We will be hosting freepbx locally and have some remote clients that will need to connect without VPN.
What’s the best way to secure our instance? I know about fail2ban, changing the default 5060 port, and whitelisting. Is there anything else I should worry about? We currently use VPN but would like to experiment without. We don’t plan on exposing anything except phone registration, everything else will be behind VPN. Thanks!
The other thing to consider is to see if forcing static IPs for the remote endpoints is an option. At that point you can filter inbound traffic just to the set of IPs that you know of/about as well.
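To make the fail2ban-plus-whitelist idea from the two posts above concrete, here is an added example (not FreePBX or Asterisk code, and not something either poster supplied) that reads security-log lines, counts authentication failures per remote address, and separates sources that belong to the known remote sites from everything else. The log lines are constructed to resemble the `key="value"` shape of Asterisk's security log, the PBX address 192.0.2.10 and the allowlisted site ranges are hypothetical, and the event names are the ones Asterisk's security events framework uses.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log, modelled on Asterisk's security log format.
# All addresses are from documentation ranges; 192.0.2.10 stands in for the PBX.
SAMPLE_LOG = """\
[2024-05-01 10:00:01] SECURITY[2100] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="2024-05-01T10:00:01.000+0000",Severity="Error",Service="PJSIP",EventVersion="1",AccountID="1001",SessionID="0x1",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/203.0.113.5/5060"
[2024-05-01 10:00:02] SECURITY[2100] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="2024-05-01T10:00:02.000+0000",Severity="Error",Service="PJSIP",EventVersion="1",AccountID="1002",SessionID="0x2",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/203.0.113.5/5060"
[2024-05-01 10:00:03] SECURITY[2100] res_security_log.c: SecurityEvent="InvalidAccountID",EventTV="2024-05-01T10:00:03.000+0000",Severity="Error",Service="PJSIP",EventVersion="1",AccountID="admin",SessionID="0x3",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/203.0.113.5/5060"
[2024-05-01 10:00:04] SECURITY[2100] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="2024-05-01T10:00:04.000+0000",Severity="Error",Service="PJSIP",EventVersion="1",AccountID="100",SessionID="0x4",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/203.0.113.5/5060"
[2024-05-01 10:00:05] SECURITY[2100] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="2024-05-01T10:00:05.000+0000",Severity="Error",Service="PJSIP",EventVersion="1",AccountID="1003",SessionID="0x5",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/198.51.100.20/5060"
[2024-05-01 10:00:06] SECURITY[2100] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="2024-05-01T10:00:06.000+0000",Severity="Error",Service="PJSIP",EventVersion="1",AccountID="1003",SessionID="0x6",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/198.51.100.20/5060"
[2024-05-01 10:00:07] SECURITY[2100] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="2024-05-01T10:00:07.000+0000",Severity="Error",Service="PJSIP",EventVersion="1",AccountID="1003",SessionID="0x7",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/198.51.100.20/5060"
[2024-05-01 10:00:08] SECURITY[2100] res_security_log.c: SecurityEvent="InvalidAccountID",EventTV="2024-05-01T10:00:08.000+0000",Severity="Error",Service="PJSIP",EventVersion="1",AccountID="9999",SessionID="0x8",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/203.0.113.9/5060"
[2024-05-01 10:00:09] SECURITY[2100] res_security_log.c: SecurityEvent="SuccessfulAuth",EventTV="2024-05-01T10:00:09.000+0000",Severity="Informational",Service="PJSIP",EventVersion="1",AccountID="1003",SessionID="0x9",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/198.51.100.20/5060"
[2024-05-01 10:00:10] VERBOSE[2100] pbx.c: Executing [s@from-internal:1] NoOp("PJSIP/1003-00000001", "") in new stack
"""

# Hypothetical static ranges of the known remote sites (the "whitelist").
ALLOWLIST = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "192.0.2.0/24")]

# Security events that indicate a failed attempt to authenticate or to reach an account.
FAILURE_EVENTS = {"InvalidPassword", "InvalidAccountID", "ChallengeResponseFailed", "FailedACL"}

KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_event(line):
    """Return {event, ip, account} for a security-log line, or None for any other line."""
    fields = dict(KV_RE.findall(line))
    if "SecurityEvent" not in fields:
        return None
    # RemoteAddress looks like IPV4/UDP/203.0.113.5/5060 -> address family, transport, ip, port
    parts = fields.get("RemoteAddress", "").split("/")
    ip = parts[2] if len(parts) == 4 else None
    return {"event": fields["SecurityEvent"], "ip": ip, "account": fields.get("AccountID")}


def is_allowlisted(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in ALLOWLIST)


def summarize(log_text, threshold=3):
    """Count failures per remote IP; split sources over the threshold into ban vs review."""
    failures = Counter()
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None or ev["event"] not in FAILURE_EVENTS or not ev["ip"]:
            continue
        failures[ev["ip"]] += 1
    ban, review = [], []
    for ip, count in failures.items():
        if count < threshold:
            continue
        # A known site failing repeatedly is a misconfigured phone or stale secret, not a bot:
        # flag it for a human rather than locking the site out.
        (review if is_allowlisted(ip) else ban).append(ip)
    return {"ban": sorted(ban), "review": sorted(review), "counts": dict(failures)}


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

The split into "ban" and "review" is the point of combining the two ideas: once inbound SIP is limited to the static ranges of the remote sites, a burst of failures from inside those ranges is a support ticket, while anything outside them never needed to reach the PBX in the first place.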
So you’re talking about public-facing Asterisk, not FreePBX, which is a much safer proposition. Changing port numbers isn’t going to do anything except save your log files from being inundated by the bots. Geographic rules on your firewall are the best bet for blocking them. With proper secrets on all your extensions they won’t be able to do any damage.
In this day and age you should be using TLS on port 5061 though.
I think you should re-think the desire to not use VPN. You can set up the free Untangle firewall on a PC with 2 NICs and have a beautiful, easy-to-use GUI wrapper around OpenVPN, and they have excellent free community clients for this.
If you are already using VPN you have already gone through the user training aspect and the users have already got all the carping out of their system about it. Dropping VPN requirements is taking a step backwards on the security aspect.
I concur with @Stewart1, only accept registrations and invites from devices using a domain name, but don’t use the same domain name as any of your public-facing services, as they might have previously leaked said domain name.
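The "only accept requests addressed to our dedicated domain name" policy from the post above, shown as an added example that is neither FreePBX nor Asterisk code (in Asterisk the equivalent is done in the PJSIP configuration; this is a standalone illustration of the decision). The domain `pbx-voice.example.net` and the three SIP messages are constructed for the example.

```python
import ipaddress
import re

# Hypothetical SIP domain used only for phone registration, separate from any web domain.
EXPECTED_DOMAIN = "pbx-voice.example.net"

# Matches sip:host, sip:user@host, sips:..., with optional <...> and trailing :port or ;params.
# Hostnames and IPv4 literals only; bracketed IPv6 literals are out of scope here.
SIP_URI_RE = re.compile(r"<?(sips?):(?:[^@>\s]+@)?([^:;>\s]+)", re.IGNORECASE)

# Constructed messages: a legitimate phone, a scanner aimed at the bare IP,
# and a call request addressed to a previously public (leaked) domain.
GOOD_REGISTER = (
    "REGISTER sip:pbx-voice.example.net SIP/2.0\r\n"
    "Via: SIP/2.0/TLS 198.51.100.20:5061;branch=z9hG4bK-1\r\n"
    "To: <sip:1001@pbx-voice.example.net>\r\n"
    "From: <sip:1001@pbx-voice.example.net>;tag=a1\r\n"
    "Call-ID: c1@198.51.100.20\r\nCSeq: 1 REGISTER\r\n"
    "Contact: <sip:1001@198.51.100.20:5061;transport=tls>\r\n"
    "Content-Length: 0\r\n\r\n"
)
SCAN_REGISTER = (
    "REGISTER sip:203.0.113.1 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 203.0.113.77:5060;branch=z9hG4bK-2\r\n"
    "To: <sip:100@203.0.113.1>\r\nFrom: <sip:100@203.0.113.1>;tag=b2\r\n"
    "Call-ID: c2@203.0.113.77\r\nCSeq: 1 REGISTER\r\nContent-Length: 0\r\n\r\n"
)
LEAKED_DOMAIN_INVITE = (
    "INVITE sip:0011234567@www.example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 203.0.113.78:5060;branch=z9hG4bK-3\r\n"
    "To: <sip:0011234567@www.example.com>\r\n"
    "From: \"Caller\" <sip:caller@www.example.com>;tag=c3\r\n"
    "Call-ID: c3@203.0.113.78\r\nCSeq: 1 INVITE\r\nContent-Length: 0\r\n\r\n"
)


def uri_host(text):
    """Extract the lower-cased host part of the first SIP URI in a header or request line."""
    m = SIP_URI_RE.search(text)
    return m.group(2).lower() if m else None


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def parse_request(raw):
    """Split a SIP request into method, Request-URI and a lower-cased header map."""
    lines = raw.replace("\r\n", "\n").split("\n")
    request_line = lines[0].split()
    if len(request_line) != 3 or request_line[2] != "SIP/2.0":
        return None
    headers = {}
    for line in lines[1:]:
        if not line:          # blank line ends the header section
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": request_line[0], "uri": request_line[1], "headers": headers}


def should_accept(raw, expected_domain=EXPECTED_DOMAIN):
    """Accept only requests whose Request-URI and To header name the dedicated SIP domain."""
    req = parse_request(raw)
    if req is None:
        return (False, "malformed request line")
    hosts = {uri_host(req["uri"])}
    if "to" in req["headers"]:
        hosts.add(uri_host(req["headers"]["to"]))
    if None in hosts:
        return (False, "unparseable URI")
    for host in sorted(hosts):
        if is_ip_literal(host):
            return (False, f"addressed to IP literal {host}")
        if host != expected_domain.lower():
            return (False, f"unexpected domain {host}")
    return (True, "domain matches")


if __name__ == "__main__":
    for name, msg in [("phone", GOOD_REGISTER), ("scanner", SCAN_REGISTER), ("leaked", LEAKED_DOMAIN_INVITE)]:
        print(name, should_accept(msg))
```

Both the Request-URI and the To header are checked because scanners commonly fill one with the address they connected to; requiring a name that exists nowhere else in your DNS, as the post recommends, is what makes the check filter out traffic that merely guessed the IP.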