FreePBX Security Comments and Thoughts

Just joined this forum, but I have been using freepbx for a while. I’d like to see if anyone has any comments about my current setup, which is…

Server with a public IP running FreePBX 2.9 (up to date) on CentOS 5.6.
It has iptables and fail2ban installed and running, allowing only three port ranges: 22 (gotta SSH), 5060-5100, and 15000-16000. I shut down httpd, in addition to not allowing port 80. I also have all of my extensions set to type=peer because of the “bug” with fail2ban.

I haven’t had any problems, but I would like to see what you guys think about that setup to lower my chance of anything happening in the future. The only thing I see would be to whitelist IPs and block the rest, but this would make it significantly more difficult (the phones are behind dynamic IPs).
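To show what the fail2ban half of this setup is actually doing against the Asterisk log, here is an added example written for this thread; it is not code from the original post, from FreePBX or from fail2ban. It re-implements fail2ban's jail logic in a few lines: match the chan_sip "Registration from ... failed for" NOTICE lines (the same failure reasons the stock fail2ban asterisk filter looks for), count them per source host inside a sliding findtime window, honour an ignoreip whitelist, and report which hosts would be banned. The log lines are constructed, the timestamp layout assumes logger.conf uses dateformat=%F %T, and maxretry/findtime are hypothetical values rather than anyone's recommended settings.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of an Asterisk 1.8 full log (FreePBX 2.9 runs on 1.8).
# Timestamp layout assumes logger.conf has dateformat=%F %T.
SAMPLE_LOG = """\
[2012-03-01 10:00:01] NOTICE[2189] chan_sip.c: Registration from '"100" <sip:100@203.0.113.5>' failed for '198.51.100.7:5060' - Wrong password
[2012-03-01 10:00:02] NOTICE[2189] chan_sip.c: Registration from '"101" <sip:101@203.0.113.5>' failed for '198.51.100.7:5060' - No matching peer found
[2012-03-01 10:00:03] NOTICE[2189] chan_sip.c: Registration from '"102" <sip:102@203.0.113.5>' failed for '198.51.100.7:5060' - Wrong password
[2012-03-01 10:00:04] NOTICE[2189] chan_sip.c: Registration from '"103" <sip:103@203.0.113.5>' failed for '198.51.100.7:5060' - Username/auth name mismatch
[2012-03-01 10:00:05] NOTICE[2189] chan_sip.c: Registration from '"104" <sip:104@203.0.113.5>' failed for '198.51.100.7:5060' - Wrong password
[2012-03-01 10:05:00] NOTICE[2189] chan_sip.c: Registration from '"200" <sip:200@203.0.113.5>' failed for '192.0.2.44:5062' - Wrong password
[2012-03-01 10:30:00] NOTICE[2189] chan_sip.c: Registration from '"200" <sip:200@203.0.113.5>' failed for '192.0.2.44:5062' - Wrong password
[2012-03-01 10:30:01] VERBOSE[2189] chan_sip.c:     -- Registered SIP '200' at 192.0.2.44:5062
"""

# Mirrors the failure reasons matched by the fail2ban asterisk filter of that era.
# Asterisk 1.8 appends ':port' to the source address, so it is made optional.
FAILED_REG = re.compile(
    r"^\[(?P<ts>[^\]]+)\] NOTICE\[\d+\] chan_sip\.c: Registration from '.*' "
    r"failed for '(?P<host>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?' - "
    r"(?P<reason>Wrong password|Username/auth name mismatch|No matching peer found|"
    r"Not a local domain|Device does not match ACL|Peer is not supposed to register|"
    r"ACL error \(permit/deny\))$"
)


def parse_failures(log_text):
    """Yield (timestamp, host, reason) for every failed-registration NOTICE line."""
    for line in log_text.splitlines():
        m = FAILED_REG.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            yield ts, m.group("host"), m.group("reason")


def is_ignored(host, ignoreip):
    """True when host falls inside any whitelisted address or CIDR block."""
    addr = ipaddress.ip_address(host)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in ignoreip)


def hosts_to_ban(log_text, maxretry=5, findtime=600, ignoreip=()):
    """Return {host: time_of_ban} for hosts that reach maxretry failures
    within any findtime-second sliding window, the way a fail2ban jail does.
    maxretry/findtime defaults are hypothetical, not recommended values."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(list)
    banned = {}
    for ts, host, _reason in parse_failures(log_text):
        if host in banned or is_ignored(host, ignoreip):
            continue
        # Keep only failures still inside the window, then add this one.
        recent[host] = [t for t in recent[host] if ts - t <= window]
        recent[host].append(ts)
        if len(recent[host]) >= maxretry:
            banned[host] = ts
    return banned


def ban_command(host, chain="INPUT"):
    """The iptables rule a fail2ban action would insert for a banned host."""
    return f"iptables -I {chain} 1 -s {host} -j DROP"


if __name__ == "__main__":
    for host, when in hosts_to_ban(SAMPLE_LOG).items():
        print(f"{when} ban {host}: {ban_command(host)}")
```

Run against the constructed log, 198.51.100.7 trips the threshold at 10:00:05 (five failures in four seconds, regardless of the mix of reasons), while 192.0.2.44 never does: its two failures are 25 minutes apart, so the first has aged out of the 600-second window by the time the second arrives. The ignoreip check is the "whitelist" mentioned above applied only to the ban decision, which is what fail2ban's own ignoreip does, so phones on dynamic IPs can still be protected from bans by whitelisting their provider's ranges without opening the firewall to them.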



I would change the SSH port, set it to not allow root login (su to root instead), and close port 80. You can then use a PuTTY SSH tunnel proxy to access the web interface.

I would change the SIP port. Not sure why people think they always need to run the SIP service on port 5060?
Also, why the port range 5060-5100 when you only need a single port?
Make sure you only allow UDP, as most people who open ports do it for both protocols, UDP and TCP.

It is interesting that people feel you can’t secure SIP. Every carrier, from the largest to the smallest, exposes port 5060 and controls fraud.

We are, relatively speaking, an incredibly small player, and in 5 years we have only lost $3000 US to fraud.

You can secure SIP, you just can’t secure Asterisk :wink: Do you know of a carrier exposing Asterisk to the outside world and processing a decent amount of calls?

No, they use the session border controllers that you bust my balls about all the time.

You can also use OpenSER in this role. Since I still can’t afford an SBC, we are working on a script that looks at registration messages in Asterisk for IAX trunks and then alters the OpenSER routing table to point the DID to the server the PBX registered to.

This would enable crude load balancing with DNS and a group of Asterisk servers behind OpenSER, all running the same config (either, even more crudely, rsync’d, or better, Asterisk Realtime).

I did have an opportunity to look at the Mediatrix SBC at Astricon. It’s not quite as slick as the Acme box but the price point is better.