Internet web access security

obihuan

New Member
Jun 6, 2023
Hello,

I have a small FusionPBX system installed, with 4 tenants for four different companies. My intention is to create an admin user for each tenant so they can manage their corresponding tenant.

To allow these users to access their tenants, I need to permit access to port 443 from the internet.

My questions are:

  • Is it a good idea to do what I'm proposing?
  • Is it safe to open port 443 to the internet to allow remote administration?
  • Has anyone here kept this port open and experienced any issues or attacks?
  • Is there any documentation on best practices for allowing access to port 443 from the internet?
Thanks in advance,

Obihuan

Adrian Fretwell

Well-Known Member
Aug 13, 2017
Generally speaking, if you have a working Fail2Ban or equivalent AND you have enforced good password strength, then you should be pretty safe. I believe in FusionPBX you can now also enable two-factor authentication, which will provide another level of protection, although many customers find it annoying.

The simplest solution is, if your customers have static IP addresses, just add them to your firewall for port 443 and keep 443 closed to everyone else.

PS: Device provision relies on port 443 being open to customers. Other ports are available...

markjcrane

Active Member
Staff member
Jul 22, 2018
HTTPS with 443 should be fairly safe if you use a recent version of FusionPBX. I don't recommend Fail2ban for protecting FreeSWITCH; it has too many false positives. Recent versions of FusionPBX use event guard, which is code that subscribes to FreeSWITCH events and then bans based on the registration events.

Next thing: if you are using FusionPBX provisioning, it's a good idea to protect it using Default Settings CIDR rules or http_auth settings.

Adrian Fretwell

Well-Known Member
Aug 13, 2017
Hi Mark,
I get EventGuard, we use a similar mechanism. But how does that work if you have a customer that wants access to admin facilities from an IP address that does not have any phones registered against it?

markjcrane

Active Member
Staff member
Jul 22, 2018
Valid registration is not blocked so their dynamic address is not blocked.
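To make concrete the mechanism Mark describes (subscribe to FreeSWITCH registration events, count failures per source address, ban the address, but never one that holds a valid registration), here is an added example of that logic run over constructed FreeSWITCH event text. It is not FusionPBX's event guard or FreeSWITCH code. The event subclasses `sofia::register` / `sofia::register_failure`, the `network-ip` and `Event-Date-Timestamp` headers, the `pbx_banned` nftables set, and the sample events are all assumptions made for the example; check the event names against your own FreeSWITCH version.

```python
"""Event-guard style banning over FreeSWITCH registration events.

Added example, not FusionPBX's or FreeSWITCH's own code. Event names,
header names and the nftables set name are assumptions for illustration.
"""
from collections import defaultdict, deque

# Assumed event subclasses (check against your FreeSWITCH version).
REGISTER_OK = "sofia::register"
REGISTER_FAIL = "sofia::register_failure"
REGISTER_GONE = ("sofia::unregister", "sofia::expire")


def parse_events(text):
    """Split plain-text ESL output into events: blank-line separated
    blocks of 'Header: value' lines, returned as a list of dicts."""
    events = []
    for block in text.strip().split("\n\n"):
        headers = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                headers[key.strip()] = value.strip()
        if headers:
            events.append(headers)
    return events


class EventGuard:
    """Ban an IP after `threshold` registration failures inside `window`
    seconds, unless that IP currently holds a valid registration."""

    def __init__(self, threshold=5, window=60):
        self.threshold = threshold
        self.window = window
        self.failures = defaultdict(deque)  # ip -> failure timestamps (s)
        self.registered = set()             # ips with a valid registration
        self.banned = set()

    def handle(self, event):
        """Process one event; return the IP if this event caused a ban."""
        subclass = event.get("Event-Subclass", "")
        ip = event.get("network-ip")
        ts = int(event.get("Event-Date-Timestamp", "0")) / 1_000_000.0
        if not ip:
            return None
        if subclass == REGISTER_OK:
            # Valid registration: whitelist the address and clear its count.
            self.registered.add(ip)
            self.failures.pop(ip, None)
            return None
        if subclass in REGISTER_GONE:
            self.registered.discard(ip)
            return None
        if subclass != REGISTER_FAIL or ip in self.registered:
            return None
        q = self.failures[ip]
        q.append(ts)
        while q and ts - q[0] > self.window:   # drop failures outside window
            q.popleft()
        if len(q) >= self.threshold and ip not in self.banned:
            self.banned.add(ip)
            return ip
        return None


def ban_command(ip):
    """nftables command for an assumed 'pbx_banned' set in table inet filter."""
    return f"nft add element inet filter pbx_banned {{ {ip} }}"


# Constructed sample: three failures from 203.0.113.7 within a minute,
# a valid registration from 198.51.100.20 followed by one failure, and
# failures from 192.0.2.9 spread wider than the window.
SAMPLE_EVENTS = """Event-Name: CUSTOM
Event-Subclass: sofia::register_failure
network-ip: 192.0.2.9
Event-Date-Timestamp: 900000000

Event-Name: CUSTOM
Event-Subclass: sofia::register_failure
network-ip: 203.0.113.7
Event-Date-Timestamp: 1000000000

Event-Name: CUSTOM
Event-Subclass: sofia::register_failure
network-ip: 203.0.113.7
Event-Date-Timestamp: 1001000000

Event-Name: CUSTOM
Event-Subclass: sofia::register
network-ip: 198.51.100.20
Event-Date-Timestamp: 1002000000

Event-Name: CUSTOM
Event-Subclass: sofia::register_failure
network-ip: 203.0.113.7
Event-Date-Timestamp: 1002000000

Event-Name: CUSTOM
Event-Subclass: sofia::register_failure
network-ip: 198.51.100.20
Event-Date-Timestamp: 1003000000

Event-Name: CUSTOM
Event-Subclass: sofia::register_failure
network-ip: 192.0.2.9
Event-Date-Timestamp: 1010000000

Event-Name: CUSTOM
Event-Subclass: sofia::register_failure
network-ip: 192.0.2.9
Event-Date-Timestamp: 1011000000
"""


def run(text=SAMPLE_EVENTS, threshold=3, window=60):
    """Feed events to a guard; return (guard, list of ban commands)."""
    guard = EventGuard(threshold, window)
    commands = []
    for event in parse_events(text):
        ip = guard.handle(event)
        if ip:
            commands.append(ban_command(ip))
    return guard, commands


if __name__ == "__main__":
    _, cmds = run()
    for cmd in cmds:
        print(cmd)
```

With the constructed input only 203.0.113.7 is banned: 198.51.100.20 holds a valid registration, and 192.0.2.9 never reaches three failures inside one window. Note what Adrian points out further down the thread: these events describe SIP registrations only, so a firewall ban produced this way will block an attacker's address from everything, including 443, but it cannot see or rate-limit HTTPS login attempts as such.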

obihuan

New Member
Jun 6, 2023
Hello Adrian,

I know that Eventguard blocks failed SIP registration attempts on the PBX.

Can it be configured to block erroneous access attempts to port 443?
How would it be configured?

Thank you,

Obihuan

Adrian Fretwell

Well-Known Member
Aug 13, 2017
@markjcrane Maybe one of us is missing the point, so please forgive me for re-phrasing my question.

So what about an IP that has no valid registrations. For example all my phones are registered at my office, but I want to do some Admin from home, where I do not have any phones registered?

Adrian Fretwell

Well-Known Member
Aug 13, 2017
obihuan asked:
Can it be configured to block erroneous access attempts to port 443?
How would it be configured?

From what Mark says, I think it does, by only opening 443 if there is a valid registration from that address, but tying the two together does not work in all circumstances, hence my question to Mark. FreeSWITCH only deals with SIP, so events will not directly relate to anything going on on port 443.

bcmike

Active Member
Jun 7, 2018
Just to expand on something Mark said. 99% of our issues have revolved around securing provisioning, not the front end. A practice that we've employed is to have different HTTPS provisioning auth credentials for every tenant. To do this, just copy the relevant settings from Default Settings into all of your domains and make them unique with strong passwords.
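Mark's advice to protect provisioning with CIDR rules or http_auth settings, and bcmike's refinement of giving every tenant its own provisioning credentials, amount to one access check in front of the provisioning URL. The following is an added example of that check, not FusionPBX's own provisioning code. The tenant table, the setting names (`cidr`, `http_auth_enabled`, `http_auth_username`, `http_auth_password`), the domain names and the sample requests are constructed assumptions; in a real deployment the values come from each domain's settings in FusionPBX.

```python
"""Per-tenant provisioning gate: CIDR allowlist, then HTTP Basic auth.

Added example, not FusionPBX code. Setting names and tenant data are
assumptions for illustration; copy the real ones from your own
Default Settings / Domain Settings pages.
"""
import base64
import hmac
import ipaddress
import secrets

# Constructed per-tenant provisioning settings. Each tenant has its own
# http_auth credentials, so a password lifted from one tenant's phones
# is useless against another tenant's provisioning URL. An empty cidr
# list means "no address restriction" (tenant B's phones sit behind
# dynamic addresses).
TENANTS = {
    "pbx.tenant-a.example": {
        "cidr": ["203.0.113.0/24"],
        "http_auth_enabled": True,
        "http_auth_username": "prov-tenant-a",
        "http_auth_password": "Kw9r-ZbQ2-pT7m-Lx4v-Hs1n",
    },
    "pbx.tenant-b.example": {
        "cidr": [],
        "http_auth_enabled": True,
        "http_auth_username": "prov-tenant-b",
        "http_auth_password": "Rd3c-Vn8y-Gq5w-Mz2k-Jt6h",
    },
}


def new_http_auth_password(nbytes=24):
    """Generate a strong, unique provisioning password for a tenant."""
    return secrets.token_urlsafe(nbytes)


def basic_header(username, password):
    """Build the Authorization header value a phone would send."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return "Basic " + token


def check_basic_auth(header, username, password):
    """Validate an HTTP Basic header; compare in constant time."""
    if not header or not header.startswith("Basic "):
        return False
    try:
        raw = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return False
    user, sep, pw = raw.partition(":")
    if not sep:
        return False
    ok_user = hmac.compare_digest(user.encode(), username.encode())
    ok_pw = hmac.compare_digest(pw.encode(), password.encode())
    return ok_user and ok_pw


def ip_allowed(client_ip, cidrs):
    """True if client_ip falls inside any of the tenant's CIDR ranges."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def authorize_provisioning(host, client_ip, auth_header):
    """Decide whether a provisioning request may be served.

    Returns (allowed, reason). Checks run cheapest first: unknown domain,
    then CIDR (no credential is even looked at from a foreign address),
    then the tenant's own http_auth credentials.
    """
    tenant = TENANTS.get(host)
    if tenant is None:
        return False, "unknown domain"
    if tenant["cidr"] and not ip_allowed(client_ip, tenant["cidr"]):
        return False, "client address outside tenant cidr"
    if tenant["http_auth_enabled"] and not check_basic_auth(
        auth_header, tenant["http_auth_username"], tenant["http_auth_password"]
    ):
        return False, "bad or missing http_auth credentials"
    return True, "ok"


if __name__ == "__main__":
    hdr_a = basic_header("prov-tenant-a", TENANTS["pbx.tenant-a.example"]["http_auth_password"])
    print(authorize_provisioning("pbx.tenant-a.example", "203.0.113.15", hdr_a))
    print(authorize_provisioning("pbx.tenant-b.example", "203.0.113.15", hdr_a))
```

The second call in the usage block is the case bcmike is guarding against: tenant A's credentials presented to tenant B's domain are rejected, because the credentials are per domain rather than copied from one shared Default Settings value. The CIDR check runs before the credential check so that a brute-force attempt from outside a tenant's known ranges never exercises the password comparison at all.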

obihuan

New Member
Jun 6, 2023
Thank you all for your responses and for clarifying my doubts. I will try to configure what bcmike suggests and set up a different user and password for the provisioning of each tenant.