Sākums Izpētīt Palīdzība
Pierakstīties
fusionpbx
/
fusionpbx-docs
spogulis no https://github.com/fusionpbx/fusionpbx-docs.git
2
0
Atdalīts 0
Faili Problēmas 0 Vikivietne
Koks: 05759d571d
Atzari Tagi
fusionpbx-docs
/
source
/
getting_started
/
security.rst

security.rst 4.0 KB
Vēsture Neapstrādāts

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485 
  1. ***********
    2. 

  2. Security
    3. 

  3. ***********
    4. 

  4. 

  5. Similar to medieval fortifications it is recommended to provide your servers with multiple layers of defenses. Be sure to use Firewalls, Strong passwords, SSH, and make sure your servers are kept up to date for all software being used. This inlcudes the operating system, FreeSWITCH and FusionPBX.
    6. 

  6. 

  7. 

  8. FusionPBX
    9. 

  9. ^^^^^^^^
    10. 

  10. The latest Debian install script configures IPTables firewall for you. FusionPBX extensions set strong passwords for you by default. You can increase the password complexity using settings in Advanced -> Default Settings to increase the length of the passwords that are generated by default.
    11. 

  11. 

  12. 

  13. Firewall
    14. 

  14. ^^^^^^^^
    15. 

  15. Although the new install script configured IPTables for you it is recommended that you review the settings. On Debian and Ubuntu you can check your firewall with the following command.
    16. 

  16. 

  17. ::
    18. 

  18. 

  19.  iptables -L
    20. 

  20. 

  21. 

  22. SSL / TLS
    23. 

  23. ^^^^^^^^^^
    24. 

  24. 

  25. SSL and TLS are very necessary in today's internet applications from VOIP to Websites. FusionPBX by default uses a self signed certificate. However you can use certificate providers where you can purchase certificates and there are free options as well. With domain based multi-tenant wildcard certificates can be useful. Also when deciding on which certificate provider to use you should look at the phones manufacturers documentation to find one that is compatible HTTPS provisioning.
    26. 

  26. 

  27. `Let's Encrypt`_ provides free certificates for a single domain but they don't support wildcard certificates.
    28. 

  28. 

  29. * `Setup Let's Encrypt with FusionPBX`_ 
    30. 

  30. 

  31. 

  32. 

  33. Upgrade
    34. 

  34. ^^^^^^^^
    35. 

  35. 

  36. Security problems are fixed as they are discovered and are updated for master and the latest release. Upgrades are considered an important part of keeping the server secure. `Upgrades`_ always need to be done on the operating system, FreeSWITCH and FusionPBX. On Debian and Ubuntu you can check your firewall with the following command.
    37. 

  37. 

  38. Latest install script will install FreeSWITCH packages by default to upgrade them and operating system packages run the following commands.
    39. 

  39. 

  40. ::
    41. 

  41. 

  42.  apt-get update
    43. 

  43.  apt-get upgrade
    44. 

  44. 

  45. 

  46. If you need help upgrading safely please consider `paid support`_.
    47. 

  47. 

  48. 

  49. XML RPC
    50. 

  50. ^^^^^^^^
    51. 

  51. 

  52. New install mod_xml_rpc is not enabled by default. It is recommended to run a firewall on all FusionPBX servers. The latest debian install script configures the firewall by default. However it is recommended to check to make sure it is installed and running.
    53. 

  53. 

  54. Mod_xml_rpc allows running remote commands to FreeSWITCH. Ensure you have afirewall that is protecting the XML RPC port. Consider changing the XML RPC password. At very least do not allow access to the public. Advanced -> Settings page in the interface allows you to change the password or the port. Do not allow public access to the XML RPC port.
    55. 

  55. 

  56. Latest Debian install script installs `iptables`_ firewall which prevents public access to the mod_xml_rpc port. If you are not using a firewall on the server you should even if its protected by by an external firewall. Some not informed co-worker could expose the server to the public internet at some point in the future. Multiple layers of security is considered best practice.
    57. 

  57. 

  58. 

  59. Fail2ban
    60. 

  60. ^^^^^^^^
    61. 

  61. 

  62. Fail2ban is also used to protect SSH, FreeSWITCH, the web server as well as other services. 
    63. 

  63. You can view the IP addresses blocked by Fail2ban with the following command.
    64. 

  64. 

  65. ::
    66. 

  66. 

  67.  iptables -L
    68. 

  68. 

  69. 

  70. SSH
    71. 

  71. ^^^^^^^^
    72. 

  72. 

  73. Use strong passwords with SSH or even better use SSH keys for better protection of your servers.
    74. 

  74. 

  75. 

  76. 

  77. .. _Upgrade: /en/latest/getting_started/advanced/upgrade.html
    78. 

  78. .. _Upgrades: /en/latest/getting_started/advanced/upgrade.html
    79. 

  79. .. _link: https://www.nginx.com/blog/free-certificates-lets-encrypt-and-nginx
    80. 

  80. .. _paid support: http://www.fusionpbx.com
    81. 

  81. .. _firewall: /en/latest/getting_started/iptables.html#iptables
    82. 

  82. .. _iptables: /en/latest/getting_started/iptables.html#iptables
    83. 

  83. .. _Verto Communicator: https://freeswitch.org/confluence/display/FREESWITCH/Verto+Communicator
    84. 

  84. .. _Setup Let's Encrypt with FusionPBX: /en/latest/getting_started/lets_encrypt.html
    85. 

  85. .. _Let's Encrypt: https://letsencrypt.org/docs
    86.