RECOMMENDATIONS Firewall and security settings

ncg

Member
Joined
Jan 19, 2009
Messages
60
Reaction score
6
Partly because of old versions of PIAF I've been a very occasional CentOS user and I've never used Debian before.

I've installed PIAF5 / 3CX on a Debian VPS recommended by 3CX at OVH. It's local and cheap. (Sorry Ward!)

The installation works and passes the built-in 3CX firewall test - but I'm guessing that is checking the necessary ports are open and not checking the machine is secure. Is that correct?

How do I ensure the server is secure? What do I need to do to lock it down? By default does the Debian installation provision in a safe way, or does it have no firewall turned on at all?

PIAF has always been hot on VOIP security so I'd welcome advice from the community and/or Nick at 3CX. Is there a resource for this I have missed?
 

ncg

Member
Joined
Jan 19, 2009
Messages
60
Reaction score
6
If anyone else has the same question this might help. I posted on the 3cx forum when I got no reply here. A 3CX staff member replied:

The PBX is secured by default with its anti-hacking module. If you want to implement stricter security you can edit the rules of iptables, which is already installed by default on OVH Debian. You can allow access only to IP addresses trusted by you.

I asked for more, and he replied more substantively:

The best resource for finding out how the anti-hacking module works is the 3CX Advanced Training: 4. Security & Anti-Fraud. You can find the link below:
In order to use auto-update for the new patches for Debian you can read the link below about Unattended Upgrades:
A sensible set of firewall rules that you can implement is to block any inbound traffic that comes to the PBX from non-trusted IP addresses and allow the traffic ONLY from your VoIP provider (port 5060 for SIP and 9000-9255 for RTP). If you have remote STUN hosts (port 5060 for SIP, ports 9000-9255 for RTP, port 5001 for provisioning and presence) or if you have remote clients/SBCs that are using the 3CX tunnel, you need to open ports 5090 and 5001.

I wonder if this is an area where PBX in a Flash could add some value?
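The rule set the 3CX staff member describes above, as an added example that is not from the thread, from PIAF or from 3CX: a POSIX shell script that prints the iptables commands for a default-deny INPUT chain (SIP and RTP only from the provider's addresses, tunnel and provisioning ports only when remote clients exist) so the rules can be reviewed before being applied as root. The provider and admin addresses are constructed RFC 5737 placeholders; the SSH rule, the drop logging, and the choice of TCP and UDP for 5090 and TCP for 5001 are assumptions of this example, not something the reply states.

```shell
#!/bin/sh
# Added example: generate a restrictive iptables INPUT ruleset for a 3CX/PIAF5
# host. Commands are printed, not executed, so they can be reviewed first and
# then applied with e.g.  sh gen_rules.sh | sudo sh

# Constructed placeholders (RFC 5737 documentation ranges); replace with the
# signalling/media addresses your VoIP provider publishes and your own admin IP.
PROVIDER_IPS="${PROVIDER_IPS:-203.0.113.10 203.0.113.11}"
ADMIN_IP="${ADMIN_IP:-198.51.100.5}"

SIP_PORT=5060        # SIP signalling from the provider (UDP)
RTP_PORTS=9000:9255  # RTP media range quoted in the reply (UDP)
TUNNEL_PORT=5090     # 3CX tunnel for remote clients/SBCs (TCP+UDP assumed)
PROV_PORT=5001       # provisioning and presence (TCP assumed)

gen_rules() {
  # Start from an empty INPUT chain with a default-deny policy. OUTPUT stays
  # open so the PBX can still register to the provider and fetch updates.
  echo "iptables -F INPUT"
  echo "iptables -P INPUT DROP"
  echo "iptables -P FORWARD DROP"
  echo "iptables -P OUTPUT ACCEPT"

  # Loopback, plus replies to connections the PBX itself opened.
  echo "iptables -A INPUT -i lo -j ACCEPT"
  echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"

  # SSH only from the admin address, so the lockdown cannot lock you out.
  echo "iptables -A INPUT -p tcp --dport 22 -s $ADMIN_IP -j ACCEPT"

  # SIP and RTP only from the trusted provider addresses.
  for ip in $PROVIDER_IPS; do
    echo "iptables -A INPUT -p udp --dport $SIP_PORT -s $ip -j ACCEPT"
    echo "iptables -A INPUT -p udp --dport $RTP_PORTS -s $ip -j ACCEPT"
  done

  # Tunnel/provisioning ports are reachable from anywhere by nature, so they
  # are only opened when REMOTE_CLIENTS=yes is set explicitly.
  if [ "${REMOTE_CLIENTS:-no}" = "yes" ]; then
    echo "iptables -A INPUT -p tcp --dport $TUNNEL_PORT -j ACCEPT"
    echo "iptables -A INPUT -p udp --dport $TUNNEL_PORT -j ACCEPT"
    echo "iptables -A INPUT -p tcp --dport $PROV_PORT -j ACCEPT"
  fi

  # Log what the policy drops (rate-limited) so probes show up in the journal.
  echo "iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix \"pbx-drop: \""
}

# Number of ACCEPT rules in the generated set; a quick sanity check before applying.
count_accepts() {
  gen_rules | grep -c -- '-j ACCEPT'
}

gen_rules
```

Run it once with the defaults and once with `REMOTE_CLIENTS=yes` and compare the two outputs: the difference is exactly the three Internet-facing rules, which is the part of the policy worth thinking hardest about.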
 

prattmd2

Member
Joined
Jun 30, 2014
Messages
133
Reaction score
17
OK, still trying to figure this out:
1. EdgeMax router
2. SIP ALG disabled
3. ports forwarded to 3CX (all public IPs accepted, so this scares me)
4. upon reboot of 3CX, no incoming call works UNTIL I make an outgoing call OR I run the firewall checker
It is almost like the SIP packets don't know where to go inside the LAN until this happens.

Any ideas?
 

YiannisH

Member
Support Team
Joined
Oct 25, 2016
Messages
61
Reaction score
12
Does the firewall checker pass when you run it, and is port 5060 open? The following guide contains all the ports that need to be forwarded for the PBX to function normally.
https://www.3cx.com/docs/ports/
If 5060 is closed, it could be that your firewall has some sort of port preservation, and after you make an outbound call or the firewall checker runs, the firewall keeps 5060 open for an X amount of time.
 

prattmd2

Member
Joined
Jun 30, 2014
Messages
133
Reaction score
17
I am trying to prevent having to "re-establish" connectivity if the server is rebooted, there is a power outage, etc., without making a call or running the port checker.

Just wondering if I am missing something simple.
 
