[How-to] Install & Secure FreePBX Distro (with commercial modules) on Google Compute Engine

When installing FreePBX Distro in the cloud using Google Compute Engine 

Step-by-step guide

  • Download FreePBX from https://www.freepbx.org/downloads/freepbx-distro

  • Download and install VirtualBox https://www.virtualbox.org/wiki/Downloads

  • Create new virtual Machine using VirtualBox:

    • Name:

    • Type: Linux

    • Version: Other Linux (64 bit)

    • Set memory

    • Create virtual hard drive now: VHD, Fixed size, Set the size (I recommend at least 30 G)

    • Select the VM, go to Setting >> Network >> Enable Network Adaptor >> Attach to NAT (PJSIP extensions seem to work behind NAT)

    • Select (attach) the iso and click start

    • Set the (default) configuration, (or Enter, Enter, Enter)

    • Wait for the installation to finish (you can also set the root password while the installation is running)

    • Reboot. Shutdown, remove the iso.

    • While VM is selected and Powered Off go to setting > Storage and release the iso

  • Go to console.cloud.google.com and create your first Project.

  • Go to Storage (left menu). Create a Bucket and upload the VirtualBox VHD. The upload can take up to a few hours.

  • In the meantime, we will secure the VM in the cloud:

    • Go to Compute Engine and create a VM instance of your choice (it will be deleted in the next step; it exists only so that the checkboxes create the HTTP and HTTPS firewall rules). Select both checkboxes, Allow HTTP traffic and Allow HTTPS traffic.

    • Delete the VM instance you just created.

    • Go to VPC network >> Firewall rules. Restrict every rule whose Source IP ranges is 0.0.0.0/0 to your trusted IPs: click the rule, click Edit, change Source IP ranges to your trusted IPs and save.

    • Create new Firewall Rule and give it a name (sip). Under Target tags, type a tag name, e.g. sip. Under Specified protocols and ports enter “udp:5060; udp:5160; udp:10000-20000” (without the quotes and assuming default FreePBX settings). Under Source IP ranges, enter 0.0.0.0/0 (or a restricted range: your site(s), phones and SIP provider), then click Save.

  • Once the Bucket upload is done, go to Compute Engine >> Images and click Create an Image.

  • You will get an error (but that is OK). Go to Disks; if the import worked you will see a new disk there. From its three-dot menu choose "Create an instance".

Security:

When done you will have a VM with a working FreePBX Distro on which commercial modules can be installed. Let's harden the VM:

  • By default only (GCP) key login to SSH is enabled, but for it to work the SSH firewall rule has to be open to all IPs (0.0.0.0/0). To log in from your preferred terminal you will need to either allow root login or, better, create a sudo user:

    • Go back to the firewall rules and change the SSH rule to allow 0.0.0.0/0, then save.

    • Go to the GCP VM instance and click SSH to open a browser terminal.

    • sudo useradd example_user

    • sudo passwd example_user

    • sudo usermod -aG wheel example_user

    • sudo passwd root (if you want to change the root password)

    • If you want root login over SSH, edit /etc/ssh/sshd_config to allow it (PermitRootLogin) and restart sshd.

    • Make sure to go back to the firewall rules and restrict SSH to your trusted IPs again.

    • Test that the root / example_user logins work.

  • Go to VPC network > External IP addresses. For your instance, change the Type from Ephemeral to Static. Give it a name, e.g. mypbx. Click RESERVE.

  • Go back to Compute Engine > VM instances. Select your instance, click EDIT. Under Network tags add sip or whatever tag you chose above. Click Save.

  • Create a snapshot

  • Browse to your static external IP and start configuring your FreePBX.
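The firewall, static IP, network tag and snapshot steps above as gcloud commands, so the hardening is repeatable and reviewable. This is an added example and not part of the original guide or of FreePBX: the instance name freepbx, the zone us-east1-b and the RFC 5737 address ranges are constructed placeholders to replace with your own; default-allow-ssh, default-allow-http and default-allow-https are the rule names GCP creates in the default network, and sip / mypbx are the names the guide uses. Run it with DRY_RUN=1 first to see exactly what would change.

```shell
#!/bin/sh
# Added example (not from the guide): GCE hardening steps as gcloud commands.
# Assumed/constructed values: instance "freepbx", zone "us-east1-b",
# TRUSTED_IPS (your admin IPs) and SIP_SOURCES (your SIP provider / phones).
# DRY_RUN=1 prints every command instead of executing it.

INSTANCE="${INSTANCE:-freepbx}"
ZONE="${ZONE:-us-east1-b}"
REGION="${ZONE%-*}"                              # us-east1-b -> us-east1
TRUSTED_IPS="${TRUSTED_IPS:-203.0.113.10/32}"    # constructed placeholder
SIP_SOURCES="${SIP_SOURCES:-198.51.100.0/24}"    # constructed placeholder

run() {
  # Execute the command, or with DRY_RUN=1 just print it
  if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

restrict_default_rules() {
  # "Restrict all rules with 0.0.0.0/0 to your trusted IPs": the SSH rule
  # plus the two rules the HTTP/HTTPS checkboxes created. Review any others
  # with `gcloud compute firewall-rules list` (the default network also
  # ships default-allow-rdp and default-allow-icmp).
  for rule in default-allow-ssh default-allow-http default-allow-https; do
    run gcloud compute firewall-rules update "$rule" --source-ranges="$TRUSTED_IPS"
  done
}

create_sip_rule() {
  # The "sip" rule: SIP signalling on 5060/5160 and the default RTP range,
  # applied only to instances carrying the "sip" network tag
  run gcloud compute firewall-rules create sip --direction=INGRESS \
    --allow=udp:5060,udp:5160,udp:10000-20000 \
    --source-ranges="$SIP_SOURCES" --target-tags=sip
}

promote_ip_to_static() {
  # "Change the Type from Ephemeral to Static": reserve the instance's
  # current external address ($1) under the name "mypbx". Find it with:
  #   gcloud compute instances describe "$INSTANCE" --zone="$ZONE" \
  #     --format='value(networkInterfaces[0].accessConfigs[0].natIP)'
  run gcloud compute addresses create mypbx --region="$REGION" --addresses="$1"
}

tag_instance() {
  # "Under Network tags add sip" so the sip rule applies to this VM
  run gcloud compute instances add-tags "$INSTANCE" --zone="$ZONE" --tags=sip
}

snapshot_instance() {
  # "Create a snapshot" of the boot disk, which GCE names like the instance
  run gcloud compute disks snapshot "$INSTANCE" --zone="$ZONE" --snapshot-names="$1"
}

harden_all() {
  # $1 = the instance's current external IP
  restrict_default_rules && create_sip_rule && tag_instance \
    && promote_ip_to_static "$1" && snapshot_instance "freepbx-baseline"
}

# Usage (workstation with gcloud authenticated against your project):
#   DRY_RUN=1 sh gce-harden.sh EXTERNAL_IP   # review the plan
#   sh gce-harden.sh EXTERNAL_IP             # apply it
if [ -n "${1:-}" ]; then harden_all "$1"; fi
```

The functions are split per console step so a single one can be re-run (for example tightening the SSH rule again after a maintenance window) without repeating the rest.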
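A check to run on the PBX after the sudo-user / root-login sub-steps above, as an added example that is not part of the guide: it reads sshd_config the way sshd does (first occurrence of a keyword wins, commented lines are ignored, nothing below a Match line counts as global) and flags the case where root could log in with a password. The defaults passed in, PermitRootLogin prohibit-password and PasswordAuthentication yes, are an assumption for OpenSSH 7.x and later; compare with the output of `sshd -T` on your own system.

```shell
#!/bin/sh
# Added example (not from the guide): audit the sshd settings the
# sudo-user / root-login steps touch. Assumed defaults are OpenSSH 7.x+;
# pass your own if `sshd -T` disagrees.

effective_sshd_option() {
  # $1 = sshd_config path, $2 = keyword (case-insensitive), $3 = default
  # when the keyword is absent from the global section
  awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
    NF == 0 || $1 ~ /^#/   { next }                      # blank or comment
    tolower($1) == "match" { exit }                      # conditional section: stop
    tolower($1) == key     { print $2; found = 1; exit } # first occurrence wins
    END { if (!found) print def }
  ' "$1"
}

ssh_exposure_report() {
  # Prints the effective values for config $1 and returns 1 when root could
  # log in with a password, the combination the guide avoids by creating a
  # sudo user and keeping the SSH firewall rule limited to trusted IPs.
  prl=$(effective_sshd_option "$1" PermitRootLogin prohibit-password)
  pwd_auth=$(effective_sshd_option "$1" PasswordAuthentication yes)
  echo "PermitRootLogin=$prl PasswordAuthentication=$pwd_auth"
  if [ "$prl" = "yes" ] && [ "$pwd_auth" = "yes" ]; then
    echo "WARN: root can authenticate with a password over SSH"
    return 1
  fi
  return 0
}

# Usage on the PBX: sh sshd-audit.sh /etc/ssh/sshd_config
if [ -n "${1:-}" ]; then ssh_exposure_report "$1"; fi
```

If the report warns, either set PermitRootLogin back to no (or prohibit-password) once the sudo user works, or keep root login only while the firewall rule is restricted to your trusted IPs, which is the order of steps the guide follows.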

Additionally I recommend:

  • Setting up Fail2ban, the FreePBX Responsive Firewall, HTTPS (and the FreePBX VPN).

  • Whitelist your IPs in Fail2ban and in the Firewall.

  • Set up email notifications for when updates are available.

  • If you have HTTPS set up, consider an HTTP >> HTTPS redirect:

nano /etc/httpd/conf.d/redirect-443.conf

<VirtualHost _default_:80>
ServerName mydomainname:443
ServerAlias mydomainname.com
ServerSignature Off
RewriteEngine On
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
ErrorLog /var/log/httpd/redirect.error.log
LogLevel warn
</VirtualHost>

  • Monitor access to your server.

  • Add the internal IP range(s) of your region (for example 10.140.0.0/20) to your FreePBX: Settings >> Advanced SIP Settings >> NAT Settings >> Local Networks

  • Install Logwatch (works best on a fresh install).

  • Install Tripwire (works best on a fresh install).

  • If you are planning to use cell phones, I recommend setting up your own OpenVPN server, whitelisting its IP in the firewall rules and installing the OpenVPN app on the phones.

  • Make sure Allow Anonymous Inbound SIP Calls and Allow SIP Guests are set to No (Asterisk SIP Settings >> Security Settings).

  • Make sure to disable unused Feature Codes (Admin >> Feature Codes), paying particular attention to In-Call Transfers.

  • Blacklist offending IP addresses: go to Firewall > Services > Blacklist and add the IP there.

  • If you are not planning to make international calls, create a restricted outbound route (see Outbound Routes Configuration Examples).

Backup and Restore:

  • Backups are best done through Snapshots, either manually or on a schedule.

  • To keep your commercial modules, the restored disk needs to be attached to the original VM so that the Zend ID / Deployment ID stays the same:

    • Click on the Snapshot >> Create an instance. Keep the Region, Zone, Machine configuration and Boot Disk type the same as the original VM.

    • After the new machine is created, turn it off >> click Edit >> detach its Boot Disk by clicking the x next to the Boot Disk.

    • Turn off the original VM, detach its Boot Disk by clicking the x next to it >> click Add item and choose the disk just created >> Save >> Start the machine. You should have the same Zend ID / Deployment ID and all your modules.
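The same restore expressed with gcloud, as an added example that is not part of the guide. It goes one step further than the console procedure: instead of creating a throwaway instance from the snapshot and detaching its disk, it creates the disk directly from the snapshot and swaps it into the original instance, which is the part that keeps the Zend ID / Deployment ID unchanged. Assumed names: instance freepbx in zone us-east1-b, a boot disk named like the instance (GCE's default), and disk type pd-standard; set DISK_TYPE to whatever `gcloud compute disks describe` shows for your original boot disk, as the guide advises keeping it the same. The old disk is detached but not deleted, so you can swap it back if the restore is wrong.

```shell
#!/bin/sh
# Added example (not from the guide): restore a snapshot into the ORIGINAL
# instance so the Zend ID / Deployment ID stays the same. Assumed values:
# instance "freepbx", zone "us-east1-b", boot disk named like the instance,
# DISK_TYPE matching the original. DRY_RUN=1 prints instead of executing.

INSTANCE="${INSTANCE:-freepbx}"
ZONE="${ZONE:-us-east1-b}"
OLD_DISK="${OLD_DISK:-$INSTANCE}"          # GCE names the boot disk after the VM
DISK_TYPE="${DISK_TYPE:-pd-standard}"      # assumption: match the original disk

run() { if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

restore_from_snapshot() {
  # $1 = snapshot name, $2 = name for the new boot disk. Stops after the
  # first failing step so the VM is never left without a boot disk.
  run gcloud compute disks create "$2" --zone="$ZONE" \
      --source-snapshot="$1" --type="$DISK_TYPE" &&
  run gcloud compute instances stop "$INSTANCE" --zone="$ZONE" &&
  run gcloud compute instances detach-disk "$INSTANCE" --zone="$ZONE" --disk="$OLD_DISK" &&
  run gcloud compute instances attach-disk "$INSTANCE" --zone="$ZONE" --disk="$2" --boot &&
  run gcloud compute instances start "$INSTANCE" --zone="$ZONE"
}

# Usage:
#   DRY_RUN=1 sh gce-restore.sh freepbx-baseline freepbx-restored   # review
#   sh gce-restore.sh freepbx-baseline freepbx-restored             # apply
if [ $# -eq 2 ]; then restore_from_snapshot "$1" "$2"; fi
```

After the VM is back, confirm the Deployment ID in the FreePBX admin page matches before deleting the old disk.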

 

Suggested Workflow:

If you have to open your VM to the world (0.0.0.0/0) or change the firewall rules, you may see attempts to access your FreePBX server. Once you get a notification alert from Fail2ban or from the access monitor script, block the offending IP addresses (Firewall > Services > Blacklist).

Logwatch is a neat way to see when and who (user/IP) entered the server. Tripwire will tell you if any file was added, deleted or modified. I review Logwatch and Tripwire from time to time and whenever I get an email alert about potential access. Logwatch and Tripwire can be set up to send daily emails if you do not mind alert fatigue and plan on reading them.

Pre-incident tools:

Post-incident (auditing) tools:

 
