MyPBX Security Configuration Guide (Part 1)--Ports and Password Enhancement

Ports and passwords are the most important settings for security. We recommend changing the default ports and passwords.

1.1 Web Server (HTTP)

1.1.1 Change the Default HTTP Bind Port
Path: PBX--Basic Settings--General Preferences--Web Server

We can change it to another port, for example 8080.

1.1.2 Change the Default Password
Path: System--System Preferences--Password Settings

A strong password needs to be configured here for all accounts, especially for the accounts “admin” and “user”.

1.2 Web Server (HTTPS)*
HTTPS (HTTP over SSL or HTTP Secure) encrypts user page requests as well as the pages that are returned by the Web server. The use of HTTPS protects against man-in-the-middle attacks. HTTPS has been supported since firmware version X.19.X.X.
We can enable HTTPS and change the default port to protect MyPBX from being attacked via the Web.
Path: PBX--Basic Settings--General Preferences--Web Server

After HTTPS is enabled, users are able to log in to the MyPBX Web GUI via HTTPS.

1.3 Extension
Hackers are always sending packets to the PBX to register an extension before dialing out. Extension security is therefore very important for users.

1.3.1 Change the Default SIP Port
Path: PBX--Advanced Settings--SIP Settings--General--UDP Port

We recommend changing this to another available port, for example: 5080.

1.3.2 Random Password for Extension*
In previous versions (before X.19.X.X), the default password of an extension is “pincode + extension number”. We recommend changing it to a password with upper-case and lower-case letters and numbers, for example: AjK5Up1G.
In the new firmware version (after X.19.X.X), random passwords are generated for newly created extensions. The random passwords are all strong enough, with upper-case and lower-case letters and numbers.

Note: a strong password is a MUST for remote extensions.

1.3.3 IP Restriction for Extension
Path: PBX--Extensions--FXS/VoIP Extensions--VoIP Extensions--Other Settings--IP Restriction
When it’s configured, only the permitted IP can register this extension. All other registration requests will be denied.
The format is “IP address/Subnet mask”, e.g. 192.168.5.136/255.255.255.255. With this setting, only 192.168.5.136 can register extension 6010.

Note: for a remote extension, a static public IP address is needed and must be entered instead.

1.3.4 "Register Name" for Extension*
The "Register Name" option is for extension authorization, which enhances the security of extension registration. Users will not be able to register the extension if the authorization name is incorrect, even though the username and password are correct. For example, if we set "Register Name" to "abcd" for extension 300, we have to set the authorization name "abcd" on the soft phone or IP phone for the extension to register successfully.
It is recommended to set the "Register Name" for each extension and then use it to register the extension.
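
The checks from 1.3.2 to 1.3.4 can be run over a list of extensions before they are exposed. The following is an added example, not code from MyPBX or its vendor: the record layout (number, password, register_name, ip_restriction, remote), the pincode 1234 and the sample extensions are constructed for illustration and are not a real MyPBX export format.

```python
import ipaddress
import re

def parse_restriction(value):
    """Parse 'IP address/Subnet mask' (section 1.3.3) into an ip_network."""
    ip, sep, mask = value.partition("/")
    if not sep:
        raise ValueError("expected 'IP address/Subnet mask'")
    # strict=False tolerates host bits; a non-contiguous mask raises ValueError
    return ipaddress.ip_network(f"{ip.strip()}/{mask.strip()}", strict=False)

def audit_extension(ext, pincode=""):
    """Return findings for one extension record (hypothetical dict layout)."""
    findings = []
    pw = ext.get("password", "")
    if pincode and pw == pincode + ext["number"]:
        findings.append("password is the old default 'pincode + extension number'")
    elif not (re.search(r"[a-z]", pw) and re.search(r"[A-Z]", pw) and re.search(r"\d", pw)):
        findings.append("password lacks upper-case, lower-case or digit characters")
    if not ext.get("register_name"):
        findings.append("no Register Name set")
    restriction = ext.get("ip_restriction")
    if not restriction:
        findings.append("no IP Restriction set")
    else:
        try:
            net = parse_restriction(restriction)
        except ValueError as exc:
            findings.append(f"invalid IP Restriction: {exc}")
        else:
            if ext.get("remote") and net.is_private:
                findings.append("remote extension restricted to a private address, not a public IP")
    return findings

# Constructed sample records; not a real MyPBX export
EXTENSIONS = [
    {"number": "6010", "password": "AjK5Up1G", "register_name": "abcd",
     "ip_restriction": "192.168.5.136/255.255.255.255", "remote": False},
    {"number": "300", "password": "1234300", "register_name": "",
     "ip_restriction": "192.168.5.0/255.0.255.0", "remote": False},
    {"number": "301", "password": "Zt4mQe7B", "register_name": "wxyz",
     "ip_restriction": "192.168.5.20/255.255.255.255", "remote": True},
]

if __name__ == "__main__":
    for ext in EXTENSIONS:
        for finding in audit_extension(ext, pincode="1234"):
            print(f"extension {ext['number']}: {finding}")
```

Extension 6010 passes cleanly, 300 is flagged for the old default password, the missing Register Name and a malformed subnet mask, and 301 is flagged because a remote extension is pinned to a private address.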




1.3.5 Security Configuration for Remote Extensions
Path: PBX--Extensions--FXS/VoIP Extensions--VoIP Extensions--General
Enable “NAT” and “Register Remotely” as shown in the picture below.

Note:
1. If remote registration isn’t required, please disable it.
2. If extensions register to MyPBX via the WAN port, please enable only “Register Remotely”.

1.3.6 TLS Registration (Optional)
Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols that provide communication security over the Internet. They use asymmetric cryptography for authentication of key exchange, symmetric encryption for confidentiality and message authentication codes for message integrity. Several versions of the protocols are in widespread use in applications such as web browsing, electronic mail, Internet faxing, instant messaging and Voice-over-IP (VoIP).

TLS is supported in MyPBX for secure SIP registration; you can also register SIP trunks to VoIP providers via TLS. We need to upload the certificate to both MyPBX and the IP phones for authorization. Hackers generally send register requests to the PBX via UDP. If TLS is enabled in MyPBX, a hacker will not be able to register an extension without the CA certificate, and the registration request will be refused directly.
Refer to Appendix I to get the detailed steps of how to use TLS in MyPBX.

Note: TLS is disabled in MyPBX by default; we need to enable it on the “SIP Settings” page before using it.
