Security- a simple countermeasure

Recently we had some PBX systems attacked and I came up with the following as a countermeasure. I feel it is so simple and effective there is no reason to not include it in the core code.


post modified by p_lindheimer, replaced link with content so readers could better follow what was being discussed

post modified by markosjal, replaced original link and removed content copied by p_lindheimer as I did/do not authorize the copying of information from Had I been asked I might have allowed it!

Most people don’t allow access to the GUI of the server from the Public Internet.

Hmm, that's funny. There are many that sell hosted systems that are only accessible over the public Internet. I have also seen many posts of people being hacked, and the web GUI is usually how that is done.

You must be one of those “experts” that knows all

For the most part the hosted PBX providers fall into two categories:

1 - They offer Distro images as part of their overall portfolio of images but have no real knowledge

2 - Low budget hosted PBX providers rent space in a data center and start selling service with no thought about security.

The true solutions providers are few and far between.

You only need to look at all of the people who have had attacks that have come through the web interface. This is one other viable tool in the toolbox and highly effective I might add.

You can try to negate it all you want however it is valid and works!

I don't understand why some people in forums are so negative when something is posted. Have you really nothing better to do? Accept it for what it is. It may not be for you, but no need to try to invalidate it.

It’s not meant to be negative. It’s not a solution and it gives a false sense of security.

It also communicates that the system is designed to be on the public Internet. It is not, and no other phone system I know of is.

I have hosted Elastix, FreePBX and trixbox systems for many years. In that time alone (not counting my extensive knowledge of SIP tracing and diagnostics) I learned a lot about it. VOIP has been a specialty of mine since 2000, while many here were still in school. So yes, your statement IS an insult and negative. Please move on to another thread and increase your post count elsewhere. It seems that is all you really do anyway. Why post worthless opinions when someone tries to help others?

Just because you may do things differently does not mean your way is more correct!

I second this!!! All I ever see is negativity and how he likes to belittle users. Try to offer positive comments.

I am not going to engage in this again, it’s not an opinion, it is certainly not personal nor is it about experience.

Plain and simple.

1 - The system is not designed to be exposed to the Internet. This has been publicly stated by the project leads and the developers.

2 - This is not some “quirk” of mine or FreePBX. You certainly can’t put a Cisco CUCM, an Avaya Open Office or a Mitel server on the Internet.

I think that debating best practices is hardly a waste of time and not meant to insult the posters but to get them to think. I don’t understand the drama.

Two more facts that might change your perspective. Don’t try the age thing, I am 50 this year and have over 30 years in telecom and IT. Second, I don’t understand the post count statement. FreePBX does not keep track of posts and I don’t have any type of advertising in my posts.

There are releases such as Elastix that contradict that. I rest my case. A similar post there was received quite differently than here in the "frack you in the behind" FreePBX forums.

How are you helping users succeed by making negative comments? Sit back and take a look at all the possibilities of this software. That’s why it is open source. To allow users to input ideas and modifications.

It’s amazing how these discussions always revolve around personalities instead of principles.

If the Elastix distribution offers you something that fits your needs then that is the solution for you. I can only share my experience with you.

The project is Open Source and we would love to have volunteer programmers. The reality is the programmers are on someone's payroll, so the work is going to reflect their needs. The fact that the work product is shared is one of the things that makes this project special.

If a group stepped up to form a security team and started committing code, that would certainly be a great benefit. No matter how secure, I still would not recommend running a PBX on the Internet.

You can’t fit a round peg into a square hole. FreePBX is not meant to be a service provider platform.

Your code will never be looked at in a forum post. If you want it reviewed submit a trac ticket and join our developer community.


Man, are you STILL spouting out the mouth? You did this kind of thing on one of my last threads!

Give it a rest!

Funny how there is nobody here supporting your case and I have had HUNDREDS of hits on the post on my site in several hours of making a few posts about this.

GET IT MAN, not everyone wants to hear your worthless posts. Not only this one, but look at this thread.

