FreePBX Admin Gui Open SSL Port

I have a question about the security of FreePBX.

It means “never ever make the FreePBX Admin GUI accessible from outside”.

Is it possible to secure the SSL web admin with additional secure credentials (“Basic Auth”) and a Fail2Ban script, to give a customer the ability to change some config from anywhere outside without using a VPN?

Definitely not recommended by anyone who has been doing this for a while. If you configure it the way you stated, you are asking for nothing but trouble.

VPN, or remote into a PC on that local network.

My 2nd idea is doing it with the Responsive Firewall. So I can tell the customer he can access the GUI from everywhere he has at least 1 phone connected.

I'm talking about customers who don't know what a VPN is. I'll just teach them how to change some time groups and extension names. And the EPM. That's it. The PBX is cloud hosted and the customer only has dynamic IPs.

If the PBX is behind a NAT firewall with a static public IP, and you access only from known IP addresses that you whitelist on the firewall, I think it's acceptable to forward ports for HTTPS management to the PBX.
But if you don't whitelist, never forward these ports and expose yourself to brute-force attacks, even with fail2ban running.

I use the FreePBX Firewall. It's a very good firewall. Is it possible to add the HTTPS management into the Responsive Firewall like the RestApps ports etc.?

This should be a way to make it possible for our customers to manage the PBX from their office Internet connection where the phones are.

No, at this time the firewall doesn't. It lets you control what gets opened when someone registers. It only opens SIP and UCP.

It's an open source module, so you can always modify it.

No problem with dynamic IPs. Use a DDNS and add that DDNS name to the firewall's whitelist, and then you're good to go.

Well, that depends, as the firewall can't actually save an FQDN, so it has to keep looking it up, and of course that means a race condition. And that assumes you have access to the network to set up some type of DDNS service.
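Added example, not code from this thread or from FreePBX: a small Python planner for the DDNS re-lookup problem described above. It orders the iptables changes add-before-delete so that the customer's address is never missing from the whitelist during a refresh, and leaves the list untouched when the lookup fails. The chain name admin-https-allow, the hostname and the resolver are assumptions; FreePBX's own firewall module manages its own chains, and the generated commands are only returned, not executed.

```python
import socket
from typing import Callable, List, Set, Tuple

# Assumed custom chain for the admin HTTPS whitelist (not a FreePBX chain).
CHAIN = "admin-https-allow"


def resolve(hostname: str) -> Set[str]:
    """Resolve a DDNS name to its current IPv4 addresses; empty set on failure."""
    try:
        infos = socket.getaddrinfo(hostname, None, socket.AF_INET)
        return {info[4][0] for info in infos}
    except socket.gaierror:
        return set()


def plan_update(current: Set[str], resolved: Set[str]) -> List[str]:
    """Return the iptables commands that move the whitelist from current to resolved.

    New addresses are inserted before stale ones are deleted, so there is no
    window in which no valid address is allowed. If the lookup returned nothing,
    no commands are emitted: a stale whitelist is kept (and logged by the caller)
    rather than silently dropping all admin access on a transient DNS failure.
    """
    if not resolved:
        return []
    cmds = []
    for ip in sorted(resolved - current):
        cmds.append(f"iptables -I {CHAIN} -s {ip} -p tcp --dport 443 -j ACCEPT")
    for ip in sorted(current - resolved):
        cmds.append(f"iptables -D {CHAIN} -s {ip} -p tcp --dport 443 -j ACCEPT")
    return cmds


def refresh(hostname: str, current: Set[str],
            lookup: Callable[[str], Set[str]] = resolve) -> Tuple[Set[str], List[str]]:
    """Resolve hostname and return (new whitelist state, commands to apply)."""
    resolved = lookup(hostname)
    cmds = plan_update(current, resolved)
    # Keep the previous state when resolution failed; it is an explicit choice
    # that the operator should surface in logs rather than treat as success.
    new_state = resolved if resolved else current
    return new_state, cmds
```

Run it from cron with a cached state file; a stale address kept after a failed lookup still means a host that is no longer the customer is allowed, so the failure should be logged and not left unattended.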

I updated Iptables.class.php

	// Known Registrations are allowed to access signalling, UCP, Zulu, and Provisioning ports
	$retarr['fpbxknownreg'][] = array("other" => "-m mark --mark 0x1/0x1", "jump" => "ACCEPT");
	$retarr['fpbxknownreg'][] = array("jump" => "fpbxsvc-ucp");
	$retarr['fpbxknownreg'][] = array("jump" => "fpbxsvc-zulu");
	$retarr['fpbxknownreg'][] = array("jump" => "fpbxsvc-restapps");
	$retarr['fpbxknownreg'][] = array("jump" => "fpbxsvc-restapps_ssl");
	$retarr['fpbxknownreg'][] = array("jump" => "fpbxsvc-provis");
	$retarr['fpbxknownreg'][] = array("jump" => "fpbxsvc-provis_ssl");

	// Added line: also let known registrations reach the HTTPS admin GUI service chain
	$retarr['fpbxknownreg'][] = array("jump" => "fpbxsvc-https");

How can I pass the “Attackers” test so that the firewall will start with the tampered files? I cannot test it :smiley: