Security settings

Discussion in '3CX Phone System - General' started by ncg, Dec 13, 2016.

Thread Status:
Not open for further replies.
  1. ncg

    I've installed 3CX on a new Debian server from OVH following the instructions on this site. I've not used Debian before.

    What do I need to do to firewall it off? The 3CX firewall checker shows all the ports required are open - but does that mean there is no IPTables running? What do I need to do to secure the system before I connect my SIP trunks? What is best practice?

    Thank you!
     
  2. George_3cx

    George_3cx Guest

    Dear ncg,

    The PBX is secured by default with its anti-hacking module. If you want to implement stricter security, you can edit the rules of IPTables, which is already installed by default on OVH Debian. You can allow access only to IP addresses that you trust.
     
  3. ncg

    Hi George,

    Thanks for your reply. Is there any info anywhere that shows what the anti hacking module does?

    Presumably running a server on the open internet with no firewall is asking for trouble as in due course backdoors for Debian will appear and need patching and there may be issues with some of the other services running on the box. I'm guessing if someone acquired root access to the server they would then be able to gain access to my SIP account credentials, potentially generating a hefty phone bill.

    What would be a sensible set of firewall rules? And how can I set Debian to auto-update as security patches are released? Can apt-get do that? And is that recommended?
     
  4. George_3cx

    George_3cx Guest

    Dear ncg,

    The best resource for finding out how the anti-hacking module works is the 3CX Advanced Training: 4. Security & Anti-Fraud. You can find the link below:

    http://www.3cx.com/3cxacademy/videos/advanced/security-with-3cx-phone-system/

    To use auto-update for new Debian patches, you can read the link below about Unattended Upgrades:

    https://wiki.debian.org/UnattendedUpgrades

    A sensible set of firewall rules that you can implement is to block any inbound traffic that comes to the PBX from non-trusted IP addresses and allow traffic ONLY from your VoIP provider (port 5060 for SIP and 9000-9255 for RTP). If you have remote STUN hosts (port 5060 for SIP, port 9000-9255 for RTP, port 5001 for provisioning and presence) or if you have remote clients/SBCs that are using the 3CX tunnel, you need to open ports 5090 and 5001.
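
Added example (not part of the original posts and not 3CX's own configuration): a shell function that prints an iptables-restore ruleset for the allow-list George_3cx describes above. The addresses, the SSH rule and the TCP/UDP choice for each port are assumptions, since the thread gives only port numbers.

```shell
#!/bin/sh
# Added example: prints an IPv4 iptables-restore ruleset for the allow-list in
# the thread. Nothing is applied; the output is meant to be reviewed first.
# Assumptions (not from the thread): SIP on UDP+TCP 5060, RTP on UDP, tunnel on
# UDP+TCP 5090, port 5001 on TCP, SSH on TCP 22. All addresses are constructed.
PROVIDER_IPS="203.0.113.10 203.0.113.11"  # VoIP provider
TUNNEL_IPS="198.51.100.0/24"              # remote clients/SBCs using the 3CX tunnel
ADMIN_IPS="192.0.2.5"                     # host you administer the server from

# Accept only digits, dots and a /prefix so a typo cannot inject rule text.
valid_src() {
    case "$1" in
        ''|*[!0-9./]*) return 1 ;;
        *) return 0 ;;
    esac
}

gen_rules() {
    # Validate every source before printing anything, so output is all-or-nothing.
    for ip in $ADMIN_IPS $PROVIDER_IPS $TUNNEL_IPS; do
        valid_src "$ip" || { echo "bad source address: $ip" >&2; return 1; }
    done
    echo "*filter"
    echo ":INPUT DROP [0:0]"      # default deny for inbound traffic
    echo ":FORWARD DROP [0:0]"
    echo ":OUTPUT ACCEPT [0:0]"
    echo "-A INPUT -i lo -j ACCEPT"
    echo "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for ip in $ADMIN_IPS; do
        echo "-A INPUT -s $ip -p tcp --dport 22 -j ACCEPT"
    done
    for ip in $PROVIDER_IPS; do
        echo "-A INPUT -s $ip -p udp --dport 5060 -j ACCEPT"
        echo "-A INPUT -s $ip -p tcp --dport 5060 -j ACCEPT"
        echo "-A INPUT -s $ip -p udp --dport 9000:9255 -j ACCEPT"
    done
    for ip in $TUNNEL_IPS; do
        echo "-A INPUT -s $ip -p udp --dport 5090 -j ACCEPT"
        echo "-A INPUT -s $ip -p tcp --dport 5090 -j ACCEPT"
        echo "-A INPUT -s $ip -p tcp --dport 5001 -j ACCEPT"
    done
    echo "COMMIT"
}

# Print the ruleset for review.
gen_rules
```

Check the output with `iptables-restore --test` before loading it, and keep the SSH rule for your own address in place so the default DROP policy does not lock you out. The ruleset covers IPv4 only; IPv6 needs a matching ip6tables ruleset.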
     