Securing UCP


#1

We are using Sipstation for texting. A few users access the UCP for texting from their mobile phone.

I need to open a port for them to access the UCP. However, I feel uncomfortable about that. I believe that this is the same access for the admin interface, but I do not want to make this open!

Using VPN from their mobile phone is not an option.

Is there any way to make this a bit more secure?


(Itzik) #2

By default, UCP is running on port 81, so you can open that… or change it to whichever port you want.


#3

Is that secure?


(Itzik) #4

See my edit. I was referring to that statement.

The question really is: what is your concern?

If a hacker gets into UCP they can:

  1. If you have followme or CFWD, place calls through your system, and you’ll only be alerted once you receive your phone bill.
  2. If you have call recording, they can listen to/download sensitive parts of call information.
  3. Gather some other information from UCP.

However, Sangoma is fully working to secure FreePBX and it’s not really a “hackable thing”.

I would worry about UCP being public and someone finding out a UCP password, rather than a flaw in the code.
I believe that intrusion prevention will also block failed UCP logins after the amount of bad attempts configured.
With that being said, I would love to see 2FA for UCP.

So if I would need to open UCP, I would allow access from (a) specific country(ies) only, and I would be careful which user permission each account has, and obviously would require password changes every now and then. Lastly, make sure that fail2ban is properly configured.


#5

Thank you! That makes sense.

How do you do that?


#6

I tested. Fail2ban works on the UCP login. However, it says (SIP) after the blocked IP in “IP’s that are currently banned.”

That sounds incorrect.


(Itzik) #7

On your router/firewall. Not sure which brand and model you have. Look up online how to do it.