Internet web access security

Status
Not open for further replies.

obihuan

New Member
Jun 6, 2023
5
2
3
52
Hello,

I have a small FusionPBX system installed, with 4 tenants for four different companies. My intention is to create an admin user for each tenant so they can manage their corresponding tenant.

To allow these users to access their tenants, I need to permit access to port 443 from the internet.

My questions are:

  • Is it a good idea to do what I'm proposing?
  • Is it safe to open port 443 to the internet to allow remote administration?
  • Has anyone here kept this port open and experienced any issues or attacks?
  • Is there any documentation on best practices for allowing access to port 443 from the internet?
Thanks in advance,

Obihuan
 

Adrian Fretwell

Well-Known Member
Aug 13, 2017
1,498
413
83
Generally speaking, if you have a working Fail2Ban or equivalent AND you have enforced good password strength, then you should be pretty safe. I believe in FusionPBX you can now also enable two factor authentication, which will provide another level of protection although many customers find it annoying.

The simplest solution is if you customers have static IP addresses just add them to your firewall for port 443 and keep 443 closed to everyone else.

PS: Device provision relies on port 443 being open to customers. Other ports are available...
 

markjcrane

Active Member
Staff member
Jul 22, 2018
499
177
43
49
HTTPS with 443 should be fairly safe if you use a recent version of FusionPBX. I don't recommend Fail2ban for protecting FreeSWITCH it has too many false positives. Recent versions of FusionPBX use event guard which is code that subscribes to FreeSWITCH events and then bans based on the registration events.

Next thing if you are using FusionPBX provisioning its a good idea to protect it using default settings CIDR rules or http_auth settings.
 

Adrian Fretwell

Well-Known Member
Aug 13, 2017
1,498
413
83
HTTPS with 443 should be fairly safe if you use a recent version of FusionPBX. I don't recommend Fail2ban for protecting FreeSWITCH it has too many false positives. Recent versions of FusionPBX use event guard which is code that subscribes to FreeSWITCH events and then bans based on the registration events.

Next thing if you are using FusionPBX provisioning its a good idea to protect it using default settings CIDR rules or http_auth settings.
Hi Mark,
I get EventGuard, we use a similar mechanism. But how does that work if you have a customer that wants access to admin facilities from an IP address that does not have any phones registered against it?
 

markjcrane

Active Member
Staff member
Jul 22, 2018
499
177
43
49
Valid registration is not blocked so their dynamic address is not blocked.
 

obihuan

New Member
Jun 6, 2023
5
2
3
52
Hi Mark,
I get EventGuard, we use a similar mechanism. But how does that work if you have a customer that wants access to admin facilities from an IP address that does not have any phones registered against it?
Hello Adrian,

I know that Eventguard blocks failed SIP registration attempts on the PBX.

Can it be configured to block erroneous access attempts to port 443?
How would it be configured?

Thank you,

Obihuan
 

Adrian Fretwell

Well-Known Member
Aug 13, 2017
1,498
413
83
@markjcrane Maybe one of us is missing the point, so please forgive me for re-phrasing my question.

So what about an IP that has no valid registrations. For example all my phones are registered at my office, but I want to do some Admin from home, where I do not have any phones registered?
 

Adrian Fretwell

Well-Known Member
Aug 13, 2017
1,498
413
83
Can it be configured to block erroneous access attempts to port 443?
How would it be configured?
From what Mark says, I think it does, by only opening 443 if there is a valid registration from that address. but tying the two together does not work in all circumstances, hence my question to Mark. Freeswitch only deals with SIP, so events will not directly relate to anything going on on port 443.
 
Last edited:

bcmike

Active Member
Jun 7, 2018
337
58
28
54
Just to expand on something Mark said. 99% of our issues have revolved around securing provisioning not the front end. A practice that we've employed is to have different https provisioning auth credentials for every tenant. To do this just copy the relevant settings from default settings into all of your domains and make them unique with strong passwords
 
  • Like
Reactions: markjcrane

obihuan

New Member
Jun 6, 2023
5
2
3
52
"Thank you all for your responses and for clarifying my doubts. I will try to configure what bcmike suggests and set up a different user and password for the provisioning of each tenant."
 
Status
Not open for further replies.