Water-tight security for 3CX

Let me clarify first. This is not another how-to-secure-your-PBX document. 3CX is a very secure system by default. You need not do anything to secure it in an ordinary environment, it is secure. This document is for those who need water-tight security, not to give a chance to hackers.

Steps.

1- Change default ports 5000 5001 and 5090 to some random numbers.

Why do we need default port numbers? Because, if the public on the internet service needs to access our server, they need to know our IP and port. Like if we host a web server with port 80/443, or host an email server with port 25, etc, anyone from the internet can access those servers.

Now, if the server we host is not meant for public access why should we have a common/default port. We need not. And we should not.

To find a 3CX service to hack, hackers generally use automated programs, which scan IPs to find whether port 5001 or 5090 is open or not. If they find any IP with 5001 or 5090 open, they go for the next step.

Changing default ports means, you have already stopped 99% of attempts even before starting.

2-Close port 5060

3CX installations, rarely, require port 5060 to open. So make sure you close it. Most probable and dangerous attacks come through 5060. You rarely use 5060 for provisioning desk phones through the internet. Either use VPN or restrict access using IP filters

3- Geo-fence the firewall.

You all know that hacking always comes from certain countries. I'm not going to name them. Use geofencing on the firewall and stop any inbound traffic from those countries. Most firewalls support geo-fencing

4- Allow only required countries on "Allowed country codes" on 3CX

5- On 3CX Security -> Anti-hacking reduce "Failed authentication protection" to 3. That blocks anyone from guessing your password more than thrice.

6- Reduce "Failed Challenge Requests"

7- Don't use most guessable extension/user like 001,0001,100,1000,101,1001 etc. If you alrady have it, simply disable or delete it.

8- Allow admin console from internal network only ( 10.x.x.x , 192.168.x.x. and 172.16.x.x )

9- Allow external access to only users who need to work from outside.

10- Password must be the most complicated - should I say that?

The first three points should make your 3CX water-tight. You may not need the remaining. You can check the log before and after implementing the first three steps. You will see a significant reduction.

We at claudion.com have hosted many 3CX instances and continuously monitored hacking attempts. The moment you open ports 5001 or 5090 attempt starts appearing. Once you change it into any other random numbers, all gone.

Technically, hackers can scan all the ports to find your 3CX. But it is a practically impossible scenario. Also, most firewalls stop port scanning momentarily.

If you have more suggestions, please let us know. We will update this document