
3CX and security against DoS attacks/trojans etc


h2009

Hi there,

One of my 3CX systems has recently failed, due to hackers/probes/etc. - It seems the system has become overwhelmed by attacks from the internet, and it's now 'failed'. My previously working setup is broken, for no real reason other than potential attacks from the internet.

Typically my setups consist of Router > switch > 3CX & rest of network - with the router using its inbuilt firewall and port forward to the 3CX server.

Is there any way to prevent these attacks from happening, or how have you designed security around this?

Also I'm now questioning a system like GXE5024, which is a PBX only (no Windows), so I'm thinking this would be much more secure?

Any input would be great.

Thanks.
 
If 3CX PBX is guilty, then it should provide a lot of information in the logs.
Could you please send us the "posthumous edition" of the full set of PBX logs (including backups) and specify the version of 3CX PBX (as well as the Windows environment) you used until this accident?

Thanks
 
That's just it, I don't think 3CX caused the issue at all, it's rather a victim of random cyber attacks - the attacks all seemed to be random.

I would just like to hear how other users get around this issue.
 
Your 3CX box, if set up correctly, should be fine. That includes it not being exposed directly to the Internet. Also, is your firewall hardware or software based? What we do is that our router is not allowed to respond to ICMP traffic, and if the traffic is consistent then the IP will be blocked for an indefinite amount of time. Another suggestion is to change your traffic ports to something that is non-standard. This keeps the most obvious ports from being used.
 
h2009 said:
That's just it, I don't think 3CX caused the issue at all, it's rather a victim of random cyber attacks - the attacks all seemed to be random.

I would just like to hear how other users get around this issue.

I need to ask for PBX logs and additional information again. Even if "cyber attacks" were random the backup should contain "spots".

Thanks for your cooperation
 
OK, that's no problem - I'll post them up here as soon as I get back to the office - as the whole server is down, so I can't get in remotely anymore.
 
h2009 said:
OK, that's no problem - I'll post them up here as soon as I get back to the office - as the whole server is down, so I can't get in remotely anymore.

Ok... I hope you will not forget to publish results of your investigation ;)

Thanks
 
DOS attacks have ABSOLUTELY nothing to do with Windows. In fact Windows is quite secure out of the box. A PBX which runs on some Linux version that you are not familiar with, and you are not sure whether it has been updated against the latest threats, is MUCH more insecure. You must consider attacks at application level; these are the most effective. For example, a web interface using PHP (we do not use PHP) that has not been properly coded and is attacked and allows access to the admin system. (Nothing against PHP here, but just giving an example.)

At network level, you can protect yourself using the firewall as bblokey said. But again this has nothing to do with 3CX and will be independent of whatever IP PBX you use.
 
Like I said, I don't for a second think it's anything to do with 3CX. It's 100% a Windows issue / firewall issue. So I was just wondering what kind of setup people were running to protect against these types of things happening. The reason why I ask was to see if it's worth investing in some kind of firewall box to put in my rack system.

And I was curious as to what level of protection other PBX (or OS's) offer since I've only ever used 3CX.

SY I've sent you a zip file of the logs for you to review. I'll be reformatting the system now and starting from scratch.
 
h2009 said:
Like I said, I don't for a second think it's anything to do with 3CX. It's 100% a Windows issue / firewall issue. So I was just wondering what kind of setup people were running to protect against these types of things happening. The reason why I ask was to see if it's worth investing in some kind of firewall box to put in my rack system.

And I was curious as to what level of protection other PBX (or OS's) offer since I've only ever used 3CX.

SY I've sent you a zip file of the logs for you to review. I'll be reformatting the system now and starting from scratch.

Thanks a lot for the information. I will answer you tomorrow.
If I understand (please correct me if I'm wrong), the issue is the "I hate Windows on my server", isn't it?
Could you please comment on the following articles:
http://news.cnet.com/8301-1009_3-10354540-83.html
http://www.computerworld.com/s/article/9138007/Microsoft_No_TCP_IP_patches_for_you_XP

It is a kind of "unverified" information, but I don't think you don't trust these sources. :)

Could you please specify the benefits of using GXE5024?

Thanks
P.S. there is additional url "http://www.itworld.com/security/77499/first-linux-botnet"
 
I don't really know what you're looking for me to say? I don't like Windows, I don't hide that fact. I use OSX wherever I possibly can. I gave up on Windows (mainly due to BSOD) and I can honestly say that I have never had any issues with OSX. I would love it if 3CX became native to OSX as I'm sure there are many benefits to be gained from it, but I'm not expecting it to happen any time soon.

All I'm asking is how users secure their 3CX servers/environments. And like I keep saying, there is nothing wrong with 3CX at all, it's what got me started in VOIP in the first place, and I will always use it for PBX. I would simply like to know the difference between 3CX and GXE502X in terms of security, as from the surface of it, it does seem more secure.

I don't know if that's right or wrong, that is why I'm asking - and Google doesn't have the answer to this question yet (until someone can explain why and it gets picked up by the bots).
 
h2009 said:
I don't really know what you're looking for me to say? I don't like Windows, I don't hide that fact. I use OSX wherever I possibly can. I gave up on Windows (mainly due to BSOD) and I can honestly say that I have never had any issues with OSX. I would love it if 3CX became native to OSX as I'm sure there are many benefits to be gained from it, but I'm not expecting it to happen any time soon.

All I'm asking is how users secure their 3CX servers/environments. And like I keep saying, there is nothing wrong with 3CX at all, it's what got me started in VOIP in the first place, and I will always use it for PBX. I would simply like to know the difference between 3CX and GXE502X in terms of security, as from the surface of it, it does seem more secure.

I don't know if that's right or wrong, that is why I'm asking - and Google doesn't have the answer to this question yet (until someone can explain why and it gets picked up by the bots).

Please answer my PM.
The theme of discussion is "3CX and security against DoS attacks/trojans etc".
I cannot understand how to correlate the "I keep saying there is nothing wrong with 3CX at all" with the headline of this topic...
Sorry, I'm slightly confused...

Thanks
 
Yes, it's just a title - I don't believe it's been covered before. I have never said anything bad about 3CX and I wouldn't, so again I don't know what you're trying to get at? I'm simply looking for an answer and how it affects security - whatever answer that may be. And the same goes for how it compares to other PBXs. Which I think would be useful to know and a good selling point.

All my 3CX installations have 3CX on them only - so I call them '3CX systems' - but given that this server has become a victim of attacks from the internet, I would like more details on how other people protect the environment.

So can you answer that question? And the ones on how it compares to other PBXs?
 
h2009 said:
Yes, it's just a title - I don't believe it's been covered before. I have never said anything bad about 3CX and I wouldn't, so again I don't know what you're trying to get at? I'm simply looking for an answer and how it affects security - whatever answer that may be. And the same goes for how it compares to other PBXs. Which I think would be useful to know and a good selling point.

All my 3CX installations have 3CX on them only - so I call them '3CX systems' - but given that this server has become a victim of attacks from the internet, I would like more details on how other people protect the environment.

So can you answer that question? And the ones on how it compares to other PBXs?

We should find an answer to the question "what are the reasons for this situation?"
Windows? I don't think it is the reason. 3CX PBX? As a developer of this product I can't believe it ;) .
Please send me the information directly to my mail. (See my PM.)

Basically, it is a support case. If you have this kind of problem then you should contact the support team.

Thanks
 
If you have the proper front end protection this should be a non-issue. Looking at our logs, I see thousands of bot hits a day, many try to guess SIP auth ids and passwords. Having a secure password scheme, not using 2 or 3 digit extensions, and shutting down services in 3CX that are not in use like the conference server are your best bet for defense. There are certainly some firewall products out there which can aid in these problems, but they come with a heavy price. In particular the Sonicwall and Watchguard appliances.

Something I was taught in the web hosting industry is you are never attacked without reason. Sometimes it's an exploit, sometimes your computer has been compromised (and could be seeding Shrek 4 six weeks before it's due in theaters), other times it is a misconfigured server. Sometimes companies play dirty, and they pay foreign agencies to bring down a system or break in and seek out proprietary information. And every once in a while you end up on the cover of Slashdot or Digg and find your server smoldering in its rack.


If you're having DDOS issues, then you need to do the following:

Get a good front end router, one with DDOS and packet level inspection.
Request new IPs from your ISP. Check to make sure these are not BOGON IPs or blacklisted. Bogon IPs are fresh IPs, and these are sometimes used as spoofed IPs. Blacklisted IPs can also cause problems too because hackers / people with malicious intent previously owned them. These are both a big no-no.
Use secure passwords. Apply the latest patches for both the OS and the application.
Review logs at least once a week, and set up traps/trip wires to detect anything abnormal.
Abnormal server bandwidth is a telltale sign that something may be up on your box.


You speak about going to a proprietary PBX, but oftentimes those vendors are slower to patch their system software. I had a Nortel BCM400 get compromised 4 times before Nortel released a service bulletin or a fix. At $1,500 it really put a dent in my IT budget.
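
Added example (not part of the original thread and not 3CX code): one way to build the log "trip wire" suggested in the last post, flagging sources that guess SIP extensions or passwords. The log line format, field names and thresholds are assumptions made for illustration; they are not the 3CX log format.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in a hypothetical format, not the 3CX log format.
# result= is the final outcome after the digest challenge, not the first 401.
SAMPLE_LOG = """\
2009-10-01 02:14:01 REGISTER src=203.0.113.7 ext=100 result=FAIL
2009-10-01 02:14:02 REGISTER src=203.0.113.7 ext=101 result=FAIL
2009-10-01 02:14:03 REGISTER src=203.0.113.7 ext=102 result=FAIL
2009-10-01 02:14:04 REGISTER src=203.0.113.7 ext=103 result=FAIL
2009-10-01 08:30:10 REGISTER src=192.0.2.20 ext=2140 result=FAIL
2009-10-01 08:30:25 REGISTER src=192.0.2.20 ext=2140 result=OK
2009-10-01 09:00:00 REGISTER src=198.51.100.9 ext=2150 result=FAIL
2009-10-01 09:00:01 REGISTER src=198.51.100.9 ext=2150 result=FAIL
2009-10-01 09:00:02 REGISTER src=198.51.100.9 ext=2150 result=FAIL
2009-10-01 09:00:03 REGISTER src=198.51.100.9 ext=2150 result=FAIL
2009-10-01 09:00:04 REGISTER src=198.51.100.9 ext=2150 result=FAIL
garbage line that does not parse
"""

LINE_RE = re.compile(r"^(\S+ \S+) REGISTER src=(\S+) ext=(\d+) result=(OK|FAIL)$")

def find_guessers(log_text, window_s=60, max_fail=5, max_ext=3):
    """Map source IP -> reason, for failed REGISTERs inside a sliding window."""
    recent = defaultdict(deque)          # ip -> deque of (time, ext) failures
    flagged = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group(4) != "FAIL":
            continue                     # skip successes and unparsable lines
        when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        ip, ext = m.group(2), m.group(3)
        q = recent[ip]
        q.append((when, ext))
        while when - q[0][0] > timedelta(seconds=window_s):
            q.popleft()                  # drop failures older than the window
        if len({e for _, e in q}) > max_ext:
            flagged.setdefault(ip, "extension scan")
        elif len(q) >= max_fail:
            flagged.setdefault(ip, "password guessing")
    return flagged

if __name__ == "__main__":
    for ip, reason in find_guessers(SAMPLE_LOG).items():
        print(ip, reason)
```

The user at 192.0.2.20 who mistypes once and then registers is not flagged; the flagged addresses are candidates for the firewall block described earlier in the thread.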
 