Build It and Ignore It really doesn't work


(Tom Ray) #1

So building your FreePBX system and then never touching it again in regards to updates is a poor way to manage your system. Just ask these 1200 companies that didn’t roll out a security patch from a year ago.

Now what interests me on this is where these Distro/PBXact based systems or just standalone FreePBX installs. Because I’ve said it before and I’ll say it again, the non-Distro release of FreePBX lacks serious security as it has no real default firewall. That is something that should be addressed.


(Jared Busch) #2

And how would you address it. Because it is not the distro, there is no way for FreePBX to know what is running all the little things under the hood.

At that point, it is people just installing a GUI on top of Asterisk on top of $operatingsystemofchoice


(Tom Ray) #3

So you’re saying if I install FreePBX without the Distro the software doesn’t know what’s under the hood? It requires the Distro to know what is HTTP/S, FTP, TFTP, SIP, etc? That’s a pretty weak argument.

Yes and the security vulnerabilities are all GUI based on what FreePBX adds to the system to control Asterisk. All of these vulnerabilities are based on the FreePBX part not the Asterisk or OS part. So no, at that point it’s people installing FreePBX on a system that FreePBX wants control over all aspects of the system.

If FreePBX wants to be the boss of the system when installed, it should deal with the security aspects as well.


#4

Manual install is considered to be for “experts”; maybe some people overestimate their level of expertise. Distro is the better choice unless you are a Linux, web server, pbx, and firewall expert.


(Tom Ray) #5

So what you’re saying is that the Firewall module, which is AGPL, shouldn’t be available to people who decide to not run the commercial platform?


#6

I didn’t say that. I understand it is currently tied up with the sysadmin module which is tied to centos and old php.


(Jared Busch) #7

No it does not. Those are the protocols running on whatever application is serving it. You have to tell it how to connect to them. SIP is the only one “known” because FreePBX is designed to be installed on top of Asterisk.


(Jared Busch) #8

The problem with this statement is that people like Ward script it out so that idiots can install it on a Raspberry Pi.


(Jared Busch) #9

Building anything and then not touching it is a poor way to run anything. This is not exclusive to FreePBX.


(Tom Ray) #10

You understand that when you install FreePBX manually it still wants to perform like a distro install? It still wants to own Apache, MySQL, etc. You can still use the UCP, you can still use XMPP, you still use the admin GUI. So it knows exactly what ports and services are being used by default. The firewall module also allows you to add custom ports, etc and custom rules if needed. This is all controlled by FreePBX logic, so it should know exactly what it needs open/closed, etc.


(Tom Ray) #11

You’re absolutely right. However, in regards to this forum, community and the subject matter of those articles posted I was being specific to other FreePBX users.


#12

Specifically FreePBX provides a front end to Asterisk, it needs a working webserver (not necessarily apache) and PHP and a mysql server. If you use any any commercial modules, you are limited to Centos as an OS, a working Zend and a deprecated version of PHP. Without those commercial restrictions, it will work with most any OS and most any CPU.

There is currently no way to have a working Sangoma firewall if you are ‘off the Reservation’ but don’t let that deter you if you have a Raspberry or like Debian. There are many recipes out there that have worked for many years before Sangoma added a firewall to the Distro.

ANYTHING you ever present to the internet needs protection, if you are uncomfortable with that, don’t do it, If you want a turnkey system that only gets compromised sometimes, use the ‘Distro’ but limit your exposure at your VSP.


(Luke C) #13

I can relate to this thread entirely, because I am not a Freepbx/Asterisk expert. I do Quality Control and Mechanical Design at our shop(50 employees), handling the IT at our shop is something that just kind of got thrown at me as a duty also at the shop over the years…and when our legacy phone system was tanking, I transitioned us to Freepbx.

With that being said, I gained a lot of tips how not to F*** UP from many of the people in this post. Much appreciated!


(Erik Carlseen) #14

It’s great the systems like FreePBX make inexpensive VoIP processing accessible, but if you don’t throw at least a modicum of IT expertise at your infrastructure you’re probably going to get hacked. I empathize with not wanting to spend the money on it (most of our customers are small businesses, and many are really struggling this year), but if you don’t you’re playing with fire. Even so, we can usually help manage a FreePBX installation and keep expenses well below a cloud-hosted IPPBX solution.

For what it’s worth, I’ve never been a fan of relying strictly on application-level security for remote attacks and we’ve never used the FreePBX firewall; we deal with connection-level security in other parts of the network (firewall ACLs, DMZs, VPNs, etc.). The only inbound connections from the Internet that we allow are from the explicitly whitelisted IP addresses used by our SIP trunk providers.


(Ted Mittelstaedt) #15

I know this is going to sound like a curmudgeon but for gawd sakes! I’ve run the vanilla distro downloaded right off the FreePBX website for years with a wide assortment of phones on a virtual server. I get that people want to save money but to me the idea of putting it on a Raspberry Pi is crazy stuff. A Rasberry Pi can cost upwards of $40!!! That’s way WAY too expensive!!! A virtual server costs me a lot less than that. I use a Raspberry Pi to run my 7 zone lawn sprinkler system. That’s what those are good for! A phone system??? You have to be joking!!!


#16

I totally agree with this methodology. I front end FreePBX with my own firewall. Remote clients via VPN. Non-standard port for clients that can’t use a VPN, and the FreePBX enhanced firewall too. Also restrict access to and from other LANs to the VOIP LAN, which is extremely important.