I changed the system from port 80 to a obscure port and firewalled port 80, (stand alone firewall in front of pbx) the gui works fine but I can not provision phones unless I open port 80, I tried adding http://YOUR-SERVER-IP/xepm-provision :XXXX but it did not work. system is hosted so phones are remote with dynamic IP's is the EPM locked to port 80/443
If you change the port, you must use: http://YOUR-SERVER-IP: YOUR-NEW-PORT/xepm-provision
Actually, it only shows the config if you put the right mac address, so, an attacker must know your phone's mac address for vulnerate your system.
On the RC version, we're including a fail2ban filter to avoid brute force attacks to the provisioning URL.