FreeBPX + Digitalocean security - how to harden, which firewall?

So I’m using FreePBX on a droplet on digitalocean, the web interface/ssh everything is public facing becuase that’s how it’s default, so I’m wondering how to secure this. If this was on my home network, it would be behind my main firewall and LAN so it’s only exposed for the ports needed. I’m not that familiar how to deal with this with a cloud install. Do I turn on digitalocean’s firewall to limit ports? Make a SSH tunnel to access the web interface and block everything else?

I read to whitelist hosts for sip trunk and extensions? but my extensions are on dynamic IP and I have softphones on cellphones which don’t have a static IP. I can’t really find any info on securing the server as I don’t think this is right leaving everything open, regardless of the Firewall they have built in and fail2ban.

Any tips or suggestions?

I would just enable the FreePBX Firewall & add my home IP to the trusted zone for admin access. Enable responsive firewall for SIP to allow roaming/dynamic users.

I’m not sure why you feel the need for two firewalls. Sounds like an unnecessary pain.

1 Like

So the default (Internet) rules is safe enough? Then should I put my SIP provider as well and extensions to trusted then make the eth0 (the one that’s public facing) to REJECT ?

The nice thing about DO’s firewall, is that it can be applied a t a low level on all your droplets, I have one with about 30 rules that cover the providers and my sip ports for FreePBX/Asterisk, Given those I get a ‘maytag repairman’ activity pretty well everywhere.

I don’t just use Asterisk, but other DO firewall rules are equally effective for FreeSwitch/FusionPBX/Kamailio droplets.

(be aware that DO hosts are the biggest culprits for SIP perpetrators)

Could you show me what rules you use to allow for freepbx? I’m not sure if I covered all the ports necessary.

I have been running Vultr hosted FreePBX Deployments for a while now. I just whitelist my IP for admin/ssh access, turn on Responsive firewall and have been problem free. I don’t use a Vultr firewall, just FreePBX firewall.

DNS ( 53)
NTP (123)
ICMP

Your ssh port ( not 22)
TCP/5061 for TLS if you know what you are doing
the port your extensions otherwise register to (not 5000-5999 :slight_smile: )
the port you use for provisioning (be inventive :wink: )
your Websites’s port (443) but protect otherwise . . .

The Ip addresses that your Trunking Providers are using if you can’t limit them to ‘not 5000-5999’
XMPP/ZULU/whatever if using them

That’s about it

1 Like

I would recommend you to spend the $25 on the freepbx commercial module SysAdmin Pro like that you have a openvpn server and install openvpn on the smartphones instead of using responsive firewall and for your home you can whitelist a DDNS like NoIP if you don’t have a static at home

Here we talk about a Digital-ocean droplet, each and everyone will never need any DDNS. (because they are NOT dynamic)

I’m referring to his location where his extensions are he mentioned that he has a dynamic IP, besides the mobile phones

Wrong, he says his extensions are dynamic ( big difference) that is why I suggest he registers all his ‘dynimically assigned’ ip’s against a ‘not well known’ port

Yes, I’m referring to my home and business locations where my ISP provisioning is dynamis IP’s and never static. I do have No-IP DDNS to both of them but I guess the only time the connections will go down is if the new IP gets pushed and doesn’t propagate to dns servers yet.

I can get the module, but how does openvpn solve or help me for smartphones? So everytime I want to enable my smartphone SIP (Zoiper etc) I have to connect to my VPN which is on the freepbx?

he can use a random port plus locking it down to a DDNS that is configured on his home router and for the 4G mobile phone openVPN

Of course he can, and it is recommended (by me) but what has that to do with this thread about DO’s firewall?

he is asking how to run it in the cloud I told him my strategy how I deploy it
I just gave him a broader idea of more options for the end goal because he’s probably not familiar of all the options

Excellent ! , but how are you differently running DigitalOcean ‘in the cloud’? (it;s already ‘in the cloud’ and follows all the norms of routing)

personally I think FreePBX has enough built-in options that I don’t need to use a third-party firewall
on-premise or in the cloud

Then you are good to go, thanks for your input though.

1 Like

it’s pretty easy to connect with openvpn they have an Android and iPhone app you just click the on button when you turn on the phone once, or you can pay for sangoma connect which is a Loper user monthly fee and they give you a proprietary freepbx softphone which uses an encrypted connection to your PBX which is safe to expose and you have much more integration with freepbx than a regular softphone, and for the DDNS I have never had issues with NoIP pay them the $20 a year so you don’t need to click on the renew email every month, your Dynamic IP doesn’t change that often

How does the DO or FreePBX firewall protect against a DDoS attack??