It is essential to secure access to the administration interface. Sensitive data such as tariffs, SIP accounts, suppliers or even statistics must not be disclosed to anyone other than authorized persons.
PyFreeBilling natively integrates several security mechanisms.
First of all, the interface is only reachable over HTTPS, with a default configuration that excludes SSL / TLS versions that are not sufficiently robust. It is essential to use a valid certificate so that the administrator can be sure of logging on to the genuine site rather than an attacker's page. A script is provided to generate Let's Encrypt certificates; this script also handles renewal.
Then, PyFreeBilling integrates a honeypot to automatically block bots and other malicious actors.
Finally, after 3 failed attempts, the user is permanently blocked. The only way to unlock the account is from the command line; a script is provided to simplify the operation.
All connection attempts, successful or not, are logged in the database, so an audit can reveal whether an unwanted person has tried to connect. The logs record the IP address, the country from which the connection was attempted, and data about the machine used (OS, browser, etc.).
User passwords are not stored in the database; only a hash is. The hashing method follows the security recommendations of the Django project. When those recommendations change with an update, each user's hash is migrated to the new parameters the next time that user logs in.
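As an added illustration of the login-time hash upgrade described above (simplified example code, not PyFreeBilling's or Django's own implementation), the stored hash carries its algorithm and work factor, so a successful login can detect an outdated work factor and return a re-hashed value for the caller to store. The algorithm name, iteration counts and salt length are assumptions chosen for this example.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Current policy: the algorithm and work factor that new hashes must use.
# Constructed values for this example, not a recommendation taken from the page.
CURRENT_ALGORITHM = "pbkdf2_sha256"
CURRENT_ITERATIONS = 600_000


def make_hash(password: str, iterations: int = CURRENT_ITERATIONS,
              salt: Optional[str] = None) -> str:
    """Encode a password as algorithm$iterations$salt$base64digest.

    The layout mirrors the self-describing Django-style format so that the
    parameters used for an old hash can be read back at verification time.
    """
    salt = salt or secrets.token_hex(8)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations)
    return f"{CURRENT_ALGORITHM}${iterations}${salt}${base64.b64encode(digest).decode()}"


def check_password(password: str, encoded: str) -> Tuple[bool, Optional[str]]:
    """Verify a password against a stored hash.

    Returns (ok, replacement): ok is True when the password matches; replacement
    is a fresh hash under the current policy when the stored one used a weaker
    work factor, so the caller stores it at login, or None when no update is due.
    """
    algorithm, iterations_str, salt, _digest = encoded.split("$", 3)
    if algorithm != CURRENT_ALGORITHM:
        return False, None          # unknown algorithm: reject rather than guess
    iterations = int(iterations_str)
    # Recompute with the stored parameters and compare in constant time.
    expected = make_hash(password, iterations, salt)
    if not hmac.compare_digest(expected, encoded):
        return False, None
    must_update = iterations < CURRENT_ITERATIONS
    return True, (make_hash(password) if must_update else None)
```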
Adding a firewall so that the machine is exposed only on the necessary ports (for a dedicated machine, only TCP port 443) is also recommended, as protection against 0-day vulnerabilities.
For the most cautious, a reverse proxy can be placed in front of the interface. Take care when configuring it: I urge you to read your reverse proxy's recommendations for working correctly with the Django framework.