are you seeing a lot of hacking?

Discussion in '3CX Phone System - General' started by mylove4life, Nov 2, 2011.

Thread Status:
Not open for further replies.
  1. mylove4life

    mylove4life New Member

    Joined:
    Jan 7, 2010
    Messages:
    165
    Likes Received:
    0
    Hi all, the last couple of days I have been seeing a lot of people trying to get into the system. Anyone else seeing a lot of hackers?
     
  2. leejor

    leejor Well-Known Member

    Joined:
    Jan 22, 2008
    Messages:
    10,842
    Likes Received:
    298
    Yup, every few days or more...it seems to be the new pastime.
     
  3. pat

    pat

    Joined:
    Feb 12, 2008
    Messages:
    34
    Likes Received:
    0
    For me too. I have changed the standard SIP port....
     
  4. willow

    willow Member

    Joined:
    Mar 1, 2011
    Messages:
    471
    Likes Received:
    0
    More and more everyday.
     
  5. eagle2

    eagle2 Well-Known Member

    Joined:
    Apr 27, 2011
    Messages:
    1,085
    Likes Received:
    11
    This is helping only for a short time.
    Hackers are scanning all ports and will discover your new SIP port quite soon.

    regards
     
  6. pat

    pat

    Joined:
    Feb 12, 2008
    Messages:
    34
    Likes Received:
    0
    But on the first test they don't know whether it is SIP or not.
     
  7. haywardi

    Joined:
    Feb 27, 2011
    Messages:
    83
    Likes Received:
    0
    Yep, massive increase; gone from maybe once every two weeks to once every two days!
     
  8. eagle2

    eagle2 Well-Known Member

    Joined:
    Apr 27, 2011
    Messages:
    1,085
    Likes Received:
    11
    Find and read a book called "Hacking Exposed VoIP"; unfortunately I can't quote the names of the authors. You will understand a lot about the new tactics of hackers. Finding a non-standard port is simply easy: first scanning for open ports and then sending a SIP INVITE message to all of them; it usually takes a week for your new port to be discovered. This 'trick' was helpful until 2008. Nowadays the attacks are well organized, distributed and difficult to detect.

    Regards
     
  9. SY

    SY Well-Known Member
    3CX Support

    Joined:
    Jan 26, 2007
    Messages:
    1,825
    Likes Received:
    2
    Until 2008, this "trick" (changing the default SIP port), which protected the PBX, was at the same level as a "guess" that user/authuser/password are the same.
    Attacks are not well organized (I may be wrong). They are trying to investigate how it is possible to organize a DoS kind of attack and associate it with SIP ;)
     
  10. eagle2

    eagle2 Well-Known Member

    Joined:
    Apr 27, 2011
    Messages:
    1,085
    Likes Received:
    11
    Until 2008 there were practically no attacks against IP PBXs. Later they started coming mainly from China and second from the USA (according to geolocation of the IP address). I was installing at that time mainly Panasonic IP PBXs for my customers. The number of attacks rose over time, coming to 2-3 per day. Panasonic has one "nice" bug -- under brute-force attack it blocks until manually restarted (which in fact protected it and also made clear there was an attack attempt). Later I started changing the port (from 5060 to 5065 or later bigger) -- this was helpful for a while, in the beginning for 3 months, in 2010 less than a week (Panasonic uses different ports for SIP trunks, default 35060, and for SIP extensions, 5060). I have similar experience with Siemens HiPath and other brands. Currently I see many successful attacks reported against Asterisk implementations.

    So my opinion now is changing the SIP port to non-standard one will protect you for a while and makes no sense. Current hacker attacks scan all ports for SIP responses using bots (infected computers) from many different IP addresses. Later other computers are trying to hack passwords, etc., so everything looks pretty normal as IP traffic and not causing alerts.

    In all cases installers / users should take special care about network security, otherwise a successful attack may cost them thousands of dollars (euros). 3CX Version 10 seems well protected against current threats (hopefully). I'm permanently monitoring the several installations I already have.

    Regards
     
  11. A.burton

    Joined:
    Oct 1, 2011
    Messages:
    17
    Likes Received:
    0
    After reading this thread a few days ago, I checked my logs and was alarmed by the number of attempts at hacking the system. Mostly at night, many Russian and Spanish IPs - though these could just be from infected computers (bots). Some nights there are 5 hits. The only thing stopping the attempts is the security within 3cx. So far so good..

    I was quite concerned so I have taken some drastic measures.
    1. Have de-registered all external extensions.
    2. All extensions marked as unable to register outside of the LAN.
    3. 3cx iPhone extensions not available until the tunnel version is available - HURRY UP APPLE.
    4. I have closed as many non-native IPs (outside my country) on most ports except 80 and a few others. SIP ports set to drop from non-native IPs.
    5. I am checking the logs daily to see what is happening.
    6. No easy passwords anywhere.


    Two of my external extensions are from fixed locations. I am certainly going to obtain a fixed IP for them so I can add them into my firewall. The new 3cx iphone app with tunnel will certainly help also.

    I wonder is there anything else I could do?
     
  12. eagle2

    eagle2 Well-Known Member

    Joined:
    Apr 27, 2011
    Messages:
    1,085
    Likes Received:
    11
    This looks good enough as a precaution.
    If you can create an access list with trusted IPs in your router / firewall and drop the rest of the traffic, that will also be a very good approach.

    Further risks may come from infected computers (bots) inside your network; still, the 3cx system should be able to guard itself. A very serious alert is seeing an internal IP address being blocked by 3CX. I recommend using antivirus tools and running regular scans in your intranet.

    Regards
     
  13. SY

    SY Well-Known Member
    3CX Support

    Joined:
    Jan 26, 2007
    Messages:
    1,825
    Likes Received:
    2
    Do you mean that 3CX Phone System does not report this kind of latent activity?
    It is possible to deliver information even about it. If you have an environment where it can be tested, then please contact the 3CX support team.

    Thanks
     
  14. eagle2

    eagle2 Well-Known Member

    Joined:
    Apr 27, 2011
    Messages:
    1,085
    Likes Received:
    11
    Hi Stepan,

    I think 3CX is doing the best job possible. I don't know of any other IP PBX protecting itself better (this includes Panasonic, Avaya, Aastra, Siemens, Cisco, Asterisk). However, the installer / user still should pay attention to network security.

    Regards
     
  15. michielpeeters

    Joined:
    Nov 17, 2008
    Messages:
    19
    Likes Received:
    5
    We had a few customers with hacking problems; the new 3cx anti-hacking module in the newer versions is great. Luckily almost all customers have an advanced firewall; I only open 5060 for our VoIP provider, and this works great.
     
  16. haywardi

    Joined:
    Feb 27, 2011
    Messages:
    83
    Likes Received:
    0
    Some advice please.

    The hacking has got to such a level that it is actually preventing 3cx from working even though they have not actually compromised security (they are taking all available bandwidth).

    Earlier in this thread someone mentioned that in their firewall they were only opening 5060 up to a known IP address. This sounds like a perfect solution to my problem.

    Trouble is that I don't know how to configure my router to do this. It's a draytek vigor 2820.

    Can anyone advise please?

    Many thanks in advance
    Iain
     
  17. complex1

    complex1 Active Member

    Joined:
    Jan 25, 2010
    Messages:
    803
    Likes Received:
    45
    Hi Iain,

    There are two options:
    I can point you to the “Filter Setup” on page 78 of the manual and say “Good luck!”
    or
    You send me a PM with some private info and a remote access login code and I will set up the router for you.
     
  18. haywardi

    Joined:
    Feb 27, 2011
    Messages:
    83
    Likes Received:
    0
    Hi Frank,

    Thanks, a kind offer, but I'm sure you realise that I can't allow anyone access to my router :)

    Page 78 is all about the open ports which are already configured anyway.

    What I think I need to do is make sure that only packets from approved IPs are routed through to this port. It looks like the firewall is the place to be; however, I don't know if open ports bypass the firewall and therefore have to be switched off and a firewall entry made.

    Advice gratefully received.

    Iain
     
  19. complex1

    complex1 Active Member

    Joined:
    Jan 25, 2010
    Messages:
    803
    Likes Received:
    45
    Hi Iain,

    Sorry, I was using a very outdated user guide. UG v3.3 on page 94 describes how to set up a filter.

    1. Select Filter Set 2 “Default Data Filter”, change “Next Filter Set” to “Set#7”
    2. Select Filter Set 7; page 95 will give an explanation of the settings

    Now we have to create at least two rules: the first, which blocks all incoming traffic on port 5060, and the second and so on, which allow traffic from your VoIP provider(s).

    Select Filter rule 1
    Enable the filter rule
    Name this rule “Block 5060” or something
    Set Direction to WAN -> LAN
    Set Source IP to “Any”
    Set Destination IP to “Any”
    Set Service Type to TCP/UDP, Port from any to 5060
    Set Fragments to “Don’t Care”
    Set Filter to “Block if No Further Match”
    Set Branch to … to “None”

    Select Filter rule 2
    Enable the filter rule
    Name this rule “Pass VoIP Provider” or something
    Set Direction to WAN -> LAN
    Set Source IP to IP-address of your VoIP provider
    Set Destination IP to “Any”
    Set Service Type to TCP/UDP, Port from any to 5060
    Set Fragments to “Don’t Care”
    Set Filter to “Pass Immediately”
    Set Branch to … is greyed out

    This should do the trick.
    So, Good luck and let me know the results.
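    As an added illustration (not part of the thread, and not DrayTek's own logic), the small model below encodes the rule semantics as the post describes them, assuming that “Block if No Further Match” defers the block until the rest of the set has been checked while “Pass Immediately” / “Block Immediately” stop evaluation; it checks both rule orderings and a provider “IP group” of several constructed address ranges.

    ```python
    """Model of the Vigor filter-set logic as described in the thread (assumed
    semantics, not DrayTek firmware): 'block_if_no_match' defers the block until
    the rest of the set is checked; 'pass_now' / 'block_now' stop evaluation."""
    import ipaddress
    from dataclasses import dataclass
    from typing import List, Optional


    @dataclass
    class Rule:
        name: str
        sources: List[ipaddress.IPv4Network]  # empty list means "Any"
        dst_port: Optional[int]               # None means any port
        action: str                           # pass_now | block_now | block_if_no_match

        def matches(self, src_ip: str, port: int) -> bool:
            ip = ipaddress.ip_address(src_ip)
            src_ok = not self.sources or any(ip in net for net in self.sources)
            return src_ok and (self.dst_port is None or port == self.dst_port)


    def evaluate(rules: List[Rule], src_ip: str, port: int) -> str:
        """Return 'pass' or 'block' for a WAN->LAN packet; unmatched traffic passes."""
        pending_block = False
        for rule in rules:
            if not rule.matches(src_ip, port):
                continue
            if rule.action == "pass_now":
                return "pass"
            if rule.action == "block_now":
                return "block"
            pending_block = True  # block unless a later rule passes it
        return "block" if pending_block else "pass"


    # Constructed sample "IP group": documentation ranges, not a real provider's
    PROVIDER_GROUP = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/25")]

    # Ordering from the thread: deferred block first, then pass the provider
    RULES_THREAD = [
        Rule("Block 5060", [], 5060, "block_if_no_match"),
        Rule("Pass VoIP Provider", PROVIDER_GROUP, 5060, "pass_now"),
    ]
    # Alternative ordering asked about: pass the provider first, then block the rest
    RULES_ALT = [
        Rule("Pass VoIP Provider", PROVIDER_GROUP, 5060, "pass_now"),
        Rule("Block 5060", [], 5060, "block_now"),
    ]
    ```

    Both orderings give the same verdicts for the same packets; the difference is only that the deferred block keeps evaluating the set, so any later pass rule (more providers) still applies.
    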
     
  20. haywardi

    Joined:
    Feb 27, 2011
    Messages:
    83
    Likes Received:
    0
    Hi Frank,

    Thanks for the help, yes very useful and now that I've set it on my router, 3CX seems to be working OK :)

    A couple of quick questions though.

    Firstly:
    I notice that you set the block if no further match, then the pass immediately. More out of curiosity, but in filter set 1, could I do the pass immediately (for the given IPs) and then in filter set 2, a block immediately? In theory I think it should work, but there may be good reasons why it should be set to block if no further match and then a pass...

    Secondly:
    My SIP provider predictably uses a range of IPs, so I set up an IP object for each range (there are five ranges of IPs they've given me) and then group them together with an IP group. If I use the IP group on the allow filter rule, will it work?

    Thanks in advance.
    Iain
     