How to Configure Remote Extensions inside FreePBX
Remote extensions allow connections from outside of your PBX to connect securely to your network. One of the biggest issues with having people outside of your network connect to your PBX is security. Here we will secure existing extensions for use as remote connections.
- The easiest way to set up external extensions is through the Extensions tab, under Device Options, using the deny/permit rule. Here you will set the ACL (Access List). Setting up the ACL is easiest when done per extension, rather than for the whole server.
- If you only want to permit one person's IP Address, simply leave the deny as is, and change the permit to the IP Address of the device along with the wildcard mask. This will allow that extension to be registered only from that IP Address. Make sure to enter the public IP Address of the device, not the internal one. It may also be useful to know the MAC Address of the device, and to keep a copy of it inside the Asterisk Server. After making changes, Submit changes, then make sure to Apply Configuration Changes.
- After that has been completed, the extension will be locked down to that IP Address. Setting up an ACL is not necessary for devices inside the network.
Added security can be set up with Fail2ban. Fail2ban is used to detect and stop intrusion attempts. Fail2ban is typically set up to ban addresses that are not set in the permit field for devices.
- Start by changing the Fail2ban settings. To set up Fail2ban you will need access to the command line, which can be reached with any SSH client. Inside the SSH session you can edit the settings with any text editor, such as nano, vi, or Emacs. Nano will most likely be the standard editor.
- If you do not have root access, you may need to put sudo in front of the command. There are a few automatic rules set inside the jail.conf file.
- To begin, make changes to the ignoreip item so that you do not ban your own IP Address or your provider.
- Changing the bantime can help to lock people out for longer periods of time.
- Keep the findtime the same. The maxretry is the number of retries that can be made inside the findtime.
- You can add your email address to receive notifications of any break-ins, with some information about the hacker, by changing the sender.
- The main item is asterisk-iptables, which is modified every year. You can see these changes inside the RSS feed, on the left-hand side, after you have logged in to your PBX. After making changes, be sure to save.
- After making changes, be sure to run service fail2ban restart.
- BE SURE TO KEEP NOTES OF External Extensions setup, so that you do not block them in the future. Also, if an extension changes its IP Address, make sure you know so that you do not lock it out.
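One way to keep those notes checkable, as an added example that is not part of the original guide: this Python script compares each remote extension's permit entry with the ignoreip item and flags extensions that Fail2ban could still ban or whose permit was never restricted. The jail contents, extension numbers and addresses are constructed samples, and the IP/netmask form of the permit value is an assumption.

```python
import configparser
import ipaddress
import re

# Constructed sample of a jail file's [DEFAULT] section (not from the guide).
SAMPLE_JAIL = """\
[DEFAULT]
ignoreip = 127.0.0.1/8 198.51.100.0/24
bantime = 3600
findtime = 600
maxretry = 5
"""

# Constructed notes: extension number -> permit value entered in FreePBX.
SAMPLE_PERMITS = {
    "201": "198.51.100.23/255.255.255.255",
    "202": "203.0.113.7/255.255.255.255",
    "203": "0.0.0.0/0.0.0.0",
}


def parse_ignoreip(jail_text):
    """Return the networks listed in ignoreip; host names are skipped."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(jail_text)
    nets = []
    for token in re.split(r"[\s,]+", cp.defaults().get("ignoreip", "")):
        try:
            nets.append(ipaddress.ip_network(token, strict=False))
        except ValueError:
            continue  # empty token or DNS name, cannot be compared offline
    return nets


def audit(jail_text, permits):
    """Classify each extension: 'ok', 'bannable' or 'permit-open'."""
    ignored = parse_ignoreip(jail_text)
    report = {}
    for ext, permit in permits.items():
        net = ipaddress.ip_network(permit, strict=False)
        if net.prefixlen == 0:
            report[ext] = "permit-open"  # ACL still allows any address
        elif any(net.version == i.version and net.subnet_of(i) for i in ignored):
            report[ext] = "ok"  # Fail2ban will never ban this address
        else:
            report[ext] = "bannable"  # repeated failed logins would lock it out
    return report


if __name__ == "__main__":
    for ext, status in audit(SAMPLE_JAIL, SAMPLE_PERMITS).items():
        print(ext, status)
```

Run it again whenever a remote extension reports a new public IP Address, before restarting Fail2ban.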