Securing my FreePBX Instance

Hey everyone.

So it's been a few weeks since I placed a FreePBX instance online. A few things have changed in this setup since then, so I thought it would be nice to write about how I have been setting up and securing this cloud PBX.

First, let's talk about the changes I have made. Before this article, the instance had one network interface, which was directly connected to the internet gateway. The interface had a public IP address on it and all was good. Then I decided to make some changes, one being to enlist a new SIP line provider, the same one that I use daily at work. I requested a new peer trunk and 2 x new numbers for home and my wife's home business. This trunk was set up, but it resides in a private infrastructure, so to keep this all secure I first had to build an L2TP tunnel from my infrastructure to theirs.

Once that was in place, we added some static routes internally on both ends. Voilà: a cloud PBX with the trunk routing over this L2TP tunnel and working well. Both infrastructures are in data centres, so the signalling and call quality between the two is amazing, around 2ms.

The next step was to connect my home and outside devices to this PBX instance, and here is where the security problems come in. Most of what I have done above lives on private networks and is not accessible at all from the internet; however, I have to expose one interface to the public internet so that some of my outside devices can register to the instance.

I have kept the one public internet-facing interface with the static IP address and have been working on a few solutions for how best to secure it. For now I am running Fail2Ban and have also started a blacklist of permanently blocked IPs. Instead of blacklisting only the offending IP, I have been adding the whole country and ISP subnets, which stops an attacker from simply picking up a new DHCP-assigned address and coming back. Since only a few very specific IP ranges need to reach the instance, I can block everything else.

Next up: some research on the best way to set up allow-only networks.
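As an added example of the allow-only approach the post is heading towards (this is my own illustration, not code from the post or from the FreePBX project): a small POSIX shell script that builds an ipset of permitted source networks and a default-deny chain for the SIP signalling and RTP ports on the public interface. Everything not in the set is logged (rate-limited, so Fail2Ban or a human can still review it) and dropped. The interface name `eth0`, the two sample networks (RFC 5737 documentation ranges, constructed for the example) and the RTP range `10000:20000` are assumptions; check them against your own Asterisk SIP settings before applying. With `DRY_RUN=1` (the default) the script prints the commands instead of running them, so the rule set can be reviewed first.

```shell
#!/bin/sh
# Added example, not code from the original post or from FreePBX.
# Default-deny SIP on the public interface: only the listed source networks
# may reach the signalling and media ports; everything else is logged and dropped.
# Assumptions (not from the post): public interface eth0, constructed sample
# networks from RFC 5737 documentation space, and the RTP range is assumed to
# match the Asterisk SIP settings on the instance.

PUBLIC_IF="${PUBLIC_IF:-eth0}"
ALLOWED_NETS="${ALLOWED_NETS:-203.0.113.0/24 198.51.100.10/32}"
RTP_RANGE="${RTP_RANGE:-10000:20000}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands, 0 = execute them (run as root)

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Emit (or apply) the allowlist: an ipset of permitted networks, a SIP_ALLOW
# chain that accepts only those sources and drops the rest, and jump rules for
# SIP signalling and RTP arriving on the public interface.
sip_allowlist_rules() {
    run ipset create sip_allow hash:net -exist
    for net in $ALLOWED_NETS; do
        run ipset add sip_allow "$net" -exist
    done

    run iptables -N SIP_ALLOW
    run iptables -F SIP_ALLOW
    run iptables -A SIP_ALLOW -m set --match-set sip_allow src -j ACCEPT
    # Rate-limited logging keeps a record of rejected attempts for Fail2Ban or
    # manual review without letting a scanner flood the log.
    run iptables -A SIP_ALLOW -m limit --limit 5/min -j LOG --log-prefix "SIP-DENY: "
    run iptables -A SIP_ALLOW -j DROP

    # Signalling: SIP over UDP and TCP on 5060, SIP over TLS on 5061.
    run iptables -I INPUT -i "$PUBLIC_IF" -p udp --dport 5060 -j SIP_ALLOW
    run iptables -I INPUT -i "$PUBLIC_IF" -p tcp --dport 5060 -j SIP_ALLOW
    run iptables -I INPUT -i "$PUBLIC_IF" -p tcp --dport 5061 -j SIP_ALLOW
    # Media: the RTP port range the PBX hands out to registered devices.
    run iptables -I INPUT -i "$PUBLIC_IF" -p udp --dport "$RTP_RANGE" -j SIP_ALLOW
}

# Number of networks that will be allowlisted; a quick sanity check before applying.
allowed_net_count() {
    set -- $ALLOWED_NETS
    echo "$#"
}

sip_allowlist_rules
```

Run it once as-is to review the generated rules, then `DRY_RUN=0 sh sip-allowlist.sh` as root to apply them. One caveat: FreePBX ships its own firewall module that manages iptables on the box, so a hand-written rule set like this should either replace that module or be kept to a chain the module does not touch, otherwise the two will fight over the INPUT chain.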

