    FreePBX on VPS

    • A
      Alex Sage @elegast
      last edited by Alex Sage

      @elegast said:

      Do you guys have any recommendations for security? What traffic do you allow and block?

      I block everything that isn't needed 😉

      FreePBX includes a very good firewall built in 🙂

      From the FreePBX Wiki: FreePBX Firewall is a tightly integrated, low level firewall, that removes the complexity of configuring a firewall on your VoIP server.
      This project was started due to the lack of a common, comprehensive, firewall, in the VoIP server community. Various attempts had been made previously, but they all suffered from a lack of understanding of the challenges involved, or a lack of flexibility which caused most users to disable IPtables on the PBX.
      FreePBX Firewall was designed and written by security professionals, with a thorough understanding of the issues and limitations of trying to secure a VoIP service but still leave it open enough to keep users from disabling the Firewall.
      Its aim is to provide a simple way to secure the 'average' VoIP server installation, the 95%. In more complex setups, it is always wise to discuss your security requirements with someone with experience in this arena.

      http://wiki.freepbx.org/display/FPG/Firewall

      • AdamFA
        AdamF @Alex Sage
        last edited by

        @aaronstuder said:

        FreePBX includes a very good firewall built in 🙂

        Agreed. The new responsive firewall in FreePBX 13 is amazing for VoIP communications. Its ability to intelligently allow and block traffic (especially SIP traffic) is a huge leap forward.

        Now that we're on the subject again...What is everyone's method for provisioning phones remotely? In this case, all phones would be remote since the PBX is on a VPS.

        • DashrenderD
          Dashrender @Alex Sage
          last edited by

          @aaronstuder said:

          @elegast said:

          I'm playing around with freepbx and would like to host it on Linode or Digital ocean.

          This is much easier to do on Vultr because they allow the use of custom ISO. Without Custom ISO support you have to install from source.

          Not source... but from compiled code. Still a huge pain in the ass though - I've done it twice now.. and still takes me forever.

          • A
            Alex Sage @Dashrender
            last edited by

            @Dashrender said:

            Not source... but from compiled code. Still a huge pain in the ass though - I've done it twice now.. and still takes me forever.

            Thanks! Could it be scripted?

            • A
              Alex Sage @AdamF
              last edited by Alex Sage

              @fuznutz04 said:

              What is everyone's method for provisioning phones remotely?

              Do you have access to the phones before they are deployed? Do you have access to the network the phones will be on?

              • AdamFA
                AdamF @Alex Sage
                last edited by

                @aaronstuder said:

                @fuznutz04 said:

                What is everyone's method for provisioning phones remotely?

                Do you have access to the phones before they are deployed? Do you have access to the network the phones will be on?

                Yes, I would have access to phones before deployment, but not access to the destination network.

                • A
                  Alex Sage @AdamF
                  last edited by

                  @fuznutz04 said:

                  Yes, I would have access to phones before deployment, but not access to the destination network.

                  Then pre-configure them - make sure you use a DNS name, not an IP address in case you want to move the server, etc.

                  • AdamFA
                    AdamF @Alex Sage
                    last edited by

                    @aaronstuder

                    Correct, that's the plan. However, when the phones check for configuration/provisioning periodically, while remote, what method do you use to secure the communication? You can use http, ftp, etc, but this is inherently not secure. This could be secured through firewall rules on the PBX, but this becomes difficult when dealing with people who travel with their phones.

                    • A
                      Alex Sage @AdamF
                      last edited by

                      @fuznutz04 said:

                      Correct, that's the plan. However, when the phones check for configuration/provisioning periodically, while remote, what method do you use to secure the communication? You can use http, ftp, etc, but this is inherently not secure. This could be secured through firewall rules on the PBX, but this becomes difficult when dealing with people who travel with their phones.

                      Most phones have OpenVPN built-in, that's a good option 🙂

                      • A
                        Alex Sage @AdamF
                        last edited by

                        @fuznutz04 What phones are you using?

                        • Minion QueenM
                          Minion Queen Banned
                          last edited by

                          I think you are trying to make it too complicated. All you need to work on the phone is the IP address of the phone (wherever it happens to be) and remote connection to a machine on that network (assuming that would be your employee's laptop etc). Then you can reconfigure the phone easily. Even a basic user can hit the OK button on a phone and get the IP address and read it off to you.

                          • A
                            Alex Sage @Minion Queen
                            last edited by Alex Sage

                            @Minion-Queen Then how do you connect the phone to the PBX securely? Most phones support HTTP, FTP and TFTP - none of which are secure. Also, you login and make manual changes every time you want to make a simple change on a phone? Sounds painful, and even more painful if you have more than a handful of phones....

                            • coliverC
                              coliver @Alex Sage
                              last edited by

                              @aaronstuder said:

                              @Minion-Queen Then how do you connect the phone to the PBX securely? Most phones support HTTP, FTP and TFTP - none of which are secure. Also, you login and make manual changes every time you want to make a simple change on a phone? Sounds painful, and even more painful if you have more than a handful of phones....

                              How much are you doing changes on a phone? 99% of everything that changes is done at the PBX level. The only time you should be touching a handset is to register it to the PBX.

                              • A
                                Alex Sage @coliver
                                last edited by Alex Sage

                                @coliver That's a fair point, we are making a lot of changes right now due to having just installed the system. I could still see us making changes once every couple of months. Having to change 60 phones by hand seems painful. Some features can't be controlled by the PBX such as a softkey, etc. Still, the question remains, how do you do it securely?

                                  • Minion QueenM
                                    Minion Queen Banned @Alex Sage
                                    last edited by

                                    @aaronstuder said:

                                    @Minion-Queen Then how do you connect the phone to the PBX securely? Most phones support HTTP, FTP and TFTP - none of which are secure. Also, you login and make manual changes every time you want to make a simple change on a phone? Sounds painful, and even more painful if you have more than a handful of phones....

                                    If you are having to touch the phones hardly at all then you are doing it wrong.

                                    • A
                                      Alex Sage @Minion Queen
                                      last edited by Alex Sage

                                      @Minion-Queen Completely agree. That still doesn't solve the security issue.

                                      Transmitting a phone configuration over the open internet without encryption is a bad idea.

                                      • A
                                        Alex Sage @Minion Queen
                                        last edited by Alex Sage

                                        @Minion-Queen HTTPS solves the encryption problem, but does not solve the authentication problem. None of the phones I have seen support using a username and password to authenticate over HTTPS. Some phones support encrypted conf files, that would work.

                                        Need to know what phones @fuznutz04 is using, and then we can give them some options 🙂

                                        coliverC 1 Reply Last reply Reply Quote 0
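The gap raised in the post above (HTTPS encrypts the config download, but the phones cannot send a username and password) can be narrowed by pre-configuring each phone with its own unguessable provisioning URL and having the server check it. This is an added example, not code from the thread or from FreePBX; the `/prov/<token>/<mac>.cfg` layout, the secret, the sample MAC and all function names are assumptions.

```python
import hashlib
import hmac
import re

# Constructed demo secret; a real server would load this from protected storage.
PROVISIONING_SECRET = b"constructed-demo-secret"
# Hypothetical URL layout (an assumption): /prov/<token>/<mac>.cfg
PATH_RE = re.compile(r"/prov/([0-9a-f]{32})/([0-9a-f]{12})\.cfg")

def normalize_mac(mac: str) -> str:
    """Strip separators and lowercase; reject anything that is not 12 hex digits."""
    digits = re.sub(r"[:.\-]", "", mac.lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError("MAC address must contain 12 hex digits")
    return digits

def device_token(mac: str) -> str:
    """Per-phone path token: HMAC-SHA256 over the MAC, truncated to 128 bits."""
    tag = hmac.new(PROVISIONING_SECRET, normalize_mac(mac).encode(), hashlib.sha256)
    return tag.hexdigest()[:32]

def provisioning_url(host: str, mac: str) -> str:
    """URL to set on the phone while you still have it in hand."""
    return f"https://{host}/prov/{device_token(mac)}/{normalize_mac(mac)}.cfg"

def authorize(scheme: str, path: str) -> tuple:
    """Return (allowed, detail) for one provisioning request."""
    if scheme != "https":
        return False, "plaintext transport"  # token would be exposed on the wire
    match = PATH_RE.fullmatch(path)
    if not match:
        return False, "malformed path"
    token, mac = match.groups()
    # Constant-time comparison avoids leaking how much of the token matched.
    if not hmac.compare_digest(token, device_token(mac)):
        return False, "token does not match MAC"
    return True, mac

# Constructed sample requests as (scheme, path) pairs.
GOOD_MAC = "00:11:22:AA:BB:CC"
SAMPLE_REQUESTS = [
    ("https", f"/prov/{device_token(GOOD_MAC)}/001122aabbcc.cfg"),
    ("http", f"/prov/{device_token(GOOD_MAC)}/001122aabbcc.cfg"),
    ("https", "/prov/" + "0" * 32 + "/001122aabbcc.cfg"),
    ("https", "/001122aabbcc.cfg"),
]
```

Because a MAC address alone is guessable, the token is what stops one device's config (and its SIP credentials) from being fetched by anyone who requests `<mac>.cfg`; a token that is ever sent over plain HTTP should be treated as exposed and rotated.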
                                        • coliverC
                                          coliver @Alex Sage
                                          last edited by

                                          @aaronstuder said:

                                          @Minion-Queen HTTPS solves the encryption problem, but does not solve the authentication problem. None of the phones I have seen support using a username and password to connect. Some phones support encrypted conf files, that would work. Need to know what phones @fuznutz04 is using, and then we can give them some options 🙂

                                          Are we talking about a username/password to configure the phone or to login with SIP?

                                          Check out Yealink; they require a username and password to connect. Snom does as well. I even had a conference room phone, can't remember the manufacturer, that requires a username and password.

                                          • A
                                            Alex Sage @coliver
                                            last edited by Alex Sage

                                            @coliver to authenticate over HTTPS..... clearly SIP requires both for all phones.
