Security Considerations

RasPBX is meant to be run with a private IP address behind a router/firewall. Never assign it a public IP address that is fully exposed to the Internet. Using a public IP requires either a hardware firewall in front of it or additional security measures on the RPi itself, which are not implemented by default.

As long as your router does not forward any ports to the private IP of your RPi, your setup is already fairly secure against intruders from the outside. Keeping all ports closed works well in most cases; however, it may be necessary or desirable to forward some ports to the RPi. The following discussion of forwarded ports assumes SIP; for other, less widely used protocols the port numbers and the overall situation differ.

RTP ports

If calls can be made but you get one-way audio or no audio at all, forwarding the RTP ports often helps. These ports also have to be forwarded if remote extensions are desired. The port range is 10000 to 20000 by default; it can be changed in FreePBX under Settings → Asterisk SIP Settings, field RTP Port Ranges. Reducing the wide default range to around 50 ports is a good precaution (each call leg through the PBX uses two ports, RTP plus RTCP, so 50 ports still cover roughly 25 simultaneous legs). Other than that there is no real risk in forwarding these ports (UDP only) from your router.

SIP ports

If calls fail frequently (especially inbound) or are dropped for no apparent reason after some time, forwarding the SIP port 5060 (both TCP and UDP) to your RPi can help. This is also necessary when remote extensions are desired. If Secure SIP (TLS) is used, port 5061 (TCP) has to be forwarded in addition.
However, opening the SIP port to the public is a considerable security risk. Intruders will try to guess your extensions' passwords by brute force, and if they succeed they will place expensive calls on your behalf. As you can imagine, this has to be avoided at all costs. The following steps will keep your setup secure even if the SIP port is open to the public:

  • Use long, random passwords for your extensions (digits, upper- and lower-case letters, special characters) so that guessing them is hopeless.
  • Install Fail2Ban for SIP (see the Fail2Ban documentation). Fail2Ban automatically blocks the source address of any host that keeps failing authentication, at the latest on its fifth attempt.
  • Use deny/permit rules for your extensions to lock down access further. These can be found in FreePBX under Applications → Extensions. Example:
    deny=0.0.0.0/0.0.0.0
    permit=192.168.1.0/255.255.255.0
    This allows the extension to register only from inside your local LAN, here 192.168.1.0 to 192.168.1.255. The rules are evaluated in the order written and the last matching rule decides, so the catch-all deny has to come first; the permit rule then overrides it for the specified address range. An address that matches no rule at all is allowed, which is another reason the deny line must not be left out. Local extensions are easy to restrict to the LAN; remote extensions can be restricted the same way whenever they are only used from well known addresses.
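To see how these rules are evaluated, here is a small added example (it is not RasPBX or FreePBX code) that applies deny/permit lists the same order-dependent way described above: the rules are walked top to bottom, the last matching rule decides, and an address that matches nothing is allowed. The rule sets, the probe addresses and the remote address 203.0.113.45 are constructed for the example.

```python
"""Added example: evaluate Asterisk-style deny/permit rules for an extension.
Not part of RasPBX; the rule sets and addresses below are constructed."""
import ipaddress

# Constructed rule sets in the "deny=" / "permit=" form used in the text.
LAN_ONLY = """
deny=0.0.0.0/0.0.0.0
permit=192.168.1.0/255.255.255.0
"""

# A remote extension at one well-known (assumed) address, plus the LAN.
LAN_PLUS_REMOTE = """
deny=0.0.0.0/0.0.0.0
permit=192.168.1.0/255.255.255.0
permit=203.0.113.45/255.255.255.255
"""

# Same two rules, wrong order: the catch-all deny now matches last for every
# address, so even LAN phones are locked out.
WRONG_ORDER = """
permit=192.168.1.0/255.255.255.0
deny=0.0.0.0/0.0.0.0
"""


def parse_rules(text):
    """Return a list of (action, network) tuples in the order written."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        action, _, spec = line.partition("=")
        action = action.strip().lower()
        if action not in ("deny", "permit"):
            raise ValueError(f"unknown rule: {line}")
        # ip_network accepts both "a.b.c.d/netmask" and "a.b.c.d/prefix".
        rules.append((action, ipaddress.ip_network(spec.strip(), strict=False)))
    return rules


def is_permitted(rules, address):
    """Walk the rules in order; the last matching rule decides.
    With no matching rule (or no rules at all) the address is allowed,
    which is why the catch-all deny must come first."""
    addr = ipaddress.ip_address(address)
    verdict = "permit"
    for action, net in rules:
        if addr in net:
            verdict = action
    return verdict == "permit"


def check(rule_text, addresses):
    """Map each probe address to whether it may register."""
    rules = parse_rules(rule_text)
    return {a: is_permitted(rules, a) for a in addresses}


if __name__ == "__main__":
    probes = ["192.168.1.23", "203.0.113.45", "198.51.100.7"]
    for name, rules in (("LAN only", LAN_ONLY),
                        ("LAN + remote", LAN_PLUS_REMOTE),
                        ("wrong order", WRONG_ORDER)):
        print(f"{name:13}", check(rules, probes))
```

The WRONG_ORDER set is the mistake to watch for when editing rules by hand: swapping the two lines silently blocks every phone, because the deny line is now the last match for all addresses.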

Of course there are more ways to improve security even further (such as using Secure SIP), but with these simple measures a standard setup is already very hard to break into. Guessing a long, random password when only five attempts are allowed per source address is very unlikely to succeed.

SSH port

When forwarding SSH port 22 to enable remote login you should at the very least have a long, secure password, because intruders will keep trying to guess it. These break-in attempts can also be locked out with Fail2Ban, but a much more secure approach is to disable password authentication entirely and use public key authentication only. A short description of setting up key authentication can be found here. Install and test your key login first, and keep the current session open while you change the configuration so you cannot lock yourself out. To disable password login edit /etc/ssh/sshd_config and set

PasswordAuthentication no
PubkeyAuthentication yes
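The following added example (not RasPBX code) audits an sshd_config for these settings offline. It encodes one detail that bites in practice: sshd keeps the first value it reads for each keyword, so appending PasswordAuthentication no below an existing yes changes nothing, and everything after a Match line is conditional. The config snippets are constructed for the example; on a real system confirm the result with sshd -T.

```python
"""Added example: check an sshd_config for the settings discussed above.
Not part of RasPBX; the config texts below are constructed, not real."""

# A hardened configuration: password logins off, keys on, and the
# keyboard-interactive (PAM) path closed too.
HARDENED = """
PermitRootLogin prohibit-password
PasswordAuthentication no
PubkeyAuthentication yes
ChallengeResponseAuthentication no
"""

# Looks hardened when you grep for "PasswordAuthentication no", but the
# earlier "yes" is the value sshd actually uses.
LOOKS_HARDENED_BUT_IS_NOT = """
PasswordAuthentication yes
PubkeyAuthentication yes
# ... many lines later, an admin appends:
PasswordAuthentication no
"""


def effective_settings(text):
    """Return {keyword: value} using sshd's first-value-wins rule.
    Keywords are case-insensitive; both "Key value" and "Key=value" parse.
    Parsing stops at the first Match block, whose settings are conditional."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        head = line.split("=", 1)[0]
        if "=" in line and " " not in head.strip():
            key, value = line.split("=", 1)
        else:
            parts = line.split(None, 1)
            if len(parts) != 2:
                continue
            key, value = parts
        key = key.strip().lower()
        if key == "match":
            break
        settings.setdefault(key, value.strip().lower())
    return settings


def audit(text):
    """List the findings a reviewer would raise against this configuration.
    Defaults assumed where a keyword is absent: PasswordAuthentication and
    the keyboard-interactive options default to yes in OpenSSH."""
    s = effective_settings(text)
    findings = []
    if s.get("passwordauthentication", "yes") != "no":
        findings.append("password authentication is still enabled")
    if s.get("pubkeyauthentication", "yes") != "yes":
        findings.append("public key authentication is disabled")
    # Newer OpenSSH calls this KbdInteractiveAuthentication; older releases
    # use ChallengeResponseAuthentication. Either one set to "no" is fine.
    kbd = s.get("kbdinteractiveauthentication",
                s.get("challengeresponseauthentication", "yes"))
    if kbd != "no":
        findings.append("keyboard-interactive (PAM) password prompts are still possible")
    if s.get("permitrootlogin") == "yes":
        findings.append("root may log in with a password")
    return findings


if __name__ == "__main__":
    for name, cfg in (("hardened", HARDENED),
                      ("looks hardened", LOOKS_HARDENED_BUT_IS_NOT)):
        print(f"{name}: {audit(cfg) or 'OK'}")
```

On Debian-based systems like RasPBX the keyboard-interactive path matters because sshd is built with PAM, which can still prompt for the account password even when PasswordAuthentication is off; that is why the example treats a missing ChallengeResponseAuthentication no as a finding.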

HTTP port

You should NEVER, EVER open the web server port 80 to the public! Intruders will not only try to guess your FreePBX admin password, they will also try to exploit any PHP security vulnerabilities to gain access to the FreePBX admin GUI. On top of that, the password is sent in clear text when you log in, so it can be sniffed on the network. If you need remote access to FreePBX, use a VPN. A simple way to get access even without a VPN is to tunnel port 80 through an SSH connection: all traffic is encrypted inside the SSH tunnel and the web server itself stays unreachable from the Internet. On Linux this is just:

ssh -L 8000:localhost:80 root@public_ip_of_your_rpi

Port 8000 on your local machine now leads through the tunnel to port 80 on your RPi. By default the listener is bound to your machine's loopback address only, so other hosts on your network cannot use the tunnel; add -N if you want the tunnel without a remote shell. You can access the web GUI as long as the SSH session is open:

http://localhost:8000


3 thoughts on "Security Considerations"

  1. Pingback: VoIP PBX – uncle-muddy.me.uk

  2. Hi guys,

    I've found raspbx to be very interesting. One question please.
    If I want to change port 80 into something else, where can I change it please? I want to DMZ my server with port 55555 for example.

    Thanks a lot for all your help

    • Just set up port forwarding: set port 55555 to forward to port 80 on your internal network.

      Basically any outside connection to port 55555 will be forwarded to port 80 inside the network.

      If anyone from the Internet tries to go to yourpbx:80, the connection will be refused.