I’ve often had problems with FreePBX security, however now after placing my FreePBX behind a hardware firewall at home, I’ve been able to run it pretty securely.
Unfortunately as call demands increase, and my home network is always changing (it’s home after all, right), I’ve come to the conclusion I need a hosted PBX in the cloud (due to external extensions).
I’ve ordered the UK Hosted FreePBX from OPL (authorised FreePBX Partner) and after installing and configuring the responsive firewall, the graph is showing a large number of active calls and the Asterisk logs are giving the usual “Rejecting unknown SIP connection from xxx.xxx.xxx.xxx”.
Intrusion detection is enabled, and the responsive firewall is enabled and configured, why am I seeing these Ghost calls from the off - without any trunks or extensions created yet, and how am I able to get FreePBX secure for hosting in the cloud?
Thanks for any pointers!
What zone is your network interface set to?
Good call Bigbear, this doesn’t look right:
The wizard walks you through and doesn’t recognize it’s a hosted setup. You want to set it to Internet.
Responsive firewall isn’t needed unless you have a lot of remote phones. Just set your home WAN and SIP provider’s IP ranges under Networks as trusted or other.
Yeah, did that but the attempts are still coming through?
This is a clean fresh install of FreePBX so happy to give someone access over slack or messenger to take a look if it’d help contribute to the community (and my) knowledge!
Do you have guest or anonymous sip connections allowed?
Anonymous was off, Guest is on by default. Literally just turned that off now before coming back here to reply! Thanks.
Do you guys have any specific online server providers that can host FreePBX that you’d recommend for good service and support?
The firewall sometimes doesn’t take settings immediately. You can restart from fwconsole or reboot.
Also, as with any firewall, the existing connections will remain in place until the iptables or underlying subsystem is reset.
I would just reload (try a Vultr VM and Twilio or Telnyx SIP trunk since you are in the UK). Vultr has the FreePBX ISO and Telnyx has the easiest setup and interface. Leave responsive firewall off and add your home WAN and Telnyx signal IP range to Networks as trusted.
The responsive firewall will allow attempts to register, but the “ghost calls” mean the firewall settings haven’t taken effect most likely.
I wouldn’t pay more than $5 for a hosted VM. I am not sure if OVH is in the UK but they have a nice $3.50 2GB VM now that works great.
Thanks Bigbear, you’ve really helped solve hours and days of questions in one post!
My active calls are now down to 0. Believe it or not I’ve managed servers for years, and I am relatively technically minded (even with iptables via SSH) however with Asterisk and FreePBX I’ve come to terms with the fact that if you only set up one new PBX server every 4 or 8 years it’s impossible to remember everything you did to secure it!
My next biggest challenge as you’ve rightly pointed out is to choose a provider. I need to open up my system for remote extensions - even mobiles with dynamic IPs, and even dynamic Wireless networks.
OVH isn’t in the UK (not their cheaper Kimsufi servers anyway, just £50+ /month servers). Interesting you’d only budget $5 for a PBX setup though! The lowest I’ve found is around £25 /month at the moment. I’ll check out Telnyx and Vultr now - I am going to want a good network connection over higher resources so want to make the right choice to save this headache again in a few weeks!
Vultr looks amazing. Can you believe I was up until 4am last week trying to get FreePBX to build and work manually on a DigitalOcean instance? It just wasn’t working at all.
I had the same trouble for a couple days so I saw your post and instantly guessed what it was. Lol.
Vultr is great. Just a couple clicks and you’re up. There’s a guy on here that has posted some good guides on MangoLassi.
Unfortunately mobile is not there yet with responsive firewall. You could use a border controller. I have not tried the Bria integration model so it may offer better support. When it was last brought up I saw a couple devastated here discuss how that wasn’t resolved in the initial responsive firewall release.
What do you mean? I don’t have any feature requests or bugs open for firewall at the moment.
Using a mobile app with responsive firewall usually ends with the IP getting blocked whenever registration is quickly lost and regained.
Using my Bria on iPhone for example is useless. As I traverse networks it gets blocked. I really haven’t tried for a few months and I can find and link to a forum discussion where a couple of you guys talked about it but never really fully resolved it (the mobile part).
Occasionally a remote teleworker will get blocked, I assume because they de-registered and registered quickly. I have seen guys discuss this on other forums.
Thanks all for your help. I couldn’t reply on the day as I’d reached my ‘maximum posts’ for that day!
All appears secure now, I VPN onto my private network which provides me with the IP I need to securely connect to administer my box.
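One way to check the point made in the thread, that continued “Rejecting unknown SIP connection from …” lines after a firewall restart mean the settings have not taken effect, is to tally the rejected sources against the trusted networks. This is an added example, not part of the original posts; the log prefix layout, the function name, the sample addresses and the restart timestamp are all assumptions.

```python
import ipaddress
import re
from collections import Counter

# Message text is the one quoted in the thread; the "[timestamp]" prefix
# layout is an assumption about the log format.
REJECT_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\].*Rejecting unknown SIP connection from "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

# Constructed sample log (documentation address ranges, not real hosts).
SAMPLE_LOG = """\
[2024-01-10 09:00:01] NOTICE[2201] chan_sip.c: Rejecting unknown SIP connection from 203.0.113.7
[2024-01-10 09:00:05] NOTICE[2201] chan_sip.c: Rejecting unknown SIP connection from 203.0.113.7
[2024-01-10 09:01:10] NOTICE[2201] chan_sip.c: Rejecting unknown SIP connection from 198.51.100.23
[2024-01-10 09:02:00] VERBOSE[2201] unrelated constructed line
[2024-01-10 09:03:30] NOTICE[2201] chan_sip.c: Rejecting unknown SIP connection from 192.0.2.10
[2024-01-10 09:06:12] NOTICE[2201] chan_sip.c: Rejecting unknown SIP connection from 198.51.100.23
"""


def summarize_rejections(log_text, trusted_cidrs, restart_ts):
    """Split rejected sources into trusted / before restart / after restart."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    before, after, trusted_hits = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        m = REJECT_RE.match(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:  # e.g. 999.1.1.1 matched the loose pattern
            continue
        if any(ip in net for net in trusted):
            trusted_hits[str(ip)] += 1   # trusted host, unknown peer: config issue
        elif m["ts"] < restart_ts:       # fixed-width timestamps sort as strings
            before[str(ip)] += 1
        else:
            after[str(ip)] += 1          # untrusted source still reaching Asterisk
    return before, after, trusted_hits


if __name__ == "__main__":
    before, after, trusted_hits = summarize_rejections(
        SAMPLE_LOG, ["192.0.2.0/28"], "2024-01-10 09:05:00")
    print("before restart:", dict(before))
    print("after restart (firewall not effective):", dict(after))
    print("from trusted networks:", dict(trusted_hits))
```

Any address in the "after restart" tally is an untrusted source that still reaches Asterisk, which points at the interface zone or a firewall that has not reloaded rather than at the PBX configuration.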