“Security is always excessive until it’s not enough.”
–Robbie Sinclair, Head of Security, Country Energy, NSW Australia
Security should be high on the list of things to consider for any FreePBX installation. As more companies are applying changes to provide a good work-from-home experience for their employees, doing this securely is something on a lot of our minds. The purpose of the blog post is to not only mention what’s currently available within FreePBX, but to also encourage some discussion about your own strategies and preferences for setting up a secure FreePBX system.
Security tools available in FreePBX(13+)
FreePBX’s included Firewall module provides admins with a way to have control over who is allowed to access various services on the system. The Firewall runs with a ‘Deny-By-Default’ type of configuration. Ideally, everything should be blocked except for the Networks you provide access to. For most setups, Interfaces will be assigned to the Internet zone, and permitted Network/Hosts are added and assigned with the Local zone. Additional options found on the Firewall settings page also include:
- Responsive Firewall – When enabled, Responsive Firewall can block traffic for 24 hours from sources after enough invalid connection attempts are received. Responsive Firewall should only be enabled if necessary. For most systems, all connecting source addresses are known, and a proper Network/Host entry is set up to control access. However, for systems that need to accept VOIP connections from unknown sources, the Responsive Firewall can help bring some security for VOIP protocols based on registration behavior.
- Services – This is where the admin can set which zones are allowed to access each service. Note: It is heavily recommended that the TFTP, and HTTP(s) Provisioning services are never set to be enabled for the Internet zone, which could leave them ‘wide-open’. Phone configuration files should be considered highly confidential. While more secure methods are preferred, if remote TFTP/HTTP(s) provisioning is truly required, it must only be accessible to specified networks/addresses. Untrusted access should be considered to be a misconfiguration. Having credentials enabled on HTTP(s) connections is helpful, but it is still advised to control who is allowed access.
- Blacklist – The FreePBX Firewall also has a section to add entries to a Blacklist. As mentioned, the recommended overall approach is to block everything, and only provide access to those that need it. However there are still times when a Blacklist is useful, such as an environment relying on the Responsive Firewall. Blacklist entries will be sent a response that their traffic has been administratively blocked.
Intrusion Detection(also known as fail2ban)
This service is separate from the Firewall, and is recommended to have running along with it. Its settings and status information can be found by going to System Admin->Intrusion Detection. This service will monitor logs for possible threat attempts. If the specified amount of Retries are detected, a temporary ban will be set.
The Firewall and Intrusion Detection options offer some very helpful tools for locking things down when set up properly. There are also some general principles that should always be kept in mind.
- Admin access should only be allowed to specified networks/addresses. While a strong password is always recommended, it should never be relied on as the main form of security.
- While the Firewall Set-up Wizard runs during the registration of your new FreePBX install, it can be skipped. If it is Disabled on your system without any valid reason that you’re aware of, it is recommended to enable this with a proper setup.
- ‘Allow Anonymous Inbound SIP Calls’ and ‘Allow SIP Guests’ are settings that can be found in Settings->Asterisk SIP Settings. They should be set to No for most cases. See their help text for further information.
- If your environment and devices support SIP TLS, consider enabling it.
- Phone configuration files should be treated as extremely sensitive data since they contain credentials that provide calling access to the system. Wherever possible, only allow trusted access to the HTTP(s)/TFTP phone provisioning services. In environments where that is not possible, an HTTPS with credentials is the preferred protocol.
- It is recommended to prevent your phones from having access to the WAN unless necessary
- Consider setting a Maximum Channels limit on your trunks’ settings.
- Backups should be stored securely. Wherever you decide to store your system backups, make sure it is secure, especially if you are offloading them to another system.
- Keep your FreePBX modules and OS up to date. While it’s easy to leave a working PBX untouched, it is recommended to keep things up to date to ensure security releases are applied.
So how about you?
- Has there been any interesting challenges or changes that needed to be made to allow your users to work from home while keeping things secure?
- What would you put on a checklist of things to keep in mind when setting up FreePBX in a new environment?
- Are there any areas you’d like to improve with your setup, but not sure how to go about it?
Please come share your comments and questions in this blog entry’s community post.