Joined: Sep 16, 2007 | Messages: 340 | Reaction score: 90
Running 3CX Professional 15.5.13103.5
(so are all other instances mentioned in this post)
Within 24 hours, all of my google cloud hosted 3CX installations and local 3CX installations have had a server manager failure. Outbound calls were working fine, but all inbound calls received a busy signal.
A reboot of each of the servers has corrected the issue, and a review of the activity logs has shown a massive spike in entries that look like this:
Code:
08/12/2018 8:35:06 AM - [CM102001]: Authentication failed for AuthFail Recv Req REGISTER from X.X.X.X:YYYY tid=547fa98f-f3e6-4677-a76f-a6f5fd16b345 Call-ID=hwpoycmaaybrrcpdvfxpblyvrywoaomceddtytacpooyemhxjb:
REGISTER sip:Z.Z.Z.Z SIP/2.0
Via: SIP/2.0/UDP X.X.X.X:YYYY;branch=z9hG4bK547fa98f-f3e6-4677-a76f-a6f5fd16b345;rport=YYYY
Max-Forwards: 70
Contact: <sip:5216@X.X.X.X:YYYY;rinstance=8ecd086809658d41>
To: "5216"<sip:5216@Z.Z.Z.Z>
From: "5216"<sip:5216@Z.Z.Z.Z>;tag=ltkqsuxt
Call-ID: hwpoycmaaybrrcpdvfxpblyvrywoaomceddtytacpooyemhxjb
CSeq: 2 REGISTER
Expires: 3600
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, SUBSCRIBE, NOTIFY, REFER, INFO, MESSAGE
Proxy-Authorization: Digest username="5216",realm="3CXPhoneSystem",nonce="414d53595b70378933:706cb4cc51e959f334362e708d629d1a",response="abfc9f09f6efc6940709399a39d93786",uri="sip:Z.Z.Z.Z",algorithm=MD5
Supported: 100rel
User-Agent: 3CXPhoneSystem
Content-Length: 0
; Reason: Credentials don't match, check that authorization-ID and password match the ones in extension settings
X.X.X.X is the "offending" IP address
YYYY is the port that the offending IP address is using
Z.Z.Z.Z is the IP address of the 3CX server
You can replace the X.X.X.X and YYYY with multiple sources and ports. There are quite literally dozens of attempts every hour.
I've had a field day adding complete ranges to the IP blacklist to reduce the number of attacks as these don't seem to trigger auto-blocking. Or if they do, it's a rare instance in comparison to the number of activity log entries.
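As an added defender-side example (not code from the post above or from 3CX), here is a small Python scanner for activity-log entries in the format shown: it parses each [CM102001] REGISTER failure together with the username from the dumped Proxy-Authorization header, groups attempts by source IP, and flags any source that exceeds a failure threshold inside a sliding time window, which is the kind of check the auto-blocking described above would be expected to perform. The sample log, its IP addresses, the threshold and the window are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# First line of a 3CX activity-log entry for a rejected REGISTER (code CM102001).
ENTRY_RE = re.compile(r'^(?P<ts>\d{2}/\d{2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) - \[CM102001\]: '
                      r'Authentication failed .*?REGISTER from (?P<ip>[\d.]+):(?P<port>\d+)')
# The username being tried sits in the Proxy-Authorization header of the dumped request.
USER_RE = re.compile(r'username="(?P<user>[^"]*)"')

def parse_entries(log_text):
    """Return one dict per CM102001 entry: timestamp, source ip/port, username tried."""
    entries, current = [], None
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            current = {"ts": datetime.strptime(m["ts"], "%m/%d/%Y %I:%M:%S %p"),
                       "ip": m["ip"], "port": int(m["port"]), "user": None}
            entries.append(current)
        elif current is not None and (u := USER_RE.search(line)):
            current["user"] = u["user"]
    return entries

def flag_sources(entries, threshold=10, window=timedelta(minutes=10)):
    """Map source IP -> (total failures, distinct usernames tried) for every IP that
    produced at least `threshold` failures inside some `window`-long sliding window."""
    by_ip = defaultdict(list)
    for e in entries:
        by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1          # slide the window forward past old attempts
            if end - start + 1 >= threshold:
                flagged[ip] = (len(evs), len({e["user"] for e in evs}))
                break
    return flagged

# Constructed sample log (assumption): 12 attempts from one source cycling extensions
# and source ports within a minute, plus a single stray failure from another address.
def _entry(ts, ip, port, user):
    return (f"{ts} - [CM102001]: Authentication failed for AuthFail Recv Req REGISTER "
            f"from {ip}:{port} tid=constructed Call-ID=constructed:\nREGISTER sip:203.0.113.10 SIP/2.0\n"
            f'Proxy-Authorization: Digest username="{user}",realm="3CXPhoneSystem"\n'
            "; Reason: Credentials don't match\n")
SAMPLE_LOG = "".join([_entry(f"08/12/2018 8:35:{i:02d} AM", "198.51.100.7", 5060 + i, str(5200 + i))
                      for i in range(12)] + [_entry("08/12/2018 9:10:00 AM", "192.0.2.44", 5060, "5216")])
```

Running `flag_sources(parse_entries(SAMPLE_LOG))` on the constructed log returns only the source that hammered 12 extensions in a minute; the single failure from the other address stays below the threshold, which is the difference between a mistyped password and a credential-guessing run.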