How Can you Secure your Phone System With 3CX

Using the appliance industry to examine critical metrics, real-time data, and trends over time give small business owners a competitive advantage in the remaining and relevant.

3CX Phone System can receive an incoming call request from the outside in (Inbound Call) or request an alternative exit from the inside to the outside (Outbound call).

Does your website need more links, the better the content, or needs a facelift SEO altogether? Using the tools above and performing a mass of research on this topic can make all the world changes for your small business.

Inbound Link

Inbound calls can have an entity as a destination with the 3CX Phone System. The first of the two exceptions provided for this rule is if you have a forwarding rule to send incoming calls to an external number, but this would be a deliberate arrangement in a forwarding extension. The other exception is a call coming from another installation of 3CX PBX bridged. If you do not have the configured bridge, you can exclude this exclusion from your investigation. We can also ignore this because if you secure both the PBX on both sides of the bridge to the right, then the communication between them must be the kind of traffic we can trust.

Outbound Calls-

External Caller Using Remote Calling Features of Voicemail System

An external user calls in (at this stage still Inbound Calls), achieving the Digital receptionist, and pressing option to send him to the Special Voicemail Menu (default "999" in 3-digit installed).

He can also get there via the Digital Receptionist Extensions Bypass feature by dialing a special Voicemail menu directly in front Digital prompt. Here caller dials a valid extension, at which point the PBX will request a PIN. The caller's PIN to dial an extension number, and if applicable, the caller is authenticated as the extension number. The callers will be directed to the main menu, Voice Mail. 

This attack mode can be exploited by using the dialer automatically exit using a brute-force attack or dictionary attack against a combination Extension_Number / PIN. Brute force attack requires more effort to achieve this and usually will cost call rates attacker more than he can get - as long as you regularly force users to change their PINs.

You can defend yourself from attack mode by merely disabling the feature. If you need to retain features, a random length PIN is a must. Establish policies for the extension user to change the PIN periodically, and disable Voicemail functionality for those who do not need the extension number. Also, delete the extension number that is no longer required for the system.

What are some Actionable Tips To Secure the phone With 3cx?

v SIP Authentication-

Setting up your SIP authentication is the first step! The default setting requires a ten character random alphanumeric SIP ID and password; However, you can secure further with more characters (up to 50)

v Allow country code

Set the country code is allowed to determine which country the call you are allowed to do. Follow these steps:

→ Settings → Security → Allowed Country Code

→ Deciding on which country the call is allowed to be made

→ Using the International Dialing Code of E164 settings

→ Outbound Rule Match after reformatting

→ Must be exactly effective


Encryption of audio stream (RTP)

→ from and to the active extension

→ Using the crypto key

→ Must be enabled in Extension & IP Phone (useless without sSIP)

v SRTP Setup IP Phones

→ Enable SRTP through Web UI of Phones

3CX App for Windows

→ RTP mode = Only Safe


v Extension Security

Do you have a PIN for your voice mail? Once you activate the default settings, you can set up a random four-digit numeric PIN, and the system gives three failed attempts. If you do not have a voice message at all, it is better to disable the function.

You can also make your voice messages more secure by increasing the length digit PIN (up to 10).

v Blacklist IP

Blocking unwanted guests by adding their IP addresses to the blacklist:

Dashboard → → IP Blacklist

○ When the criteria are met Anti-Hacking

→ IP of 'actors' added.

→ global Standard Time Interval Blacklist

You can also manually set the Blacklist / Whitelist IP to refuse and/or allow specific IP.

v Secure SIP configuration

→ Settings → Security → Secure SIP

→ Certificate of pre-configured for 3CX FQDNs

→ Provision phone in sSIP mode (manual)

→ Attention: secure SIP uses TCP port 5061 (default)

3CX App for Windows

Extensions → → → Transport SIP Phone Provisioning = TLS

There are more anti-hacking measures you can take:

v Protection Authentication failed

→ Specify the number of failed authentication attempts

→ After Exceeding → Blacklist

○ default → 25 attempts

You can also secure your system further by reducing the number of attempts allowed (3 min). Just beware that cutting too much can cause a legitimate extension to be Blacklisted!

Author Bio