Best practices, Dos & don'ts in firewall settings & how to secure

Discussion in '3CX Phone System - General' started by voice11, Jan 24, 2018.

Thread Status:
Not open for further replies.
  1. voice11

    Joined:
    Jul 15, 2016
    Messages:
    48
    Likes Received:
    0
    Hello friends,
    I would still call my self new here..:). I installed 3CX (V15.5) Debian on VmWare workstation 14 Pro (14.1.0), running on WIN7 pro SP1. I had a steep learning curve each step of the way, after much struggle & frustration I finally have my system up & running (from last 2 days). All IP phones & soft phones are (6 in total, 2 remote stun extensions) configured. 2 yealink T48s, 2 cisco SPA514 & 1 each apple & win clients. I am just paranoid that I had to open all these ports 5060,5061, 443, 9000s & more. I just followed the instructions & opened as per documentation. Don't really understand well what that means to my security other than i am open to the whole world. As I can access my system remotely so can everyone else. Am I right to assume that? Is it really that dangerous. If yes...can someone advise what are the measures that one should take to secure the system. Our network is very basic & small, we only have service provider modem/router (Smart RG 505). How can I make it tough for someone to get into my system.
    I saw some people talking about changing port 5060 to something else. I didn't do that yet because didn't want to break my system...just yet & week's hard work go waste :). But I understand I may have to do it at some point. Besides that's the whole point, its part of the training make, break & re-deploy. But I want to enjoy my hard work for couple more days before I try tweak/make changes.
    I already see people trying to get into my system, I see 3 blacklisted IP addresses in just 2 days. Can someone advise dos & don't when it comes to security.
    Thank you in advance.
     
  2. sip.bg

    sip.bg Active Member

    Joined:
    Nov 7, 2016
    Messages:
    704
    Likes Received:
    219
    Depends whether you use VoIP providers and external phones via the Internet. If so, you may create firewall rules to limit inbound traffic to certain trusted IP addresses. This concerns ports 5060, 5061, 9000-9255 (or up to 9500). For better security you may implement VPN tunnels between sites.
    If you are using SBCs or 3CX tunnels you may allow only ports 5090 and 5000-5001. Note 5000/5001 (by default) are used for accessing the web services of 3CX, like the management console, webclient, presence, etc. With version 15.5 you can access the management console only on port 5001 using HTTPS, which is generally a security improvement (using SSL certificates) for accessing web sites. You can also create firewall rules to limit inbound traffic to certain addresses, if you know them (usually you need to allow any source address).
     
    voice11 likes this.
  3. voice11

    Joined:
    Jul 15, 2016
    Messages:
    48
    Likes Received:
    0
    Thank you so much sip.bg. From the line above, did you mean "inbound traffic FROM certain trusted IPs"? If that is the case, I guess I can get a static IP for the home office & just allow that IP then. But then... what happens in the case of the Apple client? I have no control over that IP. At this point I have only one remote extension, which connects via STUN. Let me make sure I understand correctly: so I can use 3CX tunnels & use port 5090... then I can shut ports 5060/5061?
    Because I believe the concern is port 5060... right? Can I shut port 5000 as well, since version 15.5 only uses 5001?
    And lastly... if I have only 1 remote extension for the home office, is it advisable to have a VPN/3CX tunnel over STUN? Is STUN not secure at all?
     
  4. sip.bg

    sip.bg Active Member

    Joined:
    Nov 7, 2016
    Messages:
    704
    Likes Received:
    219
    There are 3 groups of ports:
    - SIP/RTP service, i.e. 5060-5061, 9000-9500
    - 3CX tunnel service, i.e. 5090
    - WEB services, i.e. 5000-5001
    The strategy may be different for different groups of ports / services.

    VoIP providers have static IP addresses.
    Remote offices / home offices may also have static IP addresses.
    You can put these addresses into a so-called 'white access list' in your router / firewall and allow traffic only from these addresses to ports 5060, 9000-9500 UDP and 5060-5061 TCP, which are used for SIP traffic, and block traffic from all other addresses. This will normally limit the attacks towards your PBX.

    3CX phones using the 3CX tunnel connect on port 5090 TCP & UDP, as does the 3CX SBC. You may allow traffic from all addresses to this port in your router / firewall.

    To use the web services of your 3CX PBX, you need to allow connections on ports 5000-5001 TCP. If you can limit the addresses from which you want to access the PBX -- do it; otherwise allow from all addresses. These services are the maintenance console, webclient, configuration of softphones, presence, chat, organizing conferences, etc.

    You can further increase security using VPN tunnels for your remote sites, if any, like your home.
    STUN is not related to security; it simply helps the remote phone to learn its public address and port, to use them in registration to the PBX -- this again happens on ports 5060, 5061, 9000-9500.

    You may not forward port 5000 to the PBX; this could eventually affect provisioning of remote phones or some services. Try it. However, 3CX is well protected against attacks on ports 5000/5001.

    Note also that a side effect of closing ports will be errors in the 3CX firewall checker, which is normal.
    3CX is generally well protected by default security measures. You may see many attempts to register to your PBX (on port 5060), which is more or less normal nowadays.
     
    #4 sip.bg, Jan 24, 2018
    Last edited: Jan 24, 2018
    voice11 likes this.
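    The three port groups above, written out as a host firewall on the Debian PBX itself. This is an added example, not code from the thread or from 3CX, and the SmartRG router UI will look different; it emits an nftables ruleset from a list of trusted SIP sources (the addresses used here are constructed RFC 5737 examples) and prints it rather than applying it, so it can be reviewed first.

```shell
#!/bin/sh
# Added example: generate an nftables ruleset implementing the port groups
# discussed in this thread. Arguments are trusted SIP sources (IPv4 address
# or CIDR): VoIP provider IPs and static remote-site IPs.
# Output is printed only; review it, then load with:
#   gen_pbx_rules 203.0.113.10 198.51.100.0/24 | nft -f -
gen_pbx_rules() {
    [ "$#" -gt 0 ] || { echo "usage: gen_pbx_rules <ip-or-cidr>..." >&2; return 1; }
    # Join the arguments into "a, b, c" for the nft set element list
    elems=""
    for a in "$@"; do
        elems="${elems:+$elems, }$a"
    done
    cat <<EOF
table inet pbx {
    set sip_trusted {
        type ipv4_addr
        flags interval
        elements = { $elems }
    }
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        # Add any host-management rule you rely on (e.g. SSH from the LAN) here,
        # before loading, or you will lock yourself out.
        # Group 1: SIP/RTP - only from the trusted (white-listed) sources
        ip saddr @sip_trusted udp dport { 5060, 9000-9500 } accept
        ip saddr @sip_trusted tcp dport { 5060, 5061 } accept
        # Group 2: 3CX tunnel / SBC - any source, TCP and UDP 5090
        tcp dport 5090 accept
        udp dport 5090 accept
        # Group 3: web services - HTTPS console on 5001 from any source
        # (narrow with "ip saddr" if you know the admin addresses);
        # plain-HTTP 5000 stays closed, as discussed in the thread.
        tcp dport 5001 accept
        # Everything else is dropped by the chain policy; log a sample of it
        limit rate 5/minute log prefix "pbx-drop: "
    }
}
EOF
}
```

    Port 5000 being closed means the 3CX firewall checker will report an error for it, which is the expected side effect sip.bg mentions.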
  5. leejor

    leejor Well-Known Member

    Joined:
    Jan 22, 2008
    Messages:
    10,781
    Likes Received:
    287
    And... consider (if you have not yet done so) reducing the number of incorrect registration attempts before a blacklist occurs, as well as extending the blacklisted time, to months or even a year.

    I have accumulated quite a list of IPs, and ranges of IPs, that are permanently blacklisted.
    Changing the default port from 5060 may not help much, going by past posts to the forum. Hackers scan many ports, and will no doubt discover whatever port you choose.
     
    #5 leejor, Jan 24, 2018
    Last edited: Jan 24, 2018
    voice11 likes this.
  6. voice11

    Joined:
    Jul 15, 2016
    Messages:
    48
    Likes Received:
    0
    Wonderful! Thank you so very much sip.bg. It's so much information & very useful. Now it's all coming together for me lol. I removed port 5000 already... to see if it makes any difference; none so far. Gonna get a static IP for the home office also. Now I have to figure out where in the SmartRG the option to white-list IPs is. :)
    Just one last question for you lol. :) Out of the two options, STUN for the remote home office (with IP white list enforced), or remote home office connected via 3CX tunnel... which of the two would you choose? Though for practice... I would eventually want to try the 3CX tunnel also to get familiarity. But I would just like to know the best practice.
    Thank you again sip.bg. Much appreciated. :)
     
  7. voice11

    Joined:
    Jul 15, 2016
    Messages:
    48
    Likes Received:
    0
    Thank you leejor. No, I didn't do it yet, so I am gonna lower the allowed attempts one can make. Good point. And glad you clarified about changing the port from 5060. Because I was seriously looking into it... and in the process I may have broken something else. I like the things sip.bg has pointed out and will try those measures to start with, and maybe try tunneling a bit later. Thank you again leejor.
     
  8. complex1

    complex1 Active Member

    Joined:
    Jan 25, 2010
    Messages:
    790
    Likes Received:
    45
    About port 5060…
    As long as I can remember (> 8 yr) I have always used another SIP port than 5060.
    Never saw a hacking attempt on this port on the PBXs I installed.
    Also never had communication issues with the 3CX clients on my iPhone when I was in countries that blocked VoIP traffic, and without the use of the tunnel.
    Never say never, but I will never go back to port 5060.
     
    voice11 likes this.
  9. mariosM_3CX

    mariosM_3CX Support Team
    Staff Member 3CX Support

    Joined:
    Nov 1, 2017
    Messages:
    406
    Likes Received:
    38
    voice11 likes this.
  10. sip.bg

    sip.bg Active Member

    Joined:
    Nov 7, 2016
    Messages:
    704
    Likes Received:
    219
    @complex1: And how do you solve cases with providers of SIP trunks without registration, using port 5060?
     
  11. voice11

    Joined:
    Jul 15, 2016
    Messages:
    48
    Likes Received:
    0
  12. complex1

    complex1 Active Member

    Joined:
    Jan 25, 2010
    Messages:
    790
    Likes Received:
    45
    I was referring to the SIP listen port (default 5060).
     
  13. sip.bg

    sip.bg Active Member

    Joined:
    Nov 7, 2016
    Messages:
    704
    Likes Received:
    219
    Exactly, but this is not solving the case with VoIP providers without registration, like large ones, which use IP-based authentication. If you register to the provider, you can use any port, not only 5060.
     