[How-to] Install & Secure FreePBX Distro (with commercial modules) on Google Compute Engine

When installing FreePBX Distro in the cloud using Google Compute Engine 

Step-by-step guide

Security:

When done you will have VM with working FreePBX Distro that can be used to install commercial modules. Let's harden the security of the VM:

  • By default only (GCP) key login to SSH is enabled but SSH need to be open to all IPs (0.0.0.0/0). To login from your prefered terminal of choice will need either allow root or better create a sudo user.

    • Go back to firewall and change the SSH rule to allow 0.0.0.0/0, save.

    • Go to GCP VM instance and click on the SSH

    • useradd example_user

    • passwd example_user

    • usermod -aG wheel example_user

    • sudo passwd root (if you like to change the password of your root)

    • If you want root login edit /etc/ssh/sshd_config to allow root login

    • Make sure to go back to the firewall rules and restrict SSH to your trusted IPs

    • Test if root / example_user are working.

  • Go to VPC network > External IP addresses. For your instance, change the Type from Ephemeral to Static. Give it a name, e.g. mypbx. Click RESERVE.

  • Go back to Compute Engine > VM instances. Select your instance, click EDIT. Under Network tags add sip or whatever tag you chose above. Click Save.

  • Create a snapshot

  • Go to your assigned external IP and start configuring your FreePBX

Additionally I recommend:

  • Setting Fail2ban, FreePBX Responsive Firewall, HTTPS, (and FreePBX VPN).

  • Whitelist your IPs in Fail2ban, and Firewall.

  • Set email notification for when updates available.

  • If you have HTTPS setup, consider HTTP >> HTTPS redirect:

nano /etc/httpd/conf.d/redirect-443.conf

<VirtualHost _default_:80>
ServerName mydomainname:443
ServerAlias mydomainname.com
ServerSignature Off
RewriteEngine On
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
ErrorLog /var/log/httpd/redirect.error.log
LogLevel warn
</VirtualHost>

  • Monitoring access to your server. https://community.freepbx.org/t/how-to-monitor-and-set-email-alert-for-unauthorized-access-to-freepbx-centos-server/59420

  • Add IP ranges for your Region IP ranges https://cloud.google.com/vpc/docs/vpc#ip-ranges  (example 10.140.0.0/20) to your FreePBX: Setting >> Advance SIP Settings >> NAT Settings >> Local Networks

  • Install Logwatch (work best on new install).

  • Install Tripwire (work best on new install).

  • If you are planning to use cell phones, I recommend setting you own OpenVPN server and whitelist the IP in the Firewall rules and install OpenVPN app on the phones.

  • Make sure Allow Anonymous Inbound SIP Calls and Allow SIP Guests (set to no) (Asterisk SIP Settings >> Security Settings).

  • Make sure to disable unused Feature Codes (Admin >> Feature Code) with attention to In-Call Transfers.

  • Make sure to blacklist offensive IP Addresses. Go to Firewall > Services > Blacklist > Add IP there.

  • If you are not planning to make international calls >> create restricted route see Outbound Routes Configuration Examples

Backup and Restore:

  • Backup can be best done through Snapshots and can be done manually or on scheduled basis.

  • In order to maintain your commercial modules, restored backup need to be attached to the original VM for the Zend ID / Deployment ID to stay the same.

    • Click on the Snapshot >> Create an instance. Try to keep the Region, Zone, Machine configuration, and Boot Disk type the same as the original VM.

    • After the new machine is created, go back to the new VM and turn it off >> Click Edit >> detach the Boot Disk by clicking on the x sign next to the Boot Disk.

    • Go to the original VM turn off, detach the Boot Disk by clicking on the x sign next to the boot disk >> then click add item and choose the disk just created >> Save >> Start the machine. You should have your same Zend ID / Deployment ID and all your modules.

 

Suggested Workflow:

If you have to open your VM to the world 0.0.0.0/0 or change the firewall rules then you may see some attempts to access your FreePBX server. Once you get a notification alert from fail2ban or the access monitor script block the offensive IP addresses (Firewall > Services > Blacklist)

Logwatch is a neat way to look at when and who (user/IP) entered the server. Tripwire will tell if there is any file that was added, deleted or modified. I review Logwatch and Tripwire from time to time and when I get an email alert about potential access. Logwatch and Tripwire can be setup to send daily emails if you do not mind alert fatigue and planning to reading them.

Related articles/resources:

Pre-incident tools:

Post-incident (auditing) tools

 

Return to Documentation Home I Return to Sangoma Support