
Anti-hacking/Firewall recommendation

Discussion in '3CX Phone System - General' started by bbaker73, Sep 20, 2017.

Thread Status:
Not open for further replies.
  1. bbaker73

    bbaker73 New Member

    Joined:
    Nov 27, 2015
    Messages:
    143
    Likes Received:
    26
    I've seen an increase in hacking attempts and 3CX Anti-hacking blocking and blacklisting IPs. Trying to figure out the best plan to deal with them. I host 3CX servers for several remote clients. We are using STUN at this point for all remote IP phones. I know the best thing would be to restrict 5060 to the SIP providers and use SBCs at all the remotes, but I don't think this will be feasible. The remotes all have main offices but all have many users that are working at home etc. with IP phones, so an SBC at every phone location would be difficult, plus lots more equipment to manage. Wondering what others are doing in this situation where STUN is used. I think that trying to monitor all client instances and keep updating a blacklist at the firewall would be never-ending. I'm thinking that, in most cases, even where home users are on dynamic addresses from ISPs, that the IP ranges they are coming from won't change that often. I could go through the clients and build whitelists and whitelist the current in-use ISP ranges and only allow those through the firewall to 5060. Then the only ongoing management would be adding ISP ranges when a user switches ISPs or ISP changes ranges, but how often is that likely to be with ISPs in the U.S.?

    Perhaps I'm overthinking it and restricting at the firewall would be adding difficulty. Currently between all the clients getting probably 30 or so blocks/blacklists a day which 3CX servers are dealing with. I have lowered the anti-hacking thresholds and increased the blacklisting time.

    Any thoughts on what we should do going forward? Our goal is to continue to add hosted clients.
     
  2. cobaltit

    cobaltit Well-Known Member

    Joined:
    Mar 22, 2012
    Messages:
    1,613
    Likes Received:
    243
    You've hit on the 3CX supported options. Modifying the blacklist settings or SBC are your only options. You could also set up S2S VPNs but that would be troublesome to support, especially for the individual remote phones. Outside of 3CX supported options you can do the following:

    - Set up a hosted SBC (3rd party or you can roll your own). You would restrict 3CX ports to the SBC and then all the phones would register to the SBC.
    - Set up an OpenVPN server on your 3CX instance and then make custom templates to push out the VPN configuration to the phones when they are provisioned. I've only done this with Yealink phones but all the supported phones support VPN. (Htek and Fanvil state OpenVPN, Snom just says VPN but it's most likely OpenVPN.)
     
  3. DSXDATA

    DSXDATA New Member

    Joined:
    Oct 20, 2015
    Messages:
    185
    Likes Received:
    64
    If you change the port you use away from 5060, the hacking attempts will drop to almost zero. But even if you stick with 5060, the hits you see are unintelligent bots just hammering away with a standard dictionary. If you stay away from silly passwords and avoid especially ext 10/100/1000 - the hits are just background noise. You can also create a NOFORN list of mostly RIPE subnets for yourself and deploy this on the PBX server. Do this for a small number of really annoying subnets - don't try to block everything or you'll run into unintended consequences.

    Your REAL vulnerability is in the 3CX welcome messages. If a mailbox gets hacked, about 90 days later the welcome message attachment will get digested by a dataminer, passed onto a black market calling card provider, and presto your PBX will be serving up calls to Nicaragua.

    Modify the welcome message to ask users to DELETE the message as soon as they are done with it.
     
  4. IoannisM_3CX

    IoannisM_3CX Support Team
    Staff Member 3CX Support

    Joined:
    Aug 10, 2017
    Messages:
    229
    Likes Received:
    18
    Hello @bbaker73

    From the PBX side you can do the following:

    - Find Settings >> Security >> Anti-Hacking and divide each value by two, except the blacklist time interval and the security barrier (green).
    - Set the blacklist time interval to a higher value such as 31536000 (1 year).
    - In your firewall, filter the SIP port to allow only trusted sources, meaning your VoIP provider's IP/range, and remote extensions (if any).

    Blocking ranges of IPs can give you extra security but be sure that you don't get any traffic that you need from any IP inside of these ranges.

    You can find more information and instructions here.

    Thank you
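
Added example (not part of any post above and not 3CX code): one way to prepare the firewall allowlist for the SIP port and to check candidate block ranges against sources you still need, as the last post cautions. All addresses are constructed from documentation ranges, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample data (documentation address ranges, not real hosts).
TRUSTED_SOURCES = [
    "198.51.100.10",     # SIP trunk provider signalling address
    "198.51.100.11",     # SIP trunk provider, second address
    "203.0.113.0/25",    # ISP range seen for one home user's phone
    "203.0.113.128/25",  # adjacent ISP range seen for another home user
]
CANDIDATE_BLOCKS = [
    "192.0.2.0/24",      # noisy subnet with no known users
    "203.0.113.64/26",   # noisy subnet that sits inside a user's ISP range
]


def parse(entries):
    """Turn IP or CIDR strings into network objects (a bare IP becomes a /32)."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def collapse_allowlist(sources):
    """Merge trusted sources into the fewest CIDRs to load as firewall allow rules."""
    nets = parse(sources)
    merged = []
    for version in (4, 6):  # collapse_addresses cannot mix IPv4 and IPv6
        same = [n for n in nets if n.version == version]
        merged.extend(ipaddress.collapse_addresses(same))
    return [str(n) for n in merged]


def block_conflicts(blocks, sources):
    """Map each candidate block range to the trusted sources it would cut off."""
    trusted = parse(sources)
    conflicts = {}
    for block in parse(blocks):
        hits = [str(t) for t in trusted
                if t.version == block.version and t.overlaps(block)]
        if hits:
            conflicts[str(block)] = hits
    return conflicts


if __name__ == "__main__":
    print("allow to SIP port:", collapse_allowlist(TRUSTED_SOURCES))
    print("blocks needing review:", block_conflicts(CANDIDATE_BLOCKS, TRUSTED_SOURCES))
```

Any range reported by `block_conflicts` should be narrowed or dropped before it goes into the firewall or the PBX blacklist.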
     