My previous post [How-to] Install Freepbx distro (with commercial modules) on Google (cloud) Compute Engine used CloudEndure to import the VM image, which is now deprecated (see Migrate to Virtual Machines documentation | Google Cloud).
I believe this method is easier and considers VM security / privacy during installation.
- Download FreePBX from https://www.freepbx.org/downloads/freepbx-distro/
- Download and install VirtualBox https://www.virtualbox.org/wiki/Downloads
- Create new virtual Machine:
- Name:
- Type: Linux
- Version: Other Linux (64 bit)
- Set memory
- Create virtual hard drive now
- VHD
- Fixed size
- Set the size (I recommend at least 30 G)
- Select the VM, go to Settings >> Network >> Enable Network Adapter >> Attached to: NAT (not sure if it makes a difference, but now PJSIP extensions seem to work)
- Select (attach) the ISO and click Start
- Accept the default configuration (or Enter, Enter, Enter)
- Wait for the installation to finish (you may also set the root password while the installation is running)
- Reboot. Then shut down and remove the ISO.
- While the VM is selected and Powered Off, go to Settings > Storage and release the ISO
- Go to console.cloud.google.com and create your first Project.
- Go to Storage. Create a Bucket and upload the VirtualBox VHD. This can take up to a few hours (continue with the next steps in the meantime).
- Go to Compute Engine and create a VM instance of your choice (it will be deleted) and select both checkboxes Allow HTTP traffic and Allow HTTPS traffic.
- Delete the just-created VM instance.
- Go to VPC network >> Firewall rules. Restrict all rules with 0.0.0.0/0 to your trusted IPs by clicking on the rule, then clicking Edit. Change Source IP ranges to your trusted IPs.
- Create a new Firewall Rule (sip). Under Target tags, type a tag name, e.g. sip. Under Specified protocols and ports enter udp:5060; udp:5160; udp:10000-20000 (assuming default FreePBX settings). Under Source IP ranges, enter 0.0.0.0/0 (or a restricted range: your site(s), phones and SIP provider), then click Save.
- Once upload is done, go to Images, Create an Image
- Name
- Source: Virtual disk (VMDK,VHD)
- Cloud Storage file: (select the uploaded VHD)
- Operating system on virtual disk: CentOS 7
- Install guest packages: Checked
- Location: Select the zone best for your need
- Create (may take 1-2 hours)
- You will get an error (click OK). Go to Disks; if things worked, you will see the disk there. From the three dots, create an instance.
- By default only GCP key-based SSH login is enabled, but the SSH firewall rule needs to be open to all IPs (0.0.0.0/0) for the browser SSH console. To log in from your preferred terminal you will need to either allow root login or create a sudo user.
- Go back to the firewall and change the SSH rule to allow 0.0.0.0/0, then save.
- Go to the GCP VM instance and click on SSH. The browser console logs you in as a non-root user, so the commands below use sudo:
- sudo useradd example_user
- sudo passwd example_user
- sudo usermod -aG wheel example_user
- sudo passwd root
- If you want root login, edit /etc/ssh/sshd_config to allow root login (the PermitRootLogin directive)
- Make sure to restrict SSH back to your trusted IPs
- Test that root / example_user logins are working.
- Go to VPC network > External IP addresses. For your instance, change the Type from Ephemeral to Static. Give it a name, e.g. mypbx. Click RESERVE.
- Go back to Compute Engine > VM instances. Select your instance, click EDIT. Under Network tags add sip or whatever tag you chose above. Click Save.
- Create a snapshot
- Go to your assigned external IP and start configuring your FreePBX
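Because several steps above temporarily open rules to 0.0.0.0/0 (SSH for the browser console, HTTP/HTTPS from the throwaway instance) and only the sip rule is meant to stay world-reachable, here is an added audit script, not part of the original post, that reads the JSON shape of `gcloud compute firewall-rules list --format=json` and reports any rule still exposing unexpected ports to the Internet. The rule list below is constructed for illustration and the rule names are assumed.

```python
"""Audit GCP firewall rules for the FreePBX-on-GCE setup described above.

Input is the JSON shape produced by `gcloud compute firewall-rules list --format=json`
(name, direction, sourceRanges, allowed[{IPProtocol, ports}], targetTags).
The sample rules are constructed for this example; rule names are assumptions.
"""
import json

# Ports the post intentionally leaves open to the world (default FreePBX SIP/RTP).
EXPECTED_PUBLIC = {("udp", 5060), ("udp", 5160)} | {("udp", p) for p in range(10000, 20001)}
WORLD = {"0.0.0.0/0", "::/0"}

SAMPLE_RULES = json.loads("""[
 {"name": "default-allow-ssh", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
  "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
 {"name": "default-allow-https", "direction": "INGRESS", "sourceRanges": ["203.0.113.10/32"],
  "allowed": [{"IPProtocol": "tcp", "ports": ["443"]}], "targetTags": ["https-server"]},
 {"name": "sip", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
  "allowed": [{"IPProtocol": "udp", "ports": ["5060", "5160", "10000-20000"]}], "targetTags": ["sip"]}
]""")

def expand_ports(spec):
    """'5060' -> {5060}; '10000-20000' -> {10000, ..., 20000}."""
    lo, _, hi = spec.partition("-")
    return set(range(int(lo), int(hi or lo) + 1))

def public_ports(rule):
    """Return the (protocol, port) pairs an ingress rule opens to the whole Internet."""
    if rule.get("direction", "INGRESS") != "INGRESS":
        return set()
    if not WORLD & set(rule.get("sourceRanges", [])):
        return set()
    pairs = set()
    for allow in rule.get("allowed", []):
        proto = allow["IPProtocol"].lower()
        for spec in allow.get("ports", ["0-65535"]):  # no 'ports' key means every port
            pairs |= {(proto, p) for p in expand_ports(spec)}
    return pairs

def find_unexpected_exposure(rules, expected=EXPECTED_PUBLIC):
    """Map rule name -> first few unexpected (proto, port) pairs reachable from 0.0.0.0/0."""
    findings = {}
    for rule in rules:
        extra = public_ports(rule) - expected
        if extra:
            findings[rule["name"]] = sorted(extra)[:5]
    return findings

if __name__ == "__main__":
    for name, ports in find_unexpected_exposure(SAMPLE_RULES).items():
        print(f"{name}: open to the world on {ports} - restrict Source IP ranges")
```

Run it against the real output after the SSH rule has been restricted again; an empty result means only the sip rule is still reachable from 0.0.0.0/0.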
Additionally I recommend:
- Set up Fail2ban, the FreePBX Responsive Firewall, HTTPS (and the FreePBX VPN).
- Whitelist your IPs in Fail2ban and the Firewall.
- Set email notifications for when updates are available.
- If you have HTTPS set up, consider an HTTP >> HTTPS redirect (mod_rewrite is loaded by default on the CentOS 7 httpd; restart httpd after saving):
nano /etc/httpd/conf.d/redirect-443.conf

```apache
# Catch-all port 80 vhost that permanently redirects every request to HTTPS.
# Replace mydomainname.com with the hostname your FreePBX certificate is issued for.
<VirtualHost _default_:80>
    ServerName mydomainname.com:443
    ServerAlias mydomainname.com
    ServerSignature Off
    RewriteEngine On
    # Keep the requested path/query; NE avoids double-escaping, END stops further rewriting
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
    ErrorLog /var/log/httpd/redirect.error.log
    LogLevel warn
</VirtualHost>
```
- Monitor access to your server; see [HOW-TO] Monitor and Set Email Alert For Unauthorized Access to FreePBX (Centos) Server
- Logwatch (works best on a new install).
- Tripwire (works best on a new install).
- If you are planning to use cell phones, I recommend setting up your own OpenVPN server, whitelisting its IP in the Firewall rules, and installing the OpenVPN app on the phones.
- Make sure Allow Anonymous Inbound SIP Calls and Allow SIP Guests are set to No (Asterisk SIP Settings >> Security Settings).
- Make sure to disable unused Feature Codes (Admin >> Feature Code), with attention to In-Call Transfers.
- Make sure to blacklist offending IP addresses. Go to Firewall > Services > Blacklist > Add IP there.
- If you are not planning to make international calls, create a restricted outbound route (see the Sangoma Documentation).
Backup and Restore:
- Backups are best done through Snapshots, either manually or on a scheduled basis.
- In order to keep your commercial modules, the restored boot disk needs to be attached to the original VM so the Zend ID / Deployment ID stays the same.
- Click on the Snapshot >> Create an instance. Try to keep the Region, Zone, Machine configuration, and Boot Disk type the same as the original VM.
- After the new machine is created, go back to the new VM and turn it off >> Click Edit >> detach the Boot Disk by clicking on the x sign next to the Boot Disk.
- Go to the original VM, turn it off, and detach its Boot Disk by clicking on the x sign next to the boot disk >> then click Add item and choose the disk just created >> Save >> Start the machine. You should have the same Zend ID / Deployment ID and all your modules.
My workflow is as follows: When I restricted GCP to my trusted IPs with Fail2ban, FreePBX Responsive Firewall, HTTPS (and FreePBX VPN), I did not have issues with people accessing my server. From time to time, I may need to allow 0.0.0.0/0. That is when I see the access script working. I will then disallow 0.0.0.0/0, block the suspicious IP inside FreePBX, and delete the suspicious IP from the logs to keep my logs ready to record any suspicious IP (including the blocked ones).
Logwatch is a neat way to look at when and who (user/IP) entered the server. I think it will also tell if a USB device was connected to the server. Tripwire will tell me if any file was added, deleted or modified. I review Logwatch and Tripwire from time to time and whenever I get an email alert about potential access. Logwatch and Tripwire can be set up to send daily emails if you do not mind alert fatigue and are planning to read them.
Enjoy. Do not forget to claim your $300 GCP credits.