Remote users - Securing FusionPBX

[int-tech01]

Hello,

I am a long time user of FreePBX and utilize their Responsive Firewall module. This module, along with Fail2Ban works great by keeping your SIP port open to the world, and allows for a specific amount of connection attempts before being blocked by the firewall. This is great for remote/traveling users that do not have a static IP.

I am looking into migrating to FusionPBX, and am just getting my feet wet. So far, I love what I see.

How does FusionPBX handle security for remote users? I am not looking to setup VPN connections on the remote phones.

Thank you!
Adam

 

[Bifur]

Have you taken a look at the docs? It's a good starting point: https://docs.fusionpbx.com/en/latest/
Once you get to the security part you will see that by using domain names instead of IP addresses, we can assume someone trying to register with just the IP is a bad actor and to block them. There are other things in there as well.

 

[int-tech01]

Hello,

Yes, I have read through those docs, specifically that section. I was just wondering if that is enough.

So with the recommended approach in the docs, port 5060 will be open to the world. A bad actor would be blocked in 2 ways.

1. If they try and register with an IP instead of domain.
2. They somehow DO try and register with a domain name, and fail multiple times.

In both scenarios, we are saying that the way they are blocked is with the firewall, but it 100 % relies on Fail2Ban. Is that right?

 

[Bifur]

From my understanding, yes, fail2ban. It's like Freepbx but not as pretty. Most scripts have no idea of the unique domain so those are usually all you get. If you click on the iptables stuff it shows you what is set by default. You can always adjust and go with a straight whitelist, etc.

I've been running a test fusionpbx server for a year now and I have had no issues with toll fraud, etc. It just hums along.

 

[int-tech01]

That's good to know. Most of the notifications I get from fail2ban now on FreePBX are all related to registering with an IP. So this most likely would be enough.

 

[Bifur]

I think the bigger issue could be php bugs/zero days etc since the web portal is public facing as well. With Freepbx only your trusted or local ips have access to the web portal.

 

[int-tech01]

So I just block access to port 80 and 443 right in the firewall on my FusionPBX box. (and allow access to my IP) Of course, that would not work if I were to use the provisioning services built into Fusion.

 

[Bifur]

Correct, which is another consideration. And whitelist each customer who may have a DHCP WAN address all the time if you give them access.

 

[int-tech01]

To be clear, you mean whitelist customers with a STATIC WAN address, right?

 

[Bifur]

Well static is nice but some don't have a static. So you would have to update it manually when IP changed. I'm not doing that personally.

 

[pogingbagsik]

Just an insight FusionPBX is great running over the internet just be sure to which traffic should be opened over the cloud.
Running for 4yrs ++ now using FQDNS registration + 32 character password authentication and strict fail2ban for 24hrs works like a charm on my end.

 

[int-tech01]

That's great to hear. So you block IP registrations and only allow extension@whatever.domain.com registrations?

Would you mind sharing your strict fail2ban settings?

Do you ever change your SIP port that is exposed to the internet?

 

[pogingbagsik]

That's great to hear. So you block IP registrations and only allow extension@whatever.domain.com registrations?

Would you mind sharing your strict fail2ban settings?

Do you ever change your SIP port that is exposed to the internet?

I just change the jail time to 24hrs to secure it and reduce the fail count to 3 within 12hrs duration,.
I did not change any protocols 5060-5061 as SIP and the RTP ports are open to the world 0.0.0.0/0.
5080-5081 and RTP ports are only allowed to the VOIP Providers IP for external profile.
Management 80/443 & SSH are only allowed to trusted networks not globally.
As another layer for security have integrated to ASTPP Billing and set a unique dial pattern per domain sip trunk also set a max threshold.

So far the only challenge is the WFH users who have internet issues for not resolving FQDNs and latency issues.

Hope this will help you, good luck!