It is important to keep your system as secured as possible. Ideally, it should be sitting behind a firewall (hardware) with no ports exposed to the internet. That is, users connecting to the PBX server for phone service should be on the same local network as the server. If your server is exposed to the internet, at least take these precautions:
- Don’t allow root login for ssh. Use a different user for ssh access.
- Expose only the necessary ports. Don’t expose ports 80, 9080 (freepbx), and 9001 (webmin).
- Strong passwords for everything: root (also used for webmin), user, maint (freepbx web interface), and even the asterisk extensions.
To disallow root login via for ssh and create a new user for regular access, do
## Add: PermitRootLogin no ## change from yes to no
## create non-root user to login to ssh. As root, do
useradd -d /home/newuser -m newuser
passwd newuser ## enter in password
## give newuser the power of sudo
## add: newuser ALL=(ALL) ALL
## log out and login as newuser
## add to ~/.bashrc of newuser
If you are behind a NAT firewall (router), forward these ports if they are relevant (remote sip connection):
SSH: 22 TDP/UDP
IAX: 4569 UDP; to connect to server via IAX protocol remotely
SIP: 5060 UDP; to connect to server via SIP protocol remotely
RTP: 10000-20000 UDP (/etc/asterisk/rtp.conf); voice connections
Don't open 80/9080 (freepbx administration) and 9001 (webmin)
For remote sip connection, I believe you also need to go to Tools (top of page) > Asterisk SIP Settings. Then modify the NAT settings: external IP and Local network (eg: 192.168.1.0/255.255.255.0). Click “Auto Configure” to automatically do this.
I originally had my server exposed to the world thinking the server is quite secure. I still think it’s pretty secure as Fail2ban and iptables work quite well; see this experience with trying to connect to a SIP extension from outside (remote connection) where the extension was restricted to only internal IP addresses. Basically, if you fail to authenticate any service (ssh, http, sip, etc.) a few times, the server will no longer respond to you (all services) until the pbx server is restarted.
My current setup: pbx behind a router with only the necessary ports opened as advised by all the experts.
One issue I encountered was that I was able to register a sip connection on the local network but not remotely across the internet, even though all my ports were forwarded. Using the following method, I realize that my connection to port 5060 never made it to the server:
sip set debug on ## debug sip registrations. if you are trying to register a connection and you don't see any activity here, then your packets never made it to the server
Even if I removed the firewall (router) and exposed all ports to the internet (DMZ), I was not able register a remote sip connection. I later realize it was because of
iptables (Linux firewall) on the pbx server. See this for more details. After executing the following command,
iptables -A INPUT -p udp -m udp --dport 5060 -j ACCEPT
I was able to register a remote sip connection. To make this permanent, I added the rule via Webmin (
http://local.ip:9001/). Your pbx server needs to respond to inquiries from ports 5060, 4569, and 10000-20000 UDP; I think somehow 5060 was set as TCP instead of UDP during installation, so I had to fix it manually. Restart the server to have the new rule take effect. Thank you n3glv, navaismo, adam1, and [TK]D-Fender from
#freepbx for your help.
To guard against bots scanning for pbx servers, it might be wise to change the sip port for each extension from 5060 to something else.