[How-to] Install & Secure FreePBX Distro (with commercial modules) on Google Compute Engine
When installing FreePBX Distro in the cloud using Google Compute Engine
Step-by-step guide
Download FreePBX from https://www.freepbx.org/downloads/freepbx-distro
Download and install VirtualBox https://www.virtualbox.org/wiki/Downloads
Create new virtual Machine using VirtualBox:
Name:
Type: Linux
Version: Other Linux (64 bit)
Set memory
Create virtual hard drive now: VHD, Fixed size, Set the size (I recommend at least 30 GB)
Select the VM, go to Settings >> Network >> Enable Network Adaptor >> Attach to NAT (PJSIP extensions seem to work with this setting)
Select (attach) the iso and click start
Set the (default) configuration, (or Enter, Enter, Enter)
Wait for the installation to finish (you can also set the root password while the installation is running)
Reboot. Shutdown, remove the iso.
While VM is selected and Powered Off go to setting > Storage and release the iso
Go to console.cloud.google.com and create your first Project.
Go to Storage (left menu). Create a Bucket and upload the VirtualBox VHD. This can take up to a few hours.
In the meantime, we will secure the VM in the cloud:
Go to Compute Engine and create a VM instance of your choice (it will be deleted in the next step) and select both checkboxes Allow HTTP traffic and Allow HTTPS traffic.
Delete the VM instance you just created.
Go to VPC network >> Firewall rules. Restrict all rules with 0.0.0.0/0 to your trusted IPs by clicking on the rule and then clicking Edit. Change Source IP ranges to your trusted IPs.
Create new Firewall Rule and give it a name (sip). Under Target tags, type a tag name, e.g. sip. Under Specified protocols and ports enter “udp:5060; udp:5160; udp:10000-20000” (without the quotes and assuming default FreePBX settings). Under Source IP ranges, enter 0.0.0.0/0 (or a restricted range: your site(s), phones and SIP provider), then click Save.
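The two firewall steps above (restrict every 0.0.0.0/0 rule to trusted IPs, then add a tagged SIP/RTP rule) are easy to get wrong when a project already has several default rules. The following is an added example, not part of the original post and not FreePBX or Google code, that audits a rule list in the shape of the `gcloud compute firewall-rules list --format=json` output and flags every ingress rule reachable from anywhere that exposes something other than the SIP/RTP ports the guide opens on purpose. The sample rules are constructed; the `sip_rule_command` helper only builds the gcloud equivalent of the console clicks and does not run it.

```python
import ipaddress

# Constructed sample in the shape of `gcloud compute firewall-rules list --format=json`.
# These are not rules from the post; the addresses are documentation ranges.
SAMPLE_RULES = [
    {"name": "default-allow-ssh", "direction": "INGRESS",
     "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}], "targetTags": []},
    {"name": "default-allow-http", "direction": "INGRESS",
     "sourceRanges": ["198.51.100.10/32"],           # already restricted to a trusted IP
     "allowed": [{"IPProtocol": "tcp", "ports": ["80"]}], "targetTags": ["http-server"]},
    {"name": "sip", "direction": "INGRESS",
     "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "udp", "ports": ["5060", "5160", "10000-20000"]}],
     "targetTags": ["sip"]},
]

# Ports the guide deliberately exposes to the world: SIP signalling and the RTP range
# (assuming default FreePBX settings, as the post does).
SIP_ALLOWED = {("udp", "5060"), ("udp", "5160"), ("udp", "10000-20000")}


def is_world_open(rule):
    """True when any source range covers every address (0.0.0.0/0 or ::/0)."""
    for cidr in rule.get("sourceRanges", []):
        if ipaddress.ip_network(cidr, strict=False).prefixlen == 0:
            return True
    return False


def exposed_entries(rule):
    """Flatten allowed[] into (protocol, port) pairs; a protocol with no ports means all ports."""
    entries = set()
    for item in rule.get("allowed", []):
        proto = item["IPProtocol"].lower()
        for port in item.get("ports", ["all"]):
            entries.add((proto, port))
    return entries


def audit(rules):
    """Names of ingress rules open to the whole internet that expose anything beyond SIP/RTP."""
    findings = []
    for rule in rules:
        if rule.get("direction", "INGRESS") != "INGRESS" or not is_world_open(rule):
            continue
        if exposed_entries(rule) - SIP_ALLOWED:
            findings.append(rule["name"])
    return findings


def sip_rule_command(name="sip", tag="sip", source_ranges=("0.0.0.0/0",)):
    """Build the gcloud command equivalent to the console steps (returned, not executed)."""
    allow = ",".join(f"{proto}:{port}" for proto, port in sorted(SIP_ALLOWED))
    return (f"gcloud compute firewall-rules create {name} "
            f"--direction=INGRESS --allow={allow} "
            f"--source-ranges={','.join(source_ranges)} --target-tags={tag}")


if __name__ == "__main__":
    print("rules still open to 0.0.0.0/0 that need restricting:", audit(SAMPLE_RULES))
    print(sip_rule_command())
```

Run it against the real output of `gcloud compute firewall-rules list --format=json` after the restriction step; the only name it should print is the SIP rule's, and the SSH rule should reappear in the list while it is temporarily opened for the user-creation step below.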
Once the Bucket upload is done, go to Compute Engine >> Images, Create an Image
Name
Source: Virtual disk (VMDK,VHD)
Cloud Storage file: (select the uploaded VHD)
Operating system on virtual disk: CentOS 7
Install guest packages: Checked
Location: Select the zone best for your need
Create (may take 1-2 hours)
You will get an error (but that is OK). Go to Disks; if things worked, you will see a disk there. From the three dots choose "Create an instance".
Security:
When done you will have a VM with a working FreePBX Distro that can be used to install commercial modules. Let's harden the security of the VM:
By default only (GCP) key login to SSH is enabled, but SSH needs to be open to all IPs (0.0.0.0/0) for that. To log in from your preferred terminal you will need either to allow root login or, better, to create a sudo user.
Go back to the firewall and change the SSH rule to allow 0.0.0.0/0, then save.
Go to GCP VM instance and click on the SSH
useradd example_user
passwd example_user
usermod -aG wheel example_user
sudo passwd root (if you want to change the root password)
If you want root login, edit /etc/ssh/sshd_config to allow root login (the PermitRootLogin directive)
Make sure to go back to the firewall rules and restrict SSH to your trusted IPs
Test if root / example_user are working.
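Whether root login ends up allowed depends on how sshd reads the file: it ignores comments, takes the first occurrence of each keyword, and values inside a `Match` block apply only to that match, so a `PermitRootLogin no` added at the bottom of a file that already says `yes` higher up changes nothing. The example below is added here and is not part of the post or of the FreePBX Distro; it resolves the global values the way sshd does and reports what the SSH rule restriction above has to compensate for. The sample config is constructed, and the default values assume OpenSSH 7.x, as shipped with CentOS 7.

```python
# Constructed sample sshd_config, not the distro's file: note the commented line,
# the duplicate keyword, and the Match block that must not affect the global value.
SAMPLE_SSHD_CONFIG = """\
Port 22
#PermitRootLogin yes
PasswordAuthentication yes
PermitRootLogin no
PermitRootLogin yes
PubkeyAuthentication yes
Match User example_user
    PasswordAuthentication no
"""

# Values sshd uses when a keyword is absent (OpenSSH 7.x defaults; assumption for CentOS 7).
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
}


def effective_settings(text):
    """Resolve global keyword -> value as sshd does: first occurrence wins,
    comments are ignored, and anything after the first Match line is conditional."""
    found = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            in_match = True          # every later line belongs to some Match block
            continue
        if in_match:
            continue
        found.setdefault(key, value)  # setdefault keeps the first value seen
    settings = dict(DEFAULTS)
    settings.update({k: v for k, v in found.items() if k in DEFAULTS})
    return settings


def findings(text):
    """Human-readable points the firewall restriction on SSH has to cover."""
    s = effective_settings(text)
    out = []
    if s["permitrootlogin"] == "yes":
        out.append("root login with a password is allowed")
    if s["passwordauthentication"] == "yes":
        out.append("password authentication is enabled; keep SSH restricted to trusted IPs in the GCP firewall")
    return out


if __name__ == "__main__":
    for point in findings(SAMPLE_SSHD_CONFIG):
        print("-", point)
```

To check the real file, read `/etc/ssh/sshd_config` into `findings()`; on a live system `sshd -T` prints the same resolved values and is the authoritative check after any edit.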
Go to VPC network > External IP addresses. For your instance, change the Type from Ephemeral to Static. Give it a name, e.g. mypbx. Click RESERVE.
Go back to Compute Engine > VM instances. Select your instance, click EDIT. Under Network tags add sip or whatever tag you chose above. Click Save.
Create a snapshot
Go to your assigned external IP and start configuring your FreePBX
Additionally I recommend:
Set up Fail2ban, FreePBX Responsive Firewall, HTTPS (and FreePBX VPN).
Whitelist your IPs in Fail2ban and in the Firewall.
Set email notifications for when updates are available.
If you have HTTPS setup, consider HTTP >> HTTPS redirect:
nano /etc/httpd/conf.d/redirect-443.conf
<VirtualHost _default_:80>
    ServerName mydomainname:443
    ServerAlias mydomainname.com
    ServerSignature Off
    RewriteEngine On
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
    ErrorLog /var/log/httpd/redirect.error.log
    LogLevel warn
</VirtualHost>
Monitor access to your server: [HOW-TO] Monitor and Set Email Alert For Unauthorized Access to FreePBX (Centos) Server
Add the IP ranges for your Region https://cloud.google.com/vpc/docs/vpc#ip-ranges (example 10.140.0.0/20) to your FreePBX: Settings >> Advanced SIP Settings >> NAT Settings >> Local Networks
Install Logwatch (works best on a new install).
Install Tripwire (works best on a new install).
If you are planning to use cell phones, I recommend setting up your own OpenVPN server, whitelisting its IP in the Firewall rules and installing the OpenVPN app on the phones.
Make sure Allow Anonymous Inbound SIP Calls and Allow SIP Guests are set to No (Asterisk SIP Settings >> Security Settings).
Make sure to disable unused Feature Codes (Admin >> Feature Code) with attention to In-Call Transfers.
Make sure to blacklist offensive IP Addresses. Go to Firewall > Services > Blacklist and add the IP there.
If you are not planning to make international calls, create a restricted route (see Outbound Routes Configuration Examples)
Backup and Restore:
Backup is best done through Snapshots, either manually or on a scheduled basis.
In order to keep your commercial modules, a restored backup needs to be attached to the original VM so that the Zend ID / Deployment ID stays the same.
Click on the Snapshot >> Create an instance. Try to keep the Region, Zone, Machine configuration, and Boot Disk type the same as the original VM.
After the new instance is created, turn it off >> Click Edit >> detach the Boot Disk by clicking on the x sign next to the Boot Disk.
Go to the original VM and turn it off, detach its Boot Disk by clicking on the x sign next to the boot disk >> then click Add item and choose the disk just created >> Save >> Start the machine. You should have the same Zend ID / Deployment ID and all your modules.
Suggested Workflow:
If you have to open your VM to the world (0.0.0.0/0) or change the firewall rules, you may see some attempts to access your FreePBX server. Once you get a notification alert from fail2ban or the access monitor script, block the offensive IP addresses (Firewall > Services > Blacklist).
Logwatch is a neat way to look at when and who (user/IP) entered the server. Tripwire will tell you if any file was added, deleted or modified. I review Logwatch and Tripwire from time to time and when I get an email alert about potential access. Logwatch and Tripwire can be set up to send daily emails if you do not mind alert fatigue and plan to read them.
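The fail2ban alert mentioned in the workflow is triggered by the same Asterisk security events you can read yourself: Asterisk's security log records each failed registration with a `SecurityEvent` and a `RemoteAddress` field, and the stock fail2ban asterisk filter keys on exactly those. The example below is added here and is not part of the post or of FreePBX; it runs that detection over a few constructed log lines, counts failures per source address, skips the trusted ranges you whitelisted (the documentation ranges used here stand in for your site and the GCP Local Networks range), and returns the addresses worth adding to Firewall > Services > Blacklist. The threshold and the trusted ranges are assumptions to adjust.

```python
import ipaddress
import re
from collections import Counter

# Constructed lines in the shape of Asterisk's security log (res_security_log.c).
# Not real traffic: 203.0.113.5 plays the attacker, 198.51.100.10 a phone at your site
# that mistyped a secret once, and 10.140.0.9 an address in the GCP internal range.
SAMPLE_LOG = """\
[2024-01-02 03:04:05] SECURITY[1234] res_security_log.c: SecurityEvent="InvalidAccountID",Severity="Error",Service="PJSIP",AccountID="1001",LocalAddress="IPV4/UDP/10.140.0.2/5060",RemoteAddress="IPV4/UDP/203.0.113.5/5060"
[2024-01-02 03:04:06] SECURITY[1234] res_security_log.c: SecurityEvent="ChallengeResponseFailed",Severity="Error",Service="PJSIP",AccountID="1001",LocalAddress="IPV4/UDP/10.140.0.2/5060",RemoteAddress="IPV4/UDP/203.0.113.5/5061"
[2024-01-02 03:04:07] SECURITY[1234] res_security_log.c: SecurityEvent="InvalidPassword",Severity="Error",Service="PJSIP",AccountID="1002",LocalAddress="IPV4/UDP/10.140.0.2/5060",RemoteAddress="IPV4/UDP/203.0.113.5/5062"
[2024-01-02 03:05:00] SECURITY[1234] res_security_log.c: SecurityEvent="InvalidPassword",Severity="Error",Service="PJSIP",AccountID="1003",LocalAddress="IPV4/UDP/10.140.0.2/5060",RemoteAddress="IPV4/UDP/198.51.100.10/5060"
[2024-01-02 03:05:01] SECURITY[1234] res_security_log.c: SecurityEvent="SuccessfulAuth",Severity="Informational",Service="PJSIP",AccountID="1003",LocalAddress="IPV4/UDP/10.140.0.2/5060",RemoteAddress="IPV4/UDP/198.51.100.10/5060"
[2024-01-02 03:05:02] SECURITY[1234] res_security_log.c: SecurityEvent="InvalidPassword",Severity="Error",Service="PJSIP",AccountID="1004",LocalAddress="IPV4/UDP/10.140.0.2/5060",RemoteAddress="IPV4/UDP/10.140.0.9/5060"
"""

# Event types that mean an authentication attempt failed (the same set fail2ban's
# asterisk filter treats as failures).
FAIL_EVENTS = {"FailedACL", "InvalidAccountID", "ChallengeResponseFailed", "InvalidPassword"}

# RemoteAddress is "IPV4|IPV6 / transport / address / port".
LINE_RE = re.compile(
    r'SecurityEvent="(?P<event>[^"]+)".*'
    r'RemoteAddress="IPV[46]/(?:UDP|TCP|TLS|WS|WSS)/(?P<ip>[^/"]+)/\d+"'
)

# Assumed whitelist: your site(s) and the GCP regional range added under Local Networks.
TRUSTED = [ipaddress.ip_network("198.51.100.0/24"), ipaddress.ip_network("10.140.0.0/20")]


def is_trusted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED)


def failed_auth_counts(log_text):
    """Count failed authentication events per remote address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m.group("event") in FAIL_EVENTS:
            counts[m.group("ip")] += 1
    return counts


def blacklist_candidates(log_text, threshold=3):
    """Addresses with at least `threshold` failures that are not in a trusted range."""
    counts = failed_auth_counts(log_text)
    return sorted(ip for ip, n in counts.items() if n >= threshold and not is_trusted(ip))


if __name__ == "__main__":
    for ip, n in failed_auth_counts(SAMPLE_LOG).most_common():
        print(f"{ip}: {n} failed attempt(s){' (trusted)' if is_trusted(ip) else ''}")
    print("blacklist candidates:", blacklist_candidates(SAMPLE_LOG))
```

Point `failed_auth_counts` at the security log your logger.conf writes (FreePBX Distro ships one under /var/log/asterisk) to see which sources fail2ban is reacting to; the whitelist check is what keeps a phone at your own site from ending up in the blacklist after a few typos.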
Related articles/resources:
Pre-incident tools:
Post-incident (auditing) tools
Tripwire: GitHub - Tripwire/tripwire-open-source: Open Source Tripwire®
Rootkit Hunter: The Rootkit Hunter project
[HOW-TO] Monitor and Set Email Alert For Unauthorized Access to FreePBX (Centos) Server