
Anti-hacking Module / Blacklist Notifications / LOGS


Chris W. (Free User, joined Dec 28, 2017)
Hi there, I have installed 3CX on a Unix distro and I am quite happy about it, but recently I am seeing some hacking attempts, it seems, like:

The IP 195.154.42.164 has been blacklisted for 501 sec.
The IP 195.154.42.164 has been blacklisted for 1001 sec.
The IP 195.154.42.164 has been blacklisted for 1001 sec.
Reason: Requests rate is too high!

Those messages keep coming very frequently overnight.

So I have some questions:
1) How do you permanently ban an IP in 3CX?
2) How do you extend that random blacklist time to something longer than what it seems to be?
3) Is there any way to enable Unix logs to log those IP requests/blacklists? If I had it logged somewhere I could use fail2ban or other scripts/tools to automatically block those IPs in iptables, but I am not sure how to get to those blacklisted IPs from the Unix level.

Regards,

Chris

PS: I did block that IP this morning in iptables, but I need to figure out a way to automatically add it to iptables. Please help me find a way to get such IPs from the Unix shell, best if I can enable Unix logging for it, like syslog etc.
 
On the 3CX web console home page, the big blue button labeled "IP Blacklist"
 
> On the 3CX web console home page, the big blue button labeled "IP Blacklist"

Sorry, yes, I know about this, but it's a manual process. I would like to automate this, as this happens overnight and there were quite a few attempts. I would like to set it up so that at least on the Unix level I can see the logs and put such offending IP addresses in iptables so that I don't have to worry. I don't want to take any chances or risks; if I am on vacation, or overnight, I don't want hackers to just have a way to keep trying.

I also see there are 501 and 1001 seconds in my emails for the automatic blacklist that 3CX is imposing.
I have 1000 in the field "Failed Challenge Requests (407)",
so that would probably be the 1001 second ban, but where is the 501 coming from?

My other values are:
Blacklist time interval ==> 86400
Security Barrier (Green) ==> 200
Security Barrier (Amber) ==> 2000
Security Barrier (Red) ==> 4000
so I am not sure where the 501 second ban comes from:
The IP 195.154.42.164 has been blacklisted for 501 sec.
 
Anyway, I am following the guide at this URL and trying to increase the security as it specifies in the slideshow; hope it will help:

https://www.3cx.com/3cxacademy/videos/advanced/security-with-3cx-phone-system/

I did notice there is a Postgres DB where I would imagine 3CX is storing all the logs and data. I wonder if I can write a small script to look at those failed IP attempts and pass them to iptables to block those IPs on the Unix side for the whole system rather than just banning them temporarily. Wish there was syslog functionality built in where I could log all those attempts straight to syslog...
 
So yeah, all the info is in the DB :)
I think I will be able to do something about it and add the IP from the event log to iptables; probably will need to run it from a crontab and block such IPs for the whole system... :) Will post/update on the progress if anyone else would like to do similar system-level blocking via iptables rather than just have a temporary ban. That IP seems to be coming from a well-known location for hackers, so I certainly don't need such on my system.

database_single=# select * from blacklist
database_single-# ;
 idblacklist |     ipaddr      |     ipmask      |                   description                    |  expiresat  | blocktype
-------------+-----------------+-----------------+--------------------------------------------------+-------------+-----------
         113 | 195.154.42.164  | 255.255.255.255 | PBX: blocked for too many failed authentications | 13164470456 |         0
           7 | 192.168.1.0     | 255.255.255.0   | Private Network                                  | 13790548832 |         1
           8 | 192.168.2.0     | 255.255.255.0   | Private Network                                  | 13790548855 |         1
          20 | 185.107.83.35   | 255.255.255.255 | weird ip, spanning alarms                        | 13792930470 |         0
(8 rows)

database_single=# select * from eventlog;
 ideventlog | entrytype |           source           | eventid |     timegenerated      |                                     params                                      | tag
------------+-----------+----------------------------+---------+------------------------+---------------------------------------------------------------------------------+-----
        904 |         4 | Event Notification Manager |   10025 | 2018-02-26 05:05:33+00 | {""}                                                                            |
        905 |         1 | SIP Server/Call Manager    |   12290 | 2018-02-28 03:52:14+00 | {195.154.42.164,86400,"2018/02/28 22:52:14","Too many failed authentications!"} |
        906 |         1 | SIP Server/Call Manager    |   12292 | 2018-03-01 01:03:29+00 | {162.245.236.26,20}                                                             |
        907 |         1 | SIP Server/Call Manager    |   12292 | 2018-03-01 03:52:24+00 | {195.154.42.164,1001}                                                           |
        908 |         1 | SIP Server/Call Manager    |   12292 | 2018-03-01 04:10:15+00 | {195.154.42.164,1001}                                                           |
        909 |         1 | SIP Server/Call Manager    |   12292 | 2018-03-01 04:28:03+00 | {195.154.42.164,1001}                                                           |
        910 |         1 | SIP Server/Call Manager    |   12292 | 2018-03-01 04:46:02+00 | {195.154.42.164,1001}                                                           |
        911 |         1 | SIP Server/Call Manager    |   12292 | 2018-03-01 05:03:53+00 | {195.154.42.164,1001}                                                           |
        912 |         1 | SIP Server/Call Manager    |   12292 | 2018-03-01 05:22:03+00 | {195.154.42.164,1001}                                                           |
        913 |         1 | SIP Server/Call Manager    |   12292 | 2018-03-01 05:43:55+00 | {195.154.42.164,1001}                                                           |
        914 |         1 | SIP Server/Call Manager    |   12292 | 2018-03-01 06:00:54+00 | {195.154.42.164,1001}                                                           |
        915 |         1 | SIP Server/Call Manager    |   12292 | 2018-03-01 06:17:41+00 | {195.154.42.164,501}                                                            |
        916 |         1 | SIP Server/Call Manager    |   12292 | 2018-03-01 06:27:42+00 | {195.154.42.164,1001}                                                           |
        917 |         1 | SIP Server/Call Manager    |   12292 | 2018-03-01 06:51:02+00 | {195.154.42.164,1001}                                                           |
        918 |         1 | SIP Server/Call Manager    |   12292 | 2018-03-01 07:07:46+00 | {195.154.42.164,1001}                                                           |
        919 |         1 | SIP Server/Call Manager    |   12292 | 2018-03-01 07:27:41+00 | {195.154.42.164,501}                                                            |
        920 |         1 | SIP Server/Call Manager    |   12292 | 2018-03-01 07:37:31+00 | {195.154.42.164,501}                                                            |
        921 |         1 | SIP Server/Call Manager    |   12292 | 2018-03-01 07:47:29+00 | {195.154.42.164,1001}                                                           |
        922 |         1 | SIP Server/Call Manager    |   12292 | 2018-03-01 08:07:25+00 | {195.154.42.164,1001}                                                           |
        923 |         1 | SIP Server/Call Manager    |   12292 | 2018-03-01 08:43:27+00 | {195.154.42.164,501}                                                            |
        924 |         1 | SIP Server/Call Manager    |   12292 | 2018-03-01 08:53:28+00 | {195.154.42.164,1001}                                                           |
        925 |         1 | SIP Server/Call Manager    |   12292 | 2018-03-01 09:13:23+00 | {195.154.42.164,1001}                                                           |
        926 |         1 | SIP Server/Call Manager    |   12292 | 2018-03-01 09:36:25+00 | {195.154.42.164,501}                                                            |
        927 |         1 | SIP Server/Call Manager    |   12292 | 2018-03-01 09:46:22+00 | {195.154.42.164,19}                                                             |
        928 |         1 | SIP Server/Call Manager    |   12292 | 2018-03-01 09:49:42+00 | {195.154.42.164,1001}                                                           |
        929 |         1 | SIP Server/Call Manager    |   12292 | 2018-03-01 10:09:43+00 | {195.154.42.164,1001}                                                           |
        930 |         1 | SIP Server/Call Manager    |   12292 | 2018-03-01 10:36:10+00 | {195.154.42.164,501}                                                            |
        931 |         1 | SIP Server/Call Manager    |   12292 | 2018-03-01 10:46:03+00 | {195.154.42.164,1001}                                                           |
        932 |         1 | SIP Server/Call Manager    |   12292 | 2018-03-01 11:08:24+00 | {195.154.42.164,501}                                                            |
        933 |         1 | SIP Server/Call Manager    |   12292 | 2018-03-01 11:18:15+00 | {195.154.42.164,501}                                                            |
        934 |         1 | SIP Server/Call Manager    |   12292 | 2018-03-01 11:34:47+00 | {195.154.42.164,1001}                                                           |
        935 |         1 | SIP Server/Call Manager    |   12292 | 2018-03-01 11:54:58+00 | {195.154.42.164,1001}                                                           |
        936 |         1 | SIP Server/Call Manager    |   12292 | 2018-03-01 12:14:45+00 | {195.154.42.164,501}                                                            |
        937 |         1 | SIP Server/Call Manager    |   12292 | 2018-03-01 12:31:22+00 | {195.154.42.164,1001}                                                           |
        938 |         1 | SIP Server/Call Manager    |   12290 | 2018-03-01 13:20:56+00 | {195.154.42.164,86400,"2018/03/02 08:20:56","Too many failed authentications!"} |
(35 rows)

database_single=#
 
From root I can access that event log via sudo:

sudo -u phonesystem -H -- psql -d database_single -c "SELECT * FROM eventlog"

Hope your system is the same:
phonesystem <= user
database_single <= database
eventlog <= table
 
I wrote a little bash script that I am running in my cron; after 3CX bans the IP, this script takes it from the DB eventlog and then adds it to iptables to drop all connections from that IP to the server. Use it if you like, at your own risk :)
 

Attachment: 3cx_postgress_to_IPTable_BAN.txt (1.1 KB)
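An added example of the kind of cron job the post above describes, written here as an illustration rather than the attached script or any 3CX code: it reads the params column of eventlog for event ids 12290 and 12292 with psql, extracts the offending IP, and adds an idempotent iptables DROP rule. The user, database, table and event ids come from the thread; the `{<ip>,...}` params layout, the INPUT chain and the private-range skip are assumptions.

```shell
#!/bin/sh
# Added example, not the script attached to the post. Pulls the IPs that the
# 3CX anti-hacking module wrote to the eventlog table and DROPs them in
# iptables. Assumes (from the thread) DB user phonesystem, database
# database_single, table eventlog, event ids 12290/12292, and that the
# params value for those events begins "{<ip>,...}". Run from root's cron.
set -eu

PG_USER=phonesystem
PG_DB=database_single
CHAIN=INPUT

# Print the raw params value of each blacklist event, one per line.
# -A = unaligned output, -t = tuples only (no header, no "(n rows)" footer).
fetch_ban_events() {
    sudo -u "$PG_USER" -H -- psql -d "$PG_DB" -At -c \
        "SELECT params FROM eventlog WHERE eventid IN (12290, 12292)"
}

# Turn lines like {195.154.42.164,1001} into bare IPs, keep only well-formed
# IPv4 addresses, skip RFC1918/loopback so the LAN is never locked out, dedupe.
extract_ips() {
    sed 's/^{//; s/[,}].*//' \
    | grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}$' \
    | grep -Ev '^(10\.|127\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)' \
    | sort -u
}

# Insert a DROP rule only if an identical one is not already present (-C),
# so repeated cron runs do not pile up duplicate rules; record it in syslog.
block_ip() {
    ip="$1"
    if ! iptables -C "$CHAIN" -s "$ip" -j DROP 2>/dev/null; then
        iptables -I "$CHAIN" -s "$ip" -j DROP
        logger -t 3cx-ban "DROP rule added for $ip (3CX blacklist event)"
    fi
}

ban_all() {
    fetch_ban_events | extract_ips | while read -r ip; do block_ip "$ip"; done
}

# Only touch the database and firewall when invoked as: ./3cx_ban.sh run
if [ "${1:-}" = "run" ]; then
    ban_all
fi
```

Because eventlog keeps every historical ban, the rules persist across reboots only if you also save them (e.g. iptables-save), and an IP stays blocked until you delete the rule by hand.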
Would be really nice if this information could be available in a plain text logfile; we would be able to automatically ban using Fail2ban.
See my feature request related to this: Plain text log file with failed login attempts.

Yeah, or syslog where messages could be redirected to. But it's not, from what I see, and the only way I could see it was in the DB. I just did not want IPs on my system which are hacking or trying to break in; that's why for me it was easiest to access that DB, pull the info and put that IP in an iptables entry to ban it from my system, not only for those SIP ports but from accessing any ports which might or might not be monitored. But yes, fail2ban would be awesome to use for such.
 