Kamailio SBC for 3CX: SIP Security with OpenSIPS and Docker

This project implements a Session Border Controller (SBC) using Kamailio/OpenSIPS in Docker for securing 3CX phone systems. The Kamailio SBC for 3CX solution covers SIP traffic routing, media relay through RTPEngine, SSH hardening with fail2ban, UFW firewall configuration, and automated SSL certificate management, all deployed on Ubuntu 22.04 as a hardened SIP security layer between the public internet and the PBX.

Why a Kamailio SBC for 3CX

Exposing a 3CX PBX directly to the internet invites SIP scanning, brute-force registration attacks, and toll fraud. A Session Border Controller acts as a security gateway: all SIP traffic passes through the SBC, which handles authentication, rate limiting, and media relay. The PBX itself never sees raw internet traffic, dramatically reducing the attack surface.

Architecture

  • Kamailio/OpenSIPS: SIP proxy handling registration, authentication, and call routing between public endpoints and 3CX
  • RTPEngine: kernel-level media relay for RTP streams, reducing latency and enabling NAT traversal
  • Docker Compose: containerized deployment for reproducibility and easy updates
  • Fail2Ban + UFW: SSH protection and port-level firewall with SIP-specific rules
  • Automated SSL: certificate management for TLS SIP connections

Deployment Stack

  • OS: Ubuntu 22.04 LTS (hardened)
  • SIP Proxy: Kamailio with MySQL modules, auth, JSON, and extra modules
  • Media: RTPEngine for kernel-space RTP forwarding
  • PBX: 3CX (Windows and Linux deployments supported)
  • Security: Custom SSH port, fail2ban, UFW, TLS for SIP
  • Deployment: Docker Compose with automated install script

Security Hardening

The installation script handles complete server hardening: SSH port change, fail2ban for brute-force protection, UFW with SIP-specific port rules, NTP synchronization, and Kamailio’s built-in anti-flood mechanisms. The dialplan, htable, and subscriber configurations provide fine-grained call routing control. This layered approach reflects my experience securing infrastructure for enterprise clients.
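
Kamailio's anti-flood handling mentioned above is commonly built from the pike and htable modules. The following is an added example, not this project's configuration; the thresholds, the table name `ipban`, and the route name `REQINIT` are assumptions.

```kamailio
# Added example: per-source-IP flood control with pike + htable.
# Threshold values and names are assumptions, not taken from the project.

loadmodule "pike.so"
loadmodule "htable.so"

# pike: threshold of 16 requests per 2-second sampling window, per source IP
modparam("pike", "sampling_time_unit", 2)
modparam("pike", "reqs_density_per_unit", 16)
modparam("pike", "remove_latency", 4)

# htable: in-memory ban list keyed by source IP; entries expire after 300 s
modparam("htable", "htable", "ipban=>size=8;autoexpire=300;")

request_route {
    # Run the flood checks before any authentication or relay logic,
    # so banned sources cost no database lookups or digest challenges
    route(REQINIT);
}

route[REQINIT] {
    # Never rate-limit the proxy's own addresses. Trusted peers (the PBX,
    # SIP trunks) should be excluded here as well, since they legitimately
    # send many requests from a single IP.
    if (src_ip != myself) {
        if ($sht(ipban=>$si) != $null) {
            # Source is already banned: drop without sending a SIP reply,
            # which gives scanners no response to fingerprint
            xdbg("request from blocked IP - $rm from $fu (IP:$si:$sp)\n");
            exit;
        }
        if (!pike_check_req()) {
            # Rate exceeded: log the event and ban until the entry expires
            xlog("L_ALERT", "pike blocking $rm from $fu (IP:$si:$sp)\n");
            $sht(ipban=>$si) = 1;
            exit;
        }
    }
}
```

The `L_ALERT` log line gives operations a single event per ban to alert on, and the `autoexpire` value bounds how long a legitimate endpoint behind a shared NAT stays blocked after a false positive.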

Practical Application

As a Fractional CTO, I deploy this SBC configuration for clients running 3CX in production. One deployment protects a 200-extension 3CX system handling international calls; the SBC reduced SIP attack attempts from thousands per day to zero reaching the PBX, while RTPEngine eliminated one-way audio issues caused by complex NAT topologies.

The deployment scripts and configuration are available upon request. Contact me for access or security consulting.

FAQ

Does this work with 3CX v20?

Yes. The SBC is protocol-level: it routes SIP traffic regardless of 3CX version. Both Windows and Linux 3CX deployments are supported.

Why Kamailio over the built-in 3CX SBC?

Greater control over security policies, SIP manipulation, rate limiting, and media relay. Kamailio’s htable and dialplan modules provide flexibility that the built-in SBC lacks.

What about call quality with RTPEngine?

RTPEngine operates at kernel level, adding minimal latency (sub-millisecond). It actually improves quality by solving NAT traversal issues that cause one-way audio.

Can it handle high call volumes?

Kamailio handles thousands of concurrent calls on modest hardware. With kernel-space RTPEngine, a single server easily supports 500+ simultaneous media streams.

Ilya Arestov, Fractional CTO | Dubai Airport Free Zone (DAFZ), Dubai, UAE | Almaty, Zenkov Street 59, Kazakhstan | +971-585-930-600 | https://t.me/getmonolith