Secure FreePBX with Firewall to prevent hacking

I was in the process of setting up a new PBX to move off our current hosted PBX. After having it idle for a few months, and getting back to working with it the past few days, I discovered it was recently hacked with the mgknight everyone has been talking about. After going thru trying to clean it up, I finally ditched the VM and have done a fresh beta install. The PBX is set up on our LAN, behind a pfSense firewall, and I am going to lock this down tight this time. Before I had the RTP and SIP ports allowed thru firewall to anyone, but I am only allowing my remote office IPs thru firewall now, to both SIP and RTP. I am sure I will have to allow traffic on some ports to my SIP trunk provider, but do I have to allow public access to anything, or will all traffic go to my SIP trunk provider? Just looking for the best rules to put in place to prevent having to worry about this again. Thanks

Mike

I’ve been doing this for a couple of years or more, I have helped to fund both Chinese Universities and Palestinians, I regret both . . .

A few suggestions,

Never use beta software unless you are prepared to add risk.
Never run a SIP server on 5060 nor a web server on 80/443, it will be attacked in minutes.
Always add a rootkit analysis tool, it will notify you of things that you need to know about, maybe not immediately but within a day.
Always add a local iptables based firewall, running without one is just plain neglectful.
Never have a mysql root account not protected by a password.
Watch sensitive directory structures like /etc/asterisk and /var/www/html for unrequested changes.

If you follow these suggestions then I am pretty sure you will never see mr. mgknight or his ilk again.

My recipe is

Install the OS (you will need one, I use Debian)
Install rkhunter (without that you fly with your trousers unbelted from that point on)
Install csf/lfd for a secure firewall with LFD adding all sorts of checks including the directory ones I spoke about before, follow the audit script, you will need webmin to do that, don’t let anyone say that is intrinsically a bad thing :slight_smile: (you would be surprised by how necessary that is)
Install fail2ban (0.9+ for best effect, unfortunately not working on redhat based distros yet), if properly configured, it will protect all sorts of services you might be tempted to run including postfix, apache, ssh, webmin etc. etc. etc.
Install a LAMP stack whilst changing the mysql root password to something only you will remember
Install FreePBX, bearing in mind that FreePBX assumes you have no need for a root password, which you now do (go figure that one :slight_smile: )

Of course there is a little RTFM’ing on each step, but I am pretty sure that with little theatricality, you would not have been subject to the latest round of FreePBX/bash penetrations, it’s just pragmatic common sense

To forestall the VPN arguments, no I have not the time nor the inclination to support installing VPN software on everything from my granny’s Win98 to a CEO’s humility impaired idea of how iPhone 8+ should work, apparently nor do you, if the bad guys find you on port “WTF” then you chose a bad one, change it :slight_smile:

p.s. You will ALWAYS have to worry about security, if you don’t you will sooner or later pay big bucks, there is no known solution to that.


Sounds like you have been doing this for a while. Are there any ports that need to be opened up to the world, if all your phones are internal with the PBX server? Does the server connect directly to the destination where a VoIP phone calls, or does all traffic go to the SIP trunk provider? If it only goes to the trunk provider, and all phones are inside, and you do not need any outside access to the server, do you have to open ports to the world?

Yes, as I said, more than a couple of years :wink:

No, specifically NONE from “the world”. Specifically you probably only need ports 123 to/from your chosen ntp server and 5060/tcp/udp as required (if that is what they use; best to just use something else if they support it) to your VSP, also port 53 for DNS resolution; outbound mail needs 25, and inbound ssh for management should be reconfigured securely on any port above 1024. That would probably be a bare minimum; rtp ports should normally be negotiated and allowed as “related” (I await valid addenda from others). Of course add your hopefully now nonstandard http(s) tcp ports so your customer portal works.

There are many examples of reasonable restrictive iptables rules out there in google.

Well, as I had indicated previously the PBX is going to be located internally, so all the required services (ntp, dns, mail) will be accessed locally from inside the firewall. As far as ssh / http management / user portals, those will be accessed internally, or I already have openvpn setup on the firewall, and if someone needs access outside, they will connect via that.

So in all reality, port 5060 or whatever port I need to connect to my trunk is the only port that needs outside world availability, am I correct in reading this? RTP ports are only between phones and pbx from what I understand.

From what I understand from reading about the attacks people have on servers, most of them come in either via an unsecured internet accessible phone, or one of the open SIP / management ports / or user portal pages on the PBX, so if those are eliminated, the threat should be as well?

You will need to allow SIP and RTP into the system from the Internet. Lock SIP down to your provider’s IP address and let RTP in from everywhere. Since you have an OpenVPN server, why not just build a VPN from your remote sites?

Yes, I will be doing VPN from my other sites, and even if it’s not VPN, I can firewall the IPs they come from and allow traffic only from my whitelisted addresses. The part I am unsure about is the outside traffic, which is not my other site or users. So the RTP by default is 10k-20k, and that needs to be accessible from anywhere, is that suggested change range to a custom? Then allow SIP 5060 into server, from my trunk provider, but no one else needs access to that? Been searching but nothing online is very straight on answering minimal required ports and who or what accesses them.

The absolute minimal requirements for SIP are one UDP or TCP port for signalling and two sequential UDP ports (they need to start with an even number) for each concurrent call, the ports used are determined by /etc/asterisk/rtp*.conf hierarchy and the SIP bindport somewhere in your /etc/asterisk/sip*.conf hierarchy.

Firewalls (iptables if you do it locally, you are on your own with a hardware solution :wink:), access can further restrict by host to your SIP bound port only necessary endpoints, including but not necessarily limited to your VSP’s.

I suggested you add 123 and 53 because Linux servers really need accurate time and global name resolution or “bad things can happen”. If you care to add vpn or ssh (hopefully not on 22) then your system will start to be actually controllable from the internet, otherwise you are limited to your intranet/(lan), you can easily access the GUI through either protocol, for ssh just google how to forward internal services or use socat/netcat

I agree with Dick on most of his points, but if you have a decent firewall distro (pfSense, IPFire), there is no need to forward DNS or NTP, as they will provide a DNS proxy and allow NTP through without forwarding a port. Definitely tie SIP, RTP, and anything else you forward through to your host to known trusted hosts only.

True if you trust your firewall, but your iptables rules would still need to allow 123 and 53 in and out to your proxy (the external firewall) to get those services. Be careful to not “split” your firewall responsibilities, only trust what you have total knowledge/control over.
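
The port plan discussed in this thread, as an added example that is not from any poster: a script that sizes the RTP range at two UDP ports per concurrent call and prints (without applying) a default-deny iptables ruleset with SIP limited to the trunk provider and the LAN. All addresses, ports, the call count, the LAN-only management ports and the function names `rtp_range` and `pbx_rules` are assumptions to replace with your own values.

```shell
#!/bin/sh
# Prints (does not apply) a default-deny iptables ruleset for the PBX.
# Every address and port below is a constructed placeholder.
TRUNK_IP="${TRUNK_IP:-203.0.113.10}"      # trunk provider's signalling IP
RESOLVER_IP="${RESOLVER_IP:-192.168.1.1}" # LAN firewall acting as DNS/NTP proxy
LAN_NET="${LAN_NET:-192.168.1.0/24}"      # internal phones and admin hosts
SIP_PORT="${SIP_PORT:-5060}"              # bindport from sip*.conf
RTP_START="${RTP_START:-10000}"           # rtpstart from rtp*.conf
MAX_CALLS="${MAX_CALLS:-10}"              # concurrent calls to provision

# rtp_range START CALLS -> "START:END". Two sequential UDP ports per call;
# START must be even. Returns non-zero on bad input.
rtp_range() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    case "$2" in ''|*[!0-9]*) return 1 ;; esac
    [ "$2" -ge 1 ] || return 1
    [ $(( $1 % 2 )) -eq 0 ] || return 1
    end=$(( $1 + 2 * $2 - 1 ))
    [ "$end" -le 65535 ] || return 1
    echo "$1:$end"
}

# Policies are set last so a remote session is not cut off mid-load.
pbx_rules() {
    range=$(rtp_range "$RTP_START" "$MAX_CALLS") || {
        echo "invalid RTP range: $RTP_START x $MAX_CALLS calls" >&2; return 1; }
    cat <<EOF
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p udp -s $TRUNK_IP --dport $SIP_PORT -j ACCEPT
iptables -A INPUT -p udp -s $LAN_NET --dport $SIP_PORT -j ACCEPT
iptables -A INPUT -p udp --dport $range -j ACCEPT
iptables -A INPUT -p tcp -s $LAN_NET -m multiport --dports 22,443 -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p udp -d $RESOLVER_IP -m multiport --dports 53,123 -j ACCEPT
iptables -A OUTPUT -p udp -d $TRUNK_IP --dport $SIP_PORT -j ACCEPT
iptables -A OUTPUT -p udp -d $LAN_NET -j ACCEPT
iptables -A OUTPUT -p udp --sport $range -j ACCEPT
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
EOF
}

pbx_rules
```

The RTP rule accepts media from any source, as one reply suggests; adding `-s` with the provider's media addresses narrows it to trusted hosts, as another reply recommends.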