What are the best practices for securely allowing remote access to FreePBX for both admins and remote extensions—without exposing the system to common VoIP attacks?
I asked this before and was basically told that the responsive firewall is secure, and not to worry about it. Securing FreePBX 17 while allowing access from the open internet
I’ve always used DDNS and whitelisted the URL for each of us. Maybe it’s not the best way to do it, but it (I think it should, anyway) only allows us and anywhere there’s a phone registered to hit the admin console.
Many devices support OpenVPN, which may be the best route. There are other ways to VPN too, but they are typically not supported by phone hardware. With Windows, Linux and Mac you can use something like WireGuard, and Cloudflare has a solution as well.
In general, your PBX should be isolated completely from the outside and only poke holes for what you need. The firewall module attempts to make this more flexible by auto-whitelisting addresses on registration, etc. This is by no means a perfect process and may not catch everything. A combination of good firewall rules and a really overzealous fail2ban configuration can allow some flexibility. At a minimum I would close off the web UI to the outside world. You can open UCP on a separate port. For the admin interface, you can use reverse SSH as a proxy or again use VPN to access it.
Further, any service can be isolated by using your reverse proxy to only allow connections from an arbitrary ‘name’ that can be publicly certified but only accepted on such a ‘separate port’ before the connection is allowed.
For SIP REGISTER/INVITEs, Fail2ban jails can be written to do other than deny UDP:5060, but only allowing TLS as a transport (on similarly obscure certs as above) will make you think: WTF, didn’t anybody suggest that before?
I’m assuming you’re referring to the latest vulnerability, and I share your concern.
Your question is not easy to answer: while you can combine certain techniques to obfuscate your presence on the internet, these won’t protect you against application-level vulnerabilities or targeted attacks.
The best option might be to use a WAF - although, as you know, it’s not a perfect solution.
Another alternative might be using mTLS, but this brings a lot of operational costs.
Besides only using VPN, being an admin, I was thinking of buying a dedicated VPN IP and whitelisting this. Further, so far we don’t have users that are using their mobiles (and changing IPs) to make calls over the PBX. All the offices have a fixed IP we can whitelist, and furthermore, all (Yealink) phones are using OpenVPN to connect to the server.
Hi, I would always prefer to use the firewall module and responsive firewall of FreePBX and whitelist only known IPs, preferably VPN and static office IPs. Also make sure to keep fail2ban / intrusion detection active to ban SIP scanners, disable HTTP, and allow SSH access only from known IPs; it would be even better if you change the default ports.
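Two posts above lean on fail2ban jails against SIP scanners (the one about REGISTER/INVITE jails and the one about keeping fail2ban active with a whitelist). The following is an added example, not code from this thread or from the FreePBX/fail2ban projects: it replays the jail logic offline over Asterisk-style security events so you can see exactly which peers a given `maxretry` / `findtime` / `ignoreip` combination would ban. The log layout is modelled on Asterisk’s security logger (an assumption about field order; the regex is tolerant of extra fields), and every sample line is constructed, not captured from a real PBX.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# Event names Asterisk's security logger emits for failed SIP authentication
# and ACL checks; fail2ban's stock "asterisk" filter keys on the same set.
FAILURE_EVENTS = {"InvalidAccountID", "InvalidPassword",
                  "ChallengeResponseFailed", "FailedACL"}

# Log prefix, event name and the remote peer's address. Transport-agnostic,
# so TLS and WebSocket registrations are covered as well as UDP.
LINE_RE = re.compile(
    r'^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\] SECURITY\[\d+\] \S+: '
    r'SecurityEvent="(?P<event>[^"]+)".*?'
    r'RemoteAddress="IPV[46]/(?:UDP|TCP|TLS|WS|WSS)/(?P<ip>[^/]+)/\d+"'
)


def _line(ts, event, ip):
    """Build one constructed log line in the layout LINE_RE expects (assumed format)."""
    return (f'[{ts}] SECURITY[2140] res_security_log.c: SecurityEvent="{event}",'
            f'Service="SIP",EventVersion="1",AccountID="100",'
            f'LocalAddress="IPV4/UDP/10.0.0.5/5060",RemoteAddress="IPV4/UDP/{ip}/5060"')


# Constructed sample events (not from a real system), in time order.
SAMPLE_LOG = "\n".join(_line(*e) for e in [
    # slow scanner: one failure every 15 minutes, never 5 inside a 600 s window
    ("2024-05-01 09:00:00", "InvalidPassword", "198.51.100.9"),
    ("2024-05-01 09:15:00", "InvalidPassword", "198.51.100.9"),
    ("2024-05-01 09:30:00", "InvalidPassword", "198.51.100.9"),
    ("2024-05-01 09:45:00", "InvalidPassword", "198.51.100.9"),
    # whitelisted office address mistyping a password: must never be banned
    ("2024-05-01 09:50:00", "InvalidPassword", "192.0.2.20"),
    ("2024-05-01 09:50:10", "InvalidPassword", "192.0.2.20"),
    ("2024-05-01 09:50:20", "InvalidPassword", "192.0.2.20"),
    ("2024-05-01 09:50:30", "InvalidPassword", "192.0.2.20"),
    ("2024-05-01 09:50:40", "InvalidPassword", "192.0.2.20"),
    ("2024-05-01 10:00:00", "InvalidPassword", "198.51.100.9"),
    # fast scanner: five failures in 19 seconds
    ("2024-05-01 10:00:01", "InvalidAccountID", "203.0.113.7"),
    ("2024-05-01 10:00:05", "InvalidPassword", "203.0.113.7"),
    ("2024-05-01 10:00:09", "ChallengeResponseFailed", "203.0.113.7"),
    ("2024-05-01 10:00:14", "InvalidPassword", "203.0.113.7"),
    ("2024-05-01 10:00:20", "InvalidPassword", "203.0.113.7"),
    # a legitimate registration: not a failure event, so never counted
    ("2024-05-01 10:00:30", "SuccessfulAuth", "10.0.0.22"),
])


def parse_event(line):
    """Return {'ts', 'event', 'ip'} for a security log line, or None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "event": m["event"], "ip": m["ip"]}


def is_ignored(ip, nets):
    """True if ip falls inside any whitelisted network (fail2ban's ignoreip)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def find_bans(log_text, maxretry=5, findtime=600, ignore_nets=()):
    """Replay the log and return {ip: ban_time} for peers that reached maxretry
    failures within any findtime-second window, skipping whitelisted networks."""
    nets = [ipaddress.ip_network(n) for n in ignore_nets]
    recent = defaultdict(deque)   # ip -> timestamps of failures still in window
    bans = {}
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None or ev["event"] not in FAILURE_EVENTS:
            continue
        ip = ev["ip"]
        if ip in bans or is_ignored(ip, nets):
            continue
        window = recent[ip]
        window.append(ev["ts"])
        # forget failures older than findtime relative to this one
        while (ev["ts"] - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:
            bans[ip] = ev["ts"]
    return bans


if __name__ == "__main__":
    for ip, ts in find_bans(SAMPLE_LOG, ignore_nets=("10.0.0.0/8", "192.0.2.0/24")).items():
        print(f"{ip} banned at {ts:%H:%M:%S}")
```

With the defaults and the office subnet whitelisted, only the fast scanner is banned; the slow scanner never gets five failures inside one window, which is exactly why a jail that is "overzealous" in the sense of a long `findtime` (hours rather than minutes) is worth it on a PBX, where legitimate peers rarely fail authentication repeatedly. Run `find_bans` with a longer window to see the slow scanner caught as well.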
Yes, the bastion host.
Put aside ARP spoofing and BGP hijacks.
Have you considered only accepting connections to ‘certified DNS entities’ and dropping connections to just ‘bare IPs’?