Following our last conversation about call fraud, it's time for another installment of our blog series ‘Don't be “THAT” Guy’. In this third edition, we’ve got our top 4 PBX security tips to help you shrink your attack surface and minimize system vulnerability.

Security tip 1: Keep the global IP blacklist enabled

(Screenshot: the Security / Anti-Hacking settings in the 3CX Management Console)

The 3CX Global Blacklist is enabled by default in every 3CX installation. It blocks a large number of known-offending IP addresses and ranges before they ever reach your SIP stack.

The concern is with installations where it has been switched off. Please make sure this isn't the case with yours. With the blacklist disabled, your event log fills up with failed authentication attempts from scanners that spoof the User-Agent of real equipment (Polycom VVX, Asterisk, Avaya, etc.). What you are looking at is a number of scanning bots working hard to brute-force your SIP extensions; with the blacklist on, the known ranges are dropped before they get that far and the event log records a blacklisting event instead.

These attacks rarely come from the attacker's own address. They arrive via VPN exit nodes and compromised hosts, or even from servers and appliances belonging to legitimate service providers: once tampered with, such devices look merely misconfigured and behave as open SIP relays, letting an attacker bounce REGISTER attempts onto your system while hiding behind a third party's reputation. A clean-looking source is therefore not a reason to trust it.

Security tip 2: Ensure port access is limited

Second, leaving every open port unfiltered is asking for trouble. For instance, SIP on port 5060 (UDP and TCP) should be reachable only from a short list of trusted endpoints and from the IP ranges your VoIP provider actually uses. Remote phones that cannot be pinned to a fixed address should come in through a tunnel rather than through a 5060 that is open to the whole internet.

We’ve also seen multiple occurrences of:

Phone web UI exposure

Phones with their web user interface reachable from the internet. Typically an admin has forwarded the phone's HTTP/HTTPS ports through the router so the device can be managed over the WAN. This should be a complete no-go. An exposed phone UI carries several risks:

  • The vendor firmware isn't kept up to date
  • The password is weak, or left at the vendor default
  • A zero-day for that model and firmware version is discovered and exploited
  • Exposed devices are trivially found with search engines like Shodan.

These user endpoints should stay behind NAT and never be reachable directly from the outside world. If remote administration is genuinely needed, open a temporary remote-access session to one workstation on the LAN and reach the phone from there.

SSH left unfiltered

Leaving the default Linux SSH port (TCP 22) unfiltered likewise invites constant brute-force attacks. You can see this for yourself in /var/log/auth.log on the machine, which keeps growing with failed login attempts from many public IP addresses. Restrict the port to your administrative addresses and prefer key-based authentication over passwords.
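To make the auth.log point concrete, here is an added example (not 3CX code, and not from the original post) that parses the standard sshd "Failed password" syslog lines, flags any source that produces a burst of failures inside a sliding window, and renders the nft commands you would use to block them. The log lines are constructed for the example from RFC 5737 documentation addresses; the nft table and set name are hypothetical and assume you have already created that set with a matching drop rule.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample of /var/log/auth.log lines (standard sshd syslog format,
# RFC 5737 documentation addresses; not taken from a real host).
SAMPLE_AUTH_LOG = """\
Mar 12 03:14:01 pbx sshd[2211]: Failed password for root from 203.0.113.5 port 51021 ssh2
Mar 12 03:14:03 pbx sshd[2213]: Failed password for invalid user admin from 203.0.113.5 port 51044 ssh2
Mar 12 03:14:05 pbx sshd[2215]: Failed password for invalid user pbx from 203.0.113.5 port 51060 ssh2
Mar 12 03:14:09 pbx sshd[2219]: Failed password for root from 203.0.113.5 port 51101 ssh2
Mar 12 03:14:12 pbx sshd[2221]: Failed password for root from 203.0.113.5 port 51130 ssh2
Mar 12 03:20:44 pbx sshd[2301]: Failed password for invalid user test from 198.51.100.23 port 40012 ssh2
Mar 12 03:21:10 pbx sshd[2305]: Accepted publickey for ops from 192.0.2.10 port 60000 ssh2: ED25519 SHA256:abc
Mar 12 03:22:02 pbx sshd[2310]: Failed password for invalid user oracle from 198.51.100.23 port 40099 ssh2
Mar 12 03:25:30 pbx sshd[2330]: Failed password for ops from 192.0.2.10 port 60011 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)


def parse_failures(log_text):
    """Yield (timestamp, username, source_ip) for every failed-password line."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            # syslog timestamps carry no year; that is fine for spotting bursts in one log
            yield datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"), m.group("user"), m.group("ip")


def brute_force_sources(log_text, threshold=4, window_seconds=300):
    """Return {source_ip: total_failures} for sources that produced at least
    `threshold` failures inside any `window_seconds` sliding window."""
    by_ip = defaultdict(list)
    for ts, _user, ip in parse_failures(log_text):
        by_ip[ip].append(ts)
    offenders = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                offenders[ip] = len(times)
                break
    return offenders


def usernames_tried(log_text):
    """Which accounts the scanners are guessing; root and vendor-style names dominate."""
    return Counter(user for _ts, user, _ip in parse_failures(log_text))


def nft_block_commands(offenders, set_name="ssh_bruteforce"):
    """Render nft commands that add the offenders to a blocking set. Table and set
    name are hypothetical; the set must already exist with a matching drop rule."""
    return [f"nft add element inet filter {set_name} {{ {ip} }}" for ip in sorted(offenders)]


if __name__ == "__main__":
    bad = brute_force_sources(SAMPLE_AUTH_LOG)
    print("offenders:", bad)
    print("usernames:", usernames_tried(SAMPLE_AUTH_LOG).most_common(3))
    for cmd in nft_block_commands(bad):
        print(cmd)
```

On the sample, only 203.0.113.5 crosses the threshold (five failures in eleven seconds); the two stray failures from 198.51.100.23 and the single typo from the legitimate ops host do not. In production you would not hand-roll this: fail2ban does the same job continuously. The point is that an unfiltered port 22 produces this traffic around the clock, and a firewall allowlist makes the log quiet instead of merely blocking the loudest offenders after the fact.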

Keep 3CX Servers separate

Running third-party tools on the same server as your 3CX installation adds to your attack surface. They bring their own web servers and extra services that listen on new ports, each of which is in turn exposed to attack from outside and patched on a schedule you don't control.

The bottom line is that you should filter as strictly as possible with proper ACL/firewall rules: default to deny, and open each port only to the sources that genuinely need it.
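As an added example of what "filter as strictly as possible" looks like in practice (not code from 3CX or from the original post), the script below turns a per-port allowlist into an nftables ruleset with a default-drop input chain, validates every CIDR with strict=True so a sloppy entry such as 203.0.113.5/24 is rejected instead of silently widening the rule, and lets you simulate the decision for a given source before you apply anything. The POLICY table is hypothetical and uses RFC 5737 and RFC 3849 documentation ranges; substitute your provider's published ranges and your own admin addresses.

```python
import ipaddress

# Hypothetical allowlist for this example, built from documentation ranges;
# substitute your VoIP provider's published ranges and your own admin addresses.
POLICY = {
    # (protocol, port): trusted source networks
    ("udp", 5060): ["203.0.113.0/24", "198.51.100.7/32"],  # SIP trunk provider + one fixed remote site
    ("tcp", 5060): ["203.0.113.0/24"],                     # SIP over TCP from the provider only
    ("tcp", 22):   ["192.0.2.10/32", "2001:db8::10/128"],  # SSH from the admin jump host only
}


def parse_networks(nets):
    """Validate and de-duplicate CIDR strings. strict=True rejects entries with host
    bits set (e.g. 203.0.113.5/24), which almost always means someone meant /32."""
    parsed = {ipaddress.ip_network(n, strict=True) for n in nets}
    return sorted(parsed, key=lambda n: (n.version, int(n.network_address), n.prefixlen))


def is_permitted(policy, proto, port, src_ip):
    """Simulate the firewall decision: True only if a rule for (proto, port) lists the
    source. Anything without a matching rule falls through to the chain's default drop."""
    addr = ipaddress.ip_address(src_ip)
    for net in parse_networks(policy.get((proto, port), [])):
        if addr.version == net.version and addr in net:
            return True
    return False


def render_ruleset(policy, table="filter", chain="input"):
    """Render an nftables ruleset (inet family) with a default-drop input chain and one
    accept rule per (proto, port, address family). Returned as text, not applied."""
    lines = [
        f"table inet {table} {{",
        f"  chain {chain} {{",
        "    type filter hook input priority 0; policy drop;",
        "    ct state established,related accept",
        "    iif lo accept",
    ]
    for (proto, port), nets in sorted(policy.items()):
        for version, match in ((4, "ip saddr"), (6, "ip6 saddr")):
            members = [str(n) for n in parse_networks(nets) if n.version == version]
            if members:
                lines.append(f"    {match} {{ {', '.join(members)} }} {proto} dport {port} accept")
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_ruleset(POLICY))
    checks = (("udp", 5060, "203.0.113.77"), ("tcp", 22, "203.0.113.77"), ("tcp", 443, "192.0.2.10"))
    for proto, port, src in checks:
        verdict = "accept" if is_permitted(POLICY, proto, port, src) else "drop"
        print(f"{proto}/{port} from {src}: {verdict}")
```

Save the rendered text to a file and load it with `nft -f` on a test box first; the `policy drop` at the top of the chain means anything you forgot to list (including the management console and your RTP range) is cut off, which is exactly the behaviour you want to discover in staging rather than in production. Note that the provider ranges here are hypothetical; the only correct source for them is the provider's own documentation.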

Security tip 3: Password protect your backups

(Screenshot: entering a password for the Backup Schedule)

Third, backups should be password protected. In the past we've seen cases of backups getting leaked; had they been encrypted, they would have been of no use to the attacker. That's why it is good practice to encrypt the backups of every installation you run, using a different password for each, and to keep those passwords somewhere other than alongside the backup files themselves.

Also, a single shared backup repository for all installations isn't a great idea. If it gets compromised, you may end up with multiple systems hacked simultaneously. And what about resilience? If that shared storage drive fails, every installation loses its backups at once. As the saying goes, don't put all your eggs in one basket.

Security tip 4: Lockdown the management console

(Screenshot: the restrictions section of the 3CX Management Console)

Finally, have you heard of the Management Console restrictions section? It lets you define which public IP addresses are allowed to log in. Anyone else is stopped short, even with correct credentials. Keep the list short and specific, and remember to update it when your administrators' addresses change, otherwise you will be the one locked out.

Watch out for the next episode and in brief… Don’t be “THAT” guy!

See also

Don’t be “THAT” Guy Vol.1: Keep Complex Credentials
Don’t be “THAT” Guy Vol.2: Call Fraud