Hey All,
@wmoon wrote a quick blog post on a few general best practices and tips for security in FreePBX. Feel free to check it out and discuss at https://www.freepbx.org/a-secure-freepbx-is-a-happy-freepbx/
Best wishes,
Matthew Fredrickson
I would also suggest a few more:-
How does one block everything with the firewall, as suggested in your blog? I copiously use the blacklist.
You are doing something wrong; properly configured, the firewall is deny by default. Check out this vid: Open Source Pro Tips #2 - Firewall Basics
I don't understand. I see lots of attempts from IP addresses in my log file, I see lots of times where fail2ban detects and blocks people trying to hack the system. I add them to the blacklist and the problem goes away. They never actually get through to my system (as far as I know). The other day, there was a bug in the firewall that caused it to drop, and let me tell you, fail2ban had a busy 2 days. btw, I don't think I have anything set up incorrectly, but there are always better ways of doing things.
(one might quibble that the "firewall" is open source. It won't install on anything without "sysadmin", and sysadmin is closed source and at this point in time only available on some hardware and one OS. If you've got a Raspberry or not the Sangoma version of Red Hat, you're kinda SOOL. If there is a way to install it outside "the distro" I would try it again.)
Left one thing out:
@GeekBoy, that's a biggie, don't even think of using that without putting it in an "ipset."
They do have a guide on using it, as well as scripts.
Several soft firewalls have it seamlessly "embedded" as an ipset option (at about 92k, don't even think of using iptables).
(but off the reservation here though)
Having spent some time with the module fixing the LetsEncrypt issues, it could be stripped of sysadmin dependencies in an afternoon and likely made Debian compatible in another (and then a week's testing trying to break it). The issue is how to do it "securely" within the current framework.
From a "Sangoma corporate" perspective, I can see them wanting at least the lip service Zend Guard/sysadmin provides as a security claim.
The biggest issue with the firewall module architecture/code/error handling is that if something goes wrong it's likely to crap out completely and leave the system wide open, just as it did with the LetsEncrypt errors (or I guess technically still does until edge is pushed to release).
In security features, I suggest the capability to block/enable by GeoIP. My scenario: I only need connections from US and CR. Filtering to only users from these 2 countries minimizes the attack surface enormously. I recommend looking at the UI for this in Issabel PBX.
This is a big one if your PBX is in the cloud or you have a lot of remote employees (COVID, anyone?). We recommend using 65### ports across the board for SIP/PJSIP. A LOT of home ISPs block the normal 5### SIP port ranges, so this squashes two concerns in one. (AT&T, for example, can legit kiss my a** with their port blocks, because they also intercept AND respond to DNS 1.1.1.1 and other shady BS)
Hi!
I use Fail2ban on the FreePBX computer paired with pfBlockerNG-devel on a pfSense APU (as firewall).
Fail2ban on the Asterisk machine collects banned IPs and keeps them for 2 hours, so the CPU dedicated to log management is not too heavy.
An hourly cron gets the new IPs collected from the past hour and adds them to a dedicated blacklist in the pfBlockerNG-devel files on the pfSense.
pfBlockerNG-devel is also set to use GeoIP filters and DNSBL lists.
Sometimes, I manually check the banned IP entries and find that some foreign networks make so many attempts to enter my system, all the time, that I created a second blacklist file where I put entire networks… Something like
5.62.40.0/23 # (03/09/2019) (5.62.40.0 - 5.62.41.255) Privax LTD AVAST cloud London
5.183.92.0/22 # (19/02/2020) (5.183.92.0 - 5.183.93.255) NetProtect-Germany-Frankfurt - Dallas United States
23.94.0.0/15 # (20/10/2019) (23.94.0.0 - 23.95.255.255) CC-16 ColoCrossing Buffalo NY US
23.249.160.0/20 # (20/10/2019) (23.249.160.0 - 23.249.175.255) NET3-INC Buffalo NY US
Those settings put all the load on the pfSense device and have protected my FreePBX system for a few years now, despite the fact that TCP/5060 is open because I use it to remotely connect with my mobile phone using VoIP.
Laurent.
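The hourly export Laurent describes, as an added example that is not code from the thread: it parses fail2ban's ban lines (constructed sample below), picks the addresses banned in the last window for the pfBlockerNG blacklist, and also flags /24 networks with several banned hosts as candidates for the hand-curated whole-network list. Jail name, timestamps and addresses are made up for the example.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of fail2ban log lines (same layout as fail2ban's own log;
# documentation-range addresses and made-up times, not real bans).
SAMPLE_LOG = """\
2020-03-01 10:02:11,301 fail2ban.actions [812]: NOTICE [asterisk] Ban 203.0.113.7
2020-03-01 10:05:43,118 fail2ban.actions [812]: NOTICE [asterisk] Ban 203.0.113.9
2020-03-01 10:17:02,907 fail2ban.actions [812]: NOTICE [asterisk] Ban 198.51.100.22
2020-03-01 10:31:55,440 fail2ban.actions [812]: NOTICE [asterisk] Ban 203.0.113.40
2020-03-01 10:44:09,002 fail2ban.actions [812]: NOTICE [asterisk] Unban 203.0.113.7
2020-03-01 10:58:31,777 fail2ban.actions [812]: NOTICE [asterisk] Ban 203.0.113.7
"""

BAN_RE = re.compile(r"^(\S+ \S+) fail2ban\.actions\s+\[\d+\]: NOTICE\s+\[(\S+)\] Ban (\S+)$")


def parse_bans(log_text):
    """Return (timestamp, jail, ip) for every Ban line; Unban lines are skipped."""
    bans = []
    for line in log_text.splitlines():
        m = BAN_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S,%f")
        bans.append((ts, m.group(2), ipaddress.ip_address(m.group(3))))
    return bans


def banned_since(bans, since):
    """Distinct addresses banned at or after `since` (the hourly cron window)."""
    return sorted({ip for ts, _, ip in bans if ts >= since})


def noisy_networks(bans, prefix=24, min_hosts=2):
    """Networks with at least `min_hosts` distinct banned hosts: candidates
    for the whole-network blacklist file rather than one entry per host."""
    hosts = defaultdict(set)
    for _, _, ip in bans:
        hosts[ipaddress.ip_network(f"{ip}/{prefix}", strict=False)].add(ip)
    return sorted(n for n, h in hosts.items() if len(h) >= min_hosts)


def render_blacklist(addresses, date, note):
    """One `addr # (dd/mm/yyyy) note` line per entry, the layout used in the post."""
    return [f"{a} # ({date}) {note}" for a in addresses]


if __name__ == "__main__":
    bans = parse_bans(SAMPLE_LOG)
    print("\n".join(render_blacklist(noisy_networks(bans), "01/03/2020", "repeat offenders")))
```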
Been there, done that; that DOES NOT WORK in some environments. In my case, running port forwarding of SIP from the outside to a machine on the inside through a Cisco enterprise router. Calls simply were not reliable unless port 5060 was used. Even when following the suggested port forward examples for SIP that various Cisco fanboys swore worked for them on Cisco forums.
Nonstandard ports have their uses, but you should ALWAYS get it running with as vanilla a config as possible. Start with 5060 and everything else open. Get it working. Then start locking it down one item at a time, testing in between each item.
AND LASTLY AND MOST IMPORTANT THAT YOU FORGOT - BACKUP BACKUP BACKUP AND DOCUMENT DOCUMENT DOCUMENT AS YOU GO.
Port forwarding through Cisco's IOS works reliably unless you have any Application Level Gateway enabled in the way (Cisco/DPI). At least in my own experience (more than a few).
If you do have such a thing, disable the bugger:
Log onto the router's terminal (command line interface) via telnet, SSH or serial console
enable
configure terminal
no ip nat service sip udp port 5060
For TCP, also run: no ip nat service sip tcp port 5060
But I am not really suggesting "forwarding" 5060; I am suggesting just NOT USING UDP/5060. Forward the "port of your choice" through your router, be that Cisco, Ubiquiti, Netgear, TP-Link, whatever, if NAT'ed. . .
( I did not forget backups because I consider the lack of that a big DUH!!)
That was the first thing I tried. In fact, the general advice for port forwarding SIP on a port other than 5060 is to disable that. It does not work. At least not on IOS 12.4.25g with my version of FreePBX and with various softphones I tested. Also TCP did not work reliably no matter what.
I am not saying Cisco never fixed this. But Cisco is very well known for having bugs languish, unrepaired, for many years. And it is also important to understand that Cisco's IOS code varies from device to device. IOS 12.4.25 doesn't work exactly the same on all devices. Back "in the day" when it was a lot easier to get lists of bugs of various releases, it was common for bugs to be both version- and hardware-specific. I am quite sure you have got it working on a non-standard port. I'm also quite sure if you encountered the identical hardware as I am using you would not get it working on a non-standard port with IOS 12.4.
We have an old saying in the go-fast auto hobby arena. Tune from the baseline. That is, start with stock and tune it first then dyno, before bolting on any go-fast parts. You would be amazed at how much garbage is sold to make cars go-fast that makes them go slow. Like fart cans.
Before tinkering for "security", make sure it's working perfectly with the defaults. That way, when you do something off your or anyone else's "list" and things break, you know where the problem is. If you try to start out with all the security enabled, you will shoot yourself in the foot. Start out stock, then once it's working add in the stuff. Not the other way around.
I would take that to the Cisco forums more forcefully, I personally do not have any of your problems over many Cisco routers.
Port forwarding any port or range on any protocol just works for me. (maybe I just got "lucky" hardware devices)
(Best way to make your models go faster is to add a "go faster stripe" to your engine hood. It worked for Ecurie Ecosse in the '50s)
I would love to see some kind of microservice API for controlling the firewall rules and fail2ban black/white lists. To make it secure, I believe it can be locked down to only perform a specific segment of commands and bind to localhost so it wouldn't be publicly facing.
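A sketch of the locked-down local API proposed above, added here as an example and not something FreePBX ships: every request is mapped onto exactly one allowlisted fail2ban-client invocation (ban or unban of a validated address in one jail), and the server binds to loopback only. The jail name "asterisk", the port 8765 and fail2ban-client being on PATH are assumptions for the example.

```python
import ipaddress
import json
import subprocess
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumptions for this example: the fail2ban jail is named "asterisk" and
# fail2ban-client is on PATH. Only these two actions can ever be issued.
JAIL = "asterisk"
ALLOWED_ACTIONS = {"ban": "banip", "unban": "unbanip"}


def build_command(action, address):
    """Map a request onto one allowed fail2ban-client argv (no shell involved).
    Raises ValueError for an action outside the allowlist or a malformed IP,
    so request text never reaches the command line unvalidated."""
    if action not in ALLOWED_ACTIONS:
        raise ValueError(f"action not allowed: {action!r}")
    ip = ipaddress.ip_address(address)  # raises ValueError on anything but an IP
    return ["fail2ban-client", "set", JAIL, ALLOWED_ACTIONS[action], str(ip)]


class Handler(BaseHTTPRequestHandler):
    def do_POST(self):
        # Expected body: {"action": "ban", "ip": "203.0.113.7"}
        length = int(self.headers.get("Content-Length", 0))
        try:
            body = json.loads(self.rfile.read(length))
            cmd = build_command(body.get("action"), body.get("ip"))
        except (ValueError, TypeError, AttributeError) as exc:
            self._reply(400, {"error": str(exc)})
            return
        result = subprocess.run(cmd, capture_output=True, text=True)
        self._reply(200 if result.returncode == 0 else 500,
                    {"cmd": cmd, "output": result.stdout.strip()})

    def _reply(self, status, payload):
        data = json.dumps(payload).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


if __name__ == "__main__":
    # Loopback only: reachable from this host, never from the network.
    HTTPServer(("127.0.0.1", 8765), Handler).serve_forever()
```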