Security

The assumption is that in most cases EVB will be behind a firewall on a private LAN.

• Dynamic IP

If you have a dynamic IP number given to you from your ISP, you can use a service like dyndns.org or no-ip.com to get a second level domain name to track you dynamic IP number. This will enable the sip nat (for dynamic IP) setup below.

• Port forwarding

forward these ports to the internal LAN IP address of your EVB:

ssh 22
sip 5060
iax2 4569
web 80 (if you want to allow remote web access)
rtp 10000 - 20000

• Sip Nat config

edit (or use the config edit panel) /etc/asterisk/sip_nat.conf to look like this:

nat=yes
externhost=your.dns.name or public IP number
localnet=192.168.1.0/255.255.255.0
externrefresh=10

NOTE***
In order to make extensions work over VPN’s we had to add the VPN subnets to sip_nat.conf to make the phones on the 192.168.2.0 and 192.168.3.0 subnets work with the Asterisk Server on the 192.168.1.0 subnet. Here is the whole sip_nat.conf file

nat=yes
externip=xxx.xxx.xxx.xxx
localnet=192.168.1.0/255.255.255.0
localnet=192.168.2.0/255.255.255.0 # VPN1 to 192.168.1.0
localnet=192.168.3.0/255.255.255.0 # VPN2 to 192.168.1.0
externrefresh=10

• Create a user account with

useradd -g wheel -m support

passwd support

• Turn off root over ssh

edit /etc/ssh/sshd_config and set:
PermitRootLogin? no

/sbin/service sshd restart

• MySQL

Use phpMyAdmin in the Maintenance section. Go to the privileges screen to tighten the security.

/etc/asterisk/cdr_mysql.conf - Asterisk CDR database settings

• freePBX

http://aussievoip.com/wiki/index.php?page=freePBX-ManagerPass
http://aussievoip.com/wiki/index.php?page=freePBX-MysqlPass

/etc/amportal.conf - freePBX database settings
AMPDBPASS: the password for AMPDBUSER

• /etc/asterisk/manager.conf

Controls the login for the Asterisk Manager API.
If you change this, also change in /etc/amportal.conf for freePBX
The default is set for the localhost machine, so as long as you secure the machine this should be OK.