We’ve lost count of the number of FreePBX® security breaches that were directly attributable to vulnerabilities in the FreePBX web interface. Suffice it to say, it was the reason that PBX in a Flash and Incredible PBX instituted the Travelin’ Man 3 firewall a decade ago hiding the FreePBX GUI from everyone except those on a whitelist controlled by the PBX administrator.
More than a decade later, Sangoma® finally introduces Multi-Factor Authentication (MFA) with two major gotchas. First, you have to pay for it. And second, it’s only available using Sangoma’s proprietary FreePBX platform rather than the open source release. There are so many things wrong with this greedy approach that we really don’t know where to begin.
For openers, offering a commercial MFA solution for a supposedly open source product is fundamentally wrong. Think of it this way. You only offer the safer version of your free product to users who pay for it. Next, it demonstrates a fundamental misunderstanding of why two-factor authentication (2FA) and MFA have become ubiquitous. These tools provide an extra layer of security where users have no control over the platform they are logging into. For example, you don’t own PayPal or your bank’s platform, so 2FA and MFA give customers attempting to log into their accounts a way to prove they are who they say they are with a second factor they control, such as a previously registered cellphone or email account.
Contrast this scenario to those deploying FreePBX who have complete control of the underlying operating system and the FreePBX code itself. MFA doesn’t keep a disgruntled employee who already has root access to the server from getting into the GUI, because anyone with that level of access can simply switch MFA off or reset it. MFA also provides zero protection against the unauthenticated security holes for which FreePBX has become infamous, since those are exploited before any login takes place. In short, 2FA and MFA have a single task: allowing users to prove who they say they are by confirming their identity through a second factor they control.
We believe Incredible PBX has always offered a better security solution for those that control their own PBX platforms. First, the Travelin’ Man 3 firewall lets you define exactly who can see your FreePBX GUI on the public Internet. If a user isn’t in the TM3 whitelist, they not only can’t log in to the FreePBX GUI, they can’t even see it: the firewall drops the connection before Apache ever answers. Second, for the truly paranoid, you can add a third layer of security between the TM3 firewall and FreePBX authentication. Apache can demand its own login (HTTP Basic authentication) for any directory the administrator controls, so the request never reaches the FreePBX PHP code until that login succeeds. Basic authentication only encodes the credentials, so serve the GUI over HTTPS when you enable it. With Incredible PBX, it’s as simple as adding an additional freepbx.conf file in /etc/pbx/httpdconf and restarting Apache:

```apache
# Password protect /var/www/html/admin
<Directory /var/www/html/admin>
    AuthType Basic
    AuthName "Restricted Area"
    AuthUserFile /etc/pbx/wwwpasswd
    Require valid-user
</Directory>
```
An administrator then has control over server access with three layers of security: (1) TM3 firewall access using the add-ip and add-fqdn scripts in /root, (2) Apache access using the apache-pw-change script, and (3) FreePBX GUI access using the admin-pw-change script.
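A practitioner who sets up these three layers will want to confirm that each one actually engages. The following probe, an added example that is not Incredible PBX or Nerd Vittles code, reports which layer stopped (or admitted) an HTTP request for the /admin directory: a connection that never completes means the firewall is hiding the GUI, a 401 with a Basic challenge means Apache is demanding its own login, and a 200/3xx means the request reached the FreePBX GUI and its login page. Because the verifier cannot reach a real PBX, the block also includes a small in-process stand-in for the Apache Basic-auth layer; its realm, credentials and port are all constructed for the example.

```python
"""Report which of the three access layers a GET of /admin runs into.

Added example (not part of Incredible PBX or the original post).  Results:
  "unreachable" - TCP connect refused or timed out: the TM3 firewall layer is
                  hiding the GUI (the expected answer from a non-whitelisted IP)
  "apache-auth" - 401 with a Basic challenge: Apache wants its own login first
  "freepbx"     - 200/3xx: the request reached the FreePBX GUI (last layer)
The mock server below mimics the <Directory> block from the post so the probe
can be exercised offline; its credentials and realm are made up.
"""
import base64
import socket
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer


def _basic_header(user, password):
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def probe(url, user=None, password=None, timeout=3.0):
    """Classify what a client sees when requesting `url`."""
    req = urllib.request.Request(url)
    if user is not None:
        req.add_header("Authorization", _basic_header(user, password))
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status = resp.status
    except urllib.error.HTTPError as err:
        # Apache answers an unauthenticated request with 401 + WWW-Authenticate.
        if err.code == 401 and err.headers.get("WWW-Authenticate", "").startswith("Basic"):
            return "apache-auth"
        return f"http-{err.code}"
    except (urllib.error.URLError, socket.timeout, OSError):
        # Refused, dropped or timed out: nothing answered at the HTTP level.
        return "unreachable"
    return "freepbx" if 200 <= status < 400 else f"http-{status}"


def _mock_apache_handler(user, password):
    """Handler that behaves like the Basic-auth <Directory> block: challenge, then content."""
    expected = _basic_header(user, password)

    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            if self.headers.get("Authorization") != expected:
                self.send_response(401)
                self.send_header("WWW-Authenticate", 'Basic realm="Restricted Area"')
                self.end_headers()
                return
            body = b"<html>FreePBX login page stand-in</html>"  # constructed
            self.send_response(200)
            self.send_header("Content-Type", "text/html")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):  # keep per-request logging quiet
            pass

    return Handler


def start_mock_apache(user, password):
    """Start the stand-in on a free loopback port; returns (server, port)."""
    server = HTTPServer(("127.0.0.1", 0), _mock_apache_handler(user, password))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def closed_port():
    """A loopback port nobody listens on, standing in for a firewall that blocks us."""
    with socket.socket() as sock:
        sock.bind(("127.0.0.1", 0))
        return sock.getsockname()[1]


if __name__ == "__main__":
    server, port = start_mock_apache("admin", "s3cret")  # constructed credentials
    base = f"http://127.0.0.1:{port}/admin/"
    print("no credentials :", probe(base))
    print("wrong password :", probe(base, "admin", "wrong"))
    print("right password :", probe(base, "admin", "s3cret"))
    print("blocked host   :", probe(f"http://127.0.0.1:{closed_port()}/admin/", timeout=1.0))
    server.shutdown()
    server.server_close()
```

Against a real Incredible PBX, run probe() with the https URL of the GUI from an IP that is not in the TM3 whitelist (expect "unreachable", which will arrive as a timeout rather than a refusal because TM3 drops the packets, so keep the timeout short) and again from a whitelisted IP with and without the Apache credentials (expect "apache-auth" and then "freepbx"). Any other sequence means one of the three layers is not doing its job.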
We believe this three-tier, administrator-managed security model offers better and safer protection not only for every user of the FreePBX platform but also for the platform itself. Most importantly, it is and always has been FREE! Start by choosing an Incredible PBX platform that best meets your requirements by visiting the Incredible PBX Wiki.
Originally published: Monday, December 5, 2022