With the introduction of the new V9 3CX PBX we decided to add some extra security to the PBX. This new feature is called “3CX Anti-Hacking” and is located under the Settings/Advanced/Anti-hacking tab.
Its main purpose is to block malicious attacks targeted at the 3CX Phone System server in case the administrator has not taken the needed precautions at the firewall level. It works by detecting and blocking packet floods / DoS attacks and brute-force dictionary attacks aimed at identifying and cracking an extension number and its password.
The screenshot above shows the main interface of the 3CX Anti-Hacking configuration page. It is accessible by clicking on the Settings node, Advanced section, Anti-Hacking tab.
Failed Authentication Protection
This protects against an attacker using a dictionary attack to guess the password set for a particular extension. To do this the attacker has to send numerous INVITEs; after the server replies with a “Proxy Authentication Required” message, the attacker sends an INVITE carrying authentication. With this feature, the attacker can only send 25 requests in an attempt to crack the password. However, the administrator should not leave extension 100 with the password 100, because the attacker will guess this in seconds and the protection will be useless. If the password is 6 digits long, for example, the attacker needs far more than 25 attempts to crack it, and this is when the feature comes in handy. If an IP address spams the 3CX Phone System with 25 failed authentication attempts, that IP address will be blocked and put on the blacklist for the time specified in the “Blacklist time interval” parameter – default 30 minutes.
Blacklist time interval – Default 1800 seconds (30 min)
This option specifies the amount of time that an attacker’s IP will remain blacklisted. By default this value is set to 30 minutes, which is what major VoIP providers do when they receive too many registration attempts from a specific IP.
Security Barrier 1 – Green
This is like the Green Line in a battlefield. During this period of 200 milliseconds the Anti-Hacking algorithm in the 3CX Phone System server monitors and counts packets / requests, but takes no action. This gives lawful devices in your network the benefit of the doubt and allows an initial burst of traffic so that they can work productively in a real-time environment. Counting starts after an INVITE/REGISTER is received.
Security Barrier 2 – Amber
This is the second layer of protection. Here you specify how many packets may be sent from a single source IP address. The default value is 2000 packets per second. If an IP address is sending more than 2000 packets per second, something is wrong. At this point the Anti-Hacking algorithm still tries to treat the sender as a lawful device and replies with a 503 message, “Too many requests resend after 5 seconds”. Of course an attacker will not honour the 503 response and will simply keep on spamming, so the attack is eventually blocked at the last barrier. You can reduce this packet rate, but note that busy systems, and ISDN E1 gateways with 4 E1 ports, can legitimately reach it.
Security Barrier 3 – Red
This is the final protection layer, also expressed in packets per second. If an IP sends more packets per second than the amount specified, it is blacklisted for the blacklist interval. The default value is 4000 packets per second. At this layer no device/IP is treated as a lawful device: the moment the packet rate exceeds this threshold, the blacklist is enforced.
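The following Python model illustrates how the Failed Authentication Protection, the Blacklist time interval and the three Security Barriers described above fit together. It is an added example written for this article, not 3CX’s own code: the class name AntiHacking, its method names and the use of caller-supplied timestamps are assumptions, and the source IPs in the scenario functions are constructed test values. It uses the defaults quoted in the post (25 failed attempts, 1800 seconds, 200 ms, 2000 pps and 4000 pps) and simplifies the green window to start at the first packet seen from an IP.

```python
# Model of the 3CX Anti-Hacking rules described in this post.
# Example code written for this article; not the 3CX implementation.
from collections import defaultdict, deque

# Defaults as stated in the post.
FAILED_AUTH_LIMIT = 25      # failed authentication attempts before blacklisting
BLACKLIST_INTERVAL = 1800   # "Blacklist time interval", 30 minutes, in seconds
GREEN_WINDOW = 0.200        # Security Barrier 1: count only, no action
AMBER_PPS = 2000            # Security Barrier 2: reply 503, keep counting
RED_PPS = 4000              # Security Barrier 3: blacklist the source IP


class AntiHacking:
    """Per-source-IP tracker (hypothetical). Timestamps are float seconds
    supplied by the caller so a scenario can be replayed deterministically."""

    def __init__(self, failed_auth_limit=FAILED_AUTH_LIMIT,
                 blacklist_interval=BLACKLIST_INTERVAL,
                 amber_pps=AMBER_PPS, red_pps=RED_PPS):
        self.failed_auth_limit = failed_auth_limit
        self.blacklist_interval = blacklist_interval
        self.amber_pps = amber_pps
        self.red_pps = red_pps
        self.blacklist = {}                   # ip -> expiry timestamp
        self.failed_auth = defaultdict(int)   # ip -> consecutive failures
        self.packets = defaultdict(deque)     # ip -> timestamps in the last second
        self.first_seen = {}                  # ip -> start of its green window

    def is_blacklisted(self, ip, now):
        expiry = self.blacklist.get(ip)
        if expiry is None:
            return False
        if now >= expiry:
            del self.blacklist[ip]            # interval elapsed, IP released
            return False
        return True

    def _blacklist(self, ip, now):
        self.blacklist[ip] = now + self.blacklist_interval
        self.failed_auth.pop(ip, None)
        self.packets.pop(ip, None)
        self.first_seen.pop(ip, None)

    def on_auth_result(self, ip, now, success):
        """Called after the credentials in an INVITE/REGISTER were checked."""
        if self.is_blacklisted(ip, now):
            return "dropped"
        if success:
            self.failed_auth.pop(ip, None)    # a correct login resets the counter
            return "ok"
        self.failed_auth[ip] += 1
        if self.failed_auth[ip] >= self.failed_auth_limit:
            self._blacklist(ip, now)          # Failed Authentication Protection
            return "blacklisted"
        return "407"                          # Proxy Authentication Required

    def on_packet(self, ip, now):
        """Called for every SIP packet from ip; returns the action taken."""
        if self.is_blacklisted(ip, now):
            return "dropped"
        window = self.packets[ip]
        window.append(now)
        while window and now - window[0] > 1.0:   # keep only the last second
            window.popleft()
        start = self.first_seen.setdefault(ip, now)
        if now - start < GREEN_WINDOW:
            return "counted"                  # Barrier 1: measure, no action
        rate = len(window)                    # packets in the trailing second
        if rate > self.red_pps:
            self._blacklist(ip, now)          # Barrier 3: blacklist enforced
            return "blacklisted"
        if rate > self.amber_pps:
            return "503"                      # Barrier 2: ask sender to back off
        return "ok"


def simulate_dictionary_attack():
    """Constructed scenario: 30 wrong passwords from one IP, one every 100 ms."""
    t = AntiHacking()
    return [t.on_auth_result("203.0.113.5", i * 0.1, success=False)
            for i in range(30)]


def simulate_flood(pps):
    """Constructed scenario: one IP sending `pps` packets evenly over one second."""
    t = AntiHacking()
    return [t.on_packet("198.51.100.9", i / pps) for i in range(int(pps))]


if __name__ == "__main__":
    from collections import Counter
    print(Counter(simulate_dictionary_attack()))
    print("3000 pps:", Counter(simulate_flood(3000)))
    print("5000 pps:", Counter(simulate_flood(5000)))
```

Running the two flood scenarios shows the difference between Barrier 2 and Barrier 3: a 3000 pps source only ever receives 503 replies, while a 5000 pps source is blacklisted the moment its trailing one-second count passes 4000 and every later packet is dropped. The dictionary scenario shows that a misconfigured phone or gateway retrying a wrong password is treated exactly like an attacker, which is why the notes below insist on checking device credentials.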
Things to note / Additional information
- Always set a strong authentication ID and password on your extensions, bridges, tunnel connections and fax extension.
- If you have a SIP phone, PSTN gateway or any other device with a wrongly configured password, it will get blacklisted once it sends more than 25 authentication requests. So make sure that all gateways and devices are configured properly.
- Direct SIP is a very tricky part of security because Direct SIP calls do not require authentication. So if you do not intend to use Direct SIP calls, blank out the SIP ID option in the extensions. In Version 9 only 2 simultaneous Direct SIP calls to the same extension are allowed, so this risk is reduced. However, if the attacker knows the SIP ID and makes 1 call, that is still considered a hack, so at the very least the attacker should have to guess the SIP ID. Do not leave the SIP ID the same as the extension number.
- 3CX Bridge and Tunnel connections – make sure these are configured correctly and that the authentication details match; otherwise the IPs will get blacklisted by each other and there will be no communication between the remote 3CX Phone Systems.
- If a source identification problem is detected on an incoming call from a VoIP provider, modify the template and investigate the problem, because otherwise the VoIP provider’s IP address will get blacklisted.