Adilson Magnus
How to Harden MagnusBilling on Debian – Complete VoIP Security Guide

Exposing a VoIP server directly to the internet without proper hardening will result in constant attacks, brute force, SIP scans, and fraudulent calls.

True security is not just about software — it’s about how you configure your system. This step-by-step guide shows you how to lock down your MagnusBilling + Asterisk installation in Debian.


🔒 Security Checklist

  • Use non-standard ports
  • HTTPS + domain
  • Enable 2FA (two-factor authentication)
  • Enable reCAPTCHA
  • SIP Proxy in front of Asterisk
  • Authenticate SIP by IP where possible
  • SSH with RSA key only
  • Firewall + Fail2Ban
  • Weekly updates
  • Strong passwords

1️⃣ Use Non-Standard Ports

Automated bots actively scan and attack the following default ports:

Service   Default Port   Suggested Port
SSH       22             2222+
HTTP      80             8080 or 8000+
SIP       5060           5160+

IMPORTANT:

MagnusBilling already uses firewall rules and automated IP blocking (firewalld + Fail2Ban). If you change a port without first allowing it through the firewall, you may lock yourself out of the server — especially SSH.

Correct Order

1. Open the port in the firewall first

firewall-cmd --permanent --add-port=2222/tcp
firewall-cmd --reload

2. Then update SSH configuration

nano /etc/ssh/sshd_config

Port 2222

systemctl restart ssh

Always test the new connection in a separate session before closing your current one.

Change SIP Port

bindport=5160

firewall-cmd --permanent --add-port=5160/udp
firewall-cmd --reload

2️⃣ Enable Two-Factor Authentication (2FA)

Passwords alone are not enough. Use a token plugin to enforce a second layer of authentication, especially for admin accounts.

Recommended:

  • Mandatory for administrators
  • Recommended for all users

3️⃣ HTTPS + Domain

Never expose the MagnusBilling admin panel via IP address only:

http://123.123.123.123/mbilling  ❌

Instead use:

https://billing.yourdomain.com  ✅

Install SSL Certificate

apt install certbot python3-certbot-apache -y
certbot --apache

4️⃣ Enable reCAPTCHA

Protect your login screen from automated brute force attacks by enabling Google reCAPTCHA v3.

Enter keys in the admin panel:

Settings → search for "recaptcha"

5️⃣ Use a SIP Proxy

Deploy a SIP proxy such as OpenSIPS or Kamailio in front of your Asterisk backend:

Internet
   ↓
OpenSIPS / Kamailio
   ↓
Asterisk + MagnusBilling

  • Blocks SIP floods
  • Filters attacks
  • Hides backend
  • Provides rate limiting

This architecture is highly recommended for serious production environments.


6️⃣ Avoid SIP Password Authentication

Avoid:

username + password

Prefer:

authentication by IP

This removes brute force attack vectors on SIP credentials.


7️⃣ SSH with RSA Key Only

ssh-keygen
ssh-copy-id -p 2222 root@IP_ADDRESS

Then edit SSH config:

PasswordAuthentication no
PermitRootLogin prohibit-password
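The port change from section 1 (firewall first, then sshd_config, then restart, then verify from a new session) and the key-only settings from this section, as one added shell script. This is example code written for this page, not code from the original guide or from the MagnusBilling project. It assumes Debian with firewalld and OpenSSH as MagnusBilling installs them, chan_sip for the SIP port (the bindport line belongs in the [general] section of /etc/asterisk/sip.conf; PJSIP uses a transport "bind=" line instead), and the hypothetical script name mb-harden.sh. The editing functions take the config path as a parameter, so they can be tried on a copy before the real files are touched.

```shell
#!/bin/sh
# mb-harden.sh (hypothetical name): added example, not code from the original
# guide or from MagnusBilling. Applies the guide's order for a port change
# (firewall first, then config, then restart, then verify) and the key-only
# SSH settings, with a syntax check before sshd is restarted.
# Assumptions: Debian with firewalld and OpenSSH as MagnusBilling installs
# them; chan_sip, whose bindport lives in the [general] section of
# /etc/asterisk/sip.conf (PJSIP uses a transport "bind=" line instead).
set -eu

# Set a top-level sshd_config directive: replace every active KEY line, or
# prepend one. Prepending keeps it ahead of any Match block (Port is not
# allowed there) and, since sshd keeps the first value it sees, ahead of
# anything pulled in by an Include line.
set_sshd_directive() {
    cfg="$1"; key="$2"; val="$3"
    if grep -Eiq "^[[:space:]]*$key[[:space:]]" "$cfg"; then
        sed -Ei "s/^[[:space:]]*$key[[:space:]].*/$key $val/I" "$cfg"
    else
        { printf '%s %s\n' "$key" "$val"; cat "$cfg"; } > "$cfg.new" && mv "$cfg.new" "$cfg"
    fi
}

# Port with a sanity check on the value (a typo here locks you out).
set_sshd_port() {
    case "$2" in ''|*[!0-9]*) echo "invalid port: $2" >&2; return 1 ;; esac
    set_sshd_directive "$1" Port "$2"
}

# chan_sip: replace an existing bindport= line or add one right after [general].
set_sip_bindport() {
    cfg="$1"; port="$2"
    if grep -Eq '^[[:space:]]*bindport[[:space:]]*=' "$cfg"; then
        sed -Ei "s/^[[:space:]]*bindport[[:space:]]*=.*/bindport=$port/" "$cfg"
    else
        sed -i "/^\[general\]/a bindport=$port" "$cfg"
    fi
    grep -q "^bindport=$port\$" "$cfg"    # fails if sip.conf had no [general]
}

# --- live steps, run as root ------------------------------------------------
change_ssh_port() {
    port="$1"
    firewall-cmd --permanent --add-port="$port/tcp"   # 1. firewall first
    firewall-cmd --reload
    set_sshd_port /etc/ssh/sshd_config "$port"         # 2. then sshd_config
    sshd -t                                            # refuse to restart a broken config
    systemctl restart ssh                              # 3. then restart
    ss -Hltn | awk '{ print $4 }' | grep -q ":$port\$" \
        || { echo "sshd is not listening on $port, keep this session open" >&2; return 1; }
    echo "sshd is on $port: log in with 'ssh -p $port' from a NEW session before closing this one"
}

# Only after ssh-copy-id succeeded and a key login has been tested.
harden_ssh_auth() {
    set_sshd_directive /etc/ssh/sshd_config PasswordAuthentication no
    set_sshd_directive /etc/ssh/sshd_config PermitRootLogin prohibit-password
    sshd -t && systemctl restart ssh
}

change_sip_port() {
    port="$1"
    firewall-cmd --permanent --add-port="$port/udp"
    firewall-cmd --reload
    set_sip_bindport /etc/asterisk/sip.conf "$port"
    asterisk -rx "sip reload"
}

# Usage: sh mb-harden.sh ssh-port 2222 | ssh-keys-only | sip-port 5160
case "${1:-}" in
    ssh-port)      change_ssh_port "${2:-2222}" ;;
    ssh-keys-only) harden_ssh_auth ;;
    sip-port)      change_sip_port "${2:-5160}" ;;
esac
```

Run the three steps separately and in the order the guide gives: `ssh-port` first, confirm the new port from a second terminal, copy your key with ssh-copy-id, confirm a key login works, and only then `ssh-keys-only`. The `sshd -t` call is the difference between a failed restart that leaves the old sshd running and a restart that leaves you locked out.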

8️⃣ Weekly Updates

Regularly update MagnusBilling to ensure the latest security patches are applied:

/var/www/html/mbilling/protected/commands/update.sh

9️⃣ Remove Default Admin User

  • Create a new administrator account
  • Disable or delete the default one
  • Avoid predictable usernames

🔟 Strong Passwords

openssl rand -base64 18

Use complex passwords of at least 14 characters for all accounts.


🎯 Conclusion

By applying:

  • Non-standard ports
  • 2FA
  • HTTPS
  • SSH key only
  • SIP Proxy
  • Firewall + Fail2Ban

you drastically reduce the risk of attacks and SIP fraud.
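A read-only audit of the items in this list that a shell can verify, added here as example code that is not part of the original guide or of MagnusBilling. Each check_* function takes the output of a command as text, so the same logic runs on the live host (audit_host) or on captured output. It assumes Debian with OpenSSH, iproute2 (ss) and fail2ban as installed by MagnusBilling, that it is run as root so that `sshd -T` and fail2ban-client answer, and the hypothetical script name mb-audit.sh.

```shell
#!/bin/sh
# mb-audit.sh (hypothetical name): added example, not code from the original
# guide or from MagnusBilling. Read-only check of the checklist items that a
# shell can verify. Each check_* function takes command OUTPUT as text, so
# the same logic runs on the live host (audit_host) or on captured output.
# Assumptions: Debian with OpenSSH, iproute2 (ss) and fail2ban as installed
# by MagnusBilling; run as root so that `sshd -T` and fail2ban-client answer.
set -uf    # -f: addresses such as *:22 must never be glob-expanded

# Value of one key in `sshd -T` output ("key value" per line, lowercase keys).
sshd_effective() { printf '%s\n' "$1" | awk -v k="$2" '$1 == k { print $2; exit }'; }

# Non-default port, no password logins, root only with a key.
check_sshd() {
    cfg="$1"; bad=0
    [ -n "$cfg" ] || { echo "FAIL: no 'sshd -T' output (run as root)"; return 1; }
    [ "$(sshd_effective "$cfg" port)" != "22" ] \
        || { echo "FAIL: sshd on default port 22"; bad=1; }
    [ "$(sshd_effective "$cfg" passwordauthentication)" = "no" ] \
        || { echo "FAIL: PasswordAuthentication is not 'no'"; bad=1; }
    case "$(sshd_effective "$cfg" permitrootlogin)" in
        no|prohibit-password|without-password) ;;
        *) echo "FAIL: PermitRootLogin still allows a root password login"; bad=1 ;;
    esac
    return $bad
}

# $1 = `ss -Hltn` output, $2 = `ss -Hlun` output; column 4 is local addr:port.
# Nothing should still be bound to the scanned defaults 22/tcp and 5060/udp.
check_listeners() {
    bad=0
    for a in $(printf '%s\n' "$1" | awk '{ print $4 }'); do
        [ "${a##*:}" != "22" ] || { echo "FAIL: TCP listener on port 22 ($a)"; bad=1; }
    done
    for a in $(printf '%s\n' "$2" | awk '{ print $4 }'); do
        [ "${a##*:}" != "5060" ] || { echo "FAIL: UDP listener on port 5060 ($a)"; bad=1; }
    done
    return $bad
}

# $1 = `fail2ban-client status` output; at least one jail must be active.
check_fail2ban() {
    n=$(printf '%s\n' "$1" | awk -F: '/Number of jail/ { gsub(/[^0-9]/, "", $2); print $2; exit }')
    [ -n "$n" ] && [ "$n" -gt 0 ] \
        || { echo "FAIL: fail2ban not running or no jail active"; return 1; }
}

audit_host() {
    rc=0
    check_sshd "$(sshd -T 2>/dev/null)" || rc=1
    check_listeners "$(ss -Hltn)" "$(ss -Hlun)" || rc=1
    check_fail2ban "$(fail2ban-client status 2>/dev/null)" || rc=1
    [ "$rc" -eq 0 ] && echo "OK: all shell-verifiable checklist items pass"
    return "$rc"
}

# Usage: RUN_LIVE=1 sh mb-audit.sh   (as root)
if [ "${RUN_LIVE:-0}" = 1 ]; then audit_host; fi
```

The checks deliberately read the effective sshd configuration (`sshd -T`) rather than sshd_config, so a drop-in under /etc/ssh/sshd_config.d that re-enables password login is caught, and they look at what is actually bound (`ss`) rather than at what the config says. 2FA, reCAPTCHA and IP-based SIP authentication are set in the admin panel and are not covered here.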

Exposed VoIP systems without proper hardening will inevitably be targeted. Prevention is always cheaper than recovering from fraud or intrusion.