FPBX13 Endpoint Provisioning web (add a user/pass?)

Good morning all.

By any chance, is there a way to make it so the Endpoint Manager’s webserver for phone provisioning can have a username/password? Not the programming within Endpoint Manager itself, but when a phone reaches out to urlorip:83/xxxxxx.xml, that it be prompted for a username/pass (our phones say they support this).

It’s a slight bump to security (though I understand, not much), but it would help prevent people from trying to glean credentials from stored files. Plus, in theory, multiple failed login attempts would be identified by either the firewall or fail2ban and restrict that IP for what I’ve got set in the duration.

Just hoping to increase the security a bit regarding the provisioning files.

Thx.

FTP does this already so you could use FTP for this. At this time FreePBX does not support having a username and password for HTTP for the provisioning port.

The phone supports TFTP, but not FTP. :frowning:

There is no security protocol associated with TFTP or BOOTP. If the remote system can access the data store, it can pull any file it has write access to.

Having something doing intrusion detection such as fail2ban is the way to go, short of not exposing TFTP to the public internet. Brute-forcing the MAC addresses, even if they know your phone brand, will take some effort. If you have something like fail2ban set up, you can stop any brute-force attackers before they do anything meaningful.

We do have Fail2Ban set up (with a very long ban time of 30 days). :slight_smile: So, that is doable, but I would definitely prefer if it were web-based.
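The brute-force detection suggested in the thread, sketched as an added example (not code from the posters, FreePBX or fail2ban): it flags clients that request many distinct nonexistent MAC-named config files in a short window. It assumes the provisioning port writes an Apache common-format access log and that file names contain the phone's 12-hex-digit MAC; the threshold, window and sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: Apache common/combined log format on the provisioning port.
LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                  r'"(?:GET|HEAD) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')
# Assumption: the config file name contains the phone's MAC as 12 hex digits.
MAC = re.compile(r'(?<![0-9a-f])([0-9a-f]{12})(?![0-9a-f])', re.I)

def find_enumerators(lines, max_misses=3, window=timedelta(minutes=10)):
    """Return {ip: distinct missed MACs} for clients that asked for more than
    max_misses distinct MAC config files that were refused, within window."""
    misses = defaultdict(list)                     # ip -> [(time, mac)]
    for line in lines:
        m = LINE.match(line)
        if not m or m["status"] not in ("401", "403", "404"):
            continue                               # successful fetches are normal
        mac = MAC.search(m["path"])
        if mac:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            misses[m["ip"]].append((ts, mac.group(1).lower()))
    flagged = {}
    for ip, events in misses.items():
        events.sort()
        start = 0
        for end in range(len(events)):             # sliding time window
            while events[end][0] - events[start][0] > window:
                start += 1
            macs = {mac for _, mac in events[start:end + 1]}
            if len(macs) > max_misses:
                flagged[ip] = max(flagged.get(ip, 0), len(macs))
    return flagged

def _line(ip, hhmmss, mac, status):                # builds one constructed log line
    return (f'{ip} - - [12/Mar/2024:{hhmmss} +0000] '
            f'"GET /{mac}.xml HTTP/1.1" {status} 196')

# Constructed sample: one real phone, one fast guesser, one slow misconfigured client.
SAMPLE = (
    [_line("198.51.100.7", "08:00:01", "0004f2aabb01", 200),
     _line("198.51.100.7", "08:00:05", "0004f2aabb10", 404)]
    + [_line("192.0.2.10", f"08:01:0{i}", f"0004f200000{i}", 404) for i in range(5)]
    + [_line("203.0.113.5", f"0{h}:30:00", f"0004f2cc000{h}", 404) for h in range(1, 5)]
)

if __name__ == "__main__":
    print(find_enumerators(SAMPLE))
```

The same pattern (refused requests for MAC-named files, counted per source IP) is what a fail2ban filter on the provisioning access log would match; the script is useful for checking how a chosen threshold behaves against existing logs before enabling a ban.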