3CX Phone System Anti Hacking – Whitelist/Blacklist

Introduction

3CX Phone System allows you to whitelist and blacklist IP addresses. All traffic originating from whitelisted IP addresses will be allowed through unchecked by the anti-hacking features. All traffic originating from blacklisted IP addresses will be dropped immediately. This article describes how to configure new whitelist and blacklist entries in 3CX Phone System.

Adding a Whitelist Entry to 3CX Phone System

Let’s assume that you have a remote office connected to your 3CX Phone System. Your remote office has a public IP address of 123.123.123.123. Traffic from this IP address is trusted. To add a whitelist entry for this IP address, you’ll need to do the following:


  1. Go to “Security” > “IP Blacklist” in the 3CX Management Console.
  2. Click Add to add an entry.
  3. From the drop-down menu select Add single IP Address and enter the IP address that you want to allow, e.g. 123.123.123.123 (you can also select to add a range of IP addresses using a subnet mask).
  4. Set Action to Allow.
  5. Add a description for the IP address, e.g. Remote office.
  6. Click on OK to create an Allow entry in the IP Blacklist for the whitelisted IP address. All traffic originating from this IP address will be unchecked and the anti-hacking algorithms will not come into effect.

Blocking an IP Address or a Range of IP Addresses

Let us look at another scenario. Assume that there is a distributed attack coming from the following IP addresses: 41.202.160.2 and 41.202.191.5. These two IP addresses have already been blacklisted by 3CX Phone System’s anti-hacking auto-detection mechanisms. You would, however, want to blacklist the whole range, since you are sure that you will never get any traffic from these IP addresses. In this case, we will blacklist the whole range from 41.202.0.0 to 41.202.255.255, i.e. all the IP addresses that start with 41.202.


  1. Go to “Security” > “IP Blacklist” in the 3CX Management Console.
  2. Click Add to add a new entry.
  3. From the drop-down menu select “Add a range of IP Addresses”.
  4. Enter the Network address which is the first address of the network range you want to block. For this example we will enter 41.202.0.0.
  5. To block all IP addresses starting with 41.202, we select “/16” as “Subnet Mask”, i.e. 255.255.0.0.

💡 Tip: The range of IP addresses contained by the network mask is displayed below in “IP address range”.

  6. Set Action to “Deny”.
  7. Enter a Description for this entry to help you remember why you added this entry, for example “Distributed attack coming from 41.202.x.x”.
  8. Click on OK to create a Deny entry in the IP Blacklist. All traffic coming from this IP address range will be checked, and the anti-hacking algorithms will come into effect and completely drop and ignore all packets from these IPs.

The 3CX anti-hacking Blacklist / Whitelist mechanism does not replace a firewall. It provides a defense mechanism to help separate traffic that is trusted, and traffic that is not trusted. If for example you want to block all traffic to your network and allow only your VoIP Provider IP address, you need to set this up on your firewall.

When configuring a range of IP addresses in the blacklist, you should also ensure that the range does not include the IP address of the PBX.
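The range and PBX checks described above can be run before the entry is saved. The following is an added example, not part of the original 3CX article or of 3CX itself: the function names are hypothetical and the PBX address 198.51.100.10 is a constructed placeholder. It goes slightly beyond the text by also reporting the narrowest single range that covers the observed addresses, for comparison with the /16.

```python
import ipaddress

def narrowest_cover(ips):
    """Smallest single CIDR block containing every address in ips."""
    addrs = [ipaddress.ip_address(ip) for ip in ips]
    net = ipaddress.ip_network(addrs[0])
    while not all(a in net for a in addrs):
        net = net.supernet()  # widen by one prefix bit at a time
    return net

def review_deny_range(network, prefix, observed, protected):
    """Pre-check a planned Deny range (hypothetical helper, not a 3CX API).

    network, prefix: the "Network address" and "Subnet Mask" fields
    observed:  attacker IPs the range is meant to cover
    protected: label -> IP that must never be denied (PBX, Allow entries)
    """
    # strict=True raises ValueError if the network address has host bits
    # set, i.e. it is not the first address of the range for this mask.
    net = ipaddress.ip_network(f"{network}/{prefix}", strict=True)
    report = {
        "netmask": str(net.netmask),
        "first": str(net[0]),
        "last": str(net[-1]),
        "addresses": net.num_addresses,
        "not_covered": [ip for ip in observed
                        if ipaddress.ip_address(ip) not in net],
        "conflicts": sorted(label for label, ip in protected.items()
                            if ipaddress.ip_address(ip) in net),
        "narrowest": str(narrowest_cover(observed)) if observed else None,
    }
    report["safe"] = not report["not_covered"] and not report["conflicts"]
    return report

if __name__ == "__main__":
    attackers = ["41.202.160.2", "41.202.191.5"]    # from the article
    keep_reachable = {
        "PBX": "198.51.100.10",                     # constructed placeholder
        "Remote office": "123.123.123.123",         # whitelist example above
    }
    for key, value in review_deny_range("41.202.0.0", 16, attackers,
                                        keep_reachable).items():
        print(f"{key:12} {value}")
```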


Last Updated

This document was last updated on 11 June 2023

https://www.3cx.com/docs/allow-deny-ip-addresses/ 
