Two Factor Auth for Freepbx


#1

is there a Two Factor Auth solution for logging into the management interface of Freepbx? I did a search and found one person who asked this and there was supposedly 1 reply, but its been removed and the topic was closed. So figured I would ask again. Maybe a Sangoma Module or something?

Thank you


(Communication Technologies) #2

Not that I am aware of, but you could put the admin interface on a secure subnet that requires 2FA to access, then once on, login to the PBX.


#3

Who are you trying to protect it from?

Automated tools that scan every IPv4 address, looking for vulnerabilities? With proper firewall setup, random scanners should not even discover that you have a PBX, let alone get access to the admin login page.

An outsider targeting your system specifically, e.g. a competitor? Do one or more of:

  1. Allow access from only a few whitelisted IP addresses.
  2. Require VPN access to the server (secured by certificates), with the admin page accessible via the VPN.
  3. Use SSH port forwarding to access the admin page.

Someone who knows the technical details of your system, e.g. a disgruntled employee or former employee? This is a tough problem and if the attacker is sufficiently skilled or well funded, she will succeed. Be aware that conventional 2FA may not help – if the enemy can stage an MITM attack, the session can be hijacked after an authorized user logs in. Also, social engineering can defeat many 2FA schemes.


(Dave Burgess) #4

I like @Stewart1 's ideas for most users, but I’m dealing with some 2FA requirements on a different system and have a passing interest in this. If you are working from the NIST RMF or military STIG perspective, there might be some reasons for adding more stringent requirements, For other NIST RMF requirements, you have lots of leeway when it comes to 2FA.

What are you trying to accomplish, specifically, with 2FA? Do you want credential token-based protection or are you looking for something more ‘soft’?


#5

There’s not a FreePBX module for it but there is at least one DIY method which probably has some pitfalls.

You can set FreePBX to authenticate using Apache and then set the user permissions with FreePBX. This is done in Advanced Settings -> Authorization Type = webserver.

Then in Apache, you can set up whatever authn module you want. If you use Office365 or GSuite with 2FA, you can auth against those using the mod_auth_openidc module. I have used this for other web server applications and can vouch for it, but have never used it directly with FreePBX. Warning, the setup is a lot of work (at least it felt like a lot to me).

When you have set up authn like that and protect a web directory with it, you are first sent to the auth provider (MS, Google, or wherever) and once you have successfully authenticated, the web server passes your username on to FreePBX, so that username has to exist in the administrators table and have permissions.

I think that would work fine for admin. I don’t think UCP ties into that in any way; I believe UCP exclusively uses the FreePBX database for both authentication and authorization.


(Dave Burgess) #6

Anyplace that’s using 2FA isn’t going to have an “Admin” user anymore. All logins will be ties to the login credentials, which seriously complicates this.

In my “other job” capacity, we set up “admin” accounts for things like our routers, etc. so that they have to come from a specific workstation, and then set that workstation up so that it requires 2FA to get logged in. This is satisfactory to the security folks, recognizing that we still have to protect the admin users for everything even after disallowing them from connecting from virtually anywhere.


#7

Renaming/setting up multiple admin-level users is trivial. What’s complicated?

I’m more concerned about FreePBX gotchas that assume usermanager/database auth and forget that “webserver” is an option.


#8

Related discussion including comments from former FreePBX developers.

“webserver” method is not recommended. Pluggable auth for the usermanager module is mentioned but I have never seen anything more about this. Time to do some research.


(Lorne Gaetz) #9

Tho I’ve never delved into this before, I think the Advanced Option ‘Enable Remote Unlock’ allows one to use fwconsole to generate a one-time key which can then be used as part of the url to browse to the Admin GUI without being challenged for creds but using the url http://server:port/admin/config.php?unlock=<key>

The tool tip for that feature is stale now (I have an internal ticket to get it updated) so I’m not sure what command generates the key. The clue is prob in the file /var/www/html/admin/libraries/Console/Remoteunlock.class.php


(system) closed #10

This topic was automatically closed 31 days after the last reply. New replies are no longer allowed.