Two-Factor Auth for FreePBX

Is there a two-factor auth solution for logging into the management interface of FreePBX? I did a search and found one person who asked this and there was supposedly 1 reply, but it's been removed and the topic was closed. So I figured I would ask again. Maybe a Sangoma module or something?

Thank you

Not that I am aware of, but you could put the admin interface on a secure subnet that requires 2FA to access, then once on, login to the PBX.

Who are you trying to protect it from?

Automated tools that scan every IPv4 address, looking for vulnerabilities? With proper firewall setup, random scanners should not even discover that you have a PBX, let alone get access to the admin login page.

An outsider targeting your system specifically, e.g. a competitor? Do one or more of:

  1. Allow access from only a few whitelisted IP addresses.
  2. Require VPN access to the server (secured by certificates), with the admin page accessible via the VPN.
  3. Use SSH port forwarding to access the admin page.

Someone who knows the technical details of your system, e.g. a disgruntled employee or former employee? This is a tough problem and if the attacker is sufficiently skilled or well funded, she will succeed. Be aware that conventional 2FA may not help: if the enemy can stage an MITM attack, the session can be hijacked after an authorized user logs in. Also, social engineering can defeat many 2FA schemes.

I like @Stewart1's ideas for most users, but I'm dealing with some 2FA requirements on a different system and have a passing interest in this. If you are working from the NIST RMF or military STIG perspective, there might be some reasons for adding more stringent requirements. For other NIST RMF requirements, you have lots of leeway when it comes to 2FA.

What are you trying to accomplish, specifically, with 2FA? Do you want credential token-based protection or are you looking for something more 'soft'?

There's not a FreePBX module for it but there is at least one DIY method which probably has some pitfalls.

You can set FreePBX to authenticate using Apache and then set the user permissions with FreePBX. This is done in Advanced Settings -> Authorization Type = webserver.

Then in Apache, you can set up whatever authn module you want. If you use Office365 or GSuite with 2FA, you can auth against those using the mod_auth_openidc module. I have used this for other web server applications and can vouch for it, but have never used it directly with FreePBX. Warning, the setup is a lot of work (at least it felt like a lot to me).

When you have set up authn like that and protect a web directory with it, you are first sent to the auth provider (MS, Google, or wherever) and once you have successfully authenticated, the web server passes your username on to FreePBX, so that username has to exist in the administrators table and have permissions.

I think that would work fine for admin. I don't think UCP ties into that in any way; I believe UCP exclusively uses the FreePBX database for both authentication and authorization.

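For the webserver-auth approach described in the post above, here is an added example of what the Apache side can look like. It is not code from this thread, from Sangoma or from the FreePBX project; it is a vhost fragment I wrote for illustration. Everything in it is a placeholder or an assumption: the hostname pbx.example.com, the identity provider's metadata URL, the client ID and secret, the claim names (preferred_username and groups), the allowed IP ranges, and the assumption that FreePBX's "webserver" authorization type picks the login name up from REMOTE_USER, which is the variable mod_auth_openidc sets. The Require ip lines are the Apache-layer counterpart of @Stewart1's IP-whitelist suggestion and are there in addition to, not instead of, the firewall.

```apache
# Added example (not from the thread or FreePBX): put the FreePBX admin GUI
# behind mod_auth_openidc, for use with
# Advanced Settings -> Authorization Type = webserver.
# All hostnames, URLs, IDs, secrets, claim names and IP ranges are placeholders.

LoadModule auth_openidc_module modules/mod_auth_openidc.so

<VirtualHost *:443>
    ServerName pbx.example.com
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/pbx.example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/pbx.example.com.key

    # OpenID Connect provider settings; take the real values from the app
    # registration in your Microsoft 365 / Google Workspace tenant.
    OIDCProviderMetadataURL https://login.example-idp.com/.well-known/openid-configuration
    OIDCClientID            00000000-0000-0000-0000-000000000000
    OIDCClientSecret        replace-with-client-secret

    # Must sit under a protected <Location> but must not be a real PBX page.
    OIDCRedirectURI         https://pbx.example.com/admin/oidc_redirect

    # Random string used to encrypt the server-side session cookie.
    OIDCCryptoPassphrase    replace-with-long-random-string
    OIDCScope               "openid email profile"

    # Claim that becomes REMOTE_USER. Assumption: FreePBX webserver mode
    # reads REMOTE_USER and that value must match a FreePBX admin username.
    # Google does not send preferred_username; use email there.
    OIDCRemoteUserClaim     preferred_username

    # Drop idle sessions rather than relying on the PBX to expire them.
    OIDCSessionInactivityTimeout 900

    <Location /admin>
        AuthType openid-connect
        <RequireAll>
            Require valid-user
            # Only members of one IdP group may reach the admin GUI
            # (claim name and value are placeholders).
            Require claim groups:pbx-admins
            # Network restriction on top of the firewall (placeholder ranges).
            Require ip 203.0.113.0/24 10.0.0.0/8
        </RequireAll>
    </Location>

    # UCP authenticates against the FreePBX database on its own, so it is
    # deliberately left outside the OIDC-protected location.
    <Location /ucp>
        Require all granted
    </Location>
</VirtualHost>
```

Two caveats a practitioner will want. First, mod_auth_openidc only checks that the provider issued a valid token; the second factor itself has to be enforced in the provider (Conditional Access, 2-Step Verification or similar) for the accounts in that group. Second, once FreePBX trusts the web server, its own logout button no longer ends the real session; to sign out you have to hit the mod_auth_openidc logout URL (the redirect URI with a logout= parameter) or close the browser, so set the inactivity timeout accordingly.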

Anyplace that's using 2FA isn't going to have an "Admin" user anymore. All logins will be tied to the login credentials, which seriously complicates this.

In my "other job" capacity, we set up "admin" accounts for things like our routers, etc. so that they have to come from a specific workstation, and then set that workstation up so that it requires 2FA to get logged in. This is satisfactory to the security folks, recognizing that we still have to protect the admin users for everything even after disallowing them from connecting from virtually anywhere.

Renaming/setting up multiple admin-level users is trivial. What's complicated?

I'm more concerned about FreePBX gotchas that assume usermanager/database auth and forget that "webserver" is an option.


Related discussion including comments from former FreePBX developers.

The "webserver" method is not recommended. Pluggable auth for the usermanager module is mentioned but I have never seen anything more about this. Time to do some research.

Though I've never delved into this before, I think the Advanced Option 'Enable Remote Unlock' allows one to use fwconsole to generate a one-time key which can then be used as part of the URL to browse to the Admin GUI without being challenged for creds, using the URL http://server:port/admin/config.php?unlock=<key>

The tool tip for that feature is stale now (I have an internal ticket to get it updated) so I'm not sure what command generates the key. The clue is probably in the file /var/www/html/admin/libraries/Console/Remoteunlock.class.php
