Similar to medieval fortifications, it is recommended to provide your servers with multiple layers of defense. Be sure to use firewalls, strong passwords, and SSH, and make sure all software in use on your servers is kept up to date. This includes the operating system, FreeSWITCH and FusionPBX.
The latest Debian install script configures the iptables firewall for you. FusionPBX extensions set strong passwords for you by default. You can increase the password complexity in Advanced -> Default Settings by increasing the length of the passwords that are generated by default.
Although the new install script configures iptables for you, it is recommended that you review the settings. On Debian and Ubuntu you can check your firewall with the following command.
SSL / TLS
SSL and TLS are essential in today's internet applications, from VoIP to websites. FusionPBX uses a self-signed certificate by default. However, you can purchase certificates from certificate providers, and there are free options as well. With domain-based multi-tenancy, wildcard certificates can be useful. When deciding which certificate provider to use, check the phone manufacturer's documentation to find one that is compatible with HTTPS provisioning.
Let’s Encrypt provides free certificates for a single domain and they also now support wildcard certificates.
Security problems are fixed as they are discovered, and the fixes are applied to master and the latest release. Upgrades are considered an important part of keeping the server secure. Upgrades always need to be done on the operating system, FreeSWITCH and FusionPBX.
The latest install script installs FreeSWITCH packages by default. To upgrade them and the operating system packages, run the following commands.
    apt-get update
    apt-get upgrade
If you need help upgrading safely please consider paid support.
On a new install, mod_xml_rpc is not enabled by default. It is recommended to run a firewall on all FusionPBX servers. The latest Debian install script configures the firewall by default. However, it is recommended to check that it is installed and running.
Mod_xml_rpc allows remote commands to be run on FreeSWITCH. Ensure you have a firewall that is protecting the XML RPC port. Consider changing the XML RPC password. The Advanced -> Settings page in the interface allows you to change the password or the port. At the very least, do not allow public access to the XML RPC port.
The latest Debian install script installs the iptables firewall, which prevents public access to the mod_xml_rpc port. If you are not using a firewall on the server, you should, even if it's protected by an external firewall. Some uninformed co-worker could expose the server to the public internet at some point in the future. Multiple layers of security are considered best practice.
XML RPC is secure by default for 2 reasons:
- The module is disabled by default.
- The install script firewalls XML RPC port 8787 and does not allow access to it by default outside of 127.0.0.1.
If you were to start the module and open port 8787 on the firewall, you would want to set a really good password for it under Advanced -> Settings. It is recommended to use a VPN such as OpenVPN to access XML RPC over port 8787 instead of opening port 8787 on the firewall.
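One way to verify both conditions on a server, as an added example that is not part of FusionPBX or its install script: the functions below parse the output of `ss -H -ltn` and `iptables -S INPUT` and flag port 8787 when it is reachable beyond loopback. The function names and the sample lines are constructed for illustration.

```shell
# Added example (not FusionPBX code): audit exposure of the XML RPC port.
XMLRPC_PORT=8787

# Reads `ss -H -ltn` output on stdin; prints each non-loopback address that
# has a listener on the port. Exit status 0 means exposure was found.
exposed_listeners() {
    awk -v port="$XMLRPC_PORT" '
        {
            n = split($4, parts, ":")        # $4 is local address:port
            if (parts[n] != port) next
            addr = substr($4, 1, length($4) - length(parts[n]) - 1)
            if (addr ~ /^127\./ || addr == "[::1]") next
            print addr; found = 1
        }
        END { exit(found ? 0 : 1) }'
}

# Reads `iptables -S INPUT` output on stdin; prints ACCEPT rules naming the
# port without a loopback restriction. Port ranges (8000:9000) are not expanded.
open_accept_rules() {
    awk -v port="$XMLRPC_PORT" '
        { line = $0 " " }                    # trailing space simplifies matching
        line ~ /-j ACCEPT / && line ~ ("--dports? ([0-9:]+,)*" port "[, ]") {
            if (line ~ /-s 127\./ || line ~ /-i lo /) next
            print; found = 1
        }
        END { exit(found ? 0 : 1) }'
}

# Constructed sample input, not captured from a real server.
sample_ss() {
    printf '%s\n' \
        'LISTEN 0 128 0.0.0.0:22 0.0.0.0:*' \
        'LISTEN 0 128 0.0.0.0:8787 0.0.0.0:*'
}
sample_rules() {
    printf '%s\n' \
        '-P INPUT DROP' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT' \
        '-A INPUT -p tcp -m tcp --dport 8787 -j ACCEPT'
}
# On a server, feed in `ss -H -ltn` and `iptables -S INPUT` instead.
if sample_ss | exposed_listeners >/dev/null; then
    echo "WARNING: port $XMLRPC_PORT is listening on a non-loopback address"
fi
if sample_rules | open_accept_rules >/dev/null; then
    echo "WARNING: firewall accepts non-loopback traffic to port $XMLRPC_PORT"
fi
```

Both functions return a non-zero status when nothing is flagged, so they can be used directly in a cron job or monitoring check.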
Fail2ban is also used to protect SSH, FreeSWITCH, the web server as well as other services. You can view any IP addresses that have been blocked by Fail2ban with the following command.
Use strong passwords with SSH or, even better, use SSH keys for better protection of your servers.