FreePBX Server Hacked. Was firewalled but port 80 open to the world

This is a very productive thread, in terms of looking at the issue from all sides. One thing I might chime in with, based on past experiences trying to balance security versus convenience: each aspect is inversely proportional to the other.

Whenever I have an internal server that I need to make public, I carefully look at the use case before publishing it. If it only needs to be accessed by certain networks, I only allow those IP subnets for inbound. In this FreePBX scenario, what would be the suggested model?

I’m assuming you open up TCP port 80 inbound just for those work-related IP subnets that would need to access it, then open up just the inbound TCP/UDP port ranges that connect from the SIP trunking provider’s IP subnet, as well as from work-related networks that might have SIP devices.

That should suffice, right? As long as you have a good firewall/router that serves its purpose, then doing this should help work around any potential Apache flaws that exist, correct?

Also, a side note to the OP: I took a peek at your profile on here and see you appear to have been hit with a possible hack a couple of years back --> "AsteriskNOW Hacked no sign of hacker". Regardless of the exploit vector that will hopefully be discovered and patched in the future, it would definitely point to a need to proactively look at locking things down. One hit should be enough! :smile:
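
The allowlist model asked about in the post above, written out as an nftables ruleset. This is an added example, not part of the original post and not FreePBX's own firewall configuration. Assumptions: the rules run on the PBX host itself, the host is IPv4-only, SIP and RTP use the stock Asterisk ports (5060 and 10000-20000), SSH is the management channel, and every address is a documentation-range placeholder to be replaced with the real work and trunk-provider subnets.

```nft
#!/usr/sbin/nft -f
# Added example: inbound allowlist for a FreePBX host.
# All subnets below are placeholders (RFC 5737 documentation ranges).

define WORK_NETS  = { 192.0.2.0/24, 198.51.100.0/24 }  # placeholder: work-related subnets
define TRUNK_NETS = { 203.0.113.0/28 }                 # placeholder: SIP trunk provider
define SIP_PORT   = 5060                               # assumed stock SIP port
define RTP_PORTS  = 10000-20000                        # assumed stock RTP range

# Recreate only this table so other tables (e.g. fail2ban's) are left alone.
table inet pbx_filter
delete table inet pbx_filter

table inet pbx_filter {
    chain input {
        # Default deny: anything not matched below is dropped.
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # Web GUI (port 80): work subnets only, never the whole Internet.
        ip saddr $WORK_NETS tcp dport 80 accept

        # Management access (assumption: SSH on 22), work subnets only.
        ip saddr $WORK_NETS tcp dport 22 accept

        # SIP signalling from the trunk provider and from work-site SIP devices.
        ip saddr { $WORK_NETS, $TRUNK_NETS } udp dport $SIP_PORT accept
        ip saddr { $WORK_NETS, $TRUNK_NETS } tcp dport $SIP_PORT accept

        # RTP media from the same sources.
        ip saddr { $WORK_NETS, $TRUNK_NETS } udp dport $RTP_PORTS accept

        # Rate-limited log of refused web requests, so probing of the GUI
        # from outside the allowlist is visible in the kernel log.
        tcp dport 80 limit rate 10/minute log prefix "pbx-http-denied " drop
    }
}
```

The allowlist narrows who can reach Apache at all; hosts inside the permitted subnets still reach it, so patching the web stack remains necessary.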