FreePBX 15.0.37 (Distro) -- Restricted https, SSH Access

Hi

To protect my FreePBX server, I am planning to restrict access to standard ports from my static IP only.

  1. What is the correct way to restrict http, https, ssh access to select IPs only?
  2. Are there any disadvantages to the above setting?

Thanks

The ‘correct’ way is generally to use a ‘router’ between the services you wish to protect and the devices you want to protect them from. Questions remain as to where and what that ‘router’ would be.

I would argue a rock-solid separate hardware device such as a Cisco or a pfSense or a MikroTik as a first choice, but as iptables is running on your PBX, many are satisfied with ‘self-reliance’ on the integrity of the PBX host itself. FreePBX as a commercial distro running on the bespoke Sangoma OS is a common choice, but be aware that there have been several failures of that over the years.

Exposing any service to access by its IP address is not the most secure way of doing it; running everything through TLS means that only someone who knows the ‘name’ of your service has access. This means maintaining up-to-date certificates for each of your services. Now, these could all be under the same domain name, but without extra precautions it is possible to derive that domain name simply by querying the IP address in front of it.

So, no ‘correct’ way, but each possible ‘way’ will have disadvantages ranging from inconvenience to cost to needing to TL;DR documentation.

JM2CWAE

Thanks @dicko – As always, a very comprehensive & informative reply.

My FreePBX is hosted on a Shared VPS, so h/w is not an option for me.

If I fire iptables rules via the SSH terminal, I fear they will be overwritten by FreePBX, and I could not find any option in the FreePBX GUI to create a custom rule.

Any thought?

Thanks

FreePBX per se will not overwrite iptables rules. The firewall module bundled with the ‘distro’ might well do that, but I don’t/can’t use it. Personally, and after all these years, I still stand by ‘csf’

https://configserver.com/configserver-security-and-firewall/

and fail2ban

https://fail2ban.org/wiki/index.php/Downloads

for bundled systems, as they are both highly configurable and they cooperate very well together, with your choice of which set of chains goes first. Both need quite some R’ing of TFM’s, though, to get the most out of them.

Of course all the encouragements move to TLS using separate certificates for every exposed service (SIP, provisioning, UCP, admin, etc.), and minimizing exposure to the obvious service:port pairs will further bump you down the preferred target lists the bad guys probably share around.
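As an added example (not code from dicko, the OP, or the FreePBX project), here is the plain-iptables shape of what question 1 asks for: SSH, HTTP and HTTPS accepted only from one static address and dropped for everyone else, with the rest of the ruleset left alone. The address 203.0.113.10, the chain name PBX_ADMIN and the port list are placeholders I chose for illustration. The script prints the rules by default and only applies them when told to, so they can be reviewed before anything touches the live firewall.

```shell
#!/bin/sh
# Added example, not code from the thread: allow SSH/HTTP/HTTPS only from one
# admin IP using plain iptables. The rules are produced by a function first so
# they can be read (or tested) before they touch the live ruleset.
# ADMIN_IP, CHAIN and PORTS are assumptions chosen for illustration.

ADMIN_IP="${ADMIN_IP:-203.0.113.10}"   # constructed example address (RFC 5737 TEST-NET-3)
CHAIN="${CHAIN:-PBX_ADMIN}"            # own chain: easy to inspect, flush or remove later
PORTS="${PORTS:-22 80 443}"

# valid_ipv4 ADDR: crude dotted-quad (optionally /prefix) check. An empty or
# mistyped ADMIN_IP would otherwise produce a useless ACCEPT followed by a DROP
# for every port, i.e. a self-lockout on a VPS with no console in reach.
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# gen_rules: print the iptables commands, one per line, in apply order.
gen_rules() {
    valid_ipv4 "$ADMIN_IP" || {
        echo "gen_rules: ADMIN_IP '$ADMIN_IP' is not a valid IPv4 address" >&2
        return 1
    }
    # Create the chain if missing, then start it empty so re-runs are idempotent.
    printf 'iptables -N %s 2>/dev/null || true\n' "$CHAIN"
    printf 'iptables -F %s\n' "$CHAIN"
    # Let already-open sessions continue (including the one applying this).
    # Caveat: an attacker's already-open session also survives until it ends.
    printf 'iptables -A %s -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN\n' "$CHAIN"
    # Allow before deny: one ACCEPT per port for the admin address ...
    for p in $PORTS; do
        printf 'iptables -A %s -p tcp --dport %s -s %s -j ACCEPT\n' "$CHAIN" "$p" "$ADMIN_IP"
    done
    # ... then a DROP per port for everyone else. Other traffic (SIP, RTP, ...)
    # falls through this chain untouched and is still governed by the rest of INPUT.
    for p in $PORTS; do
        printf 'iptables -A %s -p tcp --dport %s -j DROP\n' "$CHAIN" "$p"
    done
    # Hook the chain in at the top of INPUT exactly once (-C tests for an existing jump).
    printf 'iptables -C INPUT -j %s 2>/dev/null || iptables -I INPUT 1 -j %s\n' "$CHAIN" "$CHAIN"
}

# Default: just print the rules. 'sh restrict.sh apply' (as root) runs them.
if [ "${1:-print}" = "apply" ]; then
    rules=$(gen_rules) || exit 1
    printf '%s\n' "$rules" | sh -e
else
    gen_rules
fi
```

Two caveats worth stating. This is IPv4 only: if the VPS also has a public IPv6 address, the same three ports stay open over v6 until ip6tables gets equivalent rules. And the format check only catches a garbled address, not a wrong-but-valid one, so have the provider's console or rescue mode ready before applying it. For anyone following dicko's csf route instead, my understanding (not from the thread) is that the same intent is expressed by taking 22, 80 and 443 out of TCP_IN in csf.conf and adding per-port entries of the form tcp|in|d=22|s=203.0.113.10 to csf.allow; check the csf readme for the exact syntax of the version you install.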

Thanks again. I’ll check CSF.

fail2ban > 0.8 will also behoove.
