FOOD FOR THOUGHT Firewall Security 3CX and remote clients

Joined
Nov 14, 2008
Messages
1,398
Reaction score
320
Can you elaborate why you think this is a drawback?
My point was that Neorouter doesn't. Restated, I could have said Neorouter may be simpler, but OpenVPN is native to the Yealink, which is in its favor.
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,168
Reaction score
5,199
3CX in the Cloud: 8 Great Ways to Secure Your Server


Photo credit: Colin Anderson/GettyImages
 

BoomSchtick

New Member
Joined
Aug 17, 2017
Messages
2
Reaction score
1
I personally have no problems opening up 5090 to the internet for the ability of the mobile and desktop clients to use. This is a proprietary protocol that I would think very few people in the world would know what to do with even if they did brute force a login.

5060, however, is a completely different story. 5060 is incredibly well known and the script kiddies try to exploit it ALL the time! I have my 3cx install in a Digital Ocean VPS. These are the ports that I allow to only my SIP provider and my work sites:

udp/9000-9255
udp/5060
tcp/5000

For my SIP provider only, I allow access to all udp ports.

I've had great success with these firewall rules and I think it's fairly secure. I'm on the fence for 80/443. If people like using the web portal then I may have to leave it open, but I'd like to shut that down too.

Edit: I just realized that the 3cx softphones can't run on 5090 alone. They also require port 443. Bummer.
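
The allowlist described in the post above, written out as a default-drop iptables ruleset (an added example, not part of the original post and not the poster's actual configuration). All addresses are constructed placeholders from the RFC 5737 documentation ranges; the SSH management rule and the empty `PUBLIC_PORTS` list are assumptions.

```shell
#!/bin/sh
# Emits an iptables-restore ruleset: the listed ports are reachable only from
# the SIP provider and the work sites; everything else inbound is dropped.
SIP_PROVIDER="198.51.100.10/32"             # constructed placeholder
WORK_SITES="203.0.113.0/24 192.0.2.44/32"   # constructed placeholders
ALLOWLISTED_PORTS="udp/9000:9255 udp/5060 tcp/5000"   # the three entries from the post
ADMIN_SSH_PORT=22    # assumption: SSH management, work sites only
PUBLIC_PORTS=""      # assumption: nothing open to the world; set to e.g. "tcp/443"
                     # if softphones must register from arbitrary addresses

# Print one ACCEPT rule per proto/port entry; an empty source means "any".
emit() {
    src=$1; shift
    for entry in "$@"; do
        proto=${entry%%/*}
        port=${entry##*/}
        if [ -n "$src" ]; then
            echo "-A INPUT -s $src -p $proto --dport $port -j ACCEPT"
        else
            echo "-A INPUT -p $proto --dport $port -j ACCEPT"
        fi
    done
}

build_rules() {
    echo "*filter"
    echo ":INPUT DROP [0:0]"
    echo ":FORWARD DROP [0:0]"
    echo ":OUTPUT ACCEPT [0:0]"
    echo "-A INPUT -i lo -j ACCEPT"
    echo "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # SIP provider only: all UDP ports, as in the post.
    echo "-A INPUT -s $SIP_PROVIDER -p udp -j ACCEPT"
    for src in $SIP_PROVIDER $WORK_SITES; do
        emit "$src" $ALLOWLISTED_PORTS
    done
    for src in $WORK_SITES; do
        emit "$src" "tcp/$ADMIN_SSH_PORT"
    done
    emit "" $PUBLIC_PORTS
    echo "COMMIT"
}

build_rules
```

Check the output with `build_rules | iptables-restore --test` before loading it; with a default-drop INPUT policy, any management address missing from `WORK_SITES` loses access as soon as the rules are applied.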
 

Johann

Member
Joined
Feb 1, 2015
Messages
30
Reaction score
4
They also require port 443
But only for provisioning, not for calls, right?

Maybe I am just paranoid, but I wouldn't feel terribly comfortable leaving port 5090 open to the Internet without whitelisted IP addresses either, because even though it's a proprietary protocol and that port is far less exploited than 5060, who says that it will always stay that way?
3cx is quite popular and hackers might want to focus on that a bit more.
 

BoomSchtick

New Member
Joined
Aug 17, 2017
Messages
2
Reaction score
1
But only for provisioning, not for calls, right?

Maybe I am just paranoid, but I wouldn't feel terribly comfortable leaving port 5090 open to the Internet without whitelisted IP addresses either, because even though it's a proprietary protocol and that port is far less exploited than 5060, who says that it will always stay that way?
3cx is quite popular and hackers might want to focus on that a bit more.

On my Windows and iOS clients, the softphone will not register if 443 is closed. So if the phone doesn't register, then it won't be able to make calls.

If you don't open up 5090 or 443, then you won't have mobile clients. If that works for your business, then that's great. I know that the company that I work for expects to have that functionality.

One of the good things about running the VPS in Digital Ocean's cloud is that even if the server is compromised, just about the worst thing that can happen is that they can rack up bogus phone charges. There is zero danger to my production work network.
 

dallas

Active Member
Joined
Oct 21, 2007
Messages
844
Reaction score
247
I'm just starting down the 3cx path. Currently running Incredible PBX 4.11.3 RasPBX with a VoIP provider for inbound and outbound calls.

Now RasPBX doesn't require any forwarded ports and I can make and receive calls over the VoIP trunk.

How then do I keep my RasPBX running while experimenting with my 3cx install if I need to forward ports 5060 and 5061 to the 3cx server? 5060 is currently in use (without forwarding) on the RasPBX.
My internet gateway is SME Server.
 

Begreenbxl

New Member
Joined
Dec 16, 2015
Messages
10
Reaction score
1
Thanks Ward,
That’s an alternative worth looking into but I’m on the other side of the world and the latency will be a showstopper. The cheapest server I can get here is closer to USD20 per month.

I'm Sydney based and use Vultr. They have local Sydney servers; I've been using them for almost a year now and never had any concern or latency troubles. I often have calls to Asia, Europe and US... no difference whatsoever, quality consistently good. The only problem I encounter is the speed and quality of my own internet connection. Anyone living in Australia just knows what I'm talking about :)
Vultr is quite cheap at +/- 6.25 AUD/month.
Ward used to have a referral for them, but they also occasionally have promos for new customers.
 
