So I’m using FreePBX on a droplet on DigitalOcean; the web interface/SSH, everything is public facing because that’s how it’s default, so I’m wondering how to secure this. If this was on my home network, it would be behind my main firewall and LAN so it’s only exposed for the ports needed. I’m not that familiar with how to deal with this with a cloud install. Do I turn on DigitalOcean’s firewall to limit ports? Make an SSH tunnel to access the web interface and block everything else?
I read to whitelist hosts for SIP trunk and extensions? But my extensions are on dynamic IPs and I have softphones on cellphones which don’t have a static IP. I can’t really find any info on securing the server, as I don’t think this is right leaving everything open, regardless of the firewall they have built in and fail2ban.
I would just enable the FreePBX Firewall & add my home IP to the trusted zone for admin access. Enable responsive firewall for SIP to allow roaming/dynamic users.
I’m not sure why you feel the need for two firewalls. Sounds like an unnecessary pain.
So the default (Internet) rules are safe enough? Then should I put my SIP provider as well and extensions to trusted, then set eth0 (the one that’s public facing) to REJECT?
The nice thing about DO’s firewall is that it can be applied at a low level on all your droplets. I have one with about 30 rules that cover the providers and my SIP ports for FreePBX/Asterisk. Given those, I get a ‘maytag repairman’ activity pretty well everywhere.
I don’t just use Asterisk, but other DO firewall rules are equally effective for FreeSwitch/FusionPBX/Kamailio droplets.
(be aware that DO hosts are the biggest culprits for SIP perpetrators)
I have been running Vultr hosted FreePBX Deployments for a while now. I just whitelist my IP for admin/ssh access, turn on Responsive firewall and have been problem free. I don’t use a Vultr firewall, just FreePBX firewall.
Your SSH port (not 22)
TCP/5061 for TLS if you know what you are doing
The port your extensions otherwise register to (not 5000-5999)
The port you use for provisioning (be inventive)
Your website’s port (443), but protect otherwise . . .
The IP addresses that your trunking providers are using if you can’t limit them to ‘not 5000-5999’
XMPP/Zulu/whatever if using them
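The port list above, turned into a DigitalOcean Cloud Firewall rule set plus a small linter that catches the two mistakes the thread warns about (SSH on 22 open to the world, and anything in the well-known SIP range 5000-5999 reachable from everywhere). This is an added example, not code from the thread or from FreePBX/DigitalOcean; every IP and port value in it is a constructed placeholder, the RTP range 10000-20000 is the FreePBX/Asterisk default as I know it, and the JSON shape follows the DigitalOcean API v2 firewalls endpoint as I remember it (check it against current docs before posting it with `doctl` or `curl`).

```python
"""Build and sanity-check a DO Cloud Firewall rule set for a FreePBX droplet (added example)."""
import ipaddress
import json

# Constructed placeholder values, not from the thread; replace with your own.
ADMIN_IP = "203.0.113.10/32"              # home/office address (what your DDNS name currently resolves to)
TRUNK_PROVIDER_IPS = ["198.51.100.0/24"]   # trunk provider ranges that insist on 5060
SSH_PORT = "2222"                          # "not 22"
SIP_REG_PORT = "15060"                     # extension registration port, deliberately outside 5000-5999
PROVISIONING_PORT = "38443"                # "be inventive"
RTP_PORTS = "10000-20000"                  # assumed FreePBX/Asterisk default RTP range
ANYWHERE = ["0.0.0.0/0", "::/0"]
WELL_KNOWN_SIP = (5000, 5999)


def rule(protocol, ports, sources):
    """One inbound rule in the shape the DO API v2 firewalls endpoint expects (assumed)."""
    return {"protocol": protocol, "ports": ports, "sources": {"addresses": list(sources)}}


def port_range(ports):
    """'22' -> (22, 22); '10000-20000' -> (10000, 20000)."""
    lo, _, hi = ports.partition("-")
    return int(lo), int(hi or lo)


def open_to_world(r):
    """True if any source address covers the whole IPv4 or IPv6 internet."""
    return any(ipaddress.ip_network(a, strict=False).prefixlen == 0
               for a in r["sources"]["addresses"])


def build_inbound_rules():
    """The thread's port list as rules: admin-only where the client set is fixed, open where it roams."""
    return [
        rule("tcp", SSH_PORT, [ADMIN_IP]),              # SSH only from the admin's (DDNS-tracked) address
        rule("tcp", "5061", ANYWHERE),                  # SIP over TLS for roaming softphones
        rule("udp", SIP_REG_PORT, ANYWHERE),            # roaming extensions; FreePBX responsive firewall still gates it
        rule("tcp", PROVISIONING_PORT, [ADMIN_IP]),     # phones provision from the office, so pin the source
        rule("tcp", "443", ANYWHERE),                   # web UI/UCP; FreePBX firewall trusted zone limits admin
        rule("udp", "5060", TRUNK_PROVIDER_IPS),        # only the trunk provider may reach the well-known port
        rule("udp", RTP_PORTS, ANYWHERE),               # media
    ]


def lint(rules):
    """Return (severity, rule_label, message) findings for risky exposures."""
    findings = []
    for r in rules:
        lo, hi = port_range(r["ports"])
        world = open_to_world(r)
        label = f"{r['protocol']}/{r['ports']}"
        if world and r["protocol"] == "tcp" and lo <= 22 <= hi:
            findings.append(("error", label, "SSH on 22 exposed to the whole internet"))
        if world and lo <= WELL_KNOWN_SIP[1] and hi >= WELL_KNOWN_SIP[0]:
            # 5061/TLS is the one the thread allows "if you know what you are doing"
            sev = "note" if (r["protocol"], r["ports"]) == ("tcp", "5061") else "error"
            findings.append((sev, label, "overlaps well-known SIP range 5000-5999 and is open to everyone"))
        if not r["sources"]["addresses"]:
            findings.append(("error", label, "rule has no sources"))
    return findings


def errors(rules):
    """Only the findings that should block applying the rule set."""
    return [f for f in lint(rules) if f[0] == "error"]


def payload(name, droplet_ids, rules):
    """Request body for creating the firewall; outbound left open (shape assumed)."""
    return {
        "name": name,
        "inbound_rules": rules,
        "outbound_rules": [
            {"protocol": "tcp", "ports": "all", "destinations": {"addresses": ANYWHERE}},
            {"protocol": "udp", "ports": "all", "destinations": {"addresses": ANYWHERE}},
        ],
        "droplet_ids": droplet_ids,
    }


if __name__ == "__main__":
    rules = build_inbound_rules()
    for sev, label, msg in lint(rules):
        print(f"{sev}: {label}: {msg}")
    if not errors(rules):
        print(json.dumps(payload("freepbx-inbound", [0], rules), indent=2))  # 0 = placeholder droplet id
```

Run it and it prints one `note` for 5061/TLS and the JSON body; swap `SIP_REG_PORT` for something like `5060` open to `ANYWHERE` and `errors()` refuses it, which is the point of the "not 5000-5999" advice above.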
I would recommend you spend the $25 on the FreePBX commercial module SysAdmin Pro; that way you have an OpenVPN server and can install OpenVPN on the smartphones instead of using responsive firewall, and for your home you can whitelist a DDNS like No-IP if you don’t have a static IP at home.
Wrong, he says his extensions are dynamic (big difference); that is why I suggest he registers all his ‘dynamically assigned’ IPs against a ‘not well known’ port.
Yes, I’m referring to my home and business locations where my ISP provisioning is dynamic IPs and never static. I do have No-IP DDNS at both of them, but I guess the only time the connections will go down is if the new IP gets pushed and doesn’t propagate to DNS servers yet.
I can get the module, but how does OpenVPN solve or help me for smartphones? So every time I want to enable my smartphone SIP (Zoiper etc.) I have to connect to my VPN which is on the FreePBX?
He is asking how to run it in the cloud; I told him my strategy for how I deploy it.
I just gave him a broader idea of more options for the end goal, because he’s probably not familiar with all the options.
It’s pretty easy to connect with OpenVPN; they have an Android and iPhone app, you just click the on button once when you turn on the phone. Or you can pay for Sangoma Connect, which is a per-user monthly fee, and they give you a proprietary FreePBX softphone which uses an encrypted connection to your PBX that is safe to expose, and you have much more integration with FreePBX than a regular softphone. And for the DDNS, I have never had issues with No-IP; pay them the $20 a year so you don’t need to click on the renew email every month. Your dynamic IP doesn’t change that often.