FreePBX on Openstack

Following a conversation with Schmooze support, I’m wondering about our current setup and looking for advice. We run a small FreePBX in an Openstack cloud. This works absolutely fine and allows us to host the phone system using enterprise class hardware and in an environment to match. We had to do a bit of work to get the install done but have been rather pleased with our efforts. We had an issue with a Schmooze license, involving a MAC address change when the instance was recreated - hence our need to contact support.

The support team were excellent but added that “but it isn’t something I would do as it is too far out of the box and simply put isn’t something we would ever recommend”

So I’m left wondering about why it’s a bad idea? We get to run the PBX on better quality h/w than we would otherwise do. Am I setting myself up for a fall over something I haven’t thought of? The alternative is to use dedicated hardware and host it in our racks with the other servers but that sounds like an expensive option unless there’s a good reason.

I’m going to be running something very similar actually using VPS cloud deployment of FreePBX. I believe the primary concern here is security since it is not behind a NAT firewall in this method of deployment. When you do lock it down and allow the recommended ports… the system doesn’t seem to fully function. I’m currently investigating why, when I allow TCP 5060 and UDP 10000-20000, outgoing calls have no audio, AND also what ports the Google Voice trunk addon uses, as that disconnects as well when firewall rules are applied.

But by locking everything down with iptables, CSF, and mod security I’d say it’s pretty secure. I’m also only going to allow port 80 administration from certain approved IP addresses as well.

Why allow port 80? At least do https. I always suggest using one of the new SSL web proxies so you can hide the whole topology.

Also, have you looked at the completely pre-configured PBXtended reseller system? We tried rolling our own for years and once we finally decided to pay our time was freed up to take care of our customers and generate new business.

Port 80 was what FreePBX was already set up as per the shell script I ran from stock CentOS so I kept it. However, what I’ve implemented in the firewall so far is that yes 80 is open, but only to a list of IPs from my OpenVPN servers. Also I’ve made .htaccess files that do the same in each web directory in /var/www/html. The web administration is pretty locked down. I’ve also changed the name of the admin account.

As soon as I can figure out all the ports that are needed completely, I can control what is allowed and what is not. Ideally it is quite simple. I am only going to allow communication through the VPN tunnel IPs, and to the SIP provider on pretty much all ports, and block everything else (other than DNS).

I considered reselling, but I’m a bit of a control freak and like everything done the way I want. I’ll keep it simple as much as possible using my own base image of a fully working install with everything done the way I want so I can deploy quickly. I’m not going to be hosting the VPSes myself though, which I could. But that’s just too much work and responsibility…
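The allow-list policy this post describes (VPN tunnel addresses and the SIP provider permitted, DNS allowed out, everything else dropped), sketched as a ruleset generator. This is an added example, not part of the original thread; the addresses are constructed documentation-range values and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: emit an iptables-restore ruleset for a default-drop allow list.
# All addresses used here are constructed (RFC 5737 documentation ranges).

# Succeeds only for dotted-quad IPv4 with an optional /prefix, so nothing
# else can be spliced into the generated rules.
valid_ipv4() {
    printf '%s\n' "$1" |
        grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$' || return 1
    old_ifs=$IFS; IFS=./
    set -- $1                      # split into octets (and prefix, if any)
    IFS=$old_ifs
    for octet in "$1" "$2" "$3" "$4"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# build_rules "<vpn addresses>" "<sip provider addresses>"
# Prints the ruleset on stdout; returns 1 on any malformed address.
build_rules() {
    vpn_list=$1
    sip_list=$2
    for addr in $vpn_list $sip_list; do
        valid_ipv4 "$addr" || { echo "bad address: $addr" >&2; return 1; }
    done
    echo '*filter'
    echo ':INPUT DROP [0:0]'       # default policy: drop anything not matched
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT DROP [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A OUTPUT -o lo -j ACCEPT'
    # Replies to traffic the rules below already permitted.
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    echo '-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    for addr in $vpn_list $sip_list; do
        echo "-A INPUT -s $addr -j ACCEPT"   # all ports, trusted peers only
        echo "-A OUTPUT -d $addr -j ACCEPT"
    done
    echo '-A OUTPUT -p udp --dport 53 -j ACCEPT'   # DNS lookups
    echo '-A OUTPUT -p tcp --dport 53 -j ACCEPT'
    echo 'COMMIT'
}

# Sample run with constructed addresses: two VPN endpoints, one provider range.
build_rules "198.51.100.10 198.51.100.11" "203.0.113.0/24"
```

The output can be checked with `iptables-restore --test` before it is loaded, which catches syntax errors without touching the live ruleset.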

We do host our own as we have been an ISP for years.
PBXtended runs on your own servers so that might not be the right solution for you.

I do offer FreePBX centric hosting and am a Schmooze partner. I would like to chat with you and see if there are any opportunities to work together. Drop me a PM please so we can chat.

Good luck