The 3CX Global Blacklist is enabled by default in all 3CX installations and effectively blocks numerous known malicious IP addresses and ranges, providing protection against attacks.
The main concern arises with installations that have this feature disabled. Please ensure that yours is not one of them. When the blacklist is disabled, your event logs will record blacklisting events and failed authentication attempts from fake SIP user agents such as Polycom VVX, Asterisk, Avaya, and others. In fact, what you may be observing is various scanning bots attempting to brute-force your SIP extensions.
These attacks can originate from VPNs, compromised hosts, or even from legitimate service providers’ servers and appliances. When misconfigured, such servers and appliances can act as open SIP relays, allowing attackers to send REGISTER messages to your systems while masking their true location behind third-party services.
Firewall Port Restrictions
The ports open on your firewall should be limited to only those needed for the PBX to function.
Exposure of Phone Web UI
Phones sometimes have their web user interface accessible from external networks, often because an administrator enabled it to allow remote access via HTTP/HTTPS ports. This practice should be avoided entirely. Allowing external access to user interface ports introduces several risks, particularly if:
- Vendor firmware is not regularly updated
- Weak passwords are used
- Zero-day vulnerabilities for specific models/versions are discovered and exploited
- Exposed devices are identified using tools like Shodan
User endpoints should remain behind NAT and not be directly accessible from the internet. If remote access is necessary, consider setting up a temporary administration tool on a single workstation to connect to the local endpoint.
Unfiltered SSH Access
Leaving the default Linux SSH port (TCP 22) unfiltered can lead to ongoing brute-force attacks. This can be easily observed in your machine's Syslog auth.log file, which will grow due to numerous failed login attempts from various public IP addresses.
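As an added example (not part of the original article and not a 3CX tool), the following Python script tallies failed SSH password attempts per source address from auth.log text, which shows how much of the file's growth comes from each address. The sample lines are constructed and assume the usual OpenSSH message format; the function names and the threshold are hypothetical.

```python
import re
from collections import Counter

# Constructed sample lines in the usual OpenSSH auth.log format
# (addresses are from the RFC 5737 documentation ranges).
SAMPLE_AUTH_LOG = """\
Mar  3 02:14:01 pbx sshd[2211]: Failed password for root from 203.0.113.5 port 51234 ssh2
Mar  3 02:14:03 pbx sshd[2211]: Failed password for root from 203.0.113.5 port 51234 ssh2
Mar  3 02:14:06 pbx sshd[2215]: Failed password for invalid user admin from 203.0.113.5 port 51301 ssh2
Mar  3 02:15:40 pbx sshd[2230]: Failed password for invalid user pi from 198.51.100.7 port 40022 ssh2
Mar  3 02:16:12 pbx sshd[2244]: Accepted publickey for support from 192.0.2.10 port 50112 ssh2
Mar  3 02:17:55 pbx sshd[2260]: Failed password for invalid user from 192.0.2.99 from 203.0.113.5 port 51410 ssh2
Mar  3 02:18:01 pbx CRON[2270]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

# The username is client-supplied text, so match it greedily and take the
# source address from the fixed tail of the line, not the first " from ".
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>.*)"
    r" from (?P<ip>\S+) port \d+ ssh2$"
)


def failed_logins_by_source(log_text):
    """Return (Counter of failures per IP, dict of IP -> set of usernames tried)."""
    counts, users = Counter(), {}
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m is None:
            continue  # accepted logins, cron and other services are ignored
        counts[m["ip"]] += 1
        users.setdefault(m["ip"], set()).add(m["user"])
    return counts, users


def noisy_sources(log_text, threshold=3):
    """List (ip, failures, usernames) for sources at or above the threshold."""
    counts, users = failed_logins_by_source(log_text)
    return [(ip, n, sorted(users[ip]))
            for ip, n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    for ip, n, names in noisy_sources(SAMPLE_AUTH_LOG):
        print(f"{ip}: {n} failed logins, usernames tried: {names}")
```

On a Debian-based host the input would typically be the contents of /var/log/auth.log; addresses it reports are candidates for the ACL and firewall filtering described in this article.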
Keep 3CX Servers Isolated
Running third-party tools on the same server as your 3CX system can increase your attack surface. These tools may introduce additional web servers and services that listen on new ports, making them vulnerable to external threats.
In summary, it's essential to implement strict filtering with appropriate ACL and firewall rules.
Lock down your Management console!
Under Security -> Console restrictions, you can specify which IP addresses can connect to the admin page of 3CX.
Anyone else, even with the correct credentials, would be blocked from connecting. Note that you will need a static public IP for this.