FOOD FOR THOUGHT Firewall Security 3CX and remote clients

Johann (Member, joined Feb 1, 2015)
The 3CX app for Android and Apple looks great, but I am wondering how you guys generally view the whole setup of remote mobile clients from a security perspective.
3CX box running behind a Sonicwall.

I just looked at the various ports I have to open on my firewall to make this work.
This is from the 3CX guide:

Remote Extensions via direct SIP
If you wish to connect remote extensions via direct SIP, you must open the following ports:
  • Port 5060.
  • Port 5061 if using secure SIP.
  • Port 9000-9255 for RTP.
  • Port 80 HTTP / 443 HTTPS for 3CXPhone Presence and HTTP provisioning. Note: HTTP and HTTPS ports can be configured during installation. If you have chosen to use ports other than 80/443 make sure to forward those.
Opening port 5060 to the internet with no whitelisting of IP addresses in place, and the same with ports 80 and 443: that does not sound like a workable solution to me, in fact more like a very risky one.

Or am I missing something here?
What do you think?
 
I am specifically interested in the security aspects of connecting remote clients.

Just making sure I understand how things are set up.

The remote client 3CX app connects to the 3CX PBX which is behind a NAT firewall, via the 3CX tunnel. This means that SIP signalling and RTP media are sent over a single port UDP/TCP 5090, which needs to be forwarded on my firewall to my PBX allowing traffic from any public IP.
So far so good.

How dangerous is it to have port 5090 open to the internet? I understand that the tunnel is protected via a password, but will I see hackers trying to exploit that open port, as would be the case with port 5060? Trying to guess the tunnel password + a SIP extension and password?

Or maybe other exploits possible via TCP 5090?
 
If there is an open port, then anyone can attempt to exploit it. The 3CX firewall (?), however, is not static. It watches for and addresses attempted break-ins as I understand it.
 
Looks like 3CX uses some sort of internal blocking mechanism on failed SIP registrations (similar to Fail2Ban). You'll see them in your Event Log:
Code:
The IP 107.167.229.86 has been blacklisted for 1800 sec. (Expires at: 2017/0614 10:59:14). Reason: Too many failed authentications!
 
That article shows how to blacklist and whitelist IP addresses, but it really doesn't shed any light on 3CX's anti-hacking auto-detection mechanisms which work quite well.

For cloud-based servers, we're working up a new version of TM3 for 3CX that includes whitelist with IP address and FQDN support, blacklist, IPtables, ipset for country blocking, Fail2Ban, and PortKnocker whitelisting.

** edited **
 
For cloud-based servers, we're working up a new version of TM3 for 3CX that includes whitelist with IP address and FQDN support, blacklist, IPtables, ipset for country blocking, Fail2Ban, and PortKnocker whitelisting.

That is how it should be done. I also add User-Agent to that mix. If I know what softphone I'm using, and then add to that FQDN coupled with your country blocking, it becomes MUCH safer.
 
That is how it should be done. I also add User-Agent to that mix. If I know what softphone I'm using, and then add to that FQDN coupled with your country blocking, it becomes MUCH safer.

3CX's Anti-Hacking module is already blocking known malicious user-agents. It comes with a default list but you can add more if you want.

That is under Settings -> Parameters -> SEC_IGNORE_USER_AGENT
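The two mechanisms this post and the earlier one describe, a temporary IP blacklist after repeated failed authentications and a User-Agent deny list, can be modelled with a few lines of code. The gate below is an added example written for this thread, not 3CX's Anti-Hacking module or its real SEC_IGNORE_USER_AGENT list. The threshold (5 failures in 60 s), the deny list, the log wording and the replayed REGISTER attempts are all constructed assumptions; only the 1800 second ban length is taken from the event log quoted above.

```python
"""Fail2Ban-style gate for SIP REGISTER attempts (added example, not 3CX code).

Two checks run before authentication is even consulted:
  1. a User-Agent deny list (in the spirit of SEC_IGNORE_USER_AGENT), and
  2. a temporary per-IP blacklist raised after too many failed authentications.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

BAN_SECONDS = 1800        # ban length from the event log quoted in the thread
MAX_FAILURES = 5          # assumed threshold; 3CX's own value is a parameter
WINDOW_SECONDS = 60       # assumed sliding window for counting failures

# Assumed deny list of scanner User-Agents; 3CX's default list is not reproduced here.
BAD_USER_AGENTS = ("friendly-scanner", "sipvicious", "sipcli", "sip-scan")


class SipGate:
    def __init__(self):
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.bans = {}                       # ip -> expiry datetime
        self.events = []                     # log lines a human would see

    def _is_banned(self, ip, now):
        """True while a ban is active; expired bans are removed on first contact."""
        expiry = self.bans.get(ip)
        if expiry is None:
            return False
        if now >= expiry:
            del self.bans[ip]
            return False
        return True

    def register(self, ip, user_agent, auth_ok, now):
        """Decide one REGISTER: 'drop-banned', 'drop-ua', 'accept', 'reject' or 'ban'."""
        if self._is_banned(ip, now):
            return "drop-banned"
        ua = (user_agent or "").lower()
        if any(bad in ua for bad in BAD_USER_AGENTS):
            self.events.append(f"Ignored REGISTER from {ip}: blocked User-Agent '{user_agent}'")
            return "drop-ua"
        if auth_ok:
            self.failures.pop(ip, None)       # a good login clears the failure history
            return "accept"
        recent = self.failures[ip]
        recent.append(now)
        while recent and (now - recent[0]).total_seconds() > WINDOW_SECONDS:
            recent.popleft()                  # forget failures older than the window
        if len(recent) >= MAX_FAILURES:
            expiry = now + timedelta(seconds=BAN_SECONDS)
            self.bans[ip] = expiry
            self.failures.pop(ip, None)
            self.events.append(
                f"The IP {ip} has been blacklisted for {BAN_SECONDS} sec. "
                f"(Expires at: {expiry:%Y/%m/%d %H:%M:%S}). Reason: Too many failed authentications!")
            return "ban"
        return "reject"


def run_sample():
    """Replay a constructed burst of attempts; returns (gate, list of decisions)."""
    gate = SipGate()
    t0 = datetime(2017, 6, 14, 10, 29, 14)    # constructed timestamp
    decisions = []
    # constructed: a scanner with a known-bad UA
    decisions.append(gate.register("198.51.100.7", "friendly-scanner", False, t0))
    # constructed: six wrong passwords from one IP within a few seconds
    for i in range(6):
        decisions.append(gate.register("203.0.113.5", "Zoiper", False, t0 + timedelta(seconds=i)))
    # correct password while banned is still dropped; after expiry it is accepted again
    decisions.append(gate.register("203.0.113.5", "Zoiper", True, t0 + timedelta(seconds=10)))
    decisions.append(gate.register("203.0.113.5", "Zoiper", True, t0 + timedelta(seconds=BAN_SECONDS + 11)))
    # constructed: an unrelated phone registering normally
    decisions.append(gate.register("192.0.2.44", "3CXPhone", True, t0 + timedelta(seconds=12)))
    return gate, decisions


if __name__ == "__main__":
    gate, decisions = run_sample()
    print(decisions)
    print("\n".join(gate.events))
```

Note what the replay shows: the ban is raised on the fifth failure, a correct password from the banned IP is still dropped until the 1800 seconds are up, and the scanner never reaches authentication at all because its User-Agent is rejected first. That is why a deny list reduces log noise more than the blacklist does: the blacklist only fires after the attacker has already been allowed several attempts.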
 
I don't like all the open ports in order for 3cx to work.
Even after changing settings in the security module and the sec_ignore_user_agent, I am still getting many log entries of failed authentication attempts etc.
I did not have this issue with PIAF and Incredible (no port forwarding needed). My router dropped all these attempts, thus reducing the local network traffic and PBX load.
 
I don't like all the open ports in order for 3cx to work.

Are you doing the tunneling thing via port 5090?

I don't feel comfortable with having any port open to the internet without whitelisting IP addresses, which is of course impossible with roaming cell phones and changing IP addresses.

No wonder you are getting failed login attempts. I wouldn't want to just sit there and simply hope for those hack attempts to never be successful.

The best thing would be if those remote client apps had OpenVPN built into them. This way they could connect to a VPN server on our network.
Second best would be a DDNS client running on the mobile client, updating IP addresses regularly, and we would open port 5090 on the firewall but whitelist the FQDNs belonging to our remote clients.
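The FQDN whitelist idea in this post (and the FQDN support mentioned for TM3 earlier in the thread) comes down to a small periodic job: resolve each client's DDNS name, put the addresses into an ipset, and let the forwarded tunnel port accept traffic only from that set. The script below is an added example written for this thread, not TM3's or 3CX's code. The hostnames, the set and chain names, and the decision to handle only IPv4 are assumptions; port 5090 for the tunnel is from the thread. A fake resolver is used in the test so it runs offline; on a real Linux firewall you would run it as root from cron.

```python
"""Build an ipset/iptables allow-list for the 3CX tunnel port from DDNS names.

Added example, not TM3 or 3CX code. Run periodically (e.g. every few minutes from
cron) so that a phone whose public IP changed is re-admitted once its DDNS record
catches up. The set is rebuilt in a temporary set and swapped in atomically, so the
port is never left wide open or fully closed during a refresh.
"""
import socket
import subprocess

TUNNEL_PORT = 5090                 # 3CX tunnel port (UDP and TCP) from the thread
SET_NAME = "remote_ext"            # assumed ipset name
CHAIN = "TCX_TUNNEL"               # assumed dedicated iptables chain
REMOTE_HOSTS = [                   # assumed DDNS names of the remote phones
    "phone-johann.example.net",
    "phone-sales.example.net",
]


def default_resolver(host):
    """IPv4 addresses of host, or [] if the name does not currently resolve."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None, socket.AF_INET)})
    except socket.gaierror:
        return []


def resolve_all(hosts, resolver=default_resolver):
    """Map each FQDN to its addresses; an unresolvable name yields [] rather than aborting."""
    return {h: list(resolver(h) or []) for h in hosts}


def build_steps(addrs, port=TUNNEL_PORT, set_name=SET_NAME, chain=CHAIN):
    """Return the command lines (argv lists) that enforce the allow-list, in order."""
    tmp = set_name + "_new"
    steps = [
        ["ipset", "create", set_name, "hash:ip", "-exist"],   # -exist: no error if present
        ["ipset", "create", tmp, "hash:ip", "-exist"],
        ["ipset", "flush", tmp],
    ]
    for host in sorted(addrs):
        for ip in addrs[host]:
            steps.append(["ipset", "add", tmp, ip, "-exist"])
    steps += [
        ["ipset", "swap", tmp, set_name],                     # atomic replacement
        ["ipset", "destroy", tmp],
        ["sh", "-c", f"iptables -N {chain} 2>/dev/null || true"],   # create chain once
        ["iptables", "-F", chain],                            # rebuild its rules each run
    ]
    for proto in ("udp", "tcp"):
        steps.append(["iptables", "-A", chain, "-p", proto, "--dport", str(port),
                      "-m", "set", "--match-set", set_name, "src", "-j", "ACCEPT"])
        steps.append(["iptables", "-A", chain, "-p", proto, "--dport", str(port), "-j", "DROP"])
    # Hook the chain into INPUT exactly once: check (-C) first, insert (-I) only if missing.
    steps.append(["sh", "-c", f"iptables -C INPUT -j {chain} || iptables -I INPUT -j {chain}"])
    return steps


def apply_steps(steps, runner=None):
    """Execute the steps with runner(argv); defaults to subprocess. Returns the count run."""
    runner = runner or (lambda cmd: subprocess.run(cmd, check=True).returncode)
    for cmd in steps:
        runner(cmd)
    return len(steps)


if __name__ == "__main__":
    # Dry run: print the commands instead of executing them.
    for cmd in build_steps(resolve_all(REMOTE_HOSTS)):
        print(" ".join(cmd))
```

Two caveats a practitioner should keep in mind: the phone is only reachable after its DDNS client has updated and this job has run, so pick both intervals with that delay in mind; and mobile carriers often put many subscribers behind one shared public address, so the whitelisted IP may admit more than your phone. The allow-list therefore narrows exposure of port 5090, it does not replace the tunnel password and the failed-authentication blacklist.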
 
Don't have any remote extensions
Just installed and getting familiar with 3cx.
 
NeoRouter VPN is much easier to configure than OpenVPN, and we plan to add it down the road as well.
 
