FreePBX Security Best Practices

This article collects common steps to secure your FreePBX system: firewall setup, access controls, and basic network security as they apply to FreePBX.

  • Keep your system updated (firmware) and patched for the latest security updates (FreePBX wiki - Updates).

  • Enable Fail2ban (FreePBX wiki - Intrusion Detection):

    • Whitelist authorized IPs.

  • Enable PBX Firewall (FreePBX wiki - Firewall):

    • Whitelist authorized IPs.

    • CRITICALLY IMPORTANT - set the zone to "Internet" for all interfaces that have or could have inbound untrusted traffic.

  • If you must provide access to SIP clients that can't be whitelisted, enable the Responsive feature in the PBX Firewall. If untrusted access is not necessary, disable Responsive.

  • Enable HTTPS-only access (with the corresponding certificate services) (FreePBX wiki - Certificate Management). Consider an HTTP to HTTPS redirect (System Admin - Port Management#PortManagement-Forcehttps).

  • Use TLS for SIP signalling and SRTP for media so that both are encrypted.

  • Asterisk SIP Settings (FreePBX wiki - Asterisk SIP Settings User Guide):

    • Set Allow Anonymous Inbound SIP Calls to NO. 

    • Set Allow SIP Guests to NO. 

  • Blacklist offensive IP Addresses manually (FreePBX wiki - Firewall Blacklist).

  • Use a non-standard port number (other than the default 5060) for SIP. This only reduces automated scanning noise; it does not replace the firewall and whitelist.

    • Configure trunk to use the new port.

    • Configure SIP peers/clients to the new port.

  • Use IP based authentication for your trunk provider (if supported).

  • Do not allow untrusted access to critical services such as the admin GUI and SSH.

  • If possible, block untrusted access to user-facing services such as UCP and SIP. If that is not possible, enforce strong user passwords and ensure fail2ban is configured and working.

  • If your company does not make international calls, ask your SIP provider to disable international calling, implement a block on international calling within your PBX, or do both (FreePBX wiki - Outbound Routes Configuration Examples).

  • Awareness is your best defense. Review the Call Reports/log regularly.
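As an added example (not FreePBX or Sangoma code) of what the fail2ban and log-review items above amount to in practice, the script below parses Asterisk security-log lines, skips whitelisted networks, and reports remote addresses whose failed authentications exceed a retry threshold inside a time window. The log lines, the 10.0.0.0/8 whitelist, and the `maxretry`/`findtime_s` values are constructed assumptions; the event names and line layout follow Asterisk's res_security_log format.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Authentication-failure event types emitted by Asterisk's res_security_log.
FAILED_EVENTS = {"InvalidPassword", "ChallengeResponseFailed",
                 "InvalidAccountID", "FailedACL"}

LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] SECURITY\[\d+\] res_security_log\.c: '
    r'SecurityEvent="(?P<event>\w+)".*?'
    r'RemoteAddress="IPV[46]/(?:UDP|TCP|TLS|WS|WSS)/(?P<ip>[^/]+)/\d+"')

def parse_line(line):
    """Return (timestamp, event, remote_ip), or None for non-security lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
    return ts, m.group("event"), m.group("ip")

def find_offenders(lines, whitelist, maxretry=5, findtime_s=600):
    """Map remote IP -> failure count for IPs with at least `maxretry` failed
    auth events inside any `findtime_s`-second window (fail2ban semantics),
    ignoring addresses that fall inside a whitelisted network."""
    nets = [ipaddress.ip_network(n) for n in whitelist]
    fails = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or parsed[1] not in FAILED_EVENTS:
            continue
        ts, _, ip = parsed
        if any(ipaddress.ip_address(ip) in n for n in nets):
            continue  # authorized source: never counted, as the whitelist intends
        fails[ip].append(ts)
    offenders = {}
    for ip, stamps in fails.items():
        stamps.sort()
        for i, start in enumerate(stamps):  # sliding window over failures
            window = [t for t in stamps[i:] if (t - start).total_seconds() <= findtime_s]
            if len(window) >= maxretry:
                offenders[ip] = len(window)
                break
    return offenders

def _evt(ts, event, ip, acct="1001"):
    """Constructed sample line in res_security_log layout (not real traffic)."""
    return (f'[{ts}] SECURITY[2210] res_security_log.c: SecurityEvent="{event}",'
            f'EventTV="{ts.replace(" ", "T")}",Severity="Error",Service="PJSIP",'
            f'EventVersion="2",AccountID="{acct}",SessionID="0x1",'
            f'LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/{ip}/5060"')

SAMPLE_LOG = (  # constructed: one external brute-forcer, one noisy internal phone
    [_evt(f"2024-03-01 09:00:{s:02d}", "InvalidPassword", "203.0.113.7") for s in range(0, 12, 2)]
    + [_evt(f"2024-03-01 09:00:{s:02d}", "InvalidPassword", "10.0.0.25") for s in range(0, 12, 2)]
    + [_evt("2024-03-01 09:00:10", "InvalidAccountID", "198.51.100.4", acct="admin"),
       _evt("2024-03-01 09:01:00", "SuccessfulAuth", "203.0.113.7"),
       "[2024-03-01 09:02:00] NOTICE[2210] chan_pjsip.c: unrelated log line"]
)

if __name__ == "__main__":
    print(find_offenders(SAMPLE_LOG, whitelist=["10.0.0.0/8"]))
```

Run against the constructed sample, only 203.0.113.7 is reported: the internal 10.0.0.25 phone produced the same failure volume but sits inside the whitelist, which is exactly why the page insists on whitelisting authorized IPs before enabling Fail2ban.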
