Changing HTTP port via SSH

kwriley87 · February 23, 2017, 6:31am

hi all

I changed the HTTP port to 44276 using the sys admin module and once I applied the changes I can no longer access the GUI on 80 or 44276… Where is the config file located where I can go check the port settings via SSH?

Thank you!

lgaetz · February 23, 2017, 12:46pm

Check the file:

/etc/httpd/conf.d/schmoozecom.conf

Marbled · February 23, 2017, 1:30pm

HI!

Are you using the FreePBX firewall?

Maybe it is blocking that port…

I don’t personally use the FreePBX firewall but if I did I would make sure that traffic to that port is allowed…

When I saw your post I wondered why you would want to do that though…

Is it because you want to access many servers behind the same IP or because you want to have your PBX web interface listen to the Internet and instead of allowing access by IP you make it listen on a weird port?

Good luck and have a nice day!

Nick

kwriley87 · February 23, 2017, 3:17pm

I’ve got it working, thank you lgaetz

Marbled - I changed the HTTP port because I have a need to have web access to it opened over the internet so I figured for security reasons I would change the HTTP port and SIP binding ports.

Are there any other additional steps I should take to secure my FreePBX since it is available over the internet via HTTP?

lgaetz · February 23, 2017, 3:22pm

Untrusted access to the Admin interface is not recommended, if at all possible restrict access to trusted hosts.

kwriley87 · February 23, 2017, 3:28pm

We have soft phones connecting from various areas using hotspots with no static IP so would a more realistic idea be to change the SIP binding port for registration purposes and limit the admin interface to a specific IP address?

Marbled · February 23, 2017, 6:02pm

Hi!

That is what I was afraid of and doesn’t offer you much protection against someone who would scan all ports. Well-established protocols like HTTP would be easy to identify once a port is known to be open…

Limit the IPs which can connect to it (ie put an ACL…)…

Connect to the main site using a VPN…

If that is not possible, have them run a software that dynamically updates a DNS entry with they current IP and uses those hostnames in your firewall rules. The firewalls which allow this reevaluate those hostnames from time to time…

I don’t do it for SIP but I do something similar to allow my mobile phone to connect to my network…

This is always best…

Good luck and have a nice day!

Nick