
Change Default Login Page to obfuscate 3CX install

Status
Not open for further replies.

RemyG

Joined
Dec 29, 2014
Messages
2
Reaction score
0
Dear all

I would like to change the default login page of the management console. As the HTTPS port needs to be exposed to the internet and the new 3CX clients require it to run on 443, an obfuscation of the port (removal of 3CX logo, removal of installed version) is required to comply with basic security guidelines.

Where and how can I alter the default login page displayed by MainForm.wgx?

Thanks, Rémy
 
Hi there,
I'm afraid the login form can't be edited, nor can any part of the management console; these are located in compiled code.
I'd advise securing your http/https ports through a firewall in order to filter who can reach them.
 
Thanks for the feedback. But Port 443/HTTPS is used by the Mac Client as well as the Android client for some information. So blocking the port is not a real solution.

What other solution is there?

Thanks.
 
Well I see no problem to solve here actually...
Management console is well secured, reaching it from the outside doesn't give any rights if you don't know login/password, and brute-forcing of those credentials gets attackers' IPs automatically blacklisted.
 
Are you using IIS server, or the one that 3cx Abyss? You can change the permissions on the IIS server to have only internal connections see the management console. Make sure you have everything backed up before you try it and you will need to do some testing, but I agree with you, preventing access to the management console is a better-safe-than-sorry solution.
 
Kind of On topic/off topic.

Not sure if the original poster has solved their problem or not, but I wanted to add that PJ3CX has kind of missed the point.

Basic security says that if you don't know the target you are attacking, it's MUCH harder to compromise security. Many, many years ago I reduced remote login to just a "Username:" prompt followed by "password:", with no sign to tell you which operating system you were accessing, or the version of that operating system, in fact nothing really to give away anything about the machine you were accessing. I later had to put up a notice saying "Unauthorised access prohibited" but that's a different story.

Now I'm not suggesting that your login is in any way insecure, but if someone found a bug in your login say in V12 and could bypass the password by some trickery, for example:

Your Welcome screen gives an awful lot away, e.g., it's 3CX you've reached (therefore it's a telephone system), it's V12.00.0.... Oh I'll just look up how to break into that system... Simples.... You've just made a hacker's life soooo much easier.

If your page just asked "Username:", then you wouldn't know if you've reached 3cx or any other possible login in the world...

Just my opinion :)
Iain
 
Yes, I get your point. As jasit said, if you want to restrict who can access your management console you can add IP control in your IIS.
But such controls should rather be implemented in the firewall in the first place so that you allow only specific known IPs to reach this port (remote extensions or remote employees who will need to access console/reports).

Also, note that starting from v12.5, http and https ports can be changed to any of your choice.
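
The rule the replies converge on, restricting the console by source IP while port 443 stays open for the clients, sketched as an added example that is not part of the thread and is not 3CX or IIS code. It models a path-scoped, default-deny allow-list; the admin networks, the `/client/endpoint` path, and the idea that `MainForm.wgx` is the only path to protect are assumptions.

```python
import ipaddress
import posixpath
from urllib.parse import unquote, urlsplit

# MainForm.wgx is the console page named in the thread. Assumption: it is the
# only path that needs restricting; extend the tuple if your install differs.
MANAGEMENT_PATHS = ("/mainform.wgx",)
# Constructed sample admin networks (an office LAN and one remote admin).
ADMIN_NETWORKS = [ipaddress.ip_network(n)
                  for n in ("192.168.10.0/24", "203.0.113.7/32")]


def normalise(raw_path):
    """Reduce a request target to one canonical, lower-case path."""
    path = unquote(urlsplit(raw_path).path).replace("\\", "/")
    # IIS treats paths case-insensitively, so compare in lower case.
    return posixpath.normpath("/" + path.lstrip("/")).lower()


def is_management(raw_path):
    path = normalise(raw_path)
    return any(path == p or path.startswith(p + "/") for p in MANAGEMENT_PATHS)


def client_allowed(remote_addr):
    """True only for a parseable address inside an admin network."""
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False  # unparseable source address: fail closed
    # A dual-stack listener may report IPv4 peers as ::ffff:a.b.c.d.
    mapped = getattr(addr, "ipv4_mapped", None)
    if mapped is not None:
        addr = mapped
    return any(addr.version == net.version and addr in net
               for net in ADMIN_NETWORKS)


def decide(remote_addr, raw_path):
    """Default-deny for the console, pass-through for everything else."""
    if is_management(raw_path) and not client_allowed(remote_addr):
        return "deny"
    return "allow"


if __name__ == "__main__":
    for ip, path in [("192.168.10.25", "/MainForm.wgx"),
                     ("198.51.100.9", "/mainform.WGX?x=1"),
                     ("198.51.100.9", "/client/endpoint")]:  # hypothetical path
        print(ip, path, decide(ip, path))
```

The path is normalised before matching so that case, percent-encoding and `..` variants of the console URL all hit the same rule; a real IIS or firewall rule needs the same property.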
 