Port 5000 open

Discussion in '3CX Phone System - General' started by craigreilly, Jun 11, 2012.

Thread Status:
Not open for further replies.
  1. craigreilly

    craigreilly Well-Known Member

    Joined:
    Feb 1, 2012
    Messages:
    3,128
    Likes Received:
    209
    Does anyone keep port 5000 open on their firewall?
    What are the risks?

    We are deploying some remote extensions - and this is the port used for Remote Phonebook.
     
  2. mixig

    mixig Active Member

    Joined:
    Dec 13, 2011
    Messages:
    519
    Likes Received:
    11
    Port 5000 has been open for almost a year, so far so good.. :D

    For remote extensions I always use VPN (basically there are no remote extensions in my case because of the VPN :mrgreen:)
     
  3. craigreilly

    craigreilly Well-Known Member

    Joined:
    Feb 1, 2012
    Messages:
    3,128
    Likes Received:
    209
    My remote extensions are in road warriors' homes... so, just 1 device at the location.

    Creating a VPN is probably not worth it.

    So is your port 5000 actually open?
     
  4. mixig

    mixig Active Member

    Joined:
    Dec 13, 2011
    Messages:
    519
    Likes Received:
    11
    Yes, we have one installation where port 5000 is really open (there is no VPN), and so far we haven't had any discomfort because of that...
     
  5. craigreilly

    craigreilly Well-Known Member

    Joined:
    Feb 1, 2012
    Messages:
    3,128
    Likes Received:
    209
    Gives me some comfort. Thanks.
     
  6. Gus Mitchell

    Joined:
    Jul 5, 2011
    Messages:
    7
    Likes Received:
    0
    Craig,

    I'm in a similar position to you - VPNs used for remote sites but would like to use provisioning for "road warrior" type users.

    Did you eventually open up port 5000? Did you have any issues (actual or perceived)?

    I have always resisted opening ports wherever possible but there comes a point when you simply don't have the full functionality without it. It would be nice if you could use the 3CX tunnel to deliver the provisioning data...

    Best regards

    Gus
     
  7. craigreilly

    craigreilly Well-Known Member

    Joined:
    Feb 1, 2012
    Messages:
    3,128
    Likes Received:
    209
    I do have port 5000 open. Many of my road warriors with laptops will also sign into MyPhone and adjust their settings this way as well.
    The installation knows whether it is on the local LAN or not and adjusts the IP accordingly, it seems.
     
  8. sigma1

    sigma1 Active Member

    Joined:
    Nov 20, 2009
    Messages:
    542
    Likes Received:
    1
    I disagree with the posts above. Assuming that one knows that you use 3CX, they can download the address book from /provisioning and if they are lucky enough to guess or know your MAC address they can download the phone provisioning file and gather your SIP ID and PIN. This can easily be managed by ensuring that you only allow the extension LAN rights.
     
  9. craigreilly

    craigreilly Well-Known Member

    Joined:
    Feb 1, 2012
    Messages:
    3,128
    Likes Received:
    209
    Well, 3CX doesn't give us much alternative...
     
  10. sigma1

    sigma1 Active Member

    Joined:
    Nov 20, 2009
    Messages:
    542
    Likes Received:
    1
    You can IP restrict access to port 5000. I discourage leaving port 5000 wide open.
     
  11. craigreilly

    craigreilly Well-Known Member

    Joined:
    Feb 1, 2012
    Messages:
    3,128
    Likes Received:
    209
    How to do it on Abyss?
    Definitely makes it difficult for road warriors with soft phones to use MyPhone when IP is restricted...
     
  12. sigma1

    sigma1 Active Member

    Joined:
    Nov 20, 2009
    Messages:
    542
    Likes Received:
    1
    First and foremost, any decent 3CX deployment sits behind a decent router. You should be able to do the restriction via the ACL on the router. Additionally, at a time when people have nothing better to do and quite often scan your network for ANY way to hack/steal info (not specifically about 3CX), I believe that you must force road warriors to use a VPN, PPTP at a minimum.

    This is a very subjective topic but I'd like to share our experience. We have over 200 host servers serving on average 25 guest VMs. Not only are we concerned about our data but that of the clients we host. We set up honeypots to have a more proactive approach at blocking specific IPs; this does cause some false positives but it's worth it. Certain IPs have ports 25, 110, 143, 80, 443, 5060 open ONLY to catch abusive scanners. We use Mikrotik routers and we have scripts to block, log, email admin and redirect those IP addresses. There is no legitimate reason to hit those hosts. Next come the clients that have many road warriors working from public wifi. I consult for several large companies that set those up in restaurants/shops and you'd be amazed at the info collected for marketing purposes. NEVER allow anyone to track your port 80 activity and be able to associate it (by IP address) with your port 25/110/143 activity. You are generating a terrific marketing list with your e-mail address (relate URL to the FROM field on all outbound port 25 activity). Besides forcing road warriors to use SSMTP and SIMAP, the safest way to deal with this is a VPN. Most places pass PPTP and L2TP. Bottom line, FORCE VPN on your remote users. This handles all of your security issues and all of the 3CX issues. You can use this on Windows, Android and iOS easily.

    Obviously the common denominator is a proper router. Grab one! ($100.00 or so gets you a Mikrotik 450G)
     
  13. eagle2

    eagle2 Well-Known Member

    Joined:
    Apr 27, 2011
    Messages:
    1,085
    Likes Received:
    11
    Leaving port 5000 open is extremely dangerous and is de facto a direct invitation to have your 3CX system hacked.

    I would recommend using a VPN for remote users or a site-to-site VPN for remote offices instead. Routers like MikroTik (also recommended in the posts above) will do the job brilliantly at 1/10 of the price of a Cisco router.

    Regards
     
  14. sigma1

    sigma1 Active Member

    Joined:
    Nov 20, 2009
    Messages:
    542
    Likes Received:
    1
    There is no possibility of hacking anything, perhaps a DoS by blasting the port. The data leak could be an issue. That's all.
     
  15. eagle2

    eagle2 Well-Known Member

    Joined:
    Apr 27, 2011
    Messages:
    1,085
    Likes Received:
    11
    Not quite. What about the HTTP API? It is not so hard to guess an extension PIN (10,000 possibilities). Somebody could easily make calls on behalf of a customer's 3CX. Many customers change their PIN to '0000' or '1234'. This is a possible exploit.

    Even if it is not easy to hack, it's better not to allow external connections to port 5000 and to use a VPN if necessary.

    Regards
     
  16. sigma1

    sigma1 Active Member

    Joined:
    Nov 20, 2009
    Messages:
    542
    Likes Received:
    1
    That would be a port 5060 concern.
     
  17. coertvc

    Joined:
    Jan 23, 2014
    Messages:
    26
    Likes Received:
    0
    Port 5000 is one to close anyway (if you only use 3CX internally and no external devices). Port 5000 is a commonly used UPnP port, and hence of interest to 'others'.

    Having a proper SSL or IPsec VPN and doing VoIP over that is far preferable to just opening another hole in your firewall.

    If you take the right SSL or IPsec VPN device, most OSes (including mobile) will be able to work with it if you push the VPN policy out.
     
  18. eagle2

    eagle2 Well-Known Member

    Joined:
    Apr 27, 2011
    Messages:
    1,085
    Likes Received:
    11
    I can confirm that leaving port 5000 open on 3CX PhoneSystem version 11 could lead to hacking the system. I've seen this already twice. With version 12 this is not possible from outside the LAN, plus there is greater security on the HTTP API, etc.

    So, I don't recommend leaving port 5000 open for every possible hacker in the world. There is no anti-hacking protection built into 3CX like there is for attacks on port 5060 or DoS. The possible attack would be purely HTTP based and can easily be made distributed.
     
  19. ian.watts

    ian.watts Active Member

    Joined:
    Apr 8, 2011
    Messages:
    532
    Likes Received:
    0
    IIS has some filtering capabilities to keep management, reporting, provisioning, etc. content limited to LAN addresses, and perhaps make MyPhone, etc. available to the world at large.

    Abyss.. not so much.
     
  20. 3CXNP

    3CX Support

    Joined:
    Apr 25, 2014
    Messages:
    42
    Likes Received:
    0
    Hi Craig,

    Opening up Port 5000 on your firewall should only be necessary if you need to have presence showing on your remote 3CX Phone clients, as well as for remote management of the PBX.

    If you do not require it, then you should not open this port. Teleworkers should only have the SIP port (5060 TCP/UDP) as well as the audio ports (9000-9049 UDP) open.

    If you implement an SBC infrastructure, then you only need to have port 5090 (TCP/UDP) open.

    Now, when someone scans your PBX for port 5000 to get into the Management Console, they will need to authenticate. Make sure you have a strong password, which cannot be broken within 25 attempts. This is a limit defined in the Security settings of the PBX.

    The default blacklist time is 1 day. You can make a blacklist interval of several thousand years (for example, 99999999999 seconds is approximately 3168 years).

    You can also define how many failed authentication attempts are allowed before the source is blacklisted. The default is 25 but you can reduce this, for example to 5.
     
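As an added example (not code from 3CX or from anyone in this thread), the following Python models the two pieces of defensive advice the thread converges on: the port policy in the 3CX support reply (SIP 5060 TCP/UDP and RTP 9000-9049 UDP for teleworkers, only 5090 with an SBC, and port 5000 reachable solely from trusted source networks, which is sigma1's IP-restriction point), and the failed-login blacklist from the Security settings (attempt limit plus blacklist interval). The allow-list networks, the log line format and the sample log are constructed for the example; the class and function names are assumptions, not a 3CX API.

```python
"""Added example (not 3CX's own code): a small model of the firewall policy and
the failed-login blacklist discussed in this thread."""
import ipaddress
from dataclasses import dataclass, field

# Port policy from the 3CX support reply: teleworkers need SIP on 5060 TCP/UDP and
# RTP on 9000-9049 UDP; with an SBC only 5090 TCP/UDP; port 5000 (management and
# provisioning) is accepted only from trusted networks.
TELEWORKER_PORTS = {("tcp", 5060), ("udp", 5060)} | {("udp", p) for p in range(9000, 9050)}
SBC_PORTS = {("tcp", 5090), ("udp", 5090)}
MANAGEMENT_PORT = ("tcp", 5000)

# Constructed allow-list (assumption): the office LAN and one admin's fixed range.
MANAGEMENT_ALLOWED = [ipaddress.ip_network("192.168.1.0/24"),
                      ipaddress.ip_network("203.0.113.0/24")]


def firewall_decision(src_ip: str, proto: str, port: int, use_sbc: bool = False) -> bool:
    """True if an inbound packet from src_ip to proto/port should be accepted."""
    key = (proto.lower(), port)
    if key == MANAGEMENT_PORT:
        src = ipaddress.ip_address(src_ip)
        return any(src in net for net in MANAGEMENT_ALLOWED)
    return key in (SBC_PORTS if use_sbc else TELEWORKER_PORTS)


@dataclass
class AuthBlacklist:
    """Per-source failed-login counter with a blacklist interval, modelled on the
    3CX security settings described above (defaults: 25 attempts, 1 day)."""
    max_failures: int = 25
    blacklist_seconds: int = 86400
    failures: dict = field(default_factory=dict)       # src_ip -> consecutive failures
    blocked_until: dict = field(default_factory=dict)  # src_ip -> epoch seconds

    def is_blocked(self, ip: str, now: int) -> bool:
        until = self.blocked_until.get(ip)
        if until is None:
            return False
        if now >= until:                 # interval elapsed: lift the block, reset the counter
            del self.blocked_until[ip]
            self.failures.pop(ip, None)
            return False
        return True

    def record(self, ip: str, success: bool, now: int) -> str:
        """Apply one authentication attempt and return the outcome label."""
        if self.is_blocked(ip, now):
            return "blocked"             # even a correct password is rejected while blacklisted
        if success:
            self.failures.pop(ip, None)
            return "ok"
        count = self.failures.get(ip, 0) + 1
        self.failures[ip] = count
        if count >= self.max_failures:
            self.blocked_until[ip] = now + self.blacklist_seconds
            return "blacklisted"
        return "failed"


def blacklist_years(seconds: int) -> float:
    """Convert a blacklist interval in seconds to years (Julian year, 365.25 days)."""
    return seconds / 31_557_600


def parse_auth_line(line: str):
    """Parse a constructed log line of the form '<epoch> <src_ip> <OK|FAIL>'."""
    ts, ip, result = line.split()
    return int(ts), ip, result == "OK"


def replay(log: str, max_failures: int = 25, blacklist_seconds: int = 86400) -> list:
    """Feed a log through the blacklist and return one outcome label per line."""
    bl = AuthBlacklist(max_failures, blacklist_seconds)
    return [bl.record(ip, ok, ts)
            for ts, ip, ok in map(parse_auth_line, log.strip().splitlines())]


# Constructed sample: one host hammering the management login, one legitimate admin.
AUTH_LOG = """
0    198.51.100.7  FAIL
10   198.51.100.7  FAIL
20   198.51.100.7  FAIL
30   198.51.100.7  FAIL
40   198.51.100.7  FAIL
50   198.51.100.7  OK
60   203.0.113.5   OK
3700 198.51.100.7  FAIL
"""

if __name__ == "__main__":
    for allowed, what in [(firewall_decision("198.51.100.7", "tcp", 5000), "5000 from internet"),
                          (firewall_decision("192.168.1.10", "tcp", 5000), "5000 from LAN"),
                          (firewall_decision("198.51.100.7", "udp", 5060), "5060 from internet")]:
        print(f"{what}: {'accept' if allowed else 'drop'}")
    # Tightened settings as suggested in the reply: 5 attempts, then blacklist for an hour.
    print(replay(AUTH_LOG, max_failures=5, blacklist_seconds=3600))
```

With the tightened settings the fifth failure blacklists the source, the correct login ten seconds later is still rejected, the legitimate admin is unaffected, and the source is only counted afresh once the hour has elapsed. The same model shows why a huge interval such as 99999999999 seconds (about 3168 years, as the reply notes) is effectively permanent.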