
Phone system management Login


Stringmusic (Free User), joined Jun 16, 2021
Hi,

It's come to my attention that the Phone system management console login is susceptible to brute-force attacks. Would it be possible to add 2-factor authorization such as TOTP (https://en.wikipedia.org/wiki/Time-based_One-Time_Password) to the login?

There are other methods, but this could complement whatever security we have installed.

Could someone tell me if this is possible to add to the system management console?

Thanks,
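As an added example of what the requested second factor involves (this is not 3CX code and the product has no such hook; it is a plain RFC 6238 implementation), the block below generates and verifies TOTP codes. The secret is the RFC 6238 reference test key; the 30-second step, the one-step drift window and the replay counter are assumptions for illustration.

```python
"""TOTP (RFC 6238) generation and verification, as an added example of the
second factor the original post asks for; not 3CX code. The secret is the
RFC 6238 reference test key; window, replay tracking and step are assumed."""
import base64
import hashlib
import hmac
import struct


def key_from_base32(secret_b32):
    """Decode the base32 secret an authenticator app is enrolled with."""
    padded = secret_b32.strip().upper()
    padded += "=" * (-len(padded) % 8)
    return base64.b32decode(padded)


def hotp(key, counter, digits=6, algo=hashlib.sha1):
    """RFC 4226 HOTP: HMAC the 8-byte big-endian counter, then dynamically truncate."""
    digest = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(key, unix_time, step=30, digits=6, algo=hashlib.sha1):
    """RFC 6238 TOTP: HOTP over the number of elapsed time steps."""
    return hotp(key, unix_time // step, digits, algo)


def verify_totp(key, code, unix_time, step=30, digits=6, window=1, last_accepted=None):
    """Verify a submitted code.

    Accepts codes from the current step and +/- window steps (clock drift),
    compares in constant time, and rejects any step at or before the last
    accepted one so a captured code cannot be replayed.
    Returns (ok, matched_counter)."""
    if len(code) != digits or not code.isdigit():
        return False, None
    now = unix_time // step
    for counter in range(now - window, now + window + 1):
        if last_accepted is not None and counter <= last_accepted:
            continue
        if hmac.compare_digest(hotp(key, counter, digits), code):
            return True, counter
    return False, None


if __name__ == "__main__":
    key = key_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")  # RFC 6238 test key
    print(totp(key, 59, digits=8))                  # RFC 6238 vector: 94287082
    ok, ctr = verify_totp(key, totp(key, 59), 89)   # one step of drift: accepted
    print(ok, ctr)
    print(verify_totp(key, totp(key, 59), 89, last_accepted=ctr))  # replay: rejected
```

The replay check matters as much as the HMAC: a code that is only validated against the current window can be reused by anyone who captured it within that window, so the server must remember the last counter it accepted per user.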
 
You only need 3 failed attempts to get blocked. The only way you can brute-force the MC password is by changing IP on every 3rd request. Do you know how many IPs and time you would need to brute-force a secure password? :)

If you tried it on your installation and it worked it's most probably because you whitelisted your IP.
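To make the trade-off in the reply above concrete, here is an added simulation (not 3CX code; the lockout threshold, the log records and the rate figures are constructed for illustration). It applies a per-source-IP block after N failures to a constructed set of login attempts, shows how many guesses an IP-rotating attacker still gets through, contrasts that with a per-account failure count, and estimates the number of IPs and the time a full brute force would need under such a policy.

```python
"""Lockout-policy simulation (added example, not 3CX code).

Models the behaviour described in the thread: a source IP is blocked after
N failed logins. Constructed login records show that an attacker who rotates
source IPs still gets most guesses through, while a per-account failure count
sees the whole campaign. Thresholds and records are assumed for illustration.
"""
from collections import defaultdict
import math

# Constructed login-attempt records: (timestamp, source_ip, username, success).
# 203.0.113.x is the attacker rotating addresses; 198.51.100.2 is the real admin.
LOG = [
    ("2021-06-16T10:00:01Z", "203.0.113.10", "admin", False),
    ("2021-06-16T10:00:02Z", "203.0.113.10", "admin", False),
    ("2021-06-16T10:00:03Z", "203.0.113.10", "admin", False),
    ("2021-06-16T10:00:04Z", "203.0.113.10", "admin", False),  # IP already blocked
    ("2021-06-16T10:00:05Z", "203.0.113.11", "admin", False),
    ("2021-06-16T10:00:06Z", "203.0.113.11", "admin", False),
    ("2021-06-16T10:00:07Z", "203.0.113.11", "admin", False),
    ("2021-06-16T10:00:08Z", "203.0.113.12", "admin", False),
    ("2021-06-16T10:00:09Z", "203.0.113.12", "admin", False),
    ("2021-06-16T10:00:10Z", "198.51.100.2", "admin", True),
]


def simulate_per_ip_lockout(records, max_failures=3):
    """Apply a per-source-IP lockout: after max_failures failed logins from an
    IP, every later attempt from it is dropped before the password is checked.
    Returns (blocked_ips, attempts_that_reached_the_password_check, dropped)."""
    failures = defaultdict(int)
    blocked = set()
    reached = []
    dropped = 0
    for rec in records:
        _, ip, _, ok = rec
        if ip in blocked:
            dropped += 1
            continue
        reached.append(rec)
        if not ok:
            failures[ip] += 1
            if failures[ip] >= max_failures:
                blocked.add(ip)
    return blocked, reached, dropped


def accounts_over_threshold(records, max_failures=5):
    """Count failed logins per username regardless of source IP. This view
    catches an IP-rotating attacker; it also lets an attacker lock out a
    legitimate account, so pair it with a cooldown rather than a hard lock."""
    failures = defaultdict(int)
    for _, _, user, ok in records:
        if not ok:
            failures[user] += 1
    return {u: n for u, n in failures.items() if n >= max_failures}


def brute_force_estimate(charset_size, length, attempts_per_ip, guesses_per_second):
    """Expected cost of a full brute force when each source IP only gets
    attempts_per_ip guesses before being blocked. Returns the expected number
    of guesses, the distinct IPs the attacker must control, and the wall-clock
    seconds at the given sustained guess rate."""
    space = charset_size ** length
    expected = space // 2  # on average half the space is searched
    return {
        "expected_guesses": expected,
        "ips_needed": math.ceil(expected / attempts_per_ip),
        "seconds": expected / guesses_per_second,
    }


if __name__ == "__main__":
    blocked, reached, dropped = simulate_per_ip_lockout(LOG, max_failures=3)
    print("blocked IPs:", sorted(blocked), "| dropped attempts:", dropped)
    print("guesses that reached the password check:",
          sum(1 for r in reached if not r[3]))
    print("accounts over per-account threshold:", accounts_over_threshold(reached))
    # A 16-character password over a 62-symbol alphabet, 3 guesses per IP:
    print(brute_force_estimate(62, 16, 3, 1_000))
```

Run stand-alone it shows that the per-IP rule blocks two of the three attacker addresses but still lets eight guesses reach the password check, while the per-account count flags the target account after the fifth failure. The estimate function makes the reply's point: with a long random password the number of IPs and the time required are absurd, which is why password length, not the lockout alone, is what carries the defence.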
 
> Hi,
>
> It's come to my attention that the Phone system management console login is susceptible to brute-force attacks. Would it be possible to add 2-factor authorization such as TOTP (https://en.wikipedia.org/wiki/Time-based_One-Time_Password) to the login?
>
> There are other methods, but this could complement whatever security we have installed.
>
> Could someone tell me if this is possible to add to the system management console?
>
> Thanks,
The system has many defences. No need to fear anything. Just make sure the Global Blacklist is enabled and the auth failure attempts limit is set to a maximum of 5.

As for TOTP, v18 has G Suite/M365 SSO, which can be used to force TOTP. Then make sure your admin user has a very long and random password and you'll be just fine.
 
@stringmusic
Everything mentioned by Frederick and florink are all good points. I just want to add that, in addition to all these measures, you can always also restrict Management Console access to only specific IPs to further harden the system.

This can be done from "Settings >> Security >> Console Restrictions". Make sure you add at least one of your public IPs to the list before enabling to avoid locking yourself out. All Local IP ranges are allowed by default.
 
Thank you for your feedback. v18/365 appears to be restricted to a Windows environment. It might be useful to have 2FA for users on other office applications.
 
> You only need 3 failed attempts to get blocked. The only way you can brute-force the MC password is by changing IP on every 3rd request. Do you know how many IPs and time you would need to brute-force a secure password? :)
>
> If you tried it on your installation and it worked it's most probably because you whitelisted your IP.

Nope, I haven't calculated it. However, pre-emptively thinking about this may allow us to limit the quantum computer's advantages.
 
> v18/365 appears to be restricted to a Windows environment.

If you're referring to the OS 3CX is running on, then that's not really the case; all you need to do is set up the Microsoft 365 Integration, which of course means you need a Microsoft 365 subscription.
 