FreePBX, Elastix, Trixbox secure access via SSH tunnel

One of the most insecure parts of an online PBX is the management web GUI. Restricting access to this is highly desirable and protects you from unpublished vulnerabilities.

One way is to use IPTables to limit certain IP addresses (http://sysadminman.net/blog/2011/restricting-web-interface-access-with-iptables-2156) but this relies on you having a fixed IP address.

Another, more flexible way, is to block all access via ports 80/443 (http/https) and access the system through a secure SSH tunnel using Putty.

If you have a SysAdminMan VPS and would like this setting up please get in touch.

First we need to block access to port 443/80. Do this be logging on as root and then running the iptables command to identify the rules allowing access. You may only see rules for port 80 or 443 depending on your system setup –

# iptables -L INPUT -n --line-numbers

Chain INPUT (policy DROP)
num  target     prot opt source               destination
...
9     ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:443 state NEW
10    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80 state NEW
...

Now delete the rules allowing access and save the rules so they are applied on startup –

iptables -D INPUT 9
iptables -D INPUT 10
service iptables save

Next start Putty and go to the SSH – Tunnels menu and create a local port forward as shown below. This redirects the port 80 on your machine to port 80 on the remote server you are ssh’d into. You could change these settings to port 443 if the remote web server is only listening on port 443.

Don’t forget to press Add  (and also save your session config for use again) –

Putty SSH tunnel screenshot 1

Now in your Web Browser you can browse to http://127.0.0.1  (or https://127.0.0.1 if you used port 443) to access the web server on the remote machine. This is very secure as you now need to log in via SSH to access to web panel, but no need for a fixed IP –

FreePBX access via putty tunnel

1 thought on “FreePBX, Elastix, Trixbox secure access via SSH tunnel

Comments are closed.