Change Default Login Page to obfuscate 3CX install

Discussion in '3CX Phone System - General' started by RemyG, Dec 29, 2014.

Thread Status:
Not open for further replies.
  1. RemyG

    Joined:
    Dec 29, 2014
    Messages:
    2
    Likes Received:
    0
    Dear all

    I would like to change the default login page of the management console. As the HTTPS port needs to be exposed to the internet and the new 3CX clients require it to run on 443 an obfuscation of the port (removal of 3CX logo, removal of installed version) is required to comply with basic security guidelines.

    Where and how can I alter the default login page displayed by MainForm.wgx?

    Thanks, Rémy
     
  2. pj3cx

    pj3cx Active Member

    Joined:
    Aug 1, 2013
    Messages:
    645
    Likes Received:
    1
    Hi there,
    I'm afraid the login form can't be edited, nor any part of the management console, these are located in compiled code.
    I'd advise securing your http/https ports through the firewall in order to filter who can reach them.
     
  3. RemyG

    Joined:
    Dec 29, 2014
    Messages:
    2
    Likes Received:
    0
    Thanks for the feedback. But Port 443/HTTPS is used by the Mac Client as well as the Android client for some information. So blocking the port is not a real solution.

    What other solution is there?

    Thanks.
     
  4. pj3cx

    pj3cx Active Member

    Joined:
    Aug 1, 2013
    Messages:
    645
    Likes Received:
    1
    Well I see no problem to solve here actually...
    The management console is well secured: reaching it from the outside doesn't give any rights if you don't know the login/password, and brute-forcing of those credentials gets the attackers' IPs automatically blacklisted.
     
  5. jasit

    jasit New Member

    Joined:
    Feb 12, 2013
    Messages:
    169
    Likes Received:
    1
    Are you using the IIS server, or the 3CX one, Abyss? You can change the permissions on the IIS server so that only internal connections see the management console. Make sure you have everything backed up before you try it, and you will need to do some testing, but I agree with you: preventing access to the management console is a better-safe-than-sorry solution.
     
  6. haywardi

    Joined:
    Feb 27, 2011
    Messages:
    83
    Likes Received:
    0
    Kind of On topic/off topic.

    Not sure if the original poster has solved their problem or not, but I wanted to add that PJ3CX has kind of missed the point.

    Basic security says that if you don't know the target you are attacking, it's MUCH harder to compromise security. Many, many years ago I reduced remote login to just a "Username:" prompt followed by "Password:", with no sign to tell you which operating system you were accessing, or the version of that operating system; in fact nothing really to give away anything about the machine you were accessing. I later had to put up a notice saying "Unauthorised access prohibited", but that's a different story.

    Now I'm not suggesting that your login is in any way insecure, but if someone found a bug in your login, say in V12, and could bypass the password by some trickery, for example:

    Your welcome screen gives an awful lot away, e.g. it's 3CX you've reached (therefore it's a telephone system), it's V12.00.0.... Oh, I'll just look up how to break into that system... Simples.... You've just made a hacker's life soooo much easier.

    If your page just asked "Username:", then you wouldn't know if you'd reached 3CX or any other possible login in the world...

    Just my opinion :)
    Iain
     
  7. pj3cx

    pj3cx Active Member

    Joined:
    Aug 1, 2013
    Messages:
    645
    Likes Received:
    1
    Yes, I get your point. As jasit said, if you want to restrict who can access your management console you can add IP control in your IIS.
    But such controls should rather be implemented in the firewall in the first place, so that you allow only specific known IPs to reach this port (remote extensions or remote employees who will need to access the console/reports).

    Also, note that starting from v12.5, http and https ports can be changed to any of your choice.
     
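The IIS-side restriction that jasit and pj3cx describe, as an added example that is not part of the original thread and not 3CX's own configuration. The point of doing it in IIS rather than at the firewall is that the firewall only sees port 443, which the Mac and Android clients also need, whereas IIS can restrict a single path. Assumptions (not from the thread): the console is served by IIS under a site path called `/management` (hypothetical; confirm the real path in IIS Manager), 192.168.0.0/16 is the internal LAN, and 203.0.113.10 is one remote admin address such as a VPN endpoint.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not 3CX's own web.config). Restricts only the management
     console path to known addresses; the rest of the site, which the
     Mac/Android clients reach over 443, stays reachable from anywhere. -->
<configuration>
  <!-- ASSUMPTION: the console is mounted at /management under this IIS site.
       Check the real path in your own IIS Manager before applying this. -->
  <location path="management">
    <system.webServer>
      <security>
        <!-- allowUnlisted="false" denies every address not listed below.
             The IIS default, allowUnlisted="true", is the weak setting:
             it lets anyone on the internet reach the login page. -->
        <ipSecurity allowUnlisted="false" enableReverseDns="false">
          <clear />
          <!-- ASSUMPTION: 192.168.0.0/16 is the internal LAN -->
          <add ipAddress="192.168.0.0" subnetMask="255.255.0.0" allowed="true" />
          <!-- Loopback, so administration on the server itself keeps working -->
          <add ipAddress="127.0.0.1" allowed="true" />
          <!-- ASSUMPTION: one remote admin address, e.g. a VPN endpoint -->
          <add ipAddress="203.0.113.10" allowed="true" />
        </ipSecurity>
      </security>
    </system.webServer>
  </location>
</configuration>
```

Two things to check before relying on this: the "IP and Domain Restrictions" role feature must be installed, and the `ipSecurity` section is locked at server level by default, so a site-level web.config entry is ignored until it is unlocked with `%windir%\system32\inetsrv\appcmd unlock config -section:system.webServer/security/ipSecurity`. If the server sits behind a NAT device or reverse proxy, IIS sees the proxy's address rather than the client's, so test from an external address after applying it and expect an HTTP 403 on the console path while the client endpoints still answer.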