
Recent increase in failed authentications


Michael1600

Joined
Jun 23, 2017
There has been a marked uptick in attacks on my systems. Does anyone know what is going on?

"xxx.xxx.xx.xxx has been blacklisted for 3600 seconds. (Expires at: 2018/09/19 21:10:04).
Reason: Too many failed authentications! This IP Address has made numerous attempts to authenticate with 3CX with invalid authentication details. Therefore a blacklist rule has been created denying this IP to continue sending requests"

What is the best practice in terms of dealing with the specific IP addresses that come in? Should each one be permanently blacklisted?
 
There is no best approach. You do whatever you think is best for your environment. Do know that you aren't special and if you have 5060 open to the world on ANY IP PBX you will see attacks. But I can tell you that when only blocking for 3600 seconds you will see a lot of repeat offenders.
 
What is the best practice in terms of dealing with the specific IP addresses that come in? Should each one be permanently blacklisted?

This is what I do; you may choose to do things differently...

I set the blacklist time to 3 days.

I get an email every time there is a blacklist.

Every few days, I go on the blacklist and change any with a current year to 2050, as a standard expiry date makes it easy to scan the list looking for something different (a new entry).

As you begin to "accumulate" blacklisted IPs, you start to see patterns.

I then "widen the net", by changing the subnet to include more IPs in a similar range.


You can also employ a proper firewall to restrict access to select IPs, depending on your particular setup. Things such as remote extensions, especially ones NOT in a fixed location, can complicate this.
 
Similar to Leejor. If I see it, I change all of them to expire on date 01/01/3000. So I know it will NEVER be released except in about 1000 years in which I will be long gone. Also, again as Leejor stated, it is easy to see especially with all the consecutive zeros.

As for my firewall, I only allow traffic originating from our phone company's IPs on port 5060. I use Broadvoice in the US, who clearly indicate the two IP addresses they use, so it is a quick, simple setting on the firewall. All other 5060 traffic is blocked by my firewall. With this setup I almost never get a blacklisted IP. If I do, it is usually because I set up the firewall wrong at a remote site.

If people are using remote (remote sites using Bridges, iOS app, etc.) then they need to use the Tunnel (5090) connection. That is the only port I open to any IP address. And the Tunnel has its own password, different from the extension passwords, so (similar to a VPN connection with a shared secret AND a username/password) it is highly unlikely someone would be able to hack it. If you are worried about people attempting to hack on that port and want to use a non-standard port, you can change the tunnel port number during initial setup. But you can't change it after the fact.

Also, not to mention, IP blacklisting can also occur from people attempting to do Management or Webclient logins. So I also block ports 5000 and 5001 (the default http/https ports used by 3CX) on my firewall to only internal IP addresses. This means no person can log into the system to make changes remotely. But it also means no one can access/download call reports remotely (if you need that ability). Reports would only be accessible via the LAN IP address.
 
I set the number of failed authentications to 1 and the blacklist timer 99999999 seconds. After a while when I see patterns I do what leejor does and just start blocking out entire subnets.
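The "look for patterns, then widen the net" routine described above can be automated on the defender side. The following is an added example, not code from 3CX or from any poster in this thread: it parses blacklist notice lines in the format quoted in the original post and groups them by source IP and by /24 subnet so repeat offenders and clustered ranges stand out. The sample notices are constructed for illustration (documentation address ranges, invented timestamps).

```python
import re
import ipaddress
from collections import Counter, defaultdict

# Constructed sample notices, in the wording 3CX uses for its blacklist event
# (as quoted in the thread). Addresses are from reserved documentation ranges.
SAMPLE_NOTICES = """\
203.0.113.7 has been blacklisted for 3600 seconds. (Expires at: 2018/09/19 21:10:04).
203.0.113.9 has been blacklisted for 3600 seconds. (Expires at: 2018/09/19 22:41:13).
203.0.113.7 has been blacklisted for 3600 seconds. (Expires at: 2018/09/20 01:03:55).
198.51.100.21 has been blacklisted for 3600 seconds. (Expires at: 2018/09/20 03:17:40).
203.0.113.140 has been blacklisted for 3600 seconds. (Expires at: 2018/09/20 05:29:02).
Reason: Too many failed authentications! This IP Address has made numerous attempts.
"""

# Matches the first line of the notice; the "Reason:" line is deliberately ignored.
NOTICE_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) has been blacklisted for (?P<secs>\d+) seconds\. "
    r"\(Expires at: (?P<expires>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\)"
)


def parse_notices(text):
    """Return a list of (ip_address, blacklist_seconds, expires_str) tuples."""
    parsed = []
    for line in text.splitlines():
        m = NOTICE_RE.match(line.strip())
        if m:
            parsed.append((ipaddress.ip_address(m["ip"]), int(m["secs"]), m["expires"]))
    return parsed


def summarise(notices, prefix=24, min_hits=2):
    """Aggregate notices per IP and per /prefix network.

    Returns (repeat_ips, busy_subnets): IPs blacklisted at least min_hits times,
    and networks containing at least min_hits distinct blacklisted IPs. The
    second set is what the thread calls "widening the net" on a subnet.
    """
    per_ip = Counter(ip for ip, _, _ in notices)
    members = defaultdict(set)
    for ip, _, _ in notices:
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        members[net].add(ip)
    repeat_ips = {str(ip): n for ip, n in per_ip.items() if n >= min_hits}
    busy_subnets = {str(net): [str(i) for i in sorted(ips)]
                    for net, ips in members.items() if len(ips) >= min_hits}
    return repeat_ips, busy_subnets
```

Run `summarise(parse_notices(SAMPLE_NOTICES))` to see the single repeat offender and the one /24 with three distinct sources; feed it a mailbox export of the blacklist notifications to use it on real data.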
 