RECOMMENDATIONS iptables on PIAF vs Incredible PBX

Albert S

What makes Incredible PBX more secure (if it is, even a bit) than PIAF?

I saw where Ward stated a sentence like this: "Incredible PBX is locked down, PIAF is not". What could he mean by this?

When I look at both iptables I see common ports open, so I am just trying to figure out, from the security perspective, whether there is any difference by default.

Question two:
I know that you get prompted for Travelin' Man installation at the end of the Incredible PBX installation. Once TM is applied to Incredible PBX, UDP 5060, 10000-20000 and TCP 83 still need to be open to the internet, correct?
 
Travelin' Man 3 is part of the Incredible PBX default install. It's not part of a PIAF install unless you manually add it. TM3 adds a WhiteList firewall that PIAF does not have so it is more secure.

If you see "common ports open" on your Incredible PBX installation, then you did not install TM3, and it is no more secure than the default PIAF install.

No ports need to be opened on your hardware-based firewall unless you have external phones attempting to register to your Asterisk server. In this case, you should also deploy TM3 and add WhiteList protection so that anonymous bad guys cannot attempt to hack into your server over UDP 5060.
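
A check for the condition described above (SIP/RTP ports reachable from any source instead of a whitelist), as an added example that is not part of the thread and not Travelin' Man 3's own code. It scans `iptables-save` output for INPUT ACCEPT rules on UDP 5060 or 10000-20000 that carry no source restriction; the sample ruleset and function names are constructed for illustration.

```python
import ipaddress
import shlex

# UDP ports named in the thread: SIP signalling and the RTP media range.
SENSITIVE_UDP = [(5060, 5060), (10000, 20000)]

# Constructed iptables-save excerpt (documentation addresses, not from the thread).
SAMPLE = """\
*filter
:INPUT DROP [0:0]
-A INPUT -s 203.0.113.10/32 -p udp -m udp --dport 5060 -j ACCEPT
-A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT
-A INPUT -p udp -m multiport --dports 5060,5061 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 83 -j ACCEPT
COMMIT
"""

def port_ranges(spec):
    """Parse an iptables port spec such as '5060' or '5060,10000:20000'."""
    for part in spec.split(","):
        lo, _, hi = part.partition(":")
        yield int(lo), int(hi or lo)

def source_is_unrestricted(tokens):
    """True when the rule has no -s, a negated -s, or a /0 source."""
    if "-s" not in tokens:
        return True
    i = tokens.index("-s")
    if tokens[i - 1] == "!":
        return True  # "anyone except X" is still open to the internet
    return ipaddress.ip_network(tokens[i + 1], strict=False).prefixlen == 0

def exposed_rules(iptables_save_text):
    """Return INPUT ACCEPT rules that open the sensitive UDP ports to any source.
    Simplification: only INPUT rules naming ports are checked; rule order is ignored."""
    findings = []
    for line in map(str.strip, iptables_save_text.splitlines()):
        if not line.startswith("-A INPUT "):
            continue
        tok = shlex.split(line)
        opts = {t: tok[i + 1] for i, t in enumerate(tok[:-1]) if t.startswith("-")}
        spec = opts.get("--dport") or opts.get("--dports")
        if opts.get("-j") != "ACCEPT" or opts.get("-p") != "udp" or not spec:
            continue
        hit = any(lo <= s_hi and s_lo <= hi for lo, hi in port_ranges(spec)
                  for s_lo, s_hi in SENSITIVE_UDP)
        if hit and source_is_unrestricted(tok):
            findings.append(line)
    return findings
```

On a live server the input would be the text printed by `iptables-save`; an empty result means no rule in the INPUT chain opens those UDP ports to every source.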
 
Thanks Ward, I was speaking from the perspective of a hosted box that does not have a hardware firewall in front of it (I know... :) )

So if I understand correctly, when TM3 is deployed I should only have port TCP 83 open, which will be enough, correct?

Also, you pointed me to the Travelin' Man 2 tutorial a few weeks ago, but I can't seem to find anything other than http://nerdvittles.com/?p=815, which is Travelin' Man 3.

I know you can't help st.pid, but would you please point me to the exact article so I can get started with it? :)

Thanks again.
 
Maybe we should start with what exactly you're trying to accomplish??
 
I am moving away from the colo, so I need to secure my RentPBX and DO PIAF / Incredible PBX instances and create a production environment for future clients as I will not have a hardware firewall anymore.

Currently my PIAF instances do show UDP 10k - 20k ports open in nmap scans, and the custom (non-22) SSH port.

I really don't want to sound like that guy who has technical challenges reading documentation, but I really couldn't find answers to these :D

First of all I'd like to use Incredible PBX rather than PIAF for all of future customers as it has more features and I can provide FAX service.
- Is there any reason I should use PIAF only?
- Also, I need to figure out the list of default service usernames and passwords, and extensions that need to be removed from my production template if I use Incredible PBX, correct?
I know for a fact ring all 700 and extension 501 need to be gone.

After completing an Incredible PBX setup, I could not figure out the below:

1 - My clients have multiple offices with static public IPs, and mobile users, so in Incredible PBX iptables:
- Do I need to whitelist their office IPs, or will someone in those offices visit the TM link and the office will be whitelisted?
- How long does TM whitelist an IP address?
- What are the ports that are normal to show up in an nmap scan after a successful Incredible PBX installation?

2 - When I do a full backup (I do it to local disk and save offsite), will the Travelin' Man configuration (whitelisted IPs) be saved, and at the time of restore will it be restored?

3 - Where and how do I configure the custom :83/xxxx URLs for my users?
Will I have 1 URL for all or will it be per extension?

Thanks in advance. If you have links that contain answers for some questions, just paste them and I'll make sure I go line by line.
 
