
Ports

Discussion in '3CX Phone System - General' started by eclipse2000, Mar 5, 2011.

Thread Status:
Not open for further replies.
  1. eclipse2000

    Joined:
    Feb 3, 2011
    Messages:
    31
    Likes Received:
    0
    Hi guys,
    I'm having major issues at the moment with our system; it's looking to be down to a hacker trying to gain access to our system or at least do something. Looking through our router logs and traffic graphs I can see constant speed loads on our internet connection coming from a Chinese IP address directed towards our external IP on port 5060.
    I'm looking to change the ports on which our system works to hopefully prevent anything happening. If I change the port on the network page (SIP) none of my phones will connect to the server, they just keep saying NOT REGISTERED even though each account is on a unique port. Any ideas?
    So in theory I want to change the ports from the 4 SIP providers that I use for our VoIP lines and also I want to change the port that the system works on internally, but I'm having no joy.
    Any help would be great.

    Thanks
     
  2. abc123

    abc123 Active Member

    Joined:
    Nov 9, 2009
    Messages:
    712
    Likes Received:
    1
    Going to non-standard ports can get very messy very quickly, as not all providers cope with non-standard ports. The phones won't register after the change most likely because you didn't change the port in each phone too. This is why it gets messy.

    The better solution is as follows:
    1. Get yourself a decent firewall
    2. You have 4 providers and they have static IPs that they send the invites from. Allow access through your firewall to the 3CX server IP on port 5060 only from those static IPs. Problem solved with no non-standard ports.

    3. Blacklist the Chinese IP in your firewall in case they try other ports/IPs etc. Remember the guy is not in China, he has found an open proxy in China and is using that so he cannot be traced.
     
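The allowlist approach from the reply above, as an added example that is not part of the original thread: a Python sketch that audits gateway log lines for port-5060 traffic from sources outside the provider allowlist and renders matching allow-then-drop rules for a Linux gateway. The provider addresses, the `wan` interface name, the iptables LOG-style input and the function names are assumptions; the sample lines are constructed.

```python
import ipaddress
import re
from collections import Counter

SIP_PORT = 5060

# Assumption: the providers' static signalling sources. These are constructed
# values from the RFC 5737 documentation ranges, not real provider addresses.
PROVIDER_NETS = [ipaddress.ip_network(n) for n in
                 ("198.51.100.10/32", "198.51.100.20/32", "203.0.113.0/28")]

# Constructed gateway log lines (iptables LOG style), WAN side only.
SAMPLE_LOG = """\
Mar  5 10:00:01 gw kernel: IN=wan SRC=192.0.2.77 DST=192.168.1.10 PROTO=UDP SPT=5071 DPT=5060
Mar  5 10:00:01 gw kernel: IN=wan SRC=192.0.2.77 DST=192.168.1.10 PROTO=UDP SPT=5072 DPT=5060
Mar  5 10:00:02 gw kernel: IN=wan SRC=198.51.100.10 DST=192.168.1.10 PROTO=UDP SPT=5060 DPT=5060
Mar  5 10:00:02 gw kernel: IN=wan SRC=192.0.2.77 DST=192.168.1.10 PROTO=TCP SPT=40000 DPT=80
Mar  5 10:00:03 gw kernel: IN=wan SRC=203.0.113.5 DST=192.168.1.10 PROTO=UDP SPT=5060 DPT=5060
Mar  5 10:00:03 gw kernel: IN=wan SRC=192.0.2.200 DST=192.168.1.10 PROTO=UDP SPT=6000 DPT=5060
Mar  5 10:00:04 gw kernel: IN=wan SRC=garbled DST=192.168.1.10 PROTO=UDP SPT=1 DPT=5060
"""

LINE_RE = re.compile(r"SRC=(?P<src>\S+) .*?DPT=(?P<dpt>\d+)")

def is_provider(src):
    ip = ipaddress.ip_address(src)  # raises ValueError on a malformed address
    return any(ip in net for net in PROVIDER_NETS)

def unexpected_sip_sources(log_text, port=SIP_PORT):
    """Count packets to the SIP port per source that is not on the allowlist."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or int(m["dpt"]) != port:
            continue
        try:
            if not is_provider(m["src"]):
                hits[m["src"]] += 1
        except ValueError:
            continue  # skip lines whose SRC field is not an IP address
    return hits

def allowlist_rules(port=SIP_PORT):
    """Render allow-then-drop rules for SIP over UDP on a Linux gateway."""
    rules = [f"iptables -A FORWARD -i wan -p udp -s {net} --dport {port} -j ACCEPT"
             for net in PROVIDER_NETS]
    rules.append(f"iptables -A FORWARD -i wan -p udp --dport {port} -j DROP")
    return rules

if __name__ == "__main__":
    print(dict(unexpected_sip_sources(SAMPLE_LOG)))
    print("\n".join(allowlist_rules()))
```

The rules cover SIP signalling over UDP only; LAN phones are unaffected because the rules match traffic arriving on the WAN interface.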
  3. eclipse2000

    Joined:
    Feb 3, 2011
    Messages:
    31
    Likes Received:
    0
    Thanks for the info.
    What firewall would you recommend, as I'm currently just using the standard one on Server 2003?

    Thanks
     
  4. abc123

    abc123 Active Member

    Joined:
    Nov 9, 2009
    Messages:
    712
    Likes Received:
    1
    You need a good gateway firewall. There are many.

    We do our own affordable security appliance which has gateway antivirus, antispyware, anti phishing, anti spam, active directory control, reporting, backups, vpn, firewall, intrusion prevention, attack protocol, web filter, bandwidth control etc. so I would obviously recommend that.

    PM me for more information on either a purchase or monthly lease with support.
     
  5. eclipse2000

    Joined:
    Feb 3, 2011
    Messages:
    31
    Likes Received:
    0
    I have changed the main port number and all 4 providers have connected up fine, which is good news; the only part I'm unable to get working is the phones.
    I have changed all the ports in the phone settings to match but the phones will not seem to register.

    Thanks
     
  6. abc123

    abc123 Active Member

    Joined:
    Nov 9, 2009
    Messages:
    712
    Likes Received:
    1
    There is a difference between registering to a voip provider and actually receiving the incoming calls on the correct port.

    Have you tested by dialing one of your numbers from an outside line such as a cell phone? Make sure it works and get 2 way audio.

    What phones are they?
     
  7. eclipse2000

    Joined:
    Feb 3, 2011
    Messages:
    31
    Likes Received:
    0
    When I dial any number the receptionist answers OK, but I don't have a phone working so I'm unable to hear the 2 way voice. I'm using sipgate as a provider, the 3CX server as the PBX and 2 Grandstream GXP2000 phones each with 4 lines on. Then 2 Linksys SIP devices for single standard phones.

    Thanks
     
  8. abc123

    abc123 Active Member

    Joined:
    Nov 9, 2009
    Messages:
    712
    Likes Received:
    1
    So if you hear the receptionist then you have the invites coming in and one way audio and as the audio is on a different port then you should be fine. The final test will be an inbound and outbound call when the phones work.

    Is the Grandstream not provisioned via 3CX? In which case it should work but you will have to get 3CX to update the provisioning file. To do this just open the extension in 3CX, click on the phone provisioning tab and then click OK and it should regenerate the file with the new settings. Then click on reprovision on the phones menu and it should work.

    What Linksys devices are they? ATA such as PAP2T? SPA 2102, 3201, 942?
     
  9. sigma1

    sigma1 Active Member

    Joined:
    Nov 20, 2009
    Messages:
    542
    Likes Received:
    1
    And how are you sure about this?

    I can tell you that 3CX's anti-hacking features work extremely well. This past weekend our entire data center was targeted by a massive denial of service attack from 17 servers on a Rackspace cloud. We allowed it to run for 12 hours to stress test our data center. The IP ban kicked in and the CPU use was at 0-3% on the servers. Make sure that you have strong passwords. Beware that no matter what you do the requests will still reach your router and take up bandwidth, you can't help that (if you have a DSL or low BW line that would still hurt you a lot).

    In general restricting the IP is a good idea, but then make sure you have the 3CX tunnel open if you have remote smartphones or 3CX Proxy. If not you will need to keep 5060 open. I would not change the port from 5060 as many QoS devices classify and prioritize by this.
     