First, let’s look at various recommendations we present to make your VitalPBX installation more secure.
This section can work as a checklist of various configurations you can follow when setting up your VitalPBX installation.
- Never use the same username and password on your extensions.
- It is quite common to see instances where the username and password for extensions are the same as the extension number. This might make remembering the usernames and passwords easier when setting up your devices, but it is the easiest way to get bad actors registering on your PBX
system. The bad actors can then start placing a massive number of phone calls. - What we recommend, and taking advantage of VitalPBX’s separation of the extension number and devices, is to use unique usernames and strong passwords for your extensions. You can make the device’s user anything you like, instead of the extension number. VitalPBX also generates a random strong password automatically, so we recommend using this instead of a repeating
password for all your devices.
- Use the “Permit” and “Deny” options for your devices.
If possible, you should limit the networks that can reach the registration for your devices. In the case you know that a device will only register from a specific network address, you can use the Permit and Deny options when configuring your devices. Permit will only allow devices from the defined network address or segment to register. Deny will disallow devices from the defined segment to register.
- Limit extension registration using a Bind Address.
The Bind Address option will also limit who can register to your extensions. With this option, you can limit the network addresses or segments that can register to your extension devices.
- Change the default ports for the services you are using.
Default ports are one of the most common ways to have your system attacked by online scanners. By changing these ports to another value, bot scanners will have a harder time detecting open spots in your VitalPBX Server. You can change these ports on the VitalPBX firewall. Remember that you also need to change the ports on the Technology Settings module for PJSIP and IAX2. The most common ports to change are PJSIP, IAX2, and SSH.
- Disable the ports you are not using.
Speaking of ports, if you are not using a service, disabling the port is a better option than changing it to something else. For example, if you are not using IAX2, disable the port on the VitalPBX firewall. This is one less way to detect an open spot by bot scanners.
- Don’t route inbound calls to very permissive contexts.
When routing incoming calls make sure that you are limiting the incoming calls to only the intended destinations. Using the right Class of Service can help you limit the destination options that someone can reach in a context. For example, don’t have an IVR with a permissive Class of Service. Create one that limits the options to the destinations you intend. If you are using a Custom Context, only allow dialing to a specific destination.
- Always have the Firewall active and try to place your PBX behind a Firewall
and/or SBC.
The firewall included in VitalPBX is set to block unwanted access to your PBX. Having it enabled at all times will deter attempts to breach the server. Having an external firewall is another good way to manage the network routes and permissions at a network level to limit access to the VitalPBX server. Finally, an SBC or Session Border Controller is a good way to externally filter registration and other type of events from reaching your VitalPBX server.
- Use Fail2Ban to automatically detect malicious attempts to enter your PBX.
Using the Fail2Ban application allows you to easily jail malicious attempts towards your VitalPBX server. Fail2Ban will block the connection from an IP Address after multiple failed attempts to access the server. This can be through SSH, PJSIP/IAX2 Registration, or web login. You can set the number of failed attempts and for how long the IP address will be blocked.
Following these suggestions will allow you to have a more secure server and keep your data and work safely. These are ways that you can secure your server out of the box. In the following lessons, we will look into more ways to make your server even safer.
