3cx firewall

Discussion in '3CX Phone System - General' started by homeshop, Sep 14, 2017.

Thread Status:
Not open for further replies.
  1. homeshop

    Joined:
    Sep 11, 2014
    Messages:
    1
    Likes Received:
    0
    Hello,

    I have 3CX v12.5 that works fine. For the last 2 weeks there have been a lot of hacking attempts on my PBX. Now I have made the following rules in the security IP blacklist:

    IP range 0.0.0.0 subnet mask 0.0.0.0 BLOCKED!! All the IP numbers will be blocked.
    The following IP numbers I set to ALLOWED:
    127.0.0.1 (local IP, just in case)
    My WAN IP number
    My local IP range (in my case 192.168.1.0, subnet mask 255.255.255.0)
    My TRUNK IP numbers I set to allowed
    And the IP number of my private house

    This works great, because ALLOWED rules overrule the BLOCKED rules.

    But when I want to make a call to an outside phone number, there is NO response.
    Outside calls to inside work great.

    When I make a rule for the IP range 8.0.0.0 with subnet mask 255.0.0.0 (ALLOWED), I can also make calls from inside to outside.

    Now my question is: Why??? What is the reason I must open the IP range 8.x.x.x to make a call?
     
  2. leejor

    leejor Well-Known Member

    Joined:
    Jan 22, 2008
    Messages:
    10,368
    Likes Received:
    228
    I'm assuming that you are using a VoIP provider for outside calls. It may be that when calls originate from them, they come from an IP you are blocking. Using Wireshark (before the PBX) should show an incoming call attempt and where it originates.

    The other thing may be...what DNS server are you set to use? 8.8.8.8 belongs to Google, and if 3CX is set to use that to get the IP of your provider, or "other" information, then that may be it.
     
    homeshop likes this.
  3. sip.bg

    sip.bg Active Member

    Joined:
    Nov 7, 2016
    Messages:
    704
    Likes Received:
    219
    A good tip for improving security is to allow new inbound traffic from whitelisted addresses (your provider, your house, other trusted addresses) to ports 5060, 5061 TCP and 5060, 9000-9500 UDP only.

    To allow remote 3CX phones and IP phones behind a 3CX SBC to work, you should allow inbound traffic from any source address to ports 5000, 5001, 5090 TCP and 5090 UDP only. Traffic should be NATed to the internal IP address of the PBX, keeping the port numbers unchanged.

    You should not restrict outbound traffic from your router to the internet.

    This will solve the issues with attacks; they are normally targeted at port 5060 only.
     
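The two filtering approaches in this thread (homeshop's deny-all blacklist with allow entries that override it, and sip.bg's port-based whitelist above) can be modelled as a small policy evaluator. The following Python is an added example written for this page; it is not code from any poster or from 3CX. The port numbers come from sip.bg's post and the allow-overrides-deny behaviour from homeshop's observation; the WAN, trunk and home addresses are constructed documentation-range samples, and the suggestion of a /32 allow entry for the resolver (in place of the whole 8.0.0.0/8 range from the original post, following leejor's DNS hypothesis) is an added one.

```python
"""Model the two inbound-filtering policies discussed in this thread.

Policy A mirrors homeshop's 3CX blacklist setup: one deny entry for
0.0.0.0/0 plus explicit allow entries, where an allow entry overrides
the deny entry. It also checks leejor's hypothesis that replies from
the 8.8.8.8 resolver are caught by that deny entry.

Policy B mirrors sip.bg's port-based recommendation: signalling and
media ports only from trusted addresses, tunnel/provisioning ports
from any address, everything else denied.

All addresses except 8.8.8.8 and the 192.168.1.0/24 LAN range are
constructed documentation-range samples, not values from any real deployment.
"""
import ipaddress
from typing import Iterable, List, NamedTuple


class Packet(NamedTuple):
    src: str      # source IPv4 address of the inbound packet
    proto: str    # "tcp" or "udp"
    dport: int    # destination port on the PBX


def _in_any(ip: ipaddress.IPv4Address, nets: Iterable[ipaddress.IPv4Network]) -> bool:
    return any(ip in net for net in nets)


# ---------- Policy A: deny-all plus allow entries (3CX blacklist style) ----------
DENY_ALL = [ipaddress.ip_network("0.0.0.0/0")]

ALLOW_A: List[ipaddress.IPv4Network] = [ipaddress.ip_network(n) for n in (
    "127.0.0.1/32",      # loopback, as in the original post
    "203.0.113.10/32",   # constructed: the PBX's own WAN address
    "192.168.1.0/24",    # the LAN range from the original post
    "198.51.100.0/24",   # constructed: SIP trunk provider addresses
    "192.0.2.25/32",     # constructed: the poster's home address
)]


def policy_a(pkt: Packet, allow: Iterable[ipaddress.IPv4Network] = ALLOW_A) -> str:
    """Allow entries override the deny entry, as homeshop observed."""
    ip = ipaddress.ip_address(pkt.src)
    if _in_any(ip, allow):
        return "allow"
    if _in_any(ip, DENY_ALL):
        return "deny"
    return "allow"   # no entry matched, so nothing on this list blocks it


def allow_resolver(allow: Iterable[ipaddress.IPv4Network],
                   resolver: str) -> List[ipaddress.IPv4Network]:
    """Copy of the allow list plus a single-host entry for the DNS resolver.
    A /32 admits the resolver's replies without opening the whole 8.0.0.0/8
    range that the original post used (added suggestion, not from the thread)."""
    return list(allow) + [ipaddress.ip_network(f"{resolver}/32")]


# ---------- Policy B: sip.bg's port-based allow rules ----------
TRUSTED: List[ipaddress.IPv4Network] = [ipaddress.ip_network(n) for n in (
    "198.51.100.0/24",   # constructed: provider
    "192.0.2.25/32",     # constructed: house
    "192.168.1.0/24",    # LAN
)]
# SIP signalling and RTP media: trusted sources only.
TRUSTED_ONLY_PORTS = {("tcp", 5060), ("tcp", 5061), ("udp", 5060)}
TRUSTED_ONLY_UDP_RANGE = (9000, 9500)
# 3CX tunnel / SBC / provisioning ports: any source, so remote phones work.
ANY_SOURCE_PORTS = {("tcp", 5000), ("tcp", 5001), ("tcp", 5090), ("udp", 5090)}


def policy_b(pkt: Packet, trusted: Iterable[ipaddress.IPv4Network] = TRUSTED) -> str:
    key = (pkt.proto.lower(), pkt.dport)
    if key in ANY_SOURCE_PORTS:
        return "allow"
    lo, hi = TRUSTED_ONLY_UDP_RANGE
    is_media = key[0] == "udp" and lo <= pkt.dport <= hi
    if key in TRUSTED_ONLY_PORTS or is_media:
        return "allow" if _in_any(ipaddress.ip_address(pkt.src), trusted) else "deny"
    return "deny"   # default: nothing else is reachable from outside


if __name__ == "__main__":
    # A DNS reply arrives from 8.8.8.8 to an ephemeral port (40000 is constructed).
    dns_reply = Packet("8.8.8.8", "udp", 40000)
    print("policy A, DNS reply from 8.8.8.8:", policy_a(dns_reply))
    fixed = allow_resolver(ALLOW_A, "8.8.8.8")
    print("policy A after /32 allow, same reply:", policy_a(dns_reply, fixed))
    print("policy A after /32 allow, neighbour 8.0.0.1:",
          policy_a(Packet("8.0.0.1", "udp", 40000), fixed))
    print("policy B, internet host to udp/5060:", policy_b(Packet("203.0.113.77", "udp", 5060)))
    print("policy B, internet host to tcp/5090:", policy_b(Packet("203.0.113.77", "tcp", 5090)))
    print("policy B, provider to udp/9200:", policy_b(Packet("198.51.100.5", "udp", 9200)))
```

Running the script shows the behaviour the thread describes: under policy A the resolver's reply is denied until an allow entry covers it, and a /32 entry covers only that host rather than every address in 8.0.0.0/8; under policy B a random internet host reaching udp/5060 is denied while the same host can still reach the tunnel port tcp/5090.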
  4. sip.bg

    sip.bg Active Member

    Joined:
    Nov 7, 2016
    Messages:
    704
    Likes Received:
    219
    Hacking attempts seem to happen worldwide -- a kind of distributed attack from many source addresses to many PBXs. Probably these are infected computers (bots) attacking PBXs worldwide, and the owners of these computers do not suspect anything.

    I have collected a list of blacklist addresses -- attacks happen, for example, from one address to many PBXs simultaneously.
    It would be good to have the option to export and import blacklist/whitelist addresses from/to the 3CX internal firewall.
    I'm protecting many cloud PBXs simultaneously by blocking traffic from blacklisted addresses for all PBX instances in the cloud router in front.

    Attached is a blacklist collection (formatted for a Mikrotik router) from distributed attacks in the past 2 weeks.
     
