I have installed FreePBX on a VPS and I am in the process of hardening the security of the machine as much as I can before going live.
I am going to have about 10 phones that connect from a static IP and three mobile phones with a dynamic IP.
This is what I did so far:
- Used strong passwords everywhere
- Activated the FreePBX responsive firewall and added the static IP to the trusted zone
- Used custom ports for the Trunk and for the Extensions (5060 isn’t used anywhere)
- Changed the SSH port to a non-standard port
- Disallowed password authentication for root to the server and set up SSH key for authentication
Now, to see the FreePBX web interface, a tunnel has to be in place.
- For extensions with static IP I have used the “PERMIT: IP address”
- Changed the “Intrusion Detection” settings to something more restrictive (I believe this is using
I have created /etc/firewall-4.rules and I have added the rules available here:
I changed the SSH port and added my domain name (I created a hard-to-guess sub-domain from my main one).
I noticed that the responsive firewall rules are allowing registration even using the straight VPS IP address.
If I disable the responsive firewall and use only the above iptables rules, registration is allowed only using the domain name.
Ideally, I would like to keep the responsive firewall on and at the same time take advantage of the added security that the custom rules have to offer.
For the dynamic IP address clients, I am not sure what to use, considering that I already have problem 1 with the responsive firewall…
Is fixing problem 1 “good enough” as a security method for the dynamic IP extensions?
Or ideally, fixing problem 1 and adding something like “the travellin’ man 3” is more desirable?
Any comments and advice on my configuration and any help will be greatly appreciated.
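
The difference the post describes between registering to the VPS IP and registering to the domain name comes down to the host carried in the SIP request line. The following is an added example, not part of the original post and not the linked rules or FreePBX code: it applies a domain-only check to constructed packets, and the domain, port 5160 and addresses in it are assumed values.

```python
import ipaddress
import re

# Assumed, constructed value: the hard-to-guess sub-domain the phones register to.
PBX_DOMAIN = "pbx-x7q2.example.com"

# SIP request line: METHOD sip:[user@]host[:port][;params] SIP/2.0
REQUEST_LINE = re.compile(
    r"^[A-Z]+ sips?:(?:[^@\s]+@)?(?P<host>\[[^\]]+\]|[^:;\s>]+)(?::\d+)?\S* SIP/2\.0$"
)


def classify(packet: bytes, domain: str = PBX_DOMAIN) -> str:
    """Decide what a domain-only filter would do with one cleartext SIP packet."""
    first_line = packet.split(b"\r\n", 1)[0].decode("ascii", "replace")
    match = REQUEST_LINE.match(first_line)
    if match is None:
        return "skip:not-a-request"  # e.g. a SIP response from the trunk
    host = match.group("host").strip("[]").lower()
    if host == domain.lower():
        return "accept"
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return "drop:wrong-domain"  # a hostname, but not ours
    return "drop:bare-ip"  # request addressed to the raw IP


# Constructed sample packets (203.0.113.10 is a documentation address).
SAMPLES = [
    b"REGISTER sip:pbx-x7q2.example.com:5160 SIP/2.0\r\nTo: <sip:201@pbx-x7q2.example.com>\r\n\r\n",
    b"REGISTER sip:203.0.113.10:5160 SIP/2.0\r\nTo: <sip:201@203.0.113.10>\r\n\r\n",
    b"OPTIONS sip:100@203.0.113.10 SIP/2.0\r\n\r\n",
    b"INVITE sip:201@other.example.net;transport=udp SIP/2.0\r\n\r\n",
    b"SIP/2.0 200 OK\r\n\r\n",
]

if __name__ == "__main__":
    for pkt in SAMPLES:
        print(classify(pkt), "<-", pkt.split(b"\r\n", 1)[0].decode())
```

A packet filter can only make this comparison on cleartext SIP over UDP or TCP; with SIP over TLS the request line is encrypted on the wire.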