[How-to] Install & Secure FreePBX Distro (with commercial modules) on Google Compute Engine

When installing FreePBX Distro in the cloud using Google Compute Engine 

Step-by-step guide

• Download FreePBX from https://www.freepbx.org/downloads/freepbx-distro

• Download and install VirtualBox https://www.virtualbox.org/wiki/Downloads

• Create new virtual Machine using VirtualBox:

  • Name:

  • Type: Linux

  • Version: Other Linux (64 bit)

  • Set memory

  • Create virtual hard drive now: VHD, Fixed size, Set the size (I recommend at least 30 G)

  • Select the VM, go to Setting >> Network >> Enable Network Adaptor >> Attach to NAT (PJSIP extensions seems to work)

  • Select (attach) the iso and click start

  • Set the (default) configuration, (or Enter, Enter, Enter)

  • Wait for the installation to finish (also may set the root password while the installation is running)

  • Reboot. Shutdown, remove the iso.

  • While VM is selected and Powered Off go to setting > Storage and release the iso

• Go to console.cloud.google.com and create your first Project.

• Go to Storage (left menu). Create Bucket and upload the VirtualBox VHD. Will take up to few hours.

• In the meantime, we will secure the VM in the cloud:

  • Go to Compute Engine and create a VM instance of your choice (will be deleted) and select both checkboxes Allow HTTP traffic and Allow HTTPS traffic.

  • Delete the just created VM instance.

  • Go to VPC network >> Firewall rules. Restrict all rules with 0.0.0.0/0 to your trusted IPs by clicking on the rule then clicking Edit. Change Source IP ranges to your trusted IPs

  • Create new Firewall Rule and give it a name (sip). Under Target tags, type a tag name, e.g. sip. Under Specified protocols and ports enter “udp:5060; udp:5160; udp:10000-20000” (without the quotes and assuming default FreePBX settings). Under Source IP ranges, enter 0.0.0.0/0 (or a restricted range: your site(s), phones and SIP provider), then click Save.

• Once Bucket upload is done, go to Compute Engine >> Images, Create an Image

  • Name

  • Source: Virtual disk (VMDK,VHD)

  • Cloud Storage file: (select the uploaded VHD)

  • Operating system on virtual disk: CentOS 7

  • Install guest packages: Checked

  • Location: Select the zone best for your need

    • https://cloud.google.com/compute/docs/regions-zones/

    • https://cloud.google.com/solutions/best-practices-compute-engine-region-selection

    • http://www.gcping.com/

  • Create (may take 1-2 hours)

• Will get an error (but that will be OK). Go to Disks if things worked fine you will see one there. From the three dots "Create an instance".

Security:

When done you will have VM with working FreePBX Distro that can be used to install commercial modules. Let's harden the security of the VM:

• By default only (GCP) key login to SSH is enabled but SSH need to be open to all IPs (0.0.0.0/0). To login from your prefered terminal of choice will need either allow root or better create a sudo user.

  • Go back to firewall and change the SSH rule to allow 0.0.0.0/0, save.

  • Go to GCP VM instance and click on the SSH

  • useradd example_user

  • passwd example_user

  • usermod -aG wheel example_user

  • sudo passwd root (if you like to change the password of your root)

  • If you want root login edit /etc/ssh/sshd_config to allow root login

  • Make sure to go back to the firewall rules and restrict SSH to your trusted IPs

  • Test if root / example_user are working.

• Go to VPC network > External IP addresses. For your instance, change the Type from Ephemeral to Static. Give it a name, e.g. mypbx. Click RESERVE.

• Go back to Compute Engine > VM instances. Select your instance, click EDIT. Under Network tags add sip or whatever tag you chose above. Click Save.

• Create a snapshot

• Go to your assigned external IP and start configuring your FreePBX

Additionally I recommend:

• Setting Fail2ban, FreePBX Responsive Firewall, HTTPS, (and FreePBX VPN).

• Whitelist your IPs in Fail2ban, and Firewall.

• Set email notification for when updates available.

• If you have HTTPS setup, consider HTTP >> HTTPS redirect:

nano /etc/httpd/conf.d/redirect-443.conf

<VirtualHost _default_:80>
ServerName mydomainname:443
ServerAlias mydomainname.com
ServerSignature Off
RewriteEngine On
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
ErrorLog /var/log/httpd/redirect.error.log
LogLevel warn
</VirtualHost>

• Monitoring access to your server. [HOW-TO] Monitor and Set Email Alert For Unauthorized Access to FreePBX (Centos) Server

• Add IP ranges for your Region IP ranges https://cloud.google.com/vpc/docs/vpc#ip-ranges  (example 10.140.0.0/20) to your FreePBX: Setting >> Advance SIP Settings >> NAT Settings >> Local Networks

• Install Logwatch (work best on new install).

• Install Tripwire (work best on new install).

• If you are planning to use cell phones, I recommend setting you own OpenVPN server and whitelist the IP in the Firewall rules and install OpenVPN app on the phones.

• Make sure Allow Anonymous Inbound SIP Calls and Allow SIP Guests (set to no) (Asterisk SIP Settings >> Security Settings).

• Make sure to disable unused Feature Codes (Admin >> Feature Code) with attention to In-Call Transfers.

• Make sure to blacklist offensive IP Addresses. Go to Firewall > Services > Blacklist > Add IP there.

• If you are not planning to make international calls >> create restricted route see https://wiki.freepbx.org/display/FPG/Outbound+Routes+Configuration+Examples#OutboundRoutesConfigurationExamples-2.RouteName:Restricted

Backup and Restore:

• Backup can be best done through Snapshots and can be done manually or on scheduled basis.

• In order to maintain your commercial modules, restored backup need to be attached to the original VM for the Zend ID / Deployment ID to stay the same.

  • Click on the Snapshot >> Create an instance. Try to keep the Region, Zone, Machine configuration, and Boot Disk type the same as the original VM.

  • After the new machine is created, go back to the new VM and turn it off >> Click Edit >> detach the Boot Disk by clicking on the x sign next to the Boot Disk.

  • Go to the original VM turn off, detach the Boot Disk by clicking on the x sign next to the boot disk >> then click add item and choose the disk just created >> Save >> Start the machine. You should have your same Zend ID / Deployment ID and all your modules.

Suggested Workflow:

If you have to open your VM to the world 0.0.0.0/0 or change the firewall rules then you may see some attempts to access your FreePBX server. Once you get a notification alert from fail2ban or the access monitor script block the offensive IP addresses (Firewall > Services > Blacklist)

Logwatch is a neat way to look at when and who (user/IP) entered the server. Tripwire will tell if there is any file that was added, deleted or modified. I review Logwatch and Tripwire from time to time and when I get an email alert about potential access. Logwatch and Tripwire can be setup to send daily emails if you do not mind alert fatigue and planning to reading them.

Related articles/resources:

Pre-incident tools:

• System Updates

• Intrusion Detection

• Firewall

• SSL Certificate Management

• FreePBX VPN Server

• [HOW-TO] Monitor and Set Email Alert For Unauthorized Access to FreePBX (Centos) Server
  

Post-incident (auditing) tools

• Logwatch: https://sourceforge.net/projects/logwatch

• Tripwire: https://github.com/Tripwire/tripwire-open-source

• Rootkit Hunter: http://rkhunter.sourceforge.net/

• [HOW-TO] Monitor and Set Email Alert For Unauthorized Access to FreePBX (Centos) Server