Cloud PBX Systems are replacing traditional PBXs in an accelerated way. However, this change brings an additional topic regarding the security of cloud PBX systems.
When choosing a Cloud PBX system or a PBX exposed to the internet, it is essential to consider the following security factors.
1. Does your PBX have a built-in Firewall?
2. Does your PBX have an Intruder Detection system (Fail2Ban)?
3. Can your PBX block access through a Geo-Firewall?
4. Is your PBX using the latest versions for their tools and Operating System?
Some PBX systems have only up to two of these attributes, making them less secure. This post will lay down the most critical aspects of your PBX security.
Your PBX must have the latest version of your Operating System and use tools that still have development support, which brings us to the following questions.
We make these questions given that most PBXs are based on Asterisk and use PHP and MariaDB on their platforms. They are also using less secure SSL certificates, using Self-Signed credentials.
A straightforward way to determine what PHP, MariaDB, and Operating System version your PBX uses are by running the following commands from the console.
To see the current PHP version
#> php -v
To see the current MariaDB version
#> mysql –version
To see the current version of the operating system (on CentOS)
#> cat /etc/redhat-release
Even if you are using the latest version of an operating system, you need to guarantee that your tools are updated to their latest version when you are in a production environment. It’s like having a triple-lock on our house’s front door but leaving a window open if you do not do this.
In the case of PHP, if you get a value of 7.1 or less, be very careful; your PBX is at high risk. For more details, you can visit the following link, https://www.php.net/supported-versions.php
The PHP developers remarked, “A release that is no longer supported. Users of this release should upgrade as soon as possible, as they may be exposed to unpatched security vulnerabilities.”
PHP 5.6 got to its End of Life (EOL) on the 1st of January 2019, and PHP 5.4 on the 14th of April 2015.
If you get a value of 10.0 or less on MariaDB, your PBX will also be at risk. You can learn more about this here, https://endoflife.date/mariadb.
A comment from the MariaDB developers, “MariaDB 5.5 reached EOL also means that the MariaDB Foundation will no longer release new versions for MariaDB 5.5 or even fix security issues.” MariaDB version 5.5 got to its End of Life (EOL) on the 11th of April 2020.
Regarding the Operating Systems, the distros that use the Red Hat Enterprise version, version 7.5 has, reached its End of Life on the 30th of April 2020. You can learn more about this here, https://access.redhat.com/support/policy/updates/errata.
For those using CentOS, you can go to the following link to verify if your OS has reached its EOL, https://wiki.centos.org/About/Product.
Given that CentOS 7 will reach its End of Life by 2024, you can still use it with your PBX, but it would be wise to consult with the manufacturer if they plan to migrate to another Operating System.
To install an SSL certificate, it’s necessary or suggested to have a valid domain or subdomain to publish on the internet (FQDN, Fully Qualified Domain Name). If you don’t, your certificate cannot be verified and will not work as expected.
An example is when you do it with a Self-Signed certificated, where some browsers even reject them for security purposes. It would be if we used “just trust me” as a valid source.
VitalPBX is fully secure with a valid certificate and an HTTPS force connection. It’s a good practice since it adds additional security; however, we always must verify if we have the protection we require. Just go to the following page and make a test, https://www.ssllabs.com/ssltest/index.html.
If you get a result lower than “B,” we recommend the actions described in this article so your PBX is more secure.
If your PBX runs on versions that the developers no longer support, you are running a risk with your PBX. If any of the versions you are running have a security issue, the developer will not fix it.
We recommend you use the Whitelist on your Firewall sparingly to at least give your PBX web access. If you are not using a Whitelist on your Firewall to use SSH, you can change the port from 22 to any obscured number.
It’s an absolute need since the Fail2Ban tool may sometimes fail towards some powerful attacks. The PHP and MySQL versions are less important if you are using a Whitelist and are blocking everyone, except for a handful of users, from accessing your web server.
To modify Port 22, you can follow the steps below. (Valid for CentOS 7)
Once again, we recommend you be very cautious. It doesn’t matter how much you think or believe your PBX is secure. Verify that you have the latest supported versions by the developers, an integrated firewall, intruder detection, change your SSH port, and use Whitelists and a Geo-Firewall.
We’re thrilled to share a series of updates and improvements we’ve rolled out to ensure that your experience with our communication solutions is not only
The VitalPBX team is thrilled to announce the rollout of VitalPBX 4.1 R1, a significant update that brings cutting-edge features and improvements to your communication
PBX System Recognized for Industry Innovation Miami, Florida, 02/27/24 — VitalPBX announced today that TMC, a global, integrated media company, has named VitalPBX Unified Communications
VitalPBX provides a robust and scalable platform, which will allow you to manage your PBX in an easy and intuitive way.
