This article covers common steps to secure your FreePBX: firewall setup, access controls, and basic network security as they relate to FreePBX.
- Keep your system updated (firmware) and patched for the latest security updates (FreePBX wiki - Updates).
- Enable Fail2ban (FreePBX wiki - Intrusion Detection):
  - Whitelist authorized IPs.
- Enable PBX Firewall (FreePBX wiki - Firewall):
  - Whitelist authorized IPs.
  - CRITICALLY IMPORTANT - set the zone to "Internet" for all interfaces that have or could have inbound untrusted traffic.
  - If you must provide access to SIP clients that can't be whitelisted, enable the Responsive feature in the PBX Firewall. If untrusted access is not necessary, disable Responsive.
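The Fail2ban and firewall whitelist items above come down to one rule: count failed authentication attempts per remote address, never count addresses you trust, and block an address once it crosses a threshold. The script below is an added illustration of that logic, not FreePBX or Fail2ban code: it parses lines in the shape Asterisk's security log (res_security_log) writes, exempts whitelisted networks, and returns the addresses that would be banned. The log lines, the whitelist ranges, the threshold of 5 and the set of event names treated as failures are all constructed for the example.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Security event names that indicate a failed authentication attempt
# (assumption for this example; tune to the events your deployment logs).
FAILURE_EVENTS = {"InvalidAccountID", "ChallengeResponseFailed",
                  "InvalidPassword", "FailedACL"}

_EVENT_RE = re.compile(r'SecurityEvent="([^"]+)"')
# RemoteAddress looks like IPV4/UDP/203.0.113.5/5060 (IPV6 and other transports also occur)
_REMOTE_RE = re.compile(r'RemoteAddress="IPV[46]/\w+/([^/"]+)/\d+"')


def parse_failures(log_text):
    """Yield the remote IP of every failed-authentication security event."""
    for line in log_text.splitlines():
        event = _EVENT_RE.search(line)
        remote = _REMOTE_RE.search(line)
        if event and remote and event.group(1) in FAILURE_EVENTS:
            yield remote.group(1)


def is_whitelisted(ip, networks):
    """True if ip falls inside any of the trusted networks."""
    addr = ip_address(ip)
    return any(addr in net for net in networks)


def ips_to_ban(log_text, whitelist, maxretry=5):
    """Return the sorted list of addresses with maxretry or more failures,
    ignoring anything inside the whitelist (the Fail2ban 'ignoreip' idea)."""
    networks = [ip_network(w, strict=False) for w in whitelist]
    counts = Counter(ip for ip in parse_failures(log_text)
                     if not is_whitelisted(ip, networks))
    return sorted(ip for ip, n in counts.items() if n >= maxretry)


def _line(seq, event, ip, severity="Error"):
    # Constructed line in the format of Asterisk's res_security_log output;
    # addresses are documentation ranges, not real hosts.
    return (f'[2024-03-01 10:00:{seq:02d}] SECURITY[2101] res_security_log.c: '
            f'SecurityEvent="{event}",EventTV="2024-03-01T10:00:{seq:02d}.000+0000",'
            f'Severity="{severity}",Service="PJSIP",EventVersion="1",AccountID="1001",'
            f'SessionID="0x7f",LocalAddress="IPV4/UDP/192.0.2.10/5060",'
            f'RemoteAddress="IPV4/UDP/{ip}/5060"')


# Constructed sample log: one scanner, one noisy but trusted host, one near miss.
SAMPLE_LOG = "\n".join(
    [_line(i, "ChallengeResponseFailed", "203.0.113.5") for i in range(5)]
    + [_line(i + 5, "InvalidAccountID", "198.51.100.7") for i in range(6)]
    + [_line(i + 11, "InvalidPassword", "203.0.113.9") for i in range(2)]
    + [_line(13, "SuccessfulAuth", "203.0.113.9", severity="Informational")]
)

# Constructed whitelist: the office range and the PBX's own LAN.
WHITELIST = ["198.51.100.0/24", "192.0.2.0/24"]

if __name__ == "__main__":
    print("ban:", ips_to_ban(SAMPLE_LOG, WHITELIST))          # ['203.0.113.5']
    print("ban without whitelist:", ips_to_ban(SAMPLE_LOG, []))
```

Note that the trusted host 198.51.100.7 has more failures than the scanner yet is never banned; that is exactly why the whitelist matters, since a misconfigured phone on the office network would otherwise lock the whole office out. Lowering `maxretry` to 2 would also catch 203.0.113.9, which shows the trade-off between sensitivity and false positives.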
- Enable HTTPS-only access (with the corresponding certificate services) (FreePBX wiki - Certificate Management). Consider an HTTP-to-HTTPS redirect (System Admin - Port Management#PortManagement-Forcehttps).
- Use TLS to encrypt SIP signalling and SRTP to encrypt media.
- Asterisk SIP Settings (FreePBX wiki - Asterisk SIP Settings User Guide):
  - Set Allow Anonymous Inbound SIP Calls to NO.
  - Set Allow SIP Guests to NO.
- Manually blacklist offending IP addresses (FreePBX wiki - Firewall Blacklist).
- Use a non-standard port for SIP instead of the default 5060 (this reduces scanner noise but is no substitute for the firewall and authentication controls above), then update both ends:
  - Configure the trunk to use the new port.
  - Configure SIP peers/clients to use the new port.
- Use IP based authentication for your trunk provider (if supported).
- Allow no untrusted access to critical services such as the admin GUI and SSH.
- If possible, block untrusted access to user-facing services such as UCP and SIP. If that is not possible, enforce strong user passwords and ensure Fail2ban is configured and working.
- If your company does not make international calls, ask your SIP provider to disable international calling, implement a block on international calling within your PBX, or both (FreePBX wiki - Outbound Routes Configuration Examples).
- Awareness is your best defense. Review the Call Reports and logs regularly.
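Regular review of call records is easier when a script does the first pass. The example below is an added illustration, not FreePBX code: it reads CDR rows in the column order of Asterisk's default Master.csv and flags the patterns toll-fraud reviews usually look for, namely international destinations (the item above on blocking international calling), calls placed outside business hours, and unusually long calls. The sample rows, the business-hours window, the international dialling prefixes (NANP-style "011", plus "00" and "+") and the long-call threshold are all constructed assumptions for the example.

```python
import csv
import io
from collections import Counter
from datetime import datetime

# Column order of Asterisk's default CDR CSV (Master.csv).
CDR_FIELDS = ["accountcode", "src", "dst", "dcontext", "clid", "channel",
              "dstchannel", "lastapp", "lastdata", "start", "answer", "end",
              "duration", "billsec", "disposition", "amaflags", "uniqueid",
              "userfield"]

# Assumptions for this example: NANP-style international prefix plus the
# common alternatives, and an 08:00-18:00 weekday business-hours window.
INTERNATIONAL_PREFIXES = ("011", "00", "+")
BUSINESS_HOURS = (8, 18)


def is_international(dst):
    """True if the dialled number starts with an international prefix."""
    return dst.strip().startswith(INTERNATIONAL_PREFIXES)


def is_after_hours(start):
    """True if the call started on a weekend or outside business hours."""
    dt = datetime.strptime(start, "%Y-%m-%d %H:%M:%S")
    return dt.weekday() >= 5 or not (BUSINESS_HOURS[0] <= dt.hour < BUSINESS_HOURS[1])


def read_cdr(csv_text):
    """Parse Master.csv-style text into dicts keyed by CDR_FIELDS."""
    return [dict(zip(CDR_FIELDS, row))
            for row in csv.reader(io.StringIO(csv_text)) if row]


def review_cdr(csv_text, max_billsec=3600):
    """Return sorted (uniqueid, reason) findings for rows worth a human look."""
    findings = []
    for rec in read_cdr(csv_text):
        if is_international(rec["dst"]):
            findings.append((rec["uniqueid"], "international"))
        if is_after_hours(rec["start"]):
            findings.append((rec["uniqueid"], "after-hours"))
        if int(rec["billsec"] or 0) > max_billsec:
            findings.append((rec["uniqueid"], "long-call"))
    return sorted(findings)


def international_calls_by_source(csv_text):
    """Count international calls per internal extension (src)."""
    return Counter(rec["src"] for rec in read_cdr(csv_text)
                   if is_international(rec["dst"]))


# Constructed sample CDR rows in Asterisk's quoted Master.csv style;
# numbers and extensions are made up for the example.
SAMPLE_CDR = '''\
"","1001","12125551234","from-internal","""Alice"" <1001>","PJSIP/1001-00000001","PJSIP/trunk-00000002","Dial","PJSIP/12125551234@trunk","2024-03-01 10:15:00","2024-03-01 10:15:05","2024-03-01 10:20:05","305","300","ANSWERED","DOCUMENTATION","1709288100.1",""
"","1002","01144207946000","from-internal","""Bob"" <1002>","PJSIP/1002-00000003","PJSIP/trunk-00000004","Dial","PJSIP/01144207946000@trunk","2024-03-01 14:00:00","2024-03-01 14:00:04","2024-03-01 14:02:04","124","120","ANSWERED","DOCUMENTATION","1709302000.2",""
"","1003","0037120000000","from-internal","""Carol"" <1003>","PJSIP/1003-00000005","PJSIP/trunk-00000006","Dial","PJSIP/0037120000000@trunk","2024-03-02 02:30:00","2024-03-02 02:30:03","2024-03-02 04:00:03","5403","5400","ANSWERED","DOCUMENTATION","1709346600.3",""
"","1001","18005550199","from-internal","""Alice"" <1001>","PJSIP/1001-00000007","PJSIP/trunk-00000008","Dial","PJSIP/18005550199@trunk","2024-03-01 22:45:00","","2024-03-01 22:45:30","30","0","NO ANSWER","DOCUMENTATION","1709333100.4",""
'''

if __name__ == "__main__":
    for uniqueid, reason in review_cdr(SAMPLE_CDR):
        print(f"{uniqueid}: {reason}")
    print(dict(international_calls_by_source(SAMPLE_CDR)))
```

The Saturday 02:30 call to a "00" number lasting 90 minutes trips all three rules at once, which is the classic shape of a compromised extension being used for toll fraud; a single after-hours local call, by contrast, only earns one flag and is usually benign. Run something like this against yesterday's records each morning and the review item above takes minutes rather than an hour.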