/local/etc/fail2ban/filter.d/nginx-404.conf
cp fail2ban/nginx-dos.conf /usr/local/etc/fail2ban/filter.d/nginx-dos.conf
cp fail2ban/jail.local /usr/local/etc/fail2ban/jail.local
cp fail2ban/jail.local.$firewall_enabled /usr/local/etc/fail2ban/jail.local
cp fail2ban/sip-auth-challenge-ip.conf /usr/local/etc/fail2ban/filter.d/sip-auth-challenge-ip.conf
cp fail2ban/sip-auth-challenge.conf /usr/local/etc/fail2ban/filter.d/sip-auth-challenge.conf

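Review bot: The new `cp fail2ban/jail.local.$firewall_enabled /usr/local/etc/fail2ban/jail.local` fails whenever `firewall_enabled` is `false` (a value config.sh now documents) or anything unexpected, and since nothing checks the exit status the script carries on and enables fail2ban with whatever jail.local happens to be present, or none. I would copy only when the matching file exists and report otherwise; see the fence below. This assumes config.sh is sourced above the hunk as the other resource scripts do, which I cannot see from here. It is also worth a comment at the `fail2ban_enable="YES"` line that with no firewall selected the ban action has no table to populate, so the service runs but protects nothing.
```shell
# … unchanged: other filter copies …
if [ -f "fail2ban/jail.local.$firewall_enabled" ]; then
	cp "fail2ban/jail.local.$firewall_enabled" /usr/local/etc/fail2ban/jail.local
else
	echo "no fail2ban jail config for firewall_enabled=$firewall_enabled" >&2
fi
# … unchanged: sip-auth-challenge filter copies …
```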
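--- a/freebsd/resources/fail2ban/jail.local.ipfw
+++ b/freebsd/resources/fail2ban/jail.local.ipfw
@@ -0,0 +1,97 @@
+[freeswitch]
+enabled = true
+port = 5060:5091
+protocol = all
+filter = freeswitch
+logpath = /var/log/freeswitch/freeswitch.log
+#logpath = /usr/local/freeswitch/log/freeswitch.log
+maxretry = 5
+findtime = 600
+action = bsd-ipfw[table=1]
+bantime = 3600
+# sendmail-whois[name=FreeSwitch, dest=root, sender=fail2ban@example.org] #no smtp server installed
+
+[freeswitch-ip]
+enabled = false
+port = 5060:5091
+protocol = all
+filter = freeswitch-ip
+logpath = /var/log/freeswitch/freeswitch.log
+#logpath = /usr/local/freeswitch/log/freeswitch.log
+maxretry = 1
+findtime = 30
+action = bsd-ipfw[table=1]
+bantime = 86400
+
+[sip-auth-challenge-ip]
+enabled = false
+port = 5060:5091
+protocol = all
+filter = sip-auth-challenge-ip
+logpath = /var/log/freeswitch/freeswitch.log
+#logpath = /usr/local/freeswitch/log/freeswitch.log
+maxretry = 1
+findtime = 30
+action = bsd-ipfw[table=1]
+bantime = 86400
+
+[sip-auth-challenge]
+enabled = true
+port = 5060:5091
+protocol = all
+filter = sip-auth-challenge
+logpath = /var/log/freeswitch/freeswitch.log
+#logpath = /usr/local/freeswitch/log/freeswitch.log
+maxretry = 50
+findtime = 30
+action = bsd-ipfw[table=1]
+bantime = 7200
+
+[freeswitch-404]
+enabled = false
+port = 5060:5091
+protocol = all
+filter = freeswitch-404
+logpath = /var/log/freeswitch/freeswitch.log
+#logpath = /usr/local/freeswitch/log/freeswitch.log
+maxretry = 3
+findtime = 300
+action = bsd-ipfw[table=1]
+bantime = 86400
+
+[fusionpbx]
+enabled = true
+port = 80,443
+protocol = tcp
+filter = fusionpbx
+logpath = /var/log/auth.log
+# sendmail-whois[name=fusionpbx, dest=root, sender=fail2ban@example.org] #no smtp server installed
+maxretry = 10
+findtime = 600
+action = bsd-ipfw[table=1]
+bantime = 3600
+
+[nginx-404]
+enabled = true
+port = 80,443
+protocol = tcp
+filter = nginx-404
+logpath = /var/log/nginx/access*.log
+findtime = 60
+maxretry = 120
+action = bsd-ipfw[table=1]
+bantime = 3600
+
+[nginx-dos]
+# Based on apache-badbots but a simple IP check (any IP requesting more than
+# 300 pages in 60 seconds, or 5p/s average, is suspicious)
+# Block for two full days.
+enabled = false
+port = 80,443
+protocol = tcp
+filter = nginx-dos
+logpath = /var/log/nginx/access*.log
+findtime = 60
+maxretry = 300
+action = bsd-ipfw[table=1]
+bantime = 86400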
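Review bot: Every jail's `action = bsd-ipfw[table=1]` depends on the rule in ipfw/ipfw.rules that denies table 1 (`ipfw add 020 deny ip from table\(1\) to any`), and nothing in this file records that coupling, so renumbering the table on either side would silently stop bans from having any effect. A header comment such as `# bans are added to ipfw table 1; ipfw/ipfw.rules denies that table at rule 020 - keep the two in sync` would make it visible. As far as I recall the bsd-ipfw action only adds the address to the table, in which case the per-jail `port`/`protocol` values are informational here rather than narrowing the ban; confirm against the installed bsd-ipfw.conf and say so in the same header if that holds.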
6 changes: 3 additions & 3 deletions freebsd/resources/finish.sh
Expand Up @@ -68,7 +68,7 @@ if [ .$nginx_enabled = .'true' ]; then

#update application defaults
if [ .$nginx_enabled = .'true' ]; then
cd /usr/local/www/fusionpbx && /usr/bin/php /var/www/fusionpbx/core/upgrade/upgrade.php --defaults
cd /usr/local/www/fusionpbx && /usr/local/bin/php /usr/local/www/fusionpbx/core/upgrade/upgrade.php --defaults
fi

#add the user
Expand Down Expand Up @@ -97,11 +97,11 @@ if [ .$nginx_enabled = .'true' ]; then

#update application defaults
if [ .$nginx_enabled = .'true' ]; then
cd /usr/local/www/fusionpbx && /usr/bin/php /var/www/fusionpbx/core/upgrade/upgrade.php --defaults
cd /usr/local/www/fusionpbx && /usr/local/bin/php /usr/local/www/fusionpbx/core/upgrade/upgrade.php --defaults
fi

#update permissions
#cd /var/www/fusionpbx && /usr/bin/php /var/www/fusionpbx/core/upgrade/upgrade.php --permissions
#cd /usr/local/www/fusionpbx && /usr/local/bin/php /usr/local/www/fusionpbx/core/upgrade/upgrade.php --permissions

#reset the current working directory
cd $cwd
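Review bot: The corrected `cd /usr/local/www/fusionpbx && /usr/local/bin/php /usr/local/www/fusionpbx/core/upgrade/upgrade.php --defaults` line (same in both hunks) still ignores failure: a missing directory or a php exit status other than zero leaves the defaults unapplied while the installer continues and reports nothing. Appending `|| echo "upgrade.php --defaults failed" >&2` in both places would at least surface it. The line appears verbatim under the same `nginx_enabled` condition in both hunks; if running it twice is intentional, a comment saying why would help the next reader. Both enclosing blocks extend outside the hunks.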
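--- a/freebsd/resources/ipfw.sh
+++ b/freebsd/resources/ipfw.sh
@@ -0,0 +1,22 @@
+#!/bin/sh
+
+#move to script directory so all relative paths work
+cd "$(dirname "$0")"
+
+. ./config.sh
+. ./colors.sh
+
+#send a message
+verbose "Configuring IPFW"
+
+#enable the service
+echo 'firewall_enable="YES"' >> /etc/rc.conf
+echo 'firewall_script="/etc/ipfw.rules"' >> /etc/rc.conf
+echo 'firewall_logging="YES"' >> /etc/rc.conf
+
+echo 'net.inet.ip.fw.one_pass=0' >> /etc/sysctl.conf
+
+#copy the pf config file
+cp ipfw/ipfw.rules /etc/ipfw.rules
+
+service ipfw start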
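Review bot: The three `echo … >> /etc/rc.conf` lines and the sysctl.conf append are not idempotent, so every re-run of the installer adds duplicate entries; FreeBSD's `sysrc firewall_enable=YES firewall_script=/etc/ipfw.rules firewall_logging=YES` sets the same knobs in place. `echo 'net.inet.ip.fw.one_pass=0' >> /etc/sysctl.conf` only takes effect at the next boot, so a `sysctl net.inet.ip.fw.one_pass=0` is needed for the running kernel before `service ipfw start` if the setting is meant to apply now. The comment `#copy the pf config file` above the `cp` was carried over from pf.sh and should read `#copy the ipfw rules file`.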
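--- a/freebsd/resources/ipfw/ipfw.rules
+++ b/freebsd/resources/ipfw/ipfw.rules
@@ -0,0 +1,29 @@
+ipfw -f flush
+
+# reassemble traffice
+ipfw add 001 reass all from any to any
+
+# allow traffic on loopback
+ipfw add 010 allow ip from any to any via lo0
+
+# fail2ban
+ipfw add 020 deny ip from table\(1\) to any
+
+ipfw add 100 check-state
+
+# allow outbound
+ipfw add 110 allow ip from me to any keep-state
+
+# allow icmp
+ipfw add 120 allow icmp from any to any keep-state
+ipfw add 121 allow ipv6-icmp from any to any keep-state
+
+# allow ports
+ipfw add 150 allow tcp from any to me 80 keep-state
+ipfw add 151 allow tcp from any to me 443 keep-state
+ipfw add 152 allow tcp from any to me 7443 keep-state
+ipfw add 153 allow tcp from any to me 5060-5091 keep-state
+ipfw add 154 allow udp from any to me 5060-5091 keep-state
+ipfw add 154 allow udp from any to me 16384-32768 keep-state
+
+ipfw add 500 deny all from any to any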
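Review bot: Nothing in this ruleset admits inbound tcp/22, so once ipfw.sh runs `service ipfw start` (the file begins with `ipfw -f flush` and ends with `deny all` at 500) an administrator installing over SSH is cut off, unless a rule I cannot see elsewhere covers it; an explicit `ipfw add 160 allow tcp from any to me 22 keep-state`, narrowed to a management source where one is known, belongs before the final deny. Rule number 154 is used twice (`udp … 5060-5091` and `udp … 16384-32768`); ipfw accepts that, but the second should be 155 so later edits can be inserted in order. The final `ipfw add 500 deny all from any to any` has no `log` keyword, so the `firewall_logging="YES"` that ipfw.sh sets records nothing; `ipfw add 500 deny log all from any to any` gives the drops a trail for detection. The comment `# reassemble traffice` has a typo.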
7 changes: 7 additions & 0 deletions freebsd/resources/postgresql.sh
Expand Up @@ -24,6 +24,10 @@ password=$(cat /dev/random | env LC_CTYPE=C tr -dc a-zA-Z0-9 | head -c 20)
echo "Install PostgreSQL and create the database and users\n"

#postgres install
if [ ."$database_version" = ."17" ]; then
pkg install --yes postgresql17-server
#cd /usr/ports/databases/postgresql17-server/ && make install clean BATCH=yes
fi
if [ ."$database_version" = ."16" ]; then
echo "IGNORE_DEPENDS=postgresql15-client" >> /usr/local/etc/pkg.conf
pkg install --yes postgresql16-server
Expand Down Expand Up @@ -53,6 +57,9 @@ echo 'postgresql_enable=true' >> /etc/rc.conf
/usr/local/etc/rc.d/postgresql initdb

#start postgresql
if [ ."$database_version" = ."17" ]; then
sudo -u postgres /usr/local/bin/pg_ctl -D /var/db/postgres/data17 start
fi
if [ ."$database_version" = ."16" ]; then
sudo -u postgres /usr/local/bin/pg_ctl -D /var/db/postgres/data16 start
fi
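Review bot: The two added 17 branches (`if [ ."$database_version" = ."17" ]` before the 16 install and again before the 16 `pg_ctl … -D /var/db/postgres/data16 start`) copy the per-version `if` block once more, and the only thing that differs between versions in the visible lines is the version number itself plus the 16 branch's `IGNORE_DEPENDS` entry. A `case "$database_version" in` with one arm per supported version, or interpolating the version (`pkg install --yes "postgresql${database_version}-server"` and `-D "/var/db/postgres/data${database_version}"`) with the 16-specific line kept in its own guard, would collapse both chains. Whether 17 needs an `IGNORE_DEPENDS` line of its own, as 16 has for the 15 client, I cannot tell from here. Both enclosing sequences continue outside the hunks.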