Best way to secure public facing FreePBX?

Hello,

We will be hosting FreePBX locally and have some remote clients that will need to connect without VPN.

What’s the best way to secure our instance? I know about fail2ban, changing the default 5060 port, and whitelisting. Is there anything else I should worry about? We currently use VPN but would like to experiment without. We don’t plan on exposing anything except phone registration, everything else will be behind VPN. Thanks!

The other thing to consider is to see if forcing static IPs for the remote endpoints is an option. At that point you can filter inbound traffic just to the set of IPs that you know of/about as well.

So you’re talking about public-facing Asterisk, not FreePBX, which is a much safer proposition. Changing port numbers isn’t going to do anything except save your log files from being inundated by the bots. Geographic rules on your firewall are the best bet for blocking them. With proper secrets on all your extensions they won’t be able to do any damage.

In this day and age you should be using TLS on port 5061 though.
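Putting the static-IP advice and the "TLS on 5061" advice above into practice, here is an added example (not from any poster in this thread) of a small POSIX shell script that generates an nftables ruleset exposing SIP only over TLS and only to a fixed allowlist of peer addresses, with plain-text 5060 closed outright. The peer addresses 203.0.113.10 and 198.51.100.0/24 are constructed placeholders, the table and set names are the example's own, and the RTP range assumes Asterisk's default rtp.conf (10000-20000):

```shell
#!/bin/sh
# Added example (not from the thread): emit an nftables ruleset that exposes
# SIP-over-TLS (5061) and RTP only to a fixed allowlist of peer addresses.
# Table/set names, the peer addresses and the RTP range are assumptions:
# 10000-20000 is Asterisk's default rtp.conf range, adjust to yours.
set -eu

# Accept "a.b.c.d" or "a.b.c.d/nn"; reject anything else so a typo cannot
# become a broken rule or, worse, an unintended wide-open prefix.
valid_cidr() {
    printf '%s\n' "$1" \
      | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$' || return 1
    ip=${1%%/*}
    old_ifs=$IFS; IFS=.; set -- $ip; IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# Print the ruleset for the given peers (each a host address or CIDR).
# Returns non-zero, printing nothing, if any peer fails validation.
sip_allowlist_ruleset() {
    [ $# -gt 0 ] || { echo "sip_allowlist_ruleset: need at least one peer" >&2; return 1; }
    peers=""
    for p in "$@"; do
        valid_cidr "$p" || { echo "sip_allowlist_ruleset: bad address '$p'" >&2; return 1; }
        peers="${peers:+$peers, }$p"
    done
    cat <<EOF
table inet sip {
    set peers {
        type ipv4_addr
        flags interval
        elements = { $peers }
    }
    chain input {
        type filter hook input priority filter; policy accept;
        # Plain-text SIP is never exposed: signalling is TLS-only.
        udp dport 5060 drop
        tcp dport 5060 drop
        # TLS signalling only from known peers; throttle connection floods
        # from a compromised peer instead of waiting for fail2ban to react.
        tcp dport 5061 ip saddr @peers ct state new limit rate over 20/minute drop
        tcp dport 5061 ip saddr @peers accept
        tcp dport 5061 drop
        # RTP media only from the same peers (Asterisk default range).
        udp dport 10000-20000 ip saddr @peers accept
        udp dport 10000-20000 drop
    }
}
EOF
}

# Demo: print the ruleset for two constructed peers. Load it for real with:
#   sip_allowlist_ruleset 203.0.113.10 198.51.100.0/24 | nft -f -
sip_allowlist_ruleset 203.0.113.10 198.51.100.0/24
```

Two things to keep in mind before loading it. This table only narrows who can reach the ports; an `accept` here does not bypass your main firewall's own input chain, which still has to permit 5061 and the RTP range. And any SIP trunk provider you use from the public side must have its signalling and media ranges added to the set, or trunk calls will register fine and then have no audio. A geo-block in the spirit of the reply above is the same pattern with a second `flags interval` set populated from a country-prefix list and a `drop` rule ahead of the peer rules.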

I think you should re-think the desire to not use VPN. You can set up the free Untangle firewall on a PC with 2 NICs and have a beautiful, easy-to-use GUI wrapper around OpenVPN, and they have excellent free community clients for this.

If you are already using VPN, you have already gone through the user training aspect and the users have already got all the carping out of their system about it. Dropping VPN requirements is taking a step backwards on the security aspect.

Yes, but do you know of an Android or iOS application that uses VPN and meets these two key requirements?

  1. Uses zero additional battery when idle and awaiting a call (push notification).
  2. Requires no additional user action to make or receive calls.

AFAIK, the only one is the proprietary 3CX mobile app, which only works with a 3CX PBX.

IMO, allowing connection via TLS only and requiring a client certificate is comparably secure.

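To show what "TLS only plus a client certificate" looks like in PJSIP terms, here is an added example (not from Stewart1 or from the FreePBX project): a shell script that builds a small private CA with openssl, issues a server certificate for the PBX and a client certificate for one extension, prints a transport that rejects any peer without a certificate from that CA, and probes a running PBX to confirm the rejection actually happens. The hostname pbx.example.com, extension 1001, the key directory /etc/asterisk/keys and the PKCS#12 password are assumptions:

```shell
#!/bin/sh
# Added example (not from the thread): build a private CA, a server cert for
# the PBX and a per-phone client cert, then emit a PJSIP TLS transport that
# refuses any connection without a certificate from that CA. Hostnames, paths
# and the extension number are assumptions; adjust them to your deployment.
set -eu

# Emit the transport section. method=tlsv1_2 pins exactly TLS 1.2 (PJSIP
# does not express version ranges); use tlsv1_3 if every phone supports it.
pjsip_tls_transport() {
    keydir=$1
    cat <<EOF
[transport-tls]
type=transport
protocol=tls
bind=0.0.0.0:5061
cert_file=$keydir/pbx.crt
priv_key_file=$keydir/pbx.key
ca_list_file=$keydir/ca.crt
method=tlsv1_2
; The two lines that turn "TLS" into "TLS with a client certificate":
verify_client=yes
require_client_cert=yes
; Behind NAT also set external_signaling_address, external_media_address
; and local_net on this transport.
EOF
}

# Build a throwaway PKI under $1 (needs openssl). Keep ca.key offline in
# real deployments: whoever holds it can mint a phone that your PBX trusts.
make_pki() {
    d=$1; host=${2:-pbx.example.com}; ext=${3:-1001}
    mkdir -p "$d"
    # 1. Private CA. Only certificates signed by this key will be accepted.
    openssl req -x509 -newkey rsa:3072 -nodes -days 3650 \
        -subj "/CN=Example PBX private CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
    # 2. Server cert for the PBX, with a SAN so strict phone clients accept it.
    printf 'subjectAltName=DNS:%s\n' "$host" > "$d/san.ext"
    openssl req -newkey rsa:3072 -nodes -subj "/CN=$host" \
        -keyout "$d/pbx.key" -out "$d/pbx.csr" 2>/dev/null
    openssl x509 -req -in "$d/pbx.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 825 -extfile "$d/san.ext" -out "$d/pbx.crt" 2>/dev/null
    # 3. One client cert per phone, short-lived: the transport has no CRL
    #    option, so expiry is the only revocation you get.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$ext" \
        -keyout "$d/$ext.key" -out "$d/$ext.csr" 2>/dev/null
    openssl x509 -req -in "$d/$ext.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 365 -out "$d/$ext.crt" 2>/dev/null
    # 4. PKCS#12 bundle, the form most desk phones and softphones import.
    openssl pkcs12 -export -in "$d/$ext.crt" -inkey "$d/$ext.key" \
        -certfile "$d/ca.crt" -passout "pass:${P12_PASS:-changeme}" -out "$d/$ext.p12"
}

# Probe a running PBX from a host that can reach 5061. With the TLS 1.2
# transport above a missing client cert aborts the handshake, so the first
# s_client must fail and the second (presenting the phone's cert) must succeed.
check_mtls() {
    d=$1; host=$2; ext=${3:-1001}
    if openssl s_client -connect "$host:5061" -CAfile "$d/ca.crt" </dev/null >/dev/null 2>&1; then
        echo "FAIL: $host accepted a TLS connection without a client certificate"; return 1
    fi
    if openssl s_client -connect "$host:5061" -CAfile "$d/ca.crt" \
        -cert "$d/$ext.crt" -key "$d/$ext.key" </dev/null >/dev/null 2>&1; then
        echo "OK: client certificate for extension $ext accepted by $host"
    else
        echo "FAIL: client certificate for extension $ext rejected by $host"; return 1
    fi
}

# Demo: print the transport. Set PKI_DIR=/etc/asterisk/keys to also build the
# certificates there. Afterwards: check_mtls "$PKI_DIR" pbx.example.com 1001
if [ -n "${PKI_DIR:-}" ]; then
    make_pki "$PKI_DIR"
    pjsip_tls_transport "$PKI_DIR"
else
    pjsip_tls_transport /etc/asterisk/keys
fi
```

On a FreePBX box the hand-written transport belongs in pjsip.transports_custom.conf (the generated pjsip.transports.conf includes it), and the GUI's own TLS transport under Asterisk SIP Settings must not also bind 5061; restart Asterisk rather than reload, since transports are not reloaded by default. Each remote extension then gets transport-tls as its Transport and SRTP as its Media Encryption in the extension's advanced settings, and the phone imports its .p12. Whether a given mobile app can present a client certificate at all is exactly the constraint the earlier replies were weighing, so check that before rolling it out.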

I concur with @Stewart1, only accept registrations and invites from devices using a domain name, but don’t use the same domain name as any of your public facing services as they might have previously leaked said domain name.


Yes, Cisco’s Webex Mobile client and Cisco’s Anyconnect are said to be able to use push notification. Not personally tried it myself, yet.
