How to Secure Your PBX Phone System?
Cloud PBX systems are replacing traditional PBXs at an accelerating pace. This shift, however, brings an additional concern: the security of a PBX that is reachable from the internet.
When choosing a cloud PBX, or exposing any PBX to the internet, it is essential to consider the following security factors.
1. Does your PBX have a built-in firewall?
2. Does your PBX have an intrusion detection system (for example, Fail2Ban)?
3. Can your PBX block access with a Geo-Firewall (by country of origin)?
4. Is your PBX running supported, up-to-date versions of its tools and operating system?
Some PBX systems offer only one or two of these, which leaves them less secure. This post lays out the most critical aspects of PBX security.
Update Your Operating System and Tools
Your PBX must run a supported version of its operating system and use tools that still receive development (and therefore security) support, which brings us to the following questions.
- What PHP version does your PBX use?
- What version of MariaDB (or MySQL) does your PBX use?
- How secure is your SSL/TLS configuration?
We ask these questions because most PBXs are based on Asterisk and run PHP and MariaDB alongside it. Many also rely on self-signed SSL certificates, which clients cannot verify and which are therefore weaker than certificates issued by a trusted certificate authority.
A straightforward way to determine which PHP, MariaDB, and operating system versions your PBX uses is to run the following commands from the console.
To see the current PHP version
#> php -v
To see the current MariaDB version
#> mysql --version
To see the current version of the operating system (on CentOS)
#> cat /etc/redhat-release
Even on the latest operating system release, you must make sure the tools themselves are updated to their latest supported versions in a production environment. Not doing so is like fitting a triple lock on the front door while leaving a window open.
In the case of PHP, if you get a value of 7.1 or lower, be very careful: those branches no longer receive security fixes and your PBX is at high risk. For the current list of supported branches, visit https://www.php.net/supported-versions.php; newer branches keep reaching end of life, so check the page rather than relying on the number above.
The PHP developers' note on unsupported branches reads: “A release that is no longer supported. Users of this release should upgrade as soon as possible, as they may be exposed to unpatched security vulnerabilities.”
PHP 5.6 reached its End of Life (EOL) on the 31st of December 2018, and PHP 5.4 on the 3rd of September 2015.
If you get a value of 10.0 or lower on MariaDB, your PBX is also at risk (MariaDB 10.0 reached EOL in March 2019). You can check the current status of each series at https://endoflife.date/mariadb.
As the MariaDB developers put it: “MariaDB 5.5 reached EOL also means that the MariaDB Foundation will no longer release new versions for MariaDB 5.5 or even fix security issues.” MariaDB 5.5 reached its End of Life (EOL) on the 11th of April 2020.
Regarding operating systems, for distributions based on Red Hat Enterprise Linux, RHEL 7.5 reached its End of Life on the 30th of April 2020. You can learn more here: https://access.redhat.com/support/policy/updates/errata.
For those using CentOS, check whether your release has reached its EOL at https://wiki.centos.org/About/Product.
CentOS 7 reaches its End of Life on the 30th of June 2024, so you can still use it with your PBX for now, but it would be wise to ask the manufacturer whether they plan to migrate to another operating system (CentOS 8 was already discontinued at the end of 2021 in favour of CentOS Stream).
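A small audit script, added here as an example (it is not part of the original post or of any PBX distribution), that runs the three checks above and compares the results with the thresholds the post gives (PHP above 7.1, MariaDB above 10.0). The minimum versions are assumptions stored in two variables; refresh them from the supported-versions pages before relying on the verdict. The banner parsing assumes the standard output formats of `php -v` and of the MariaDB and MySQL `mysql --version` clients.

```shell
#!/bin/sh
# Audit the PBX stack (PHP, MariaDB/MySQL, OS) against minimum supported versions.
# Added example, not from the original post. Thresholds are assumptions taken from
# the post's guidance and must be refreshed from https://www.php.net/supported-versions.php
# and https://endoflife.date/mariadb as branches age out.

PHP_MIN="7.2"        # the post treats PHP 7.1 or lower as high risk
MARIADB_MIN="10.1"   # the post treats MariaDB 10.0 or lower as at risk

# version_ge A B: succeed (exit 0) if dotted version A >= B, compared numerically
# component by component (so 7.10 > 7.9, unlike a plain string compare).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        len = (n > m) ? n : m
        for (i = 1; i <= len; i++) {
            xi = (i <= n) ? x[i] + 0 : 0
            yi = (i <= m) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# php_version_from_banner "PHP 7.1.33 (cli) (built: ...)" -> 7.1.33
php_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^PHP \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# mysql_version_from_banner: MariaDB client prints "... Distrib 10.3.27-MariaDB ...",
# the Oracle MySQL client prints "mysql  Ver 8.0.23 for Linux ...".
mysql_version_from_banner() {
    v=$(printf '%s\n' "$1" | sed -n 's/.*Distrib \([0-9][0-9.]*\).*/\1/p')
    [ -n "$v" ] || v=$(printf '%s\n' "$1" | sed -n 's/^mysql *Ver \([0-9][0-9.]*\).*/\1/p')
    printf '%s\n' "$v"
}

# judge NAME VERSION MIN: one line verdict for a component.
judge() {
    if [ -z "$2" ]; then
        printf '%s: version not detected\n' "$1"
    elif version_ge "$2" "$3"; then
        printf '%s %s OK (>= %s)\n' "$1" "$2" "$3"
    else
        printf '%s %s EOL -> upgrade (minimum %s)\n' "$1" "$2" "$3"
    fi
}

# audit_live: run the real commands on this host (the same ones the post lists).
audit_live() {
    if command -v php >/dev/null 2>&1; then
        judge PHP "$(php_version_from_banner "$(php -v 2>/dev/null | head -n 1)")" "$PHP_MIN"
    else
        echo "PHP: not installed"
    fi
    if command -v mysql >/dev/null 2>&1; then
        judge MariaDB "$(mysql_version_from_banner "$(mysql --version 2>/dev/null)")" "$MARIADB_MIN"
    else
        echo "MariaDB/MySQL client: not installed"
    fi
    if [ -r /etc/redhat-release ]; then
        echo "OS: $(cat /etc/redhat-release)"
    elif [ -r /etc/os-release ]; then
        . /etc/os-release
        echo "OS: $PRETTY_NAME"
    fi
}

if [ "${1-}" = "--audit" ]; then
    audit_live
fi
```

Run it as `sh pbx-audit.sh --audit` on the PBX; the OS line is only informational, since the EOL date for a distribution release has to be looked up on the vendor pages linked above.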
Install an SSL Certificate
To install an SSL certificate you need a valid, publicly resolvable domain or subdomain (an FQDN, Fully Qualified Domain Name) for the PBX. Without one, a public certificate authority cannot validate ownership and issue a certificate that browsers and phones will trust.
A self-signed certificate is the counterexample: no trusted authority vouches for it, so browsers warn about it or reject it outright. Accepting it amounts to treating “just trust me” as proof of identity, and it trains users to click through warnings, which is exactly what a man-in-the-middle attacker counts on.
VitalPBX supports installing a valid certificate and forcing HTTPS connections. That is good practice, since it adds a layer of protection, but you must always verify that you actually have the protection you expect. Run a test against your PBX at https://www.ssllabs.com/ssltest/index.html.
If you get a grade lower than “B,” review the findings it reports (protocol versions, cipher suites, certificate chain) and apply the actions described in this article so your PBX is more secure.
How secure is your PBX against an Attack?
If your PBX runs versions that the developers no longer support, you are taking a risk: when a security issue is found in one of those versions, the developer will not fix it, and the fix will never reach your PBX.
We recommend using your firewall's whitelist to restrict at least web (administration) access to a handful of trusted IP addresses. If you are not using a whitelist for SSH, you can change its port from 22 to a less obvious number.
This is a real need because Fail2Ban can be overwhelmed by a sufficiently aggressive or distributed attack (it bans per source address, so many slow attackers stay below its threshold). Bear in mind that a non-standard port only reduces noise from automated scanners; it is not a substitute for key-based authentication and a whitelist. Likewise, old PHP and MySQL versions matter less when the web server is reachable only from whitelisted addresses, because the exposure is reduced rather than removed, so they still need to be updated.
To move SSH off port 22, follow the steps below (valid for CentOS 7).
- Connect to your server via SSH or directly on the console as root.
- Edit the file “/etc/ssh/sshd_config” with your preferred editor.
- Locate the line “#Port 22”, delete the pound sign “#” at the beginning (if present), and change 22 to your chosen port.
- Save the file and exit.
- If SELinux is in enforcing mode (the CentOS 7 default), allow sshd to bind the new port, otherwise sshd will refuse to start: #> semanage port -a -t ssh_port_t -p tcp <port> (semanage is in the policycoreutils-python package).
- Restart the “sshd” service: #> systemctl restart sshd.
- Open the new SSH port on your server firewall, then test a new session on the new port from a second terminal while keeping the current one open. Only once that works, close port 22.
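The procedure above as a script, added here as an example and not taken from the original post or from any PBX distribution. It assumes CentOS 7 with SELinux enforcing and firewalld; if your PBX ships its own firewall module, open the port there instead of with firewall-cmd. The config edit is a plain function over a file path, so it can be exercised on a copy before touching the live sshd_config; the live steps only run when invoked with `--apply <port>` as root.

```shell
#!/bin/sh
# Move sshd to a non-default port on CentOS 7: sshd_config, SELinux label, firewalld.
# Added example, not from the original post. Assumes CentOS 7 with SELinux enforcing
# and firewalld; if your PBX ships its own firewall module, open the port there instead.

SSHD_CONFIG="/etc/ssh/sshd_config"

# valid_port N: succeed if N is an integer between 1024 and 65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# set_sshd_port FILE PORT: keep a .bak copy, drop every existing "Port" line
# (commented or not) and put a single "Port PORT" at the top of FILE.
# Note: a "ListenAddress host:port" line would override Port; none is expected here.
set_sshd_port() {
    cfg="$1"; port="$2"
    valid_port "$port" || { echo "invalid port: $port" >&2; return 1; }
    cp -p "$cfg" "$cfg.bak"
    tmp=$(mktemp)
    {
        printf 'Port %s\n' "$port"
        grep -Ev '^[[:space:]]*#?[[:space:]]*Port[[:space:]]+[0-9]+' "$cfg.bak" || true
    } > "$tmp"
    cat "$tmp" > "$cfg"      # write through the original inode to keep owner and mode
    rm -f "$tmp"
}

# apply_ssh_port PORT: edit the live config, validate it, fix SELinux and firewalld,
# restart sshd. Port 22 stays open until you have confirmed the new port works.
apply_ssh_port() {
    port="$1"
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    set_sshd_port "$SSHD_CONFIG" "$port" || return 1
    # Never restart on an unvalidated config: a typo here locks you out.
    if ! sshd -t -f "$SSHD_CONFIG"; then
        echo "sshd_config failed validation; restoring backup" >&2
        cat "$SSHD_CONFIG.bak" > "$SSHD_CONFIG"
        return 1
    fi
    # SELinux only lets sshd bind ports labelled ssh_port_t (semanage comes from
    # the policycoreutils-python package on CentOS 7). -a fails if the port is
    # already labelled, in which case -m changes the label.
    if [ "$(getenforce 2>/dev/null)" = "Enforcing" ]; then
        semanage port -a -t ssh_port_t -p tcp "$port" 2>/dev/null \
            || semanage port -m -t ssh_port_t -p tcp "$port"
    fi
    # firewalld: add the new port; the default "ssh" service (22) stays for now.
    firewall-cmd --permanent --add-port="$port/tcp" && firewall-cmd --reload
    systemctl restart sshd
    echo "sshd now listens on $port. From ANOTHER terminal run: ssh -p $port root@<pbx>"
    echo "Only after that works: firewall-cmd --permanent --remove-service=ssh && firewall-cmd --reload"
}

case "${1-}" in
    --apply) apply_ssh_port "${2-}" ;;
esac
```

The order matters: validate with `sshd -t` before the restart, label the port for SELinux before the restart, and remove the port 22 firewall rule only after a second session on the new port has succeeded.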
Once again, be very cautious: it does not matter how secure you think or believe your PBX is. Verify that you run the latest versions supported by the developers, that the integrated firewall and intrusion detection are active, that SSH is on a non-default port, and that whitelists and a Geo-Firewall are in use.
Secure your PBX Today with These Actions
- Keep your OS updated to the latest version, including all security patches.
- Run the latest supported versions and security updates of Asterisk, PHP, and MariaDB.
- Always keep your firewall active.
- Always keep the intrusion detection system (Fail2Ban) enabled.
- Use a Geo-Firewall to block unsolicited requests from entire countries you do no business with.
- Use strong, unique passwords (SIP secrets) when creating extensions and users; weak extension secrets are what toll-fraud attackers brute-force.
- If you publish your PBX to the internet, change the default ports for PJSIP, SIP (5060), and SSH (22), keeping in mind that this only cuts down automated scanning.
- To improve your security further, put remote phones behind OpenVPN instead of exposing SIP directly. The VPN certificates can be loaded on popular SIP phones such as Grandstream, Yealink, Fanvil, Alcatel-Lucent, and HTek.
- Use a valid domain name (FQDN) with a certificate from a trusted authority, and run the tests mentioned above to confirm you have no TLS configuration issues.
- Finally, review your CDR (Call Detail Records) regularly for outgoing calls you do not recognize, especially international, premium-rate, or out-of-hours calls, which are the usual signature of toll fraud.
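As an added example (not from the original post), the following script scans an Asterisk cdr_csv `Master.csv` for the outgoing-call patterns that usually indicate toll fraud: international prefixes, calls outside business hours, and unusually long billed durations. The international prefix pattern (011, 00 or +) and the business hours are assumptions for a North American dial plan; adjust them to your own. The sample records are constructed for the example and are not real traffic.

```shell
#!/bin/sh
# Scan an Asterisk cdr_csv Master.csv for suspicious outgoing calls.
# Added example, not from the original post. The thresholds below are assumptions
# for a North American dial plan; tune them to your own traffic.

CDR_FILE="/var/log/asterisk/cdr-csv/Master.csv"
INTL_PREFIX_RE='^(011|00|[+])'   # destinations that look international
BUSINESS_OPEN=7                  # flag answered calls starting before 07:00 ...
BUSINESS_CLOSE=19                # ... or at/after 19:00
MAX_BILLSEC=1800                 # flag calls billed longer than 30 minutes

# scan_cdr FILE: print one FLAG line per answered call matching any rule.
# Master.csv fields (cdr_csv default order): accountcode,src,dst,dcontext,clid,
# channel,dstchannel,lastapp,lastdata,start,answer,end,duration,billsec,
# disposition,amaflags,uniqueid,userfield. Every field is quoted, so split on '","'.
scan_cdr() {
    awk -F'","' -v intl="$INTL_PREFIX_RE" -v open_h="$BUSINESS_OPEN" \
        -v close_h="$BUSINESS_CLOSE" -v maxsec="$MAX_BILLSEC" '
    NF < 15 { next }                       # skip malformed or truncated records
    {
        sub(/^"/, "", $1); sub(/"$/, "", $NF)
        src = $2; dst = $3; start = $10; billsec = $14 + 0; disp = $15
        if (disp != "ANSWERED") next       # only completed, billable calls
        hour = substr(start, 12, 2) + 0    # start is "YYYY-MM-DD HH:MM:SS"
        reasons = ""
        if (dst ~ intl) reasons = reasons "international "
        if (hour < open_h || hour >= close_h) reasons = reasons "off-hours "
        if (billsec > maxsec) reasons = reasons "long-duration "
        sub(/ $/, "", reasons)
        if (reasons != "")
            printf "FLAG [%s] src=%s dst=%s start=%s billsec=%d\n", reasons, src, dst, start, billsec
    }' "$1"
}

# count_flags FILE: number of flagged calls (0 means nothing suspicious).
count_flags() {
    scan_cdr "$1" | wc -l | tr -d ' '
}

# write_sample_cdr FILE: constructed records for demonstration (not real traffic):
# a normal daytime call, a 3 AM international call of 40 minutes, a short late
# evening domestic call, and an unanswered attempt that must be ignored.
write_sample_cdr() {
    cat > "$1" <<'EOF'
"","1001","5551234567","from-internal","""Alice"" <1001>","PJSIP/1001-00000001","PJSIP/trunk-00000002","Dial","PJSIP/5551234567@trunk,300","2024-03-12 10:15:02","2024-03-12 10:15:10","2024-03-12 10:20:10","308","300","ANSWERED","DOCUMENTATION","1710238502.1",""
"","1001","01144203456789","from-internal","""Alice"" <1001>","PJSIP/1001-00000003","PJSIP/trunk-00000004","Dial","PJSIP/01144203456789@trunk,300","2024-03-13 03:12:44","2024-03-13 03:12:50","2024-03-13 03:52:50","2406","2400","ANSWERED","DOCUMENTATION","1710299564.3",""
"","1002","5559876543","from-internal","""Bob"" <1002>","PJSIP/1002-00000005","PJSIP/trunk-00000006","Dial","PJSIP/5559876543@trunk,300","2024-03-13 22:30:00","2024-03-13 22:30:05","2024-03-13 22:30:50","50","45","ANSWERED","DOCUMENTATION","1710369000.5",""
"","1003","0115511234567","from-internal","""Carol"" <1003>","PJSIP/1003-00000007","PJSIP/trunk-00000008","Dial","PJSIP/0115511234567@trunk,300","2024-03-14 11:00:00","","2024-03-14 11:00:30","30","0","NO ANSWER","DOCUMENTATION","1710414000.7",""
EOF
}

case "${1-}" in
    --demo) f=$(mktemp); write_sample_cdr "$f"; scan_cdr "$f"; rm -f "$f" ;;
    --live) scan_cdr "$CDR_FILE" ;;
esac
```

`sh cdr-scan.sh --demo` flags two of the four constructed records (the 3 AM international call on all three rules, the 22:30 call as off-hours) and ignores the unanswered attempt; `--live` runs the same rules over the real CDR file, which is worth doing from cron so a compromised extension is noticed in hours rather than on the next phone bill.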