8 Actions to Secure Your Phone System with 3CX

October 27, 2020 by Ying-Hui Chen

The rise of remote work has brought opportunities to hackers. VoIP Supply and 3CX co-host a monthly webinar to help our 3CX resellers stay on top of the latest updates. This month, we focused on the measures you can take to secure your phone system! Let’s take a quick glance at the eight actions you can take immediately:

Download our 3CX webinar presentation slides to learn more!

Snom also joined us to talk about their D120 and D7XX Series IP Phones and more. Click here to see the slides.

#1 SIP Authentication 

Setting up your SIP authentication is the first step! The default setting requires a random 10-character alphanumeric SIP ID and password; however, you can secure it further with more characters (up to 50).

#2 Extension Security: Voicemail PIN 

Do you have PIN numbers for your voicemail? Once you enable the default setting, you can set up a random 4-digit numeric PIN, and the system allows 3 failed attempts. If you don’t need voicemail at all, it’s better to disable the function.

You can also make your voicemail more secure by increasing the PIN digit length (up to 10).

#3 Extension Security: Security Settings 

Check out more security settings you can change to protect your system here:

  • Disable Extension for unused extensions 
  • Disable External calls. Only internal calls possible 
  • PIN Protect. Allow external calls only after entry of Voicemail PIN (Example: 777) 
  • Prevent extensions from REGISTERing from outside the Local LAN 
  • Prevent Apps from connecting from external locations through the tunnel 
  • Block outbound calls outside office hours (cleaners, etc.)

#4 Allowed Country Codes 

Set allowed country codes to specify to which countries your calls are allowed to be made. Follow these steps:

→ Settings → Security → Allowed Country Codes 

→ Specifies to which countries calls are allowed to be made 

→ Uses International Dialing Code from E164 settings

→ Match after Outbound Rule reformatting 

→ Must match exactly to be effective

#5 Configure Secure SIP 

→ Settings → Security → Secure SIP 

→ Certificates pre-configured for 3CX FQDNs 

→ Provision telephones in sSIP mode (Manually) 

→ Attention: Secure SIP uses TCP port 5061 (Default) 

  • 3CX App for Windows 

→ Extension → Phone Provisioning → SIP Transport = TLS

#6 SRTP 

  • Encryption of audio streams (RTP) 

→ from and to an active extension 

→ Using crypto keys 

→ Must be activated on Extension & IP Phone (useless without sSIP) 

  • Setup of sRTP IP Phones 

→ Enable sRTP via the Web UI of Phones 

  • 3CX App for Windows 

→ RTP Mode = Only Secure

#7 Anti-Hacking Options 

There are more anti-hacking actions you can take:

  • Failed Authentication Protection 

→ Specify the number of failed Authentication Attempts

→ Once Exceeded → Blacklisted 

○ Default → 25 attempts 

You can also secure your system further by reducing the number of attempts allowed (min 3). Just be careful that reducing too much may cause legitimate extensions to be Blacklisted!

  • Failed Challenge Requests 

→ Specify the number of Unchallenged 407 Authentication Requests 

→ Once Exceeded → Blacklisted 

The default gives you 1000 attempts but again, you can alter this number to reduce attempts allowed (min 100).

  • Protects against packet floods 
  • Split into 3 levels/barriers 

→ Below Amber = no action 

→ Amber Barrier reached = 5 seconds (throttling) 

→ Red Barrier reached = Blacklist interval 

  • Blacklist Time Interval 

→ Once IP is Blacklisted by Anti-Hacking Options 

→ Remains Blacklisted for the number of seconds specified 

The default is 86400 s (24 hrs). You can increase the value up to a maximum of 1,000,000,000 s (~11,574 days or 31.7 years).
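
The trade-off between the failed-authentication limit and the blacklist interval can be checked before changing either value. The Python sketch below is an added example, not 3CX code: it replays constructed authentication events through a simplified model of the settings above. Assumptions: failures are counted per source IP, a successful authentication resets the count, and the names `make_events` and `simulate` are hypothetical.

```python
from collections import defaultdict

def make_events():
    """Constructed sample events (unix_time, source_ip, outcome); not real 3CX logs."""
    events = []
    # 203.0.113.50: scripted password guessing, 30 failures one second apart
    events += [(1000 + i, "203.0.113.50", "fail") for i in range(30)]
    # 198.51.100.7: a phone with a stale password retries 4 times, then is fixed
    events += [(2000 + 60 * i, "198.51.100.7", "fail") for i in range(4)]
    events.append((2300, "198.51.100.7", "ok"))
    return sorted(events)

def simulate(events, max_failed=25, blacklist_seconds=86400):
    """Replay auth events; return {ip: (blacklisted_at, released_at)}.

    Assumed model: failures accumulate per source IP, a success resets the
    counter, and traffic from a blacklisted IP is dropped until release.
    """
    failures = defaultdict(int)
    blacklist = {}
    for ts, ip, outcome in events:
        if ip in blacklist and ts < blacklist[ip][1]:
            continue  # still blacklisted: the request never reaches auth
        if outcome == "ok":
            failures[ip] = 0
            continue
        failures[ip] += 1
        if failures[ip] > max_failed:  # "Once Exceeded -> Blacklisted"
            blacklist[ip] = (ts, ts + blacklist_seconds)
            failures[ip] = 0
    return blacklist

if __name__ == "__main__":
    for limit in (25, 3):  # the default and the minimum from the text
        print(f"max failed attempts = {limit}")
        for ip, (start, end) in simulate(make_events(), max_failed=limit).items():
            print(f"  {ip} blacklisted at t={start}, released at t={end}")
```

With the default of 25 only the guessing source is blacklisted; at the minimum of 3 the misconfigured phone is blacklisted too, and its later correct login is dropped for the full interval.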

#8 IP Blacklist 

Block out unwanted guests by adding their IP address to a blacklist:

→ Dashboard → IP Blacklist 

○ When Anti-Hacking criteria are met 

→ IPs of ‘perpetrators’ are added 

→ Default Global Blacklist Time Interval 

You may also manually set up the Blacklist / Whitelist IPs to deny and/or allow certain IPs.

Ready to learn more? Download our Presentation Slides to Learn More Do’s and Don’ts! Visit our 3CX product pages or visit VoIPSupply’s 3CX Page to get more information.

Don’t forget to register for our next 3CX reseller webinar! Click here to register today.

