Difference between revisions of "Security"

From FusionPBX
(General)
(VPN)
 
(14 intermediate revisions by 2 users not shown)
Line 3: Line 3:
 
==General==
 
==General==
 
* Limit Exposure
 
* Limit Exposure
* Fail2ban
+
** Use FusionPBX/FreeSWITCH behind a firewall.
 +
===Log Monitoring===
 +
If you aren't keeping track of what's going on with your system(s), you face the greatest potential for attack.  There are several easy ways to automate (mostly) this.  Here's some good places to start.
 +
====Logwatch====
 +
Logwatch is a customizable log analysis system. Logwatch parses through your system's logs and creates a report analyzing areas that you specify. Logwatch is easy to use and will work right out of the package on most systems.
  
=FreeSWITCH=
+
What's needed:  A plugin for FreeSWITCH; however, it does work nicely with fail2ban, apache, php.
* Disable the FreeSWITCH modules you are not using.
+
*[[Logwatch]]
* Fail2ban - used to watch FreeSWITCH logs
+
You will also need a way to get the logfile analysis off your system.  You can either run a full fledged mailserver like postfix/sendmail/exim/etc., or have a look at [[sSMTP]].  sSMTP is a non-daemon program that works with the systems mail command and provides a sendmail compatible binary.
 +
 
 +
===Firewall===
 +
Limit ports exposed to the Internet.
 +
====Debian====
 +
* IPTables
 +
* http://docs.fusionpbx.com/en/latest/getting_started/iptables.html?highlight=iptables
 +
* http://wiki.fusionpbx.com/index.php?title=Iptables
 +
====Ubuntu====
 +
* [[Ubuntu_Firewall|Uncomplicated Firewall (UFW)]]
 +
 
 +
===VPN===
 +
** Use a VPN for external endpoints.
 +
*** OpenVPN with a UDP tunnel works great for VOIP.
 +
[[OpenVPN]]
 +
 
 +
===Layered Security===
 +
====Fail2ban====
 +
monitor logs then bans ip addresses for those that are found in the log to be abusing the system.
 +
* [[Fail2Ban]]
 +
For information about Fail2Ban on FreeSWITCH, [http://wiki.freeswitch.org/wiki/Fail2ban see their wiki]
 +
 
 +
==FreeSWITCH==
 +
* Disable the FreeSWITCH modules you are not using. Below is a list of modules not currently being used. This list is not comprehensive. In FusionPBX the modules are found in the menu in system -> modules.
 +
*** xml rpc (not currently used by FusionPBX)
 +
****removed from Debian/Ubuntu Install script on 10/1/2012
 +
*** xml curl
 +
****removed from Debian/Ubuntu Install script on 10/1/2012
 +
*** httapi
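Review bot: The list markup skips levels: under ===VPN=== the items start at `**` and `***` with no parent `*` item, and under ==FreeSWITCH== the module entries jump from a `*` item straight to `***` and `****`. MediaWiki pads skipped levels with empty nested lists, so these render over-indented; start the VPN items at `*` and `**`, and the module list at `**` and `***`. Separately, the added Fail2ban description ("monitor logs then bans ip addresses ...") has no subject and reads as a fragment; "Fail2ban monitors logs, then bans IP addresses ..." would match the Logwatch paragraph's style.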

Latest revision as of 19:48, 4 August 2020

A place to share security best practices with the community.

General

  • Limit Exposure
    • Use FusionPBX/FreeSWITCH behind a firewall.

Log Monitoring

If you aren't keeping track of what's going on with your system(s), you face the greatest potential for attack. There are several easy ways to (mostly) automate this. Here are some good places to start.

Logwatch

Logwatch is a customizable log analysis system. Logwatch parses through your system's logs and creates a report analyzing areas that you specify. Logwatch is easy to use and will work right out of the package on most systems.

What's needed: a plugin for FreeSWITCH; however, Logwatch does work nicely with fail2ban, Apache and PHP.

You will also need a way to get the logfile analysis off your system. You can either run a full-fledged mail server like postfix/sendmail/exim/etc., or have a look at sSMTP. sSMTP is a non-daemon program that works with the system's mail command and provides a sendmail-compatible binary.

Firewall

Limit ports exposed to the Internet.

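Debian

  • IPTables
  • http://docs.fusionpbx.com/en/latest/getting_started/iptables.html?highlight=iptables
  • http://wiki.fusionpbx.com/index.php?title=Iptables

Ubuntu

  • Uncomplicated Firewall (UFW)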

VPN

    • Use a VPN for external endpoints.
      • OpenVPN with a UDP tunnel works great for VoIP.

OpenVPN

Layered Security

Fail2ban

Fail2ban monitors logs, then bans IP addresses that are found in the log to be abusing the system.

For information about Fail2Ban on FreeSWITCH, see their wiki (http://wiki.freeswitch.org/wiki/Fail2ban).
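The monitor-then-ban logic described above, sketched as an added example that is not part of the original wiki page or of Fail2ban itself. The log line format is an assumption modeled on FreeSWITCH sofia_reg.c auth-failure warnings, the sample lines are constructed, and max_retry and find_time mirror Fail2ban's maxretry and findtime settings.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed line format, modeled on FreeSWITCH sofia_reg.c auth-failure warnings.
# Anchored at both ends so only the trailing "from ip" field supplies the address.
FAILURE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\.\d+ \[WARNING\] sofia_reg\.c:\d+ "
    r"SIP auth failure \((?:REGISTER|INVITE)\) on sofia profile '[^']+' "
    r"for \[[^\]]*\] from ip (?P<ip>[0-9A-Fa-f.:]+)$"
)

def sample_line(ts, ip, user="1001"):
    """Build one constructed auth-failure line (hypothetical helper)."""
    return (f"2020-08-04 {ts}.000000 [WARNING] sofia_reg.c:2906 SIP auth failure "
            f"(REGISTER) on sofia profile 'internal' for [{user}@pbx.example.com] from ip {ip}")

# Constructed sample log, in chronological order.
SAMPLE_LOG = [
    sample_line("19:00:00", "198.51.100.20"),   # slow failures, never 3 within 10 minutes
    sample_line("19:30:00", "198.51.100.20"),
    sample_line("19:39:50", "192.0.2.10"),      # office phone with a mistyped password
    sample_line("19:39:55", "192.0.2.10"),
    sample_line("19:40:00", "192.0.2.10"),
    sample_line("19:40:01", "203.0.113.7"),     # rapid failures from one address
    sample_line("19:40:03", "203.0.113.7"),
    sample_line("19:40:05", "203.0.113.7"),
    "2020-08-04 19:45:00.000000 [NOTICE] switch_channel.c:1118 New Channel sofia/internal/1001",
    sample_line("19:59:00", "198.51.100.20"),
]

def find_offenders(lines, max_retry=3, find_time=timedelta(minutes=10), allowlist=()):
    """Return {ip: timestamp of the failure that reached max_retry within find_time}."""
    recent = defaultdict(deque)   # per-IP sliding window of failure times
    banned = {}
    for line in lines:
        m = FAILURE.match(line.strip())
        if not m:
            continue              # not an auth-failure line
        ip = m.group("ip")
        if ip in allowlist or ip in banned:
            continue              # trusted address, or already flagged
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > find_time:
            window.popleft()      # forget failures older than the window
        if len(window) >= max_retry:
            banned[ip] = ts
    return banned

if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG, allowlist={"192.0.2.10"}).items():
        print(f"ban {ip} (threshold reached at {when})")
```

The allowlist plays the role of Fail2ban's ignoreip setting: without it, a legitimate phone with a stale password gets banned along with the abusive address.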

FreeSWITCH

  • Disable the FreeSWITCH modules you are not using. Below is a list of modules not currently being used. This list is not comprehensive. In FusionPBX the modules are found in the menu in system -> modules.
      • xml rpc (not currently used by FusionPBX)
        • removed from Debian/Ubuntu Install script on 10/1/2012
      • xml curl
        • removed from Debian/Ubuntu Install script on 10/1/2012
      • httapi