Quick status update. Rather than load up a new VM on-prem I decided to take the latest image from TheWebMachine Networks for a spin on AWS. So far so good. Enabled and configured the Firewall, locked down the AWS network security rules, finally went with CHAN_PJSIP, changed the SIP ports to something far from the norm, restricted web UI access to only the private LAN, installed and configured FOP2, configured the Kari’s Law E911 SMS/e-mail notifications, configured SNMP monitoring of active call counters, added the call stats to the CDR userfield column, etc.
The only thing that freaked me out was after one of the updates I ran, the reboot came back with fail2ban not running. And I could see all of the SIP port exploit attempts hitting every second (before I changed the SIP port values). I thought my box was already pwn3d! But ran across this helpful post that did the trick --> Fail2ban wont start. That was a quirk but easy enough of a fix.
Plenty to time to manually provision things like they are defined in production. The Bulk Handler can assist in making that easier in some regards.