What thread, I don’t see a link.

You keep going back to personalities, I won’t continue that debate.

I reread your last post and I stand behind the reason I said it.


I respect your right to post your site’s content in this forum or not. That was my oversight in putting the content here without explicit copyright permission and for that I apologize.

Now I need to make a request of you concerning this post:

In order to provide a positive experience to the forum readers, given the nature of this discussion, I need to request that you remove the link to your site which means either put the content from your blog back in the post so that the post continues to have meaning, or otherwise we would remove the thread if you don’t want the content here. That is 100% your choice and your right.

The link is not acceptable as it points back to a commercial site which is generally frowned on and is also not a positive experience for users to have to bounce around on such a discussion.

Also, since you pointed out the site, I need to request that you put proper trademark notifications on your commercial site regarding your references to FreePBX on the commercial parts of your site. We do not have a concern with trademark references in non-commercial settings such as blogs, etc., but when you are using FreePBX as a selling point for commercial products, we expect to have the trademark policy followed, as is standard policy for most trademark owners.

Thank you for understanding the request. You are welcome to PM me if you want to discuss this in private or otherwise ask any questions, but I’ll have to take appropriate actions by tomorrow if there is no acceptable response.

The simple nature of the internet allows linking. There are many sites that take credit for content that is not their own. There are many links here in the forums and just because it is a forum does not mean that you can copy material from whatever site. Just because it is the Internet does not mean that copying and pasting is permitted behavior.

Posting this on the FreePBX forums is obviously an error, based on the fact that I have been flamed and now this reply, which was not an issue prior to removing my web site’s content that was placed here without my consent.

I mention the above because this appears to be more of a reaction to the fact that I removed the content from the site.

I will make references to the FreePBX name on and respectively


Hopefully you read the beginning of my comment:

In case it was ambiguous, that was clearly directed at your expressed concern:

So if you missed it, that is exactly what I was acknowledging and apologizing for.

However … it doesn’t change my comments beyond that with regard to links that are pointing to commercial sites. Also, it doesn’t change the fact that forum posts are here to be helpful both now and years into the future. When you put a link vs. the content, and then some time down the road the link breaks because the site no longer exists or for other reasons, it dilutes the value. It also makes it more difficult to follow a discussion thread when the content is a link vs. in the post.

Links make sense in the proper context. For example, links to log files in help threads that are typically very specific to a user help to minimize clutter in a forum. In this case, the very short script that fits very well within the post would make the discussion thread much more useful, regardless of the differing opinions of its value or not. However, that is your right to put it there or not.

We don’t necessarily catch all links to commercial sites, though when reported we review them to make the appropriate determinations. We do usually catch the blatant spams and other posts that often appear to be placed for the primary purpose of link backs to commercial sites.

Additionally to be clear and transparent, you were not being singled out or flamed. Our discussion on security had nothing to do with this.

In fact Philippe and I have had no dialog about it at all.

Please don’t think that we are all “coming down” on you.

Since I am late coming here let me make sure I understand this.

You stated

“post modified by markosjal, replaced original link and removed content copied by p_lindheimer as I did/do not authorize the copying of information from Had I been asked I might have allowed it!”

yet at the beginning of the post you state

“I feel it is so simple and effective there is no reason to not include it in the core code.”

So you want us to include code that you have on your own website. We then paste the code in the forum and you state we did not have permission to take content from your site and paste it in the forum, yet you wanted us to add it to the core of FreePBX, and I believe, based on the comment above, you did give us permission to do so.

If you are going to prohibit links on this thread, you should do it ACROSS THE BOARD on every thread, not just selectively.

Secondly, I stand by my statement that there are many ways to do this in the code without using my code exactly. Mine is an example. You do what suits you.

Thirdly, you need to send the prospective hacker down as many of the wrong roads as possible, and that is why I see my solution as a valid alternative. Using the standard Apache methods tells the hacker far too much information about the server. It is better to provide fake information to someone trying to hack in.