3CXClient logged in with new Password, but I didn't enter it

Discussion in 'Windows' started by Biber, Aug 6, 2015.

Thread Status:
Not open for further replies.
  1. Biber

    Joined:
    Jul 28, 2015
    Messages:
    23
    Likes Received:
    0
    Hi,

    I created new passwords for all users in our 3CX. I entered the password to the phones, but not to the 3CX Phones.
    After restarting the 3CXPhone, it logged in without having the new password!

    Why it can log in?

    Thanks in advance

    Biber
     
  2. pj3cx

    pj3cx Active Member

    Joined:
    Aug 1, 2013
    Messages:
    646
    Likes Received:
    1
    Re: 3CXClient logged in with new Password, but I didn't ente

    Hi Biber,
    This is due to reprovisioning of the 3cxphone on restart.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  3. Biber

    Joined:
    Jul 28, 2015
    Messages:
    23
    Likes Received:
    0
    Re: 3CXClient logged in with new Password, but I didn't ente

    Hi,

    ok, that's what I already thought, but somebody has stolen an account of us (he knows the credetials), so we are not able to change the credentials to lock him out! If he uses a 3CX Client he can restart the Client and he is online without the new password!


    IMHO this provisioning is a very unsecure feature (or I don't understand it at all)
     
  4. pj3cx

    pj3cx Active Member

    Joined:
    Aug 1, 2013
    Messages:
    646
    Likes Received:
    1
    Re: 3CXClient logged in with new Password, but I didn't ente

    In that case you can disable this specific extension so that no more calling is possible through it or delete it completely from the phone system, the provisioning file associated will be also deleted.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  5. Biber

    Joined:
    Jul 28, 2015
    Messages:
    23
    Likes Received:
    0
    Re: 3CXClient logged in with new Password, but I didn't ente

    Hi,

    Thanks for the fast response.
    Here our problem:
    Someone had the credentials to the 3CX Server Manager, so he has access to all extensions with passwords. What can I do to ensure that he can't login with any credentials. We already changed all passwords, but it seems that is not enough.

    In normal secure systems it's enough to change the password, I've never heard of system, which issued a new password, if it has changed. Or is it a little bit like ".ssh/authorisized_keys". If it is so, I must only delete the "key" on the server.

    Thanks in advance

    Biber
     
  6. pj3cx

    pj3cx Active Member

    Joined:
    Aug 1, 2013
    Messages:
    646
    Likes Received:
    1
    Re: 3CXClient logged in with new Password, but I didn't ente

    The management console is protected by an admin account, you can change login and password at any time through your settings.
    Also, check which extension have admin permissions through their Options tab and disable those access if necessary.

    You must renew also your trunks passwords if they could have been compromised.

    Other than that your windows machine might aswell be compromised, so run an AV scan and ensure all windows updates are installed, check also which ports are opened and what apps listening on them, and restrict what is reachable from the outside through firewall/router.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  7. Biber

    Joined:
    Jul 28, 2015
    Messages:
    23
    Likes Received:
    0
    Re: 3CXClient logged in with new Password, but I didn't ente

    Of course I changed the login and password, I have renew all extension passwords, and that's the problem:

    I changed the password, and I can still connect after restarting the 3CX WinClient without the new Password.

    If the "Hacker" uses the 3CX Client (with my credentials), my extension-renew is useless! I must be sure, that the hacker can't use 3CX without the new credentials.

    I already checked the Windows-Server, and it's ok.
     
  8. pj3cx

    pj3cx Active Member

    Joined:
    Aug 1, 2013
    Messages:
    646
    Likes Received:
    1
    Re: 3CXClient logged in with new Password, but I didn't ente

    Then delete extension and recreate it, this will renew the provisioning file associated by renewing its file name, therefore the new credentials will not be available anymore to the other person which will still be running with old provisioning file name.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  9. Biber

    Joined:
    Jul 28, 2015
    Messages:
    23
    Likes Received:
    0
    Re: 3CXClient logged in with new Password, but I didn't ente

    I must configure the whole 3CX-Server once more? You can't be serious!

    I only want to change credentials

    Is it possible to delete the provisioning file without recreating the whole extension?
    Or can I disable 3CX Phone Client provisioning?
     
  10. pj3cx

    pj3cx Active Member

    Joined:
    Aug 1, 2013
    Messages:
    646
    Likes Received:
    1
    Re: 3CXClient logged in with new Password, but I didn't ente

    You can click "Disallow use of 3CXPhone" under this extensions properties / 3CXPhone tab.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  11. Biber

    Joined:
    Jul 28, 2015
    Messages:
    23
    Likes Received:
    0
    Re: 3CXClient logged in with new Password, but I didn't ente

    I tried it, but It doesn't work.
    I disabled the use of the 3CXPhone, and after restarting the 3CXPhone, the 3CXPhone shows me a Dialog that the use is disabled, but after clicking [OK] I can use the phone without limits
     
  12. pj3cx

    pj3cx Active Member

    Joined:
    Aug 1, 2013
    Messages:
    646
    Likes Received:
    1
    Re: 3CXClient logged in with new Password, but I didn't ente

    Which version/service pack of 3CX Phone System and of the 3cxphone (see Settings/Advanced/About) are you running please ?
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  13. Biber

    Joined:
    Jul 28, 2015
    Messages:
    23
    Likes Received:
    0
    Re: 3CXClient logged in with new Password, but I didn't ente

    I installed 3CX 12.5 on the Server, where I can see the exact version?

    The 3CXPhone is running on version 12.5.44178.0
     
  14. pj3cx

    pj3cx Active Member

    Joined:
    Aug 1, 2013
    Messages:
    646
    Likes Received:
    1
    Re: 3CXClient logged in with new Password, but I didn't ente

    Ok just made the test, in fact the disallow use of 3cxphone will prevent access to the web api services (presences, etc..) only, you will need to delete the extension and recreate it so that provisioning file is renamed, no alternative here - just tested this and it works as expected, the 3cxphone gives now on "Registration Failed, Invalid Password" and can't reprovision.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  15. Biber

    Joined:
    Jul 28, 2015
    Messages:
    23
    Likes Received:
    0
    Re: 3CXClient logged in with new Password, but I didn't ente

    Ok,

    thanks for your help.

    I've tested it to, and it worked. The solution is not perfect but it is a solution, and after doing it, I can be mostly sure, the the other one can't login on any extension.

    Thanks

    Biber
     
  16. Biber

    Joined:
    Jul 28, 2015
    Messages:
    23
    Likes Received:
    0
    Re: 3CXClient logged in with new Password, but I didn't ente

    Ok,

    thanks for your help.

    I've tested it to, and it worked. The solution is not perfect but it is a solution, and after doing it, I can be mostly sure, the the other one can't login on any extension.

    Thanks

    Biber
     
Thread Status:
Not open for further replies.