How to evaluate your PBX security for Threats and Attacks?

PBX systems facilitate seamless communication for businesses in today’s world. However, with the growing sophistication of cyber threats, the security of PBX systems has become a major concern. Securing your PBX keeps data safe and prevents unauthorized access to your communication.

We’ll examine PBX security, including threats and consequences of attacks, and ways to strengthen your PBX security. We’ll learn how malicious actors attack PBX systems through toll fraud, weak passwords, denial-of-service attacks, and outdated software.

Drawing on industry best practices and the expertise of security professionals, we will present a comprehensive guide on how to bolster the security of your PBX.

The topics will cover implementing access controls, encryption, security audits, and being aware of new threats.

By understanding the risks and adopting proactive security measures, businesses can ensure that their PBX remains a resilient and reliable communication platform in the face of ever-evolving cyber threats.

Currently, cloud PBXs are rapidly replacing traditional PBXs, but this transition poses an additional concern for the security of cloud PBXs.

How do you evaluate your PBX security?

When we select a PBX in the cloud or that will be exposed to the Internet, it is very important to consider the following security features.

  1. Does your PBX have a Firewall?
  2. Does your PBX have intrusion blocking (fail2ban)?
  3. Is your PBX blocked by Geo Firewall?
  4. Does your PBX have the latest versions of the libraries used and operating system? 

 

Some PBXs only have 2 of these three features, which makes them less secure.

It is also very important that your PBX have the latest OS updates and use applications that are supported by the developers, which leads us to the following questions.

  • What version of PHP does your PBX have?
  • What version of MariaDB (MySQL) does your PBX have?
  • How secure is your SSL connection?

 

We ask these two questions because most Asterisk-based PBXs use PHP and MariaDB in their platforms.

A very simple test to determine what version your PBX has is to go to the console and run the following commands:

To see the PHP version

#> php -v

To see the version of MariaDB

#> mysql --version

For OS version (for CentOS)

#> cat /etc/redhat-release

No matter how up-to-date your operating system is, the software stack that runs on it must also be kept on supported versions. Otherwise it is like locking the front door of a house but leaving a window open.

If PHP returns a version less than or equal to 7.4, be very careful: your PBX is at high risk. For more details, visit the following link:

https://www.php.net/supported-versions.php

Note from the PHP developers

“A release that is no longer supported. Users of this release should upgrade as soon as possible, as they may be exposed to unpatched security vulnerabilities.”

PHP 7.4 reached its End of Life (EOL) on November 28, 2022. 

If MariaDB returns a version less than or equal to 10.0, be very careful: your PBX is at high risk. For more details, visit the following link:

https://endoflife.date/mariadb

Note from the MariaDB developers:

“MariaDB 5.5 reached EOL also means that the MariaDB Foundation will no longer release new versions for MariaDB 5.5 or even fix security issues.”

MariaDB 5.5 reached its End of Life (EOL) on April 11, 2020.
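The version checks above can be scripted. The following is an added example, not code from the original article: the function names are hypothetical, the sample outputs are constructed, and the thresholds (PHP 7.4, MariaDB 10.0) are the ones this article gives. Note that on MariaDB the first number printed by `mysql --version` is the client version (for example "Ver 15.1"), so the parser reads the number attached to the "-MariaDB" suffix instead.

```shell
#!/bin/sh
# Added example: compare PHP / MariaDB versions with this article's thresholds.

# php_version: read `php -v` output on stdin, print MAJOR.MINOR.
php_version() {
    sed -n '1s/^PHP \([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# mariadb_version: read `mysql --version` output on stdin, print the
# MAJOR.MINOR that carries the "-MariaDB" suffix (not the client "Ver").
mariadb_version() {
    sed -n 's/.*[^0-9.]\([0-9][0-9]*\.[0-9][0-9]*\)[0-9.]*-MariaDB.*/\1/p'
}

# version_le A B: succeed when MAJOR.MINOR A is less than or equal to B.
version_le() {
    a_major=${1%%.*}; a_rest=${1#*.}; a_minor=${a_rest%%.*}
    b_major=${2%%.*}; b_rest=${2#*.}; b_minor=${b_rest%%.*}
    [ "$a_major" -lt "$b_major" ] && return 0
    [ "$a_major" -eq "$b_major" ] && [ "$a_minor" -le "$b_minor" ]
}

# assess NAME VERSION THRESHOLD: print a verdict; return 1 when at risk.
assess() {
    if [ -z "$2" ]; then echo "$1: version not detected"; return 2; fi
    if version_le "$2" "$3"; then
        echo "$1 $2: at or below $3, high risk"; return 1
    fi
    echo "$1 $2: above $3, still confirm it is on the supported list"
}

# Constructed sample outputs (not captured from a real host).
SAMPLE_PHP='PHP 7.4.33 (cli) (built: Nov  2 2022 10:00:00) ( NTS )'
SAMPLE_DB='mysql  Ver 15.1 Distrib 5.5.68-MariaDB, for Linux (x86_64) using readline 5.1'

assess PHP "$(printf '%s\n' "$SAMPLE_PHP" | php_version)" 7.4 || true
assess MariaDB "$(printf '%s\n' "$SAMPLE_DB" | mariadb_version)" 10.0 || true

# On a real PBX, feed the live output instead:
#   assess PHP "$(php -v | php_version)" 7.4
#   assess MariaDB "$(mysql --version | mariadb_version)" 10.0
```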

For Operating Systems

CentOS Linux 7 will reach end of life (EOL) on June 30, 2024.

See the following link:

https://www.redhat.com/en/topics/linux/centos-linux-eol

Since CentOS 7 reaches end of life in 2024, you can use PBXs based on CentOS 7, but it would be good to check with the manufacturer whether they plan to migrate to another operating system.

SSL Certificate Installation

In order to install an SSL certificate, it is necessary or recommended to have a valid domain or subdomain published on the Internet, otherwise the certificate cannot be verified and will not work as expected.

On the other hand, we tend to believe that our PBX is secure if we install a certificate and force the connection to HTTPS.

SSL Security Test

This is a good practice since it adds an additional layer of security; however, we must always verify that we really have the security we are looking for. To do so, go to the following page and run the test.

https://www.ssllabs.com/ssltest/index.html

If you get a result lower than B, we recommend you follow the instructions explained there to make your PBX more secure.       

How secure is your PBX against attack?

If your PBX runs versions that are no longer supported by their developers, it is at risk every day that passes: if a security problem is found in any of those versions, the developer will not fix it.

We strongly recommend using a firewall whitelist, at least for web access. If you don’t use a firewall whitelist for SSH, then changing the port from 22 to an obscure number is an absolute must, because Fail2Ban is sometimes not effective in blocking attacks from high-powered servers such as Amazon's. PHP and MySQL versions are less important if you have a whitelist that completely blocks all but a handful of trusted users from web access to your server.

To change the SSH port from 22, follow the steps below:

  1. Connect to your server with SSH as root.
  2. Edit the /etc/ssh/sshd_config file using your favorite text editor.
  3. Locate the “Port 22” line and change 22 to the desired port number (The default SSH port is 22).
  4. Delete the “#” sign at the beginning of the line (if it exists).
  5. Save the file and exit.
  6. Restart the sshd service: systemctl restart sshd
  7. Remember to configure the new SSH Port in your server’s firewall
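The edit in steps 2 to 4 can be done with a small function that also covers the cases a manual edit tends to miss: a commented "#Port 22" line, more than one active Port line, and a file with no Port line at all. This is an added example, not part of the original article; `set_ssh_port` is a hypothetical name, port 2222 is a constructed value, and the commented commands at the end assume a CentOS host running firewalld.

```shell
#!/bin/sh
# Added example: steps 2-4 of the procedure as a function.
# set_ssh_port FILE PORT rewrites the Port directive in an sshd_config file.
set_ssh_port() {
    file=$1; port=$2
    case $port in
        ''|*[!0-9]*|??????*) echo "port must be a number 1-65535" >&2; return 2 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port must be a number 1-65535" >&2; return 2
    fi
    cp -p "$file" "$file.bak" || return 1      # keep a copy to roll back to
    rc=0
    awk -v p="$port" '
        /^[ \t]*#?[ \t]*Port[ \t]+[0-9]+/ {
            if (!seen) { print "Port " p; seen = 1; next }  # first hit, "#" dropped
            if ($0 !~ /^[ \t]*#/) next       # drop any further active Port lines
        }
        { print }
        END { exit (seen ? 0 : 3) }
    ' "$file.bak" > "$file" || rc=$?
    if [ "$rc" -eq 3 ]; then
        # No Port line at all: add it first, ahead of any Match block.
        { printf 'Port %s\n' "$port"; cat "$file.bak"; } > "$file"
    elif [ "$rc" -ne 0 ]; then
        cp -p "$file.bak" "$file"; return 1
    fi
}

# Demonstration on a constructed config file (not a real host's).
demo=$(mktemp)
printf '#Port 22\n#AddressFamily any\nPermitRootLogin no\n' > "$demo"
set_ssh_port "$demo" 2222 && cat "$demo"
rm -f "$demo" "$demo.bak"

# On the PBX, keep the current session open until a login on the new port works:
#   set_ssh_port /etc/ssh/sshd_config 2222
#   sshd -t                      # syntax check before restarting
#   firewall-cmd --permanent --add-port=2222/tcp && firewall-cmd --reload
#   semanage port -a -t ssh_port_t -p tcp 2222   # if SELinux is enforcing
#   systemctl restart sshd
```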

 

Once again, we recommend that you be very careful: even if you are told that your PBX is secure, check that it runs versions supported by their developers and has an integrated firewall and intrusion blocking, change the SSH port and, of course, use whitelists and a Geo Firewall.

Final recommendations

  1. Keep the OS updated with the latest versions since these include security patches.
  2. Keep the version of Asterisk updated, since new releases constantly include security improvements.
  3. Keep the version of PHP updated, always try to have a version supported by the developer.
  4. Keep the version of MariaDB updated, always try to have a version supported by the developer.
  5. Always keep your Firewall active.
  6. Keep the Intrusion detection active all the time.
  7. Use a Geo Firewall to block requests from countries that are not expected to have a connection to your PBX.
  8. Use complex passwords when creating extensions or any system user.
  9. If you are going to publish your PBX on the Internet, we recommend that you change the default ports for the PJSIP and SIP devices as well as change the SSH port.
  10. To improve security you can use OpenVPN; the certificates created can be used in most IP phones such as Grandstream, Yealink, Fanvil, Alcatel-Lucent, Htek among others.
  11. You must always install a certificate with a valid domain and run the necessary tests to confirm that it does not have any security issues.
  12. On certain occasions it is recommended to use an SBC so that our PBX is not directly exposed. You can use Kamailio or OpenSIPS.
  13. Encryption: Use encryption to protect both data transmission and sensitive information stored on the PBX.
  14. Backup and Disaster Recovery: Regularly back up the PBX configuration and other critical data. Have a disaster recovery plan in place to restore the PBX in case of severe incidents.
  15. Protection against Denial of Service (DDoS) Attacks: Consider implementing solutions to protect your PBX against denial of service attacks that could affect its availability.
  16. And last but not least, Monitoring and Activity Logging: Implement a monitoring system to continuously monitor activity on the PBX and log potential security incidents. Constantly check the CDRs of your PBX to verify that you do not have calls that you do not recognize.

Remember, security is an ongoing process. Stay informed about the latest threats and security best practices to ensure that your PBX in the cloud is adequately protected.
