3CXPhone Requiring TCP 5000/5001 Forwarded for Presence

Discussion in '3CX Phone System - General' started by discover-sm, Jul 4, 2014.

Thread Status:
Not open for further replies.
  1. discover-sm

    Joined:
    Jul 4, 2014
    Messages:
    2
    Likes Received:
    0
    We recently upgraded a couple of clients to 3CX v12 SP6 and the new interface looks good.

    We have sent the Welcome e-mail to a number of test staff members to set up their iPhones and Androids, and the first thing we noticed is that despite using the 3CX Tunnel for voice connectivity we are also required to forward TCP 5000 or 5001 to the 3CX Phone System... Does this not alarm anyone? If not, let me explain - TCP 5000/5001 are the management ports of the phone system.
    I'm surprised this didn't raise any eyebrows with the 3CX security team.. :S

    3CX - Please tell me you plan to run the 3CXPhone presence over the 3CX Tunnel in future? Or plan to use an alternate locked-down HTTP port that doesn't publish the front door to the 3CX Phone System to the world. I understand it is our responsibility to set a secure password on the 3CX Management interface; however, for the same reason banks don't put their combination-protected vaults on the street, I do not feel comfortable doing this. I would rather not be the victim of a 0day 3CX, Abyss or IIS security hole found by someone with too much time.
     
  2. MariosS_3CX

    Joined:
    May 26, 2014
    Messages:
    12
    Likes Received:
    0
    Hey there,

    For some guidelines on securing the 3CX Phone System please refer to http://www.3cx.com/blog/voip-howto/voip-security/; alternatively, IIS and Abyss can be configured to accept connections only from specific IP addresses, therefore denying any unauthorized requests. I cannot explicitly recommend these changes; alternatively I would recommend restricting traffic to known IPs from an external entity like a firewall, which will definitely withstand heavy possible attacks.
     
  3. 3cxBora

    Joined:
    Jun 17, 2015
    Messages:
    35
    Likes Received:
    0
    While the document provides a guideline for the security of a Windows PBX system, it does not answer whether port 5001 or 5000 is secure to open from the public WAN.

    Without opening either port 5000 (HTTP) or 5001 (HTTPS), there are a number of features that won't work. Is it safe to open these?
     
  4. eagle2

    eagle2 Well-Known Member

    Joined:
    Apr 27, 2011
    Messages:
    1,085
    Likes Received:
    11
    Opening port 5000 in V.11 is vulnerable; this was fixed in V.12, but caution is still not unnecessary.
    Using another tunnel (VPN) is advisable and more secure; the 3CX tunnel on port 5090 only encapsulates traffic without encrypting it, solving potential NAT/firewall issues only, very much like IAX on port 4569 in Asterisk systems.
     
  5. SteveT44

    Joined:
    Dec 16, 2015
    Messages:
    6
    Likes Received:
    0
    I know this is an old thread but I just ran across this problem with my installation. Opening ports 5000 and 5001 to the internet is required to support the Presence function on the 3CX phones but leaves the management login open to the public. To get around this, I enabled the management console on the Abyss web server and, within Abyss, added an IP whitelist entry for my local subnet to the "/management" alias. Now, when attempting to browse to the 3CX login from anywhere other than my local LAN, the user will get a 403 Forbidden error. I took it one step further and set up a custom redirect for the 403 error to the FBI cyber crimes website. ;-)
     
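The two mitigations discussed in this thread (restricting the management ports to known IPs, and the per-alias whitelist on "/management" that returns 403 to everyone else) both reduce to one decision: is this client address allowed to reach this path? The script below is an added example, not code from the thread, from 3CX or from Abyss. It implements that decision in `allow_request()` the way a front end with an IP allowlist on the management alias would (the presence paths stay open to any address, only the management prefix is gated), and `probe()` checks from an outside vantage point that the port still answers but the management path is blocked. The hostname, subnet, ports and path prefix are assumptions for illustration.

```python
"""Added example: path-scoped source-IP allowlist for a PBX management UI,
plus an external probe that confirms the console is blocked (403) while the
port itself still answers.  Host, ports, subnet and path names are assumed.
"""
import ipaddress
import posixpath
import ssl
import urllib.error
import urllib.request
from typing import Dict, Optional

# Assumed values: the PBX hostname, the HTTP/HTTPS ports from the thread,
# the LAN allowed to reach the console, and the alias the whitelist guards.
PBX_HOST = "pbx.example.com"
MGMT_PORTS = (5000, 5001)
ALLOWED_NETS = [ipaddress.ip_network("192.168.10.0/24")]
PROTECTED_PREFIXES = ("/management",)


def allow_request(client_ip: str, path: str, allowed_nets=ALLOWED_NETS) -> bool:
    """Return True if the request should be served, False if it gets a 403.

    Only the protected prefixes are gated, so the presence endpoints the
    phones need remain reachable from anywhere.  The path is normalised
    first so that "/foo/../management" or "/MANAGEMENT/" cannot slip past
    a naive prefix comparison.
    """
    normalized = posixpath.normpath("/" + path.lstrip("/")).lower()
    protected = any(
        normalized == p or normalized.startswith(p + "/") for p in PROTECTED_PREFIXES
    )
    if not protected:
        return True
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False  # malformed client address: fail closed
    return any(addr in net for net in allowed_nets)


def verdict(status: Optional[int], path: str) -> str:
    """Classify one response seen from a non-whitelisted vantage point."""
    if status is None:
        return "unreachable"
    if path.lower().startswith("/management"):
        return "blocked" if status == 403 else "EXPOSED"
    return "answering"


def probe(host: str = PBX_HOST, ports=MGMT_PORTS, timeout: float = 5.0) -> Dict[str, str]:
    """Fetch "/" and "/management/" on each port and classify the answers.

    Run this from outside the whitelisted subnet: "/" should be "answering"
    and "/management/" should be "blocked".  Certificate checking is off
    because a PBX on 5001 commonly has a self-signed certificate and we only
    care about reachability here, not identity.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    results: Dict[str, str] = {}
    for port in ports:
        scheme = "https" if port == 5001 else "http"
        for path in ("/", "/management/"):
            url = f"{scheme}://{host}:{port}{path}"
            try:
                with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
                    status = resp.status
            except urllib.error.HTTPError as exc:
                status = exc.code  # 403 lands here
            except (urllib.error.URLError, OSError):
                status = None
            results[url] = verdict(status, path)
    return results


if __name__ == "__main__":
    for url, result in probe().items():
        print(f"{result:11} {url}")
```

Any "EXPOSED" line means the management path answered something other than 403 from outside the whitelist and the alias rule is not taking effect; an "unreachable" line for "/" means the port itself is closed, which is the state that breaks presence in the first place.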