Firewall Zones & Remote Access

I have a PBXact at my office. It is local on the network with everything configured appropriately. I would like to be able to access the GUI from my home.

As I understand it, one option is to change the SSH port to something random on the PBX, then set my router’s firewall at the office to allow only traffic from my home public IP on that port. Then, in the PBX firewall, I would need to allow SSH traffic on the Internet Zone. Typically, that would be unwise because you are exposing yourself to attacks via SSH. However, am I correct in understanding that since I am blocking all traffic at my router, it should be secure since I am only allowing traffic from my home IP? With this setup, I would be able to SSH into my PBX and, at the same time, create a tunnel so that I can access the GUI.

Another option, I believe, is to add my home public IP to the trusted, local or other firewall zone and then allow access to the GUI in whichever of those zones I choose? Then, of course, I would still block all traffic at the firewall level except for my home public IP. Would that still be secure? And if that is a viable option, which zone would be advisable?

Do you access other office systems from your home? If so, you are probably using a VPN; allowing the VPN tunnel address range to access SSH and GUI is pretty safe and simple.

Or, you could run OpenVPN on the PBX, which would allow access for your home phone(s) and provisioning in addition to SSH and GUI access.

If you are only concerned about attacks from automated tools that scan every IPv4 address on the internet looking for vulnerabilities, opening access to just your home IP is pretty safe. It doesn’t make much difference whether you do it in the hardware firewall or the FreePBX firewall; you might do both for security in case a mistake was made in one. You should also set up SSH to require an RSA key for authentication (and perhaps require a password as well).

However, if e.g. a highly skilled or well-heeled competitor wanted to attack your system specifically, they might somehow break into your home network and leverage that to gain access to the PBX.

An attacker who knows you and knows the system, e.g. a disgruntled employee or former employee, would likely have the advantage in this kind of attack.

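The setup discussed above (non-default SSH port, key-only authentication, and an SSH tunnel to reach the GUI) as an added example that is not part of this thread: a small POSIX shell script that audits an sshd_config for those settings and prints the tunnel command a home machine would run. The host name pbx.example.com, port 2222, local port 8443, user admin and key path ~/.ssh/pbx_key are placeholders, and the sample config is constructed inline.

```shell
#!/bin/sh
# Added example, not from the thread. Audits an sshd_config for the
# settings recommended above and prints the GUI tunnel command.
# Host names, ports, user and key path are assumed placeholders.

# Return 0 if the given sshd_config uses a non-default port, key-only
# auth and no password root login; each failing check goes to stderr.
sshd_config_ok() {
    cfg="$1"; ok=0
    # Last occurrence of each directive wins, matching sshd's first-match
    # rule only for simple files without Match blocks (assumed here).
    port=$(awk 'tolower($1)=="port"{print $2}' "$cfg" | tail -n1)
    pw=$(awk 'tolower($1)=="passwordauthentication"{print tolower($2)}' "$cfg" | tail -n1)
    pk=$(awk 'tolower($1)=="pubkeyauthentication"{print tolower($2)}' "$cfg" | tail -n1)
    root=$(awk 'tolower($1)=="permitrootlogin"{print tolower($2)}' "$cfg" | tail -n1)
    [ -n "$port" ] && [ "$port" != "22" ] || { echo "Port is 22 or unset" >&2; ok=1; }
    [ "$pw" = "no" ] || { echo "PasswordAuthentication is not 'no'" >&2; ok=1; }
    [ "${pk:-yes}" = "yes" ] || { echo "PubkeyAuthentication is disabled" >&2; ok=1; }
    [ "$root" = "no" ] || [ "$root" = "prohibit-password" ] || {
        echo "PermitRootLogin allows password login or is unset" >&2; ok=1; }
    return $ok
}

# Print the command run from home: local https://localhost:$3 is
# forwarded through SSH (port $2 on host $1) to the PBX's own port 443.
# $4 is the SSH user; the key path is a placeholder.
gui_tunnel_cmd() {
    printf 'ssh -N -L %s:127.0.0.1:443 -p %s -i ~/.ssh/pbx_key %s@%s\n' \
        "$3" "$2" "$4" "$1"
}

# Demo on a constructed sample config (not a real PBX file).
demo_cfg=$(mktemp)
cat > "$demo_cfg" <<'EOF'
Port 2222
PasswordAuthentication no
PubkeyAuthentication yes
PermitRootLogin prohibit-password
EOF
if sshd_config_ok "$demo_cfg"; then
    gui_tunnel_cmd pbx.example.com 2222 8443 admin
fi
rm -f "$demo_cfg"
```

Source restriction to the home IP still belongs in the router and FreePBX firewall as the thread says; this script only checks the SSH daemon side.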

Thank you for the information. That helps. In the setup I described, I was thinking the biggest vulnerability would be if someone accessed my home network to then gain access to the remote offices. Otherwise, it would be pretty secure. If I understand your reply, you are confirming that.

I have three PBXact systems in three of my remote offices. I don’t have any endpoints outside of each local network. So I am not trying to run a phone from my house. I haven’t connected via a VPN.

I want access to the GUI and SSH to each machine for running updates and for making config changes, etc.

Currently, I use TeamViewer to access a computer on the local network and then the PBX from there.

TeamViewer is IMO very safe (though not cheap), but your new setup will of course be more convenient.

I wouldn’t even think of managing a PBX without an extension for testing changes or replicating problems reported by users. I suppose you could get by with a softphone on the remote machine running TeamViewer.

