Encryption for manager.conf

LTelephony · 2021-02-15 15:53:07 UTC

Hello together,

i want to setup a PBX which is reachable from the internet.
I already setup everything with IDS and TLS/SRTP, working fine!

But now it comes to TAPI or manager.conf access. I read that i can enable encryption for that here

But how do I do that? I think i have to edit the manager.conf file over console/ssh access right?
But what happens when i install some updates, does the manager.conf gets overwritten than?

PitzKey · 2021-02-16 10:00:39 UTC

There isn’t a manager custom file?

LTelephony · 2021-02-16 11:38:31 UTC

It is
But can I modify the [general] part there?

PitzKey · 2021-02-16 13:37:22 UTC

In the custom file, put something like:

[general](+)
your_setting = true

But I am not sure if enabling encryption under the general settings might break FreePBX

dicko · 2021-02-16 13:18:05 UTC

That first link is from 2008, tls is the new ssl and from

github.com

asterisk/asterisk/blob/master/configs/samples/manager.conf.sample

;
; AMI - The Asterisk Manager Interface
;
; Third party application call management support and PBX event supervision
;
; Use the "manager show commands" at the CLI to list available manager commands
; and their authorization levels.
;
; "manager show command <command>" will show a help text.
;
; ---------------------------- SECURITY NOTE -------------------------------
; Note that you should not enable the AMI on a public IP address. If needed,
; block this TCP port with iptables (or another FW software) and reach it
; with IPsec, SSH, or SSL vpn tunnel.  You can also make the manager
; interface available over http/https if Asterisk's http server is enabled in
; http.conf and if both "enabled" and "webenabled" are set to yes in
; this file.  Both default to no.  httptimeout provides the maximum
; timeout in seconds before a web based session is discarded.  The
; default is 60 seconds.
;

This file has been truncated. show original

we see secure connections by default would be ovrr port 5039, FreePBX only uses 127.0.0.1:5038

IMHO anyone that allows port 5038 through your firewall is exposing a long standing but ubiquitous security risk with FreePBX

LTelephony · 2021-02-16 13:34:37 UTC

Yeah saw that thanks

Soo…

When i manually edit the manager.conf with
tlsenable = yes
tlsbindport = 5039

Its working over tls

Will try it now with [general] (+)

LTelephony · 2021-02-16 13:37:16 UTC

Working
Thanks

LTelephony · 2021-02-16 13:39:22 UTC

Looks like that now

[general] (+)
tlsenable = yes
tlsbindport = 5039
tlsbindaddr = 0.0.0.0
tlscertfile = /etc/asterisk/keys/LE.pem
tlsprivatekey = /etc/asterisk/keys/LE.key

dicko · 2021-02-16 14:09:21 UTC

(post withdrawn by author, will be automatically deleted in 24 hours unless flagged)