New Install: Security Hardening


(Fabio) #1

Hello,

I have installed FreePBX on a VPS and I am in the process of hardening security of the machine as much as I can before going live.

I am going to have about 10 phones that connect from a static IP and three mobile phones with a dynamic IP.

This is what I did so far:

  1. Used strong passwords everywhere
  2. Activated the FreePBX responsive firewall and added the static IP to the trusted zone
  3. Used custom ports for the Trunk and for the Extensions (5060 isn’t used anywhere)
  4. Changed SSH port to a non-standard port
  5. Disallowed password authentication for root to the server and set up SSH key for authentication.
     Now to see the FreePBX web interface a tunnel has to be in place
  6. For extensions with static IP I have used the “PERMIT: IP address”
  7. Changed the “Intrusion Detection” settings to something more restrictive (I believe this is using fail2ban)

Problem 1:

I have created /etc/firewall-4.rules and I have added the rules available here:

I changed the SSH port and added my domain name (I created a hard to guess sub-domain from my main one).
I noticed that the responsive firewall rules are allowing registration even using the straight VPS IP address.

If I disable the Responsive firewall and use only the above iptables rules, registration is allowed only using the domain name.

Ideally, I would like to keep the responsive firewall on and at the same time take advantage of the added security that the custom rules have to offer.

Problem 2:

For the dynamic IP address clients, I am not sure what to use considering that I have already problem 1 with the responsive firewall…

Is fixing Problem 1 “good enough” as a security method for the dynamic IP extensions?

Or ideally, fixing problem 1 and adding something like “the travellin’ man 3” is more desirable?

Any comment and advice on my configuration and any help will be greatly appreciated.

Thank you

Fab


(Tony Lewis - https://bit.ly/2SbDAyc) #2

The whole point of responsive is you leave your SIP ports open. Otherwise there is no point to it. Seriously, the ability for someone to guess your password in the few attempts responsive allows would take 100s of years. Have you read the wiki on how responsive works?


(Fabio) #3

Hello Tony,

Thank you for your answer.

Yes, I did read the wiki, but at the same time I read how many PBXs have been hacked in the last few years, so I want to make sure my system is safe before going live.

The wiki doesn’t go that much into the details so I started looking somewhere else.

That said, do you think all the rules I have in firewall-4.rules are unnecessary or detrimental?

Do you think all the other steps I took are sufficient even for the dynamic client or do you recommend additional steps?

Thank you

Fab


(Tony Lewis - https://bit.ly/2SbDAyc) #4

We have thousands of hosted PBXs that have nothing more than responsive for SIP and have never been hacked.


(Fabio) #5

Thank you Tony


(Tony Lewis - https://bit.ly/2SbDAyc) #6

The simple crux of responsive for SIP is it only allows 10 total packets, which is 3 registration attempts in a 60 sec period, until the device registers with Asterisk; then the IP is whitelisted dynamically once it registers.

If we drop 100 packets we blacklist the IP in the firewall. So the math shows it would be impossible for a device to ever guess a password when using random 32 digit passwords like the default in FreePBX.
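As an added illustration of the mechanism Tony describes (this is a toy model written for this thread, not FreePBX's or Asterisk's actual firewall code), the Python below gives each unregistered source IP a budget of 10 packets per 60 second window, whitelists the IP as soon as a registration succeeds, and blacklists it after 100 dropped packets. It then carries the "math" through for a random 32 character password at 3 attempts per minute. The sample IPs, the 62 character alphabet and the 0.1 s packet spacing are constructed assumptions; the three limits come from the post.

```python
# Added illustration: a toy model of the per-IP packet budget described in the post.
# It is NOT FreePBX's or Asterisk's code; the limits below are taken from the post
# (10 packets ~ 3 registration attempts per 60 s, blacklist after 100 dropped packets),
# and the sample IPs and timings are constructed.
from collections import defaultdict
from dataclasses import dataclass

PACKET_ALLOWANCE = 10        # packets an unregistered source may send per window
WINDOW_SECONDS = 60          # length of the window
BLACKLIST_AFTER_DROPS = 100  # dropped packets before the source is blacklisted


@dataclass
class PeerState:
    window_start: float = 0.0
    packets_in_window: int = 0
    dropped: int = 0


class ResponsiveFirewall:
    """Per-source budget: unknown IPs get a small allowance, registered IPs are
    whitelisted, persistent offenders are blacklisted."""

    def __init__(self):
        self.peers = defaultdict(PeerState)
        self.whitelist = set()
        self.blacklist = set()

    def handle(self, src_ip, now, registered_ok=False):
        """Decide one inbound SIP packet; returns 'accept', 'drop' or 'blacklisted'.
        registered_ok=True means the PBX accepted this packet's REGISTER."""
        if src_ip in self.blacklist:
            return "blacklisted"
        if src_ip in self.whitelist:
            return "accept"
        st = self.peers[src_ip]
        if now - st.window_start >= WINDOW_SECONDS:    # start a fresh window
            st.window_start = now
            st.packets_in_window = 0
        if st.packets_in_window < PACKET_ALLOWANCE:
            st.packets_in_window += 1
            if registered_ok:                           # successful auth -> whitelist
                self.whitelist.add(src_ip)
            return "accept"
        st.dropped += 1                                 # over budget: drop and count
        if st.dropped >= BLACKLIST_AFTER_DROPS:         # drops persist across windows (assumption)
            self.blacklist.add(src_ip)
            return "blacklisted"
        return "drop"


def run_source(fw, src_ip, n_packets, registered_ok=False):
    """Send n_packets from src_ip 0.1 s apart (all inside one window) and tally decisions."""
    tally = {"accept": 0, "drop": 0, "blacklisted": 0}
    for i in range(n_packets):
        tally[fw.handle(src_ip, now=float(i) * 0.1, registered_ok=registered_ok)] += 1
    return tally


def expected_guess_years(password_len=32, alphabet_size=62, attempts_per_minute=3):
    """Expected time to brute-force a random password at the allowed attempt rate
    (half the keyspace on average); ignores the blacklist, which only makes it worse."""
    expected_attempts = alphabet_size ** password_len / 2
    minutes = expected_attempts / attempts_per_minute
    return minutes / (60 * 24 * 365)


if __name__ == "__main__":
    fw = ResponsiveFirewall()
    print("legit phone :", run_source(fw, "198.51.100.10", 500, registered_ok=True))
    print("scanner     :", run_source(fw, "203.0.113.77", 500))
    print(f"expected brute-force time: {expected_guess_years():.3g} years")
```

Running it shows the two behaviours side by side: the phone that registers on its first packet is accepted for all 500 packets, while the unregistered scanner gets 10 packets through, has the next 99 dropped, and is blacklisted from the 110th onward. The brute-force estimate comes out around 10^50 years, which is the "100s of years" argument with a great deal of margin.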


(system) closed #7

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed.