Need some tips and suggestions

Status
Not open for further replies.

sokalsondha

Member
Nov 6, 2019
Hello everyone,
Hope everyone is doing well. I installed FusionPBX on an AWS EC2 server, with the latest version, on Debian 11.

I am going to put one company PBX on it, with a few groups and a few extensions.
But I am a little scared about security, as VoIP is too risky a project.
I have a couple of questions. Maybe you can help me with tips and suggestions.


1. What sort of security do I need to think about for my server? Currently there is fail2ban, but I need to make sure the configuration is correct, as currently it is the default, out-of-the-box setup.

2. What automation should I set up in cron, especially for logs? I don't want to keep logs forever and fill up the SSD.
And what types of logs are stored on a FusionPBX server? FreeSWITCH, nginx, any others?

3. Do you suggest any monitoring, so that in case the system gets heavily loaded it will restart the service, to make sure there is zero or very little downtime?

4. The server is with AWS, so maybe we can set up automated snapshots so we will have a full backup from time to time. I found AWS has a snapshot option. Maybe I can set up a daily automatic snapshot of the server, or maybe every 4 hours?

5. Any other important matters I need to put in place on my server, as my plan is to keep it on autopilot?

I am looking for suggestions from anyone who is currently using FusionPBX for commercial use. Maybe I can use a different SIP port just to protect it at least a little bit, but any other suggestions please.

Thanks for reading my post.
 

hfoster

Active Member
Jan 28, 2019
1. As much as possible for your use case. Personally, I would love to firewall the entire PBX off to a specific network and make all the users connect via a VPN, but this won't always be available. For what it's worth, I've had several FusionPBX servers sat on the internet for approximately 5 years and touch wood they have not experienced any fraudulent activity via bruteforcing. Fail2Ban or the new 'Event Guard' seems to do a bang up job in cutting off most attempts. The configuration out of the box is quite safe in my opinion.

2. There are maintenance scripts included in the cron folders (I think cron.daily). Those are a good starting point. The high importance stuff is mainly covered by Fail2Ban/Event Guard already.

3. FreeSWITCH can be configured to be monitored via SNMP and via script based monitoring agents. You often want to watch for sessions and sessions per second. Those can be limiting factors in large deployments. FreeSWITCH comes with quite low defaults.

4. That's all for you to decide. I think you pay for the EC2 storage, don't you? I think that's where the snapshots are stored anyway. You might want to disable the fusionpbx-backup script in the cron.daily if you are taking snapshots. It will only bloat the snapshot unnecessarily.

5. There's a supplied script with the Debian (and the other releases) installer called 'dsn.sh'. This script converts the FreeSWITCH SQLite core into a PostgreSQL core. Essential for multi-tenanting, as the SQLite core ends up with a lot of locking conditions, which results in the registrations failing and invites timing out.

/usr/src/fusionpbx-install.sh/debian/resources/postgresql/dsn.sh

You'll need the SQL password from: /etc/fusionpbx/config.conf and you'll have to paste it for several attempts.

6. One more thing, if you are intending for extensions to register from anywhere, take note that a lot of ISPs block or mess with SIP traffic on UDP, meaning three things are usually advantageous:
a. Allowing TCP SIP
b. Allowing SIP registrations for extensions on a different port. You should be able to duplicate the internal profile for another port.
c. Configuring TLS SIP. I *think* you can only use 1 certificate on FreeSWITCH at once though, so for multi-tenanting you'll need a SIP proxy in front of that which can present the correct cert.
 
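For point 3 of the reply above, a script-based check of sessions and sessions per second against the configured limits, as an added example that is not part of the original post or of FusionPBX. The function names and the 80% threshold are assumptions, the sample output is constructed, and the line format is assumed to match what `fs_cli -x "show status"` prints.

```python
import re
import subprocess

# Constructed sample; assumed to follow the `fs_cli -x "show status"` line format.
SAMPLE_STATUS = """\
UP 0 years, 3 days, 4 hours, 12 minutes, 9 seconds, 120 milliseconds, 44 microseconds
FreeSWITCH (Version 1.10.x 64bit) is ready
18234 session(s) since startup
870 session(s) - peak 940, last 5min 905
27 session(s) per Sec out of max 30, peak 29, last 5min 28
1000 session(s) max
"""

PATTERNS = {
    "sessions": r"^(\d+) session\(s\) - peak (\d+)",
    "sps": r"^(\d+) session\(s\) per Sec out of max (\d+), peak (\d+)",
    "max_sessions": r"^(\d+) session\(s\) max",
}

def parse_status(text):
    """Extract current/peak/max session and sessions-per-second figures."""
    found = {}
    for name, pattern in PATTERNS.items():
        m = re.search(pattern, text, re.MULTILINE)
        if m is None:
            raise ValueError(f"status line for {name!r} not found")
        found[name] = tuple(int(g) for g in m.groups())
    return {
        "sessions": found["sessions"][0], "sessions_peak": found["sessions"][1],
        "sessions_max": found["max_sessions"][0],
        "sps": found["sps"][0], "sps_max": found["sps"][1], "sps_peak": found["sps"][2],
    }

def check_limits(stats, warn_ratio=0.8):
    """Return warnings when peak usage reaches warn_ratio of a configured limit."""
    pairs = (("sessions", stats["sessions_peak"], stats["sessions_max"]),
             ("sessions/sec", stats["sps_peak"], stats["sps_max"]))
    return [f"{label}: peak {peak} is {peak / limit:.0%} of limit {limit}"
            for label, peak, limit in pairs if limit and peak / limit >= warn_ratio]

def live_status():
    """Fetch status from a local FreeSWITCH; requires fs_cli on the PATH."""
    return subprocess.run(["fs_cli", "-x", "show status"], capture_output=True,
                          text=True, check=True, timeout=10).stdout

if __name__ == "__main__":
    for line in check_limits(parse_status(SAMPLE_STATUS)):
        print("WARNING:", line)
```

On a server, pass `live_status()` to `parse_status` instead of the sample and run the script from cron or a monitoring agent.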

abelitouci

Member
Jul 3, 2019
Houston, Texas
We've had the FusionPBX servers in AWS (EC2) for 3 years now with almost no problem at all.
We have the database separated from the FreeSWITCH/FusionPBX server in an RDS cluster, and that allows us to add EC2 servers as we need smoothly and minimize the backups and snapshot jobs, as AWS will take care of that automatically on the database.
Works like a charm without too much maintenance. The downside is the cost, as the RDS cluster tends to be pricey; for example, for 3x EC2 servers and 1 RDS (PostgreSQL cluster) we are paying around $1000/month.
 