Securing UCP

We are using Sipstation for texting. A few users access the UCP for texting from their mobile phone.

I need to open a port for them to access the UCP. However, I feel uncomfortable about that. I believe that this is the same access for the admin interface, but I do not want to make this open!

Using a VPN from their mobile phone is not an option.

Is there any way to make this a bit more secure?

By default, UCP is running on port 81, so you can open that… or change it to whichever port you want.

Is that secure?

See my edit. I was referring to that statement.

The question really is: what is your concern?

If a hacker gets into UCP they can:

  1. If you have followme or CFWD, place calls through your system, and you’ll only be alerted once you receive your phone bill.
  2. If you have call recording, they can listen to/download sensitive parts of call information.
  3. Gather some other information from UCP.

However, Sangoma is fully working to secure FreePBX and it’s not really a “hackable thing”.

I would worry about UCP being public and someone finding out a UCP password, rather than a flaw in the code.
I believe that intrusion prevention will also block failed UCP logins after the configured number of bad attempts.
With that being said, I would love to see 2FA for UCP.

So if I needed to open UCP, I would allow access from (a) specific country(ies) only, and I would be careful which user permissions each account has, and obviously would require password changes every now and then. Lastly, make sure that fail2ban is properly configured.

Thank you! That makes sense.

How do you do that?

I tested. Fail2ban works on the UCP login. However, it says (SIP) after the blocked IP in “IP’s that are currently banned.”

That sounds incorrect.

On your router/firewall. Not sure which brand and model you have. Look up online how to do it.
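
How the two layers recommended in this thread combine (a source-country allowlist at the firewall, then a fail2ban-style limit on failed UCP logins), as an added sketch that is not part of the original posts and is not FreePBX or fail2ban code. The networks, thresholds and login events are constructed assumptions.

```python
import ipaddress
from collections import defaultdict, deque

# Assumed policy values (not from the thread); documentation ranges stand in
# for the address blocks of the permitted country.
ALLOWED_NETS = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.0/24")]
MAX_RETRY = 3    # failed logins tolerated inside FIND_TIME before a ban
FIND_TIME = 600  # sliding window in seconds

# Constructed events: (epoch seconds, source IP, login succeeded)
EVENTS = [
    (0, "192.0.2.10", False), (5, "192.0.2.10", False),      # outside allowlist
    (10, "192.0.2.10", False), (15, "192.0.2.10", False),
    (100, "198.51.100.7", False), (160, "198.51.100.7", False),
    (220, "198.51.100.7", False),                            # burst of failures
    (0, "203.0.113.20", False), (900, "203.0.113.20", False),
    (1800, "203.0.113.20", True),                            # occasional typo
]

def evaluate(events, allowed=ALLOWED_NETS, max_retry=MAX_RETRY, find_time=FIND_TIME):
    """Return (geo_dropped, banned): source IPs stopped by each layer."""
    failures = defaultdict(deque)
    geo_dropped, banned = set(), set()
    for ts, ip, ok in sorted(events):
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in allowed):
            geo_dropped.add(ip)      # firewall drops it before the login page
            continue
        if ok or ip in banned:
            continue                 # only failed logins from unbanned IPs count
        window = failures[ip]
        window.append(ts)
        while ts - window[0] > find_time:
            window.popleft()         # forget failures older than the window
        if len(window) >= max_retry:
            banned.add(ip)
    return geo_dropped, banned

if __name__ == "__main__":
    dropped, banned = evaluate(EVENTS)
    print("dropped at firewall:", sorted(dropped))
    print("banned after failed logins:", sorted(banned))
```

The allowlist only narrows who can reach the login page; addresses inside it are still limited by nothing but the retry threshold and the strength of each UCP password.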

