Securing Network Ports for 3CX

Discussion in '3CX Phone System - General' started by arivet, Jul 8, 2014.

Thread Status:
Not open for further replies.
  1. arivet

    Feb 8, 2013

    I am in charge of running a 3CX PBX (16 SC Pro) for an office of about 10-15 people. We use nexVortex as our SIP provider, and an ASA 5505 Sec+ (9.2) as our firewall. Our former 3CX partner set up our ASA to allow any traffic on 5000, 5060, 9000-9049 to be forwarded to our 3CX server. We have desk phones that are in the office, but we also have remote users who need to use softphones while they are traveling.

    I have seen a lot of conflicting information on whether ports 5000, 5060, and 9000-9049 should be opened on our firewall. This document and many others seem to suggest that it is okay to leave 5000, 5060, and 9000-9049 open, while I have heard from many others (including a 3CX premium partner) that 5000 and 5060 should NEVER be left open.

    It seems to me that the way we have it set up now leaves a gaping hole in our network, and that we are running a major risk of our SIP trunk being exploited. At the same time I don't want to close everything off and not be able to make calls. My question is: what is the correct way to secure our network?

  2. eagle2

    eagle2 Well-Known Member

    Apr 27, 2011
    You need ports 5000, 5060, 5090 and 9000-9049 to make external extensions work, and eventually some providers too, especially those authorizing by IP address.

    Port 5000 is used for 3CX web services, incl. presence, chat, reports, remote config, etc. You may close this port if you don't need this functionality. Hacker attacks on 3CX especially focus on this port, trying to break PBX or extension passwords. The risk in V.11 is significant.

    Port 5060 absolutely needs to be open, otherwise there is no chance for external extensions or a VoIP provider to work; the same applies to ports 9000-9049 (the voice itself), unless you use a tunnel (the 3CX one uses port 5090) or other means (a VPN on your router).

    Using a tunnel is much safer; in this case you need to open only port 5090 for 3CX phones, or use a standard VPN solution for remote phones (PPTP, L2TP, IPsec, OpenVPN) -- recommended.

    For VoIP providers to work you still need ports 5060 and 9000-9049; good practice is to create a white access list in your router for the VoIP provider and to close the ports for all other source addresses, except 5090 for the 3CX tunnel, if used. It is also better to keep extension registration from outside the LAN forbidden (in the extension settings).

    If you follow general security guidelines, the 3CX system is safe enough to use, regardless of the multiple attacks on port 5060 (in general) and 5000 (in the case of a 3CX system), and probably also on port 5090, although I haven't observed such attacks on port 5090.

    Consider also secure SIP and secure RTP for phones that support it, and conventional countermeasures like a restricted list of countries allowed to dial to, restricting outbound calls in out-of-office hours, strong passwords, email notifications for different events, etc. You need to understand a little bit about networking and firewalls to build a secure environment.
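The following ASA 9.x configuration is an added example of the policy eagle2 describes (provider whitelist for SIP and RTP, tunnel port open to everyone, port 5000 not exposed); it is not from the thread or from 3CX, and it has not been tested on the poster's ASA 5505. All addresses are constructed placeholders: 192.0.2.10 for the 3CX server on the inside, 198.51.100.10 as a spare public address for a one-to-one static NAT, and 203.0.113.5/203.0.113.6 standing in for the provider's real source addresses. It assumes ASA 8.3+ NAT syntax, where the inbound ACL matches the real (inside) address, and it assumes the 3CX tunnel needs both TCP and UDP 5090.

```cisco
! Added example, not the thread's own config. Addresses are placeholders.
! 3CX server on the inside, published one-to-one on a spare public address
object network PBX-3CX
 host 192.0.2.10
 description 3CX PBX (placeholder address)
 nat (inside,outside) static 198.51.100.10
!
! Source addresses of the SIP provider (placeholders; use the list your
! provider publishes, including any separate media gateways)
object-group network SIP-PROVIDER
 network-object host 203.0.113.5
 network-object host 203.0.113.6
!
access-list OUTSIDE_IN remark SIP signalling (5060) only from the provider
access-list OUTSIDE_IN extended permit udp object-group SIP-PROVIDER object PBX-3CX eq 5060
access-list OUTSIDE_IN remark RTP media (9000-9049) only from the provider
access-list OUTSIDE_IN extended permit udp object-group SIP-PROVIDER object PBX-3CX range 9000 9049
access-list OUTSIDE_IN remark 3CX tunnel (5090) for remote softphones; assumes TCP and UDP
access-list OUTSIDE_IN extended permit tcp any object PBX-3CX eq 5090
access-list OUTSIDE_IN extended permit udp any object PBX-3CX eq 5090
access-list OUTSIDE_IN remark port 5000 and 5060/9000-9049 from any other source
access-list OUTSIDE_IN remark fall through to the implicit deny at the end
access-group OUTSIDE_IN in interface outside
```

Remote softphones that register directly over SIP (without the tunnel or a VPN) are deliberately blocked by this policy, which is the trade-off eagle2 recommends. Before cutting over, check each rule with packet-tracer from the outside interface, using the mapped public address as destination, for example `packet-tracer input outside udp 203.50.113.5 5060 198.51.100.10 5060` for the provider and a second run from an address outside the group to confirm it is dropped; `show access-list OUTSIDE_IN` afterwards shows the hit counts.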