Tutorials: Securing a Compromised FreePBX
In all cases, we would recommend completely removing and rebuilding a compromised system. If this is not an option, a temporary solution is to replace the “tampered modules” with original modules.
In our experience with helping customers with compromised FreePBXs, some report that their ISP/Host forwards on abuse complaints they receive from their FreePBX.
In one case, the VPS that a customer was hosting their system on was being used to proxy brute force attacks to other PBX systems due to a compromised "Framework Module."
The customer had no idea their system was compromised until they received abuse complaints from their hosted provider. After Voxtelesys took a look at the system, our team saw the CPU pegged, numerous times more bandwidth usage than previous months, and several "Modules vulnerable to security threats."
In some cases of a compromised system, it is possible to replace the tampered modules from FreePBX Dashboard without the need for root SSH access. However, Console/SSH Access is the preferred method.
Keep in mind that the method outlined below may not work in all scenarios.
After logging into the FreePBX Administration Panel, a red security warning banner is displayed. Take note of what modules have been affected.
- Head over to the "Admin" drop-down menu and select "Module Admin."
In this case, the tampered module was the FreePBX Framework 13.0.197.22 config.php
- Once you identify what module will need to be replaced, head over to the FreePBX Github Releases and download the appropriate version that matches the tampered version. If your system is out of date, you may need to go several pages over to find your version.
- Download the tar.gz archive.
- Upload the tar.gz to the FreePBX by selecting "Upload Modules" in the "Module Administration" section.
- Change Type: _Download (From Web) to Upload (From Hard Disk). _
- Go ahead and select the tar.gz archive and Upload.
- Go back to local Module Administration.
- Select the drop-down menu on the tampered module.
Take this opportunity to update the rest of the modules by selecting the "Check Online" Button under Module Administration. You should see several modules with the status "Online Upgrade available."
Module Administration will show yellow flagged "Module is unsigned." You cannot self-sign without applying for GNU General Public License.
If possible, reboot the system through the Admin drop down, System Admin, Power Options Tab.
Admin > Module Administration
- "Check Online"
- Upgrade All Available > "Process" > "Confirm"
Reboot and Repeat two or three times until it shows the module have not been tampered with.
If the modules show being compromised again, rinse and repeat uploading the module a few more times.
In some cases, you may just need to backup your data and start with a fresh install.
If any of the Compromised Modules are ones that you have not bought and you do not plan to buy, they can be disabled, uninstalled, or removed.
Uninstalling a compromised module that is not in use is also an option.
To be proactive and prevent this from happening again, run the Firewall Wizard and ensure that Firewall > Interfaces > your default zone is not set to Trusted (Excluded from Firewall) and instead set to Internet (Default Firewall). Don't forget to update the interfaces with the button on the right if you make any changes!
One solution to increase security is the use of a free service called VoIPBL which is a list of known bad IP Addresses.
In general, we see FreePBX systems are compromised when weak passwords are used, the systems are not kept up to date, or the FreePBX firewall is configured incorrectly, and/or too open.
If updating and managing the FreePBX is a daunting task, consider switching to a 3CX Hosted by Voxtelesys to stay secure and decrease management.
