How do you protect FreePBX from malicious activities?

I was told that hackers target FreePBX systems, and to take caution. So I set up a system and left it on a DMZ for 8 hours. When I logged in to SSH after 8 hours, I got a message saying that there were 85000 failed login attempts.

So how do you guys protect your internet-connected FreePBX systems?

I can confirm they target Asterisk systems, and how you secure it is by locking down ports and requiring provisioning authentication. I’d suggest over-securing everything even if it adds a little difficulty.

The new firewall that comes with the distro is badly documented and takes a while to learn all the quirks, but it works very well with FreePBX, is quite powerful, and is easy to adjust on the fly (once you know what to do). I’ve been getting it working to its full extent, and it along with sysadmin keeps the system very secure.

Any tips you can provide from your experience with it?

Unplug it.

Realistically there is no absolute way to protect any device that is powered on. Just follow basic common sense security:

- Firewall with a whitelist of people with external access OR no external access
- Use secure passwords for SIP accounts and other items
- Don’t allow anonymous callers
- KEEP YOUR SYSTEM UP TO DATE

Whenever there is an exploit released for Asterisk or FreePBX they usually go through a responsible disclosure process. This means we get time to fix the exploit before it is released into the wild. If you stay up to date you will be safe from most public exploits.


+1 for jfinstrom’s answer.

VoIP systems are a very big target worldwide.

- Make sure all your passwords are strong, like the root account for SSH, phone registration passwords, provisioning, FreePBX admin account, FreePBX user accounts, voicemail passwords, admin passwords for your physical phones, PBX authentication to your VoIP provider, admin account for your VoIP provider…
- If you can, don’t allow ANY port forwarding to your PBX. I believe an IAX2 trunk is better at this than a SIP trunk. If you must allow incoming connections, try using IP whitelisting or requiring a VPN.
- My VoIP provider, voip.ms, lets me configure LOTS of things related to security. I can block calls to/from countries, set time limits, pre-pay an account balance, get email notifications about dozens of things, whitelist an IP for my FreePBX, etc. Fully investigate every option you can find on your VoIP provider’s website.

Even with the elided caveat, the first step in securing the system is to use the firewall that’s built into the system.
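
To see how much of the failed-login noise described in the first post an IP whitelist would have stopped, the following added example (not part of the thread and not FreePBX code) tallies failed SSH logins by source address and splits them against an allowlist. The log lines, the `ALLOWED_NETS` value and the function names are constructed for illustration; the line format assumed is the usual OpenSSH `Failed password` message.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the usual OpenSSH sshd log format (not from the thread).
SAMPLE_LOG = """\
Jan 10 03:12:45 pbx sshd[1234]: Failed password for root from 203.0.113.5 port 51234 ssh2
Jan 10 03:12:47 pbx sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
Jan 10 03:12:49 pbx sshd[1240]: Failed password for invalid user pbx from 198.51.100.77 port 40022 ssh2
Jan 10 03:13:01 pbx sshd[1251]: Failed password for root from 192.0.2.10 port 50100 ssh2
Jan 10 03:13:05 pbx sshd[1251]: Accepted password for root from 192.0.2.10 port 50102 ssh2
Jan 10 03:13:09 pbx sshd[1260]: Failed password for root from 203.0.113.5 port 51300 ssh2
"""

# Hypothetical allowlist: the only networks that should ever reach SSH on the PBX.
ALLOWED_NETS = [ipaddress.ip_network("192.0.2.0/24")]

FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+"
)

def is_allowed(addr, nets=ALLOWED_NETS):
    """True if addr falls inside one of the allowlisted networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)

def summarize_failures(log_text, nets=ALLOWED_NETS):
    """Return (failures per outside IP, failures per allowlisted IP, usernames tried)."""
    outside, inside, users = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        user, addr = m.groups()
        try:
            allowed = is_allowed(addr, nets)
        except ValueError:
            continue  # source was logged as a hostname, not an IP literal
        (inside if allowed else outside)[addr] += 1
        users[user] += 1
    return outside, inside, users

if __name__ == "__main__":
    outside, inside, users = summarize_failures(SAMPLE_LOG)
    for addr, n in outside.most_common():
        print(f"outside allowlist: {addr} failed {n}x (a whitelist firewall drops these)")
    for addr, n in inside.most_common():
        print(f"inside allowlist:  {addr} failed {n}x (check password hygiene)")
    print("usernames tried:", dict(users))
```

Failures from outside the allowlist never reach sshd once the firewall whitelist is in place; failures from inside it are the ones worth investigating by hand.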