Anti-hacking Module / Blacklist Notifications / LOGS

Discussion in '3CX Phone System - General' started by Chris W., Mar 1, 2018.

Thread Status:
Not open for further replies.
  1. Chris W.

    Joined:
    Dec 28, 2017
    Messages:
    24
    Likes Received:
    2
    Hi there, I have installed 3CX on the Unix distro, and I am quite happy about it, but recently I am seeing some hacking attempts; it seems like

    The IP 195.154.42.164 has been blacklisted for 501 sec.
    The IP 195.154.42.164 has been blacklisted for 1001 sec.
    The IP 195.154.42.164 has been blacklisted for 1001 sec.
    Reason: Requests rate is too high!

    Those messages keep coming very frequently overnight,

    so I have some questions:
    1) How do you permanently ban an IP in 3CX?
    2) How do you extend that random blacklist time to something longer than what it seems to be?
    3) Is there any way to enable Unix logs to log those IP requests/blacklists? If I had it logged somewhere I could use fail2ban or other scripts/tools to automatically block those IPs in iptables, but I'm not sure how to get to those blacklisted IPs from the Unix level.

    Regards,

    Chris

    PS: I did block that IP this morning in iptables, but I need to figure out a way to automatically add it to iptables. Please help me find a way to get such IPs from the Unix shell, best if I can enable Unix logging for it like syslog etc.
     
  2. voiptoys

    voiptoys Active Member

    Joined:
    Feb 13, 2013
    Messages:
    893
    Likes Received:
    154
    On the 3CX web console home page, the big blue button labeled "IP Blacklist"
     
  3. Chris W.

    Joined:
    Dec 28, 2017
    Messages:
    24
    Likes Received:
    2
    Sorry, yes, I know about this, but it's a manual process. I would like to automate this as this happens overnight and there were quite a few attempts. I'd like to set it up so that at least on the Unix level I can see the logs and put such offending IP addresses in iptables so that I don't have to worry. I don't want to take any chances or risks; if I am on vacation, or overnight, I don't want hackers to just have a way to keep trying.

    I also see there are 501 and 1001 seconds in my emails for the automatic blacklist that 3CX is imposing.
    I have 1000 in the field "Failed Challenge Requests (407)",
    so that would probably be the 1001 second ban, but where is the 501 coming from?

    my other values are:
    Blacklist time interval ==> 86400
    Security Barrier (Green) ==> 200
    Security Barrier (Amber) ==> 2000
    Security Barrier (Red) ==> 4000
    so I'm not sure where the 501 second ban comes from:
    The IP 195.154.42.164 has been blacklisted for 501 sec.
     
  4. Chris W.

    Joined:
    Dec 28, 2017
    Messages:
    24
    Likes Received:
    2
    Anyway, I'm following the guide at this URL and trying to increase the security as it specifies in the slideshow; hope it will help.

    https://www.3cx.com/3cxacademy/videos/advanced/security-with-3cx-phone-system/

    I did notice there is a Postgres DB where I would imagine 3CX is storing all the logs and data. I wonder if I can write a small script to look at those failed IP attempts and pass them to iptables to block those IPs on the Unix side for the whole system rather than just banning them temporarily. Wish there was syslog functionality built in where I could log all those attempts straight to syslog...
     
  5. Chris W.

    Joined:
    Dec 28, 2017
    Messages:
    24
    Likes Received:
    2
    So yeah, all the info is in the DB :)
    I think I will be able to do something about it and add the IP from the event log to iptables; I'll probably need to run it from a crontab and block such IPs for the whole system... :) Will post/update on the progress if anyone else would like to do similar system-level blocking via iptables rather than just having a temporary ban. That IP seems to be coming from a well-known location for hackers, so I certainly don't need it on my system.

    database_single=# select * from blacklist
    database_single-# ;
    idblacklist | ipaddr | ipmask | description | expiresat | blocktype
    -------------+----------------+-----------------+--------------------------------------------------+-------------+-----------
    113 | 195.154.42.164 | 255.255.255.255 | PBX: blocked for too many failed authentications | 13164470456 | 0
    7 | 192.168.1.0 | 255.255.255.0 | Private Network | 13790548832 | 1
    8 | 192.168.2.0 | 255.255.255.0 | Private Network | 13790548855 | 1
    20 | 185.107.83.35 | 255.255.255.255 | weird ip, spanning alarms | 13792930470 | 0
    (8 rows)


    database_single=# select * from eventlog;
    ideventlog | entrytype | source | eventid | timegenerated | params | tag
    ------------+-----------+----------------------------+---------+------------------------+---------------------------------------------------------------------------------+-----
    904 | 4 | Event Notification Manager | 10025 | 2018-02-26 05:05:33+00 | {""} |
    905 | 1 | SIP Server/Call Manager | 12290 | 2018-02-28 03:52:14+00 | {195.154.42.164,86400,"2018/02/28 22:52:14","Too many failed authentications!"} |
    906 | 1 | SIP Server/Call Manager | 12292 | 2018-03-01 01:03:29+00 | {162.245.236.26,20} |
    907 | 1 | SIP Server/Call Manager | 12292 | 2018-03-01 03:52:24+00 | {195.154.42.164,1001} |
    908 | 1 | SIP Server/Call Manager | 12292 | 2018-03-01 04:10:15+00 | {195.154.42.164,1001} |
    909 | 1 | SIP Server/Call Manager | 12292 | 2018-03-01 04:28:03+00 | {195.154.42.164,1001} |
    910 | 1 | SIP Server/Call Manager | 12292 | 2018-03-01 04:46:02+00 | {195.154.42.164,1001} |
    911 | 1 | SIP Server/Call Manager | 12292 | 2018-03-01 05:03:53+00 | {195.154.42.164,1001} |
    912 | 1 | SIP Server/Call Manager | 12292 | 2018-03-01 05:22:03+00 | {195.154.42.164,1001} |
    913 | 1 | SIP Server/Call Manager | 12292 | 2018-03-01 05:43:55+00 | {195.154.42.164,1001} |
    914 | 1 | SIP Server/Call Manager | 12292 | 2018-03-01 06:00:54+00 | {195.154.42.164,1001} |
    915 | 1 | SIP Server/Call Manager | 12292 | 2018-03-01 06:17:41+00 | {195.154.42.164,501} |
    916 | 1 | SIP Server/Call Manager | 12292 | 2018-03-01 06:27:42+00 | {195.154.42.164,1001} |
    917 | 1 | SIP Server/Call Manager | 12292 | 2018-03-01 06:51:02+00 | {195.154.42.164,1001} |
    918 | 1 | SIP Server/Call Manager | 12292 | 2018-03-01 07:07:46+00 | {195.154.42.164,1001} |
    919 | 1 | SIP Server/Call Manager | 12292 | 2018-03-01 07:27:41+00 | {195.154.42.164,501} |
    920 | 1 | SIP Server/Call Manager | 12292 | 2018-03-01 07:37:31+00 | {195.154.42.164,501} |
    921 | 1 | SIP Server/Call Manager | 12292 | 2018-03-01 07:47:29+00 | {195.154.42.164,1001} |
    922 | 1 | SIP Server/Call Manager | 12292 | 2018-03-01 08:07:25+00 | {195.154.42.164,1001} |
    923 | 1 | SIP Server/Call Manager | 12292 | 2018-03-01 08:43:27+00 | {195.154.42.164,501} |
    924 | 1 | SIP Server/Call Manager | 12292 | 2018-03-01 08:53:28+00 | {195.154.42.164,1001} |
    925 | 1 | SIP Server/Call Manager | 12292 | 2018-03-01 09:13:23+00 | {195.154.42.164,1001} |
    926 | 1 | SIP Server/Call Manager | 12292 | 2018-03-01 09:36:25+00 | {195.154.42.164,501} |
    927 | 1 | SIP Server/Call Manager | 12292 | 2018-03-01 09:46:22+00 | {195.154.42.164,19} |
    928 | 1 | SIP Server/Call Manager | 12292 | 2018-03-01 09:49:42+00 | {195.154.42.164,1001} |
    929 | 1 | SIP Server/Call Manager | 12292 | 2018-03-01 10:09:43+00 | {195.154.42.164,1001} |
    930 | 1 | SIP Server/Call Manager | 12292 | 2018-03-01 10:36:10+00 | {195.154.42.164,501} |
    931 | 1 | SIP Server/Call Manager | 12292 | 2018-03-01 10:46:03+00 | {195.154.42.164,1001} |
    932 | 1 | SIP Server/Call Manager | 12292 | 2018-03-01 11:08:24+00 | {195.154.42.164,501} |
    933 | 1 | SIP Server/Call Manager | 12292 | 2018-03-01 11:18:15+00 | {195.154.42.164,501} |
    934 | 1 | SIP Server/Call Manager | 12292 | 2018-03-01 11:34:47+00 | {195.154.42.164,1001} |
    935 | 1 | SIP Server/Call Manager | 12292 | 2018-03-01 11:54:58+00 | {195.154.42.164,1001} |
    936 | 1 | SIP Server/Call Manager | 12292 | 2018-03-01 12:14:45+00 | {195.154.42.164,501} |
    937 | 1 | SIP Server/Call Manager | 12292 | 2018-03-01 12:31:22+00 | {195.154.42.164,1001} |
    938 | 1 | SIP Server/Call Manager | 12290 | 2018-03-01 13:20:56+00 | {195.154.42.164,86400,"2018/03/02 08:20:56","Too many failed authentications!"} |
    (35 rows)

    database_single=#
     
  6. Chris W.

    Joined:
    Dec 28, 2017
    Messages:
    24
    Likes Received:
    2
    From root I can access that event log via sudo:

    sudo -u phonesystem -H -- psql -d database_single -c "SELECT * FROM eventlog"

    Hope your system is the same:
    phonesystem <= user
    database_single <= database
    eventlog <= table
     
  7. Chris W.

    Joined:
    Dec 28, 2017
    Messages:
    24
    Likes Received:
    2
    Wrote a little bash script that I am running in my cron. After 3CX bans the IP, this script takes it from the DB eventlog and then adds it to iptables to drop all connections from that IP to the server. Use it if you like, use it at your own risk :)
     

    Attached Files:

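The script attached to the post above is not reproduced on the page, so here is an added example of the same idea, written for this thread and not the author's own file. It assumes the user, database and table names from post #6 (phonesystem, database_single, eventlog), the column names eventid and params visible in the psql dump above, and that event IDs 12290 and 12292 are the anti-hacking module's blacklist events (the only IDs that carry an IP in the dump; treat that mapping as an assumption, not 3CX documentation). The sample rows are constructed to match the dump. Without --apply it only prints the iptables rules it would add; private RFC 1918 addresses are skipped so LAN phones cannot be locked out, and rules are only inserted when iptables -C reports they are absent, which keeps repeated cron runs from piling up duplicates.

```shell
#!/bin/sh
# Added example, not the thread author's attached script.
# Pull IPs that the 3CX anti-hacking module blacklisted out of the eventlog
# table and turn them into iptables DROP rules.
#
# Assumed query (names taken from the thread; -A unaligned, -t tuples only,
# -F sets the field separator, so rows come out as "eventid|params"):
#   sudo -u phonesystem -H -- psql -d database_single -At -F '|' \
#     -c "SELECT eventid, params FROM eventlog WHERE eventid IN (12290,12292)"

# Constructed sample rows shaped like the dump in the thread; the params
# column is a Postgres array literal whose first element is the address.
SAMPLE_ROWS='12292|{195.154.42.164,1001}
12292|{162.245.236.26,20}
12290|{195.154.42.164,86400,"2018/02/28 22:52:14","Too many failed authentications!"}
12292|{192.168.1.0,501}
10025|{""}'

# Print unique public IPv4 addresses from rows whose eventid is one of the
# (assumed) blacklist event IDs. RFC 1918 ranges are dropped deliberately.
extract_blacklisted_ips() {
    printf '%s\n' "$1" |
    awk -F'|' '$1 == 12290 || $1 == 12292 {
        sub(/^[{]/, "", $2)          # strip the leading "{" of the array literal
        split($2, f, ",")            # first element is the address
        ip = f[1]
        if (ip ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) print ip
    }' |
    grep -Ev '^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)' |
    sort -u
}

# Render the rule for one address without executing anything (dry run).
drop_rule_for() {
    printf 'iptables -I INPUT -s %s -j DROP\n' "$1"
}

# Insert the rule only if it is not already present; "iptables -C" returns
# non-zero when no matching rule exists.
apply_drop() {
    ip=$1
    if iptables -C INPUT -s "$ip" -j DROP 2>/dev/null; then
        echo "already blocked: $ip"
    else
        iptables -I INPUT -s "$ip" -j DROP && echo "blocked: $ip"
    fi
}

main() {
    if [ "$1" = "--apply" ]; then
        # Live mode: read the real eventlog (needs root for sudo and iptables).
        rows=$(sudo -u phonesystem -H -- psql -d database_single -At -F '|' \
            -c "SELECT eventid, params FROM eventlog WHERE eventid IN (12290,12292)")
        for ip in $(extract_blacklisted_ips "$rows"); do apply_drop "$ip"; done
    else
        # Dry run on the constructed sample: shows the rules it would add.
        for ip in $(extract_blacklisted_ips "$SAMPLE_ROWS"); do drop_rule_for "$ip"; done
    fi
}

main "$@"
```

Run it from cron with --apply as root once the dry run shows the expected addresses; rules added with iptables -I are not persistent across reboots, so pair it with whatever rule-saving mechanism your distro uses.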
  8. Buya

    Joined:
    Mar 6, 2018
    Messages:
    13
    Likes Received:
    1
    #8 Buya, Mar 6, 2018
    Last edited: Mar 8, 2018
  9. Chris W.

    Joined:
    Dec 28, 2017
    Messages:
    24
    Likes Received:
    2
    Yeah, or syslog where messages could be redirected to. But it's not, from what I see, and the only way I could see it was in the DB. I just did not want IPs on my system which are hacking or trying to break in; that's why for me it was easiest to access that DB, pull the info and put that IP in an iptables entry to ban it from my system, not only for those SIP ports but from accessing any ports which might or might not be monitored. But yes, fail2ban would be awesome to use for such.
     