LTelephony
(LTelephony)
February 15, 2021, 3:51pm
1
Hello together,
I want to set up a PBX which is reachable from the internet.
I already set up everything with IDS and TLS/SRTP, working fine!
But now it comes to TAPI or manager.conf access. I read that I can enable encryption for that here
But how do I do that? I think I have to edit the manager.conf file over console/SSH access, right?
But what happens when I install some updates, does the manager.conf get overwritten then?
PitzKey
(Itzik)
February 16, 2021, 10:00am
2
There isn’t a manager custom file?
LTelephony
(LTelephony)
February 16, 2021, 11:38am
3
It is
But can I modify the [general] part there?
PitzKey
(Itzik)
February 16, 2021, 11:56am
4
In the custom file, put something like:
[general](+)
your_setting = true
But I am not sure if enabling encryption under the general settings might break FreePBX
1 Like
dicko
(dicko)
February 16, 2021, 1:18pm
5
That first link is from 2008, tls is the new ssl and from
;
; AMI - The Asterisk Manager Interface
;
; Third party application call management support and PBX event supervision
;
; Use the "manager show commands" at the CLI to list available manager commands
; and their authorization levels.
;
; "manager show command <command>" will show a help text.
;
; ---------------------------- SECURITY NOTE -------------------------------
; Note that you should not enable the AMI on a public IP address. If needed,
; block this TCP port with iptables (or another FW software) and reach it
; with IPsec, SSH, or SSL vpn tunnel. You can also make the manager
; interface available over http/https if Asterisk's http server is enabled in
; http.conf and if both "enabled" and "webenabled" are set to yes in
; this file. Both default to no. httptimeout provides the maximum
; timeout in seconds before a web based session is discarded. The
; default is 60 seconds.
;
we see secure connections by default would be over port 5039, FreePBX only uses 127.0.0.1:5038
IMHO anyone that allows port 5038 through your firewall is exposing a long standing but ubiquitous security risk with FreePBX
LTelephony
(LTelephony)
February 16, 2021, 1:34pm
6
Yeah saw that thanks
Soo…
When I manually edit the manager.conf with
tlsenable = yes
tlsbindport = 5039
It's working over TLS
Will try it now with [general] (+)
LTelephony
(LTelephony)
February 16, 2021, 1:39pm
8
Looks like that now
[general](+)
tlsenable = yes
tlsbindport = 5039
tlsbindaddr = 0.0.0.0
tlscertfile = /etc/asterisk/keys/LE.pem
tlsprivatekey = /etc/asterisk/keys/LE.key
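Added example, not part of the thread and not FreePBX or Asterisk code: a small Python audit that merges a `[general](+)` append into `[general]` and reports AMI listeners bound beyond loopback, following the SECURITY NOTE quoted above. The sample configuration is constructed; `bindaddr` and the per-user `permit` ACL are standard manager.conf options not quoted in the thread, and treating an unset `bindaddr` as 0.0.0.0 is an assumption.

```python
import ipaddress
import re

TRUE = {"yes", "true", "y", "t", "1", "on"}
HEADER = re.compile(r"^\[([^\]]+)\](\([^)]*\))?$")

def parse(text):
    """Merge sections by name, so [general](+) appends to [general].
    Simplification: a repeated plain [name] header is merged as well."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # ';' starts a comment
        header = HEADER.match(line)
        if header:
            current = sections.setdefault(header.group(1), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.lstrip(">").strip()
    return sections

def exposed(addr):
    # True unless addr (optionally IPv4 host:port) is a loopback address.
    host = addr.rsplit(":", 1)[0] if addr.count(":") == 1 else addr
    try:
        return not ipaddress.ip_address(host.strip("[]")).is_loopback
    except ValueError:
        return True                                   # unparseable: treat as exposed

def audit(text):
    """Return findings for listeners and users reachable beyond loopback."""
    cfg = parse(text)
    general = cfg.get("general", {})
    on = lambda key: general.get(key, "no").lower() in TRUE
    bind = general.get("bindaddr", "0.0.0.0")         # assumed default: all interfaces
    tls_bind = general.get("tlsbindaddr", bind)
    findings = []
    if on("enabled") and exposed(bind):
        findings.append(f"plaintext AMI listens on {bind}: keep it on loopback")
    if on("tlsenable") and exposed(tls_bind):
        findings.append(f"TLS AMI listens on {tls_bind}: limit by firewall/VPN")
    for name, user in cfg.items():
        if name != "general" and "permit" not in user:
            findings.append(f"AMI user [{name}] has no permit ACL")
    return findings

# Constructed sample: loopback-only base file plus a custom-file append.
BASE = "[general]\nenabled = yes\nbindaddr = 127.0.0.1\n[admin]\nsecret = PLACEHOLDER\npermit = 127.0.0.1/255.255.255.0\n"
CUSTOM = "[general](+)\ntlsenable = yes\ntlsbindport = 5039\ntlsbindaddr = 0.0.0.0\n"
if __name__ == "__main__":
    print(audit(BASE + CUSTOM))
```

An empty list means every enabled listener is on loopback and every AMI user carries a `permit` ACL; a TLS finding is a prompt to check the firewall rule in front of port 5039, not an error in itself.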