This video will explain the various
security configurations for MyPBX in detail.
Take MyPBX U200 as an example. The version number is 19.
For configurations of other models and versions of MyPBX,
also refer to this video.
There are two ways to secure the Web GUI.
Firstly, change the "HTTP Bind Port".
In "Web Server", enable "HTTP",
and change the default "HTTP Bind Port" 80 to another number.
Reboot the device after the change.
Log in to the Web interface again.
This time, enter a colon and the HTTP Bind Port
following the IP address of MyPBX.
In version 19,
MyPBX also supports "HTTPS" to secure communication.
We can enable it, and change the Bind Port.
Also reboot the device afterwards.
Now log in with "https", followed by the IP address,
a colon and the bind port.
Secondly, we need to change the login password.
In the "Password Settings" page, choose a "User", for example, "admin".
Enter the old password and the new one.
Click "Save".
The page will jump to the login page.
Use the new password to log in.
Next, we will secure the VoIP extensions.
First of all, we can change the UDP port.
Enter "SIP Settings" page. Under the "General" column,
change the "UDP Port".
The UDP port of IP phones must be changed
to correspond to that of the MyPBX.
Password is also crucial.
So we enter the extensions edit page.
In version 19, the password for a newly created extension is no longer "pincode
and extension number". A complicated and random password will be generated.
You can change it to make it memorable but still complicated.
A combination of uppercase and lowercase letters and numbers is recommended.
Under "Other Settings", we can also enable "IP Restriction"
to allow only certain IP addresses to access this extension.
In "Permitted 'IP address/Subnet mask'",
enter the IP address, followed by the slash and the subnet mask.
In this way,
only the IP phone or softphone whose IP address
is 192.168.5.149 can register and use this extension.
You can also enter this set to allow IP phones
and softphones whose IP fall into 192.168.0
to register and use this extension.
Back to "General" tab. Let's see the "VoIP Settings" column.
When registering remote extensions,
"NAT" and "Register Remotely" need to be checked.
If the extension is registered through the WAN port,
only "Register Remotely" needs to be checked.
If no remote registration is required,
the two options should not be checked.
Before configuring Firewall, it is recommended that a system backup is stored.
Now we will configure the firewall step by step.
Step 1, enable Firewall.
Step 2, add a common rule to allow local network access.
Fill in the "Name" and "Description".
In the dropdown list of "Protocol", choose "BOTH".
And enter the "Port".
The initial port is on the left, and the end port on the right.
The end port number should be equal to or larger than the initial.
Then enter the IP address and subnet mask.
Set the "Action" to "Accept".
This rule will allow MyPBX to accept UDP or TCP packets from this range.
Step 3, add common rules to allow remote network access.
In "IP", enter the allowed public IP address.
This rule will allow MyPBX to accept packets
from this public IP address.
The above configuration applies to static IP address of a remote device.
If the IP address is dynamic, there is no need to configure this.
But "Drop all" should not be checked in this case.
We recommend using static IP address for remote devices.
Step 4, add common rules to allow VoIP service provider to access.
The ports used to contact the SIP provider are UDP 5060 and RTP 10000-12000 by default.
So we need to add two rules to allow MyPBX to receive packets from providers.
Allow packets from the UDP port first.
The "Protocol" is UDP. In both columns of "Port", enter 5060.
In "IP", enter the static IP address of service provider.
The "Action" is "Accept".
Then allow packets from RTP.
The "Protocol" is still UDP.
The port starts with 10000 and ends with 12000.
Enter the IP address.
And choose "Accept".
If the IP address is dynamic, we need to configure a rule to allow all RTP packets.
Enter 0.0.0.0 in "IP" and subnet mask.
In this way, one-way voice issues can be avoided.
Step 5, block Web attacks from IP addresses that are not allowed.
Many attacks against MyPBX are Web attacks,
so it is recommended that untrusted IP addresses are blocked from accessing MyPBX.
In "Protocol", choose "BOTH",
enter 80 and 80 in the "Port" field.
The "IP" and the subnet mask are both 0.0.0.0.
Choose "Drop" in "Action".
In this way, except for the IP addresses that are allowed in the previous Steps 2 and 3, other IP addresses will not be allowed to send packets to MyPBX.
Step 6, add common rules to accept the static public IP range of NTP, SMTP, and POP server.
SMTP is the server that sends mails.
In "Port", enter 1 on the left, and 65535 on the right.
This will open all ports for SMTP server.
In "IP", enter the static IP address of SMTP server.
And the "Action" is "Accept".
Next set up a rule for POP server, which is used to receive mails.
NTP server is used for clock synchronization of MyPBX over networks.
Next, set up a rule for STUN server.
If the IP addresses of the above four servers are dynamic, no rule needs to be set.
But the "IP Blacklist" rule should be kept. And "Drop all" should be disabled.
Step 7, set up auto defense rules.
In "Port", enter the port number,
choose the protocol,
and set the "Rate".
The rule means that if a certain IP is sending packets to
port 8022 at a rate exceeding 120 per second,
MyPBX will put the IP into the blacklist.
MyPBX has 3 factory default auto defense rules, which are listed in "IP Blacklist".
It is recommended that the 3 rules are kept.
Step 8, enable "Drop All".
If this option is enabled, all UDP packets or TCP connections that violate the defense rules will be dropped.
Before enabling this option, please create a rule to accept the local network access.
After enabling "Drop All", the rules of auto defense and IP blacklist will not take effect.
If "Drop All" is not enabled, please don't remove the IP blacklist rules, in case a system security hole exists.
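Added example (not part of the video and not MyPBX's own code): a small Python model of the rule list built in Steps 2 to 5, showing which packets end up accepted or dropped. It assumes rules are checked in order with the first match winning, and that "Drop All" drops whatever no rule matched; the rule names and the public addresses are constructed samples.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    protocol: str    # "UDP", "TCP" or "BOTH", as in the "Protocol" dropdown
    port_start: int  # initial port (left field)
    port_end: int    # end port (right field)
    source: str      # "IP/Subnet mask"
    action: str      # "ACCEPT" or "DROP"

    def __post_init__(self):
        # The end port must be equal to or larger than the initial port.
        if not 1 <= self.port_start <= self.port_end <= 65535:
            raise ValueError(f"bad port range in rule {self.name!r}")

    def matches(self, src_ip, protocol, port):
        net = ipaddress.ip_network(self.source, strict=False)
        return (self.protocol in ("BOTH", protocol)
                and self.port_start <= port <= self.port_end
                and ipaddress.ip_address(src_ip) in net)


# Constructed sample rule set; the public addresses are documentation ranges.
RULES = [
    Rule("local", "BOTH", 1, 65535, "192.168.5.0/255.255.255.0", "ACCEPT"),
    Rule("remote-office", "BOTH", 1, 65535, "198.51.100.20/255.255.255.255", "ACCEPT"),
    Rule("provider-sip", "UDP", 5060, 5060, "203.0.113.10/255.255.255.255", "ACCEPT"),
    Rule("provider-rtp", "UDP", 10000, 12000, "203.0.113.10/255.255.255.255", "ACCEPT"),
    Rule("block-web", "BOTH", 80, 80, "0.0.0.0/0.0.0.0", "DROP"),
]


def evaluate(rules, src_ip, protocol, port, drop_all=False):
    """Return (action, rule name) for one inbound packet.

    Assumption: the first matching rule wins; unmatched traffic is dropped
    only when "Drop All" is enabled.
    """
    for rule in rules:
        if rule.matches(src_ip, protocol, port):
            return rule.action, rule.name
    return ("DROP", "drop-all") if drop_all else ("ACCEPT", "no-rule")


if __name__ == "__main__":
    for pkt in [("192.168.5.149", "TCP", 80), ("192.0.2.77", "TCP", 80),
                ("192.0.2.77", "UDP", 5060)]:
        print(pkt, evaluate(RULES, *pkt), evaluate(RULES, *pkt, drop_all=True))
```

Under these assumptions, an unlisted host can still reach UDP 5060 until "Drop All" is enabled, and placing the port 80 drop rule ahead of the local accept rule would lock the local network out of the Web GUI.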
Click "SIP Settings",
and "Advanced Settings".
Please keep the default "No" for "Allow Guest" option.
If "Yes" is selected instead, the system will allow unauthorized users to connect and make guest calls.
Enter "LAN Settings" page.
The "Enable SSH" option is disabled by default.
If no external debugging is required, please keep the default setting.
We also need to change the SSH password.
Enable SSH first.
Use PuTTY to log in to MyPBX.
Type the default username: "root".
Press enter key, and fill in password: "ys123456".
Press enter again.
Next, type the command "passwd", and press enter.
Now type a new password, press enter, then retype the new password.
When "Alert Settings" is enabled, if the device is attacked, the system will alert users via call or e-mail.
The attack modes include IP attack and Web Login.
See "IPATTACK" first.
In "Phone Notification", choose "Yes".
In "Number", enter multiple extension numbers or
external numbers. Separate the numbers with semicolons.
The external number should match the dial patterns of outbound routes.
"Attempts" defines how many times the system will try to dial when the number is not answered.
"Intervals" defines the interval between each attempt.
Last, choose the prompt that will be played. You can customize prompts.
See "Email Notification". Enable it first.
Enter the email address in the "To" field.
If there are multiple addresses, separate them with semicolons.
Then enter subject.
Click save to complete the configuration.
Next, see "WEBLOGIN".
When logging in to the MyPBX Web interface, entering the wrong password
five consecutive times will be deemed an attack.
The system will ban the IP from logging in for 10 minutes and notify the user.
The phone notification and email notification settings are the same as for the IPATTACK alert.
You can ask your VoIP/PSTN/ISDN provider to limit the credit of international calls in advance.
You can also ask them to disable international calls if you do not need them.
We can create an outbound route for making international calls.
And the outbound route will have a password.
Click "PIN Settings" and configure a password.
Go back to the outbound route page,
and in "Password" choose the one that was just created.
Then move the extensions that will be allowed to make international calls to the "selected",
and select the trunks.
Click "Save".
Use an extension that has the permission to dial an international number,
follow the prompt and enter the password.
The call is connected.
If your provider cannot disable international calls, we can configure rules on the MyPBX side to drop all international calls.
Step 1, create an invalid Service Provider trunk.
In "Hostname/IP", enter an invalid IP address,
and click "Save".
Step 2, create an outbound route.
Select all the extensions,
and move the invalid trunk to "Selected".
Click "Save".
In this way, all international call requests will be routed to this invalid trunk and be dropped directly.