3CX Phone System Anti Hacking – Whitelist/Blacklist

3CX Phone System allows you to whitelist and blacklist IP addresses. All traffic originating from whitelisted IP addresses will be allowed through unchecked by the anti-hacking features. All traffic originating from blacklisted IP addresses will be dropped immediately. This article describes how to configure new whitelist and blacklist entries in 3CX Phone System.

Adding a Whitelist Entry to 3CX Phone System

Let's assume that you have a remote office connected to your 3CX Phone System. Your remote office has a public IP address of 123.123.123.123. Traffic from this IP address is trusted. To add a whitelist entry for this IP address, you’ll need to do the following:

  1. Log in to the 3CX Management Console.
  2. Click on Dashboard > Blacklisted IPs.
  3. Click “Add” to add an entry.
  4. From the drop-down menu select “Add single IP Address” and enter the IP address that you want to allow – in this example: 123.123.123.123 (you can also select to add a range of IP addresses using a Subnet Mask).
  5. Set Action to “Allow”.
  6. Add a description for the IP address, for example “Remote office”.
  7. Press “OK”. An Allow entry will be created in the IP Blacklist page for the whitelisted IP address. All traffic originating from this IP address will be unchecked and the anti-hacking algorithms will not come into effect.

Blocking an IP Address or a Range of IP Addresses

Let us look at another scenario. Assume that there is a distributed attack coming from the following IP addresses – 41.202.160.2 and 41.202.191.5. These two IP addresses have already been blacklisted by 3CX Phone System’s anti-hacking auto-detection mechanisms. You may, however, want to blacklist the whole range, since you are sure that you will never get legitimate traffic from these IP addresses. In this case, we will blacklist the whole range from 41.202.0.0 to 41.202.255.255, i.e. all the IP addresses that start with 41.202.

  1. Log in to the 3CX Management Console.
  2. Click on Dashboard > Blacklisted IPs.
  3. Click “Add” to add a new entry.
  4. From the drop-down menu select “Add a range of IP Addresses”.
  5. Enter the “Network address” which is the first address of the network range you want to block. For this example we will enter 41.202.0.0.
  6. Since we want to block all IP addresses that start with 41.202, we will select a Subnet Mask of 255.255.0.0. The range of IP addresses contained in this mask will be displayed below.
  7. Set Action to “Deny”.
  8. Enter a Description for this entry to help you remember why you added this entry, for example “Distributed attack coming from 41.202.x.x”.
  9. Press “OK”. A Deny entry will be created in the IP Blacklist page. All traffic coming from this range will be checked: the anti-hacking algorithms will come into effect and completely drop and ignore all packets from these IP addresses.

The 3CX anti-hacking Blacklist / Whitelist mechanism does not replace a firewall. It provides a defense mechanism to help separate traffic that is trusted, and traffic that is not trusted. If for example you want to block all traffic to your network and allow only your VoIP Provider IP address, you need to set this up on your firewall.

When configuring a range of IP addresses in the blacklist, you should also ensure that the range does not include the IP address of the PBX.
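
A way to check a planned Deny range before entering it in the console, given here as an added example (not 3CX code): it expands the Network address and Subnet Mask into the covered range, confirms the observed source addresses are inside it, and confirms the PBX and whitelisted addresses are not. The function names and the PBX address 203.0.113.10 are assumptions made for illustration; the other addresses come from the article.

```python
import ipaddress

def deny_range(network_address, subnet_mask):
    """Return the IPv4 network covered by a 'Network address' + 'Subnet Mask' pair.

    strict=True rejects a network address with host bits set (for example
    41.202.160.2 with mask 255.255.0.0), so the entry describes exactly
    what will be blocked.
    """
    return ipaddress.ip_network(f"{network_address}/{subnet_mask}", strict=True)

def review_deny_entry(network_address, subnet_mask, must_block, must_not_block):
    """Check a planned Deny range before it is added.

    must_block:     addresses the entry is meant to cover (observed sources)
    must_not_block: label -> address that must stay reachable (PBX, trusted sites)
    Returns (first_ip, last_ip, problems); an empty problems list means no conflict.
    """
    net = deny_range(network_address, subnet_mask)
    problems = []
    for ip in must_block:
        if ipaddress.ip_address(ip) not in net:
            problems.append(f"{ip} is not covered by {net}")
    for label, ip in must_not_block.items():
        if ipaddress.ip_address(ip) in net:
            problems.append(f"{label} ({ip}) falls inside {net}")
    return str(net[0]), str(net[-1]), problems

if __name__ == "__main__":
    # Attack sources and remote office are the article's examples;
    # the PBX address is a constructed placeholder.
    first, last, problems = review_deny_entry(
        "41.202.0.0", "255.255.0.0",
        must_block=["41.202.160.2", "41.202.191.5"],
        must_not_block={"PBX": "203.0.113.10", "Remote office": "123.123.123.123"},
    )
    print(f"Deny range: {first} - {last}")
    for line in problems or ["no conflicts"]:
        print(" ", line)
```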

  1. Still it’s better not to use whitelists (i.e. your local network). The anti-hacking mechanism will prevent you from attacks coming from the LAN also (so called bots or viruses), on the other hand seeing an internal address being blocked is a serious indication for problems on the network (infected PCs, malfunctioning switch, etc.).

    Regards

    November 6, 2012 at 11:22 am
  2. Hi Nick,
    Thanks for again a clear HowTo from your hand.
    When looking at the V11 logs I sometimes see that the system rejects an invite based on the client name (e.g. “friendly scanner”)
    Is there a way to add other abusing client-names to this apparently hidden list?
    Tia
    Joep Maas

    November 7, 2012 at 4:52 am
  3. Igor Snezhko

    Hi Nicky!

    There is an error in the Blocking IP address section

    9. Press ‘OK’. An Allow list will be created in the IP Blacklist / Whitelist page. All traffic coming from this IP address will be unchecked and the anti-hacking algorithms will not come into effect.

    Should be “Deny list…”

    November 8, 2012 at 3:16 pm
  4. @Joep Maas,
    I will contact you

    November 14, 2012 at 9:26 am