
Blacklist enhancements

Discussion in 'Ideas' started by OUTsider, Sep 18, 2018.

Rating: 5/5, 2 votes

  1. OUTsider

    Joined:
    Sep 25, 2012
    Messages:
    11
    Likes Received:
    2
    I manage several instances of 3CX, and I constantly see tons of authentication failures from scans. What I currently do is manually add the IPs from the several installations into a global blacklist. But the issue is, I cannot reuse that information, nor could others.

    So my suggestion is to add support for DNSBL, meaning every connection from non-reserved IP space would be checked against <reverseip>.<listname> through DNS; if that request returns a reply in the 127.0.0.0/8 range, it would deny the connection attempt. (See RFC 5782.)

    Another suggestion for Blacklist would be the ability to export the data.

    To complete the blacklist enhancements I have in mind, perhaps 3CX itself wants to run a DNSBL, giving users the ability to optionally submit detected hack attempts to 3CX. If multiple instances report the same IP as bad (score-based, in order to prevent abuse of the system), other connected instances would also block attempts from these IPs.
     
    Kongo likes this.
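The lookup described in the post above, written out as an added example (not the poster's code and not anything 3CX ships): it builds the RFC 5782 query name, never looks up non-global address space, treats any answer in 127.0.0.0/8 as a hit, and adds the RFC's 127.0.0.2 / 127.0.0.1 test entries as a health check so a dead or wildcarded list cannot block everyone. The zone name `dnsbl.example.net`, the address 1.2.3.4 and the in-memory resolver are constructed stand-ins; IPv6 nibble reversal is included as well, which the post does not mention.

```python
import ipaddress
from typing import Callable, Iterable, Optional

DNSBL_ZONE = "dnsbl.example.net"  # constructed; use the list operator's real zone
LISTED = ipaddress.ip_network("127.0.0.0/8")  # RFC 5782 answers meaning "listed"
Resolver = Callable[[str], Iterable[str]]  # returns A records, [] on NXDOMAIN


def reverse_name(ip: str) -> str:
    """RFC 5782 owner label: reversed octets (IPv4) or reversed nibbles (IPv6)."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return ".".join(reversed(str(addr).split(".")))
    return ".".join(reversed(addr.exploded.replace(":", "")))


def dnsbl_query_name(ip: str, zone: str = DNSBL_ZONE) -> Optional[str]:
    """Full query name, or None for private, loopback, link-local and other
    non-global space, which is never looked up (and so never blocked)."""
    if not ipaddress.ip_address(ip).is_global:
        return None
    return f"{reverse_name(ip)}.{zone}"


def _hit(resolve: Resolver, name: str) -> bool:
    return any(ipaddress.ip_address(a) in LISTED for a in resolve(name))


def is_listed(ip: str, resolve: Resolver, zone: str = DNSBL_ZONE) -> bool:
    """True when the list answers in 127.0.0.0/8. A real resolver should
    return [] on timeout so a DNS outage fails open instead of locking
    every caller out."""
    name = dnsbl_query_name(ip, zone)
    return name is not None and _hit(resolve, name)


def dnsbl_is_sane(resolve: Resolver, zone: str = DNSBL_ZONE) -> bool:
    """RFC 5782 section 5 test entries: 127.0.0.2 must be listed, 127.0.0.1
    must not; otherwise the list is dead or wildcarded and unfit to deny on."""
    return _hit(resolve, f"{reverse_name('127.0.0.2')}.{zone}") and not _hit(
        resolve, f"{reverse_name('127.0.0.1')}.{zone}")


# Constructed in-memory stand-in for DNS so the example runs offline; a real
# resolver would wrap e.g. socket.gethostbyname_ex(name)[2] with a timeout.
_FAKE_ZONE = {
    f"{reverse_name('127.0.0.2')}.{DNSBL_ZONE}": ["127.0.0.2"],
    f"{reverse_name('1.2.3.4')}.{DNSBL_ZONE}": ["127.0.0.2"],  # constructed hit
}


def fake_resolve(name: str) -> list:
    return _FAKE_ZONE.get(name, [])
```

Run `dnsbl_is_sane` against the real resolver before trusting `is_listed` to deny anything; a list that answers 127.0.0.2 for 127.0.0.1 is answering for every name.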
  2. OUTsider

    Joined:
    Sep 25, 2012
    Messages:
    11
    Likes Received:
    2
    I currently 'solved' this by constructing a mail parser that looks through my mails and parses the blacklisting IP messages, adding them to my DNSBL. Still, this would not enable me to protect other instances, unless I distribute and inject them directly into the PostgreSQL database.
     
  3. voiptoys

    voiptoys Active Member

    Joined:
    Feb 13, 2013
    Messages:
    893
    Likes Received:
    154
    You can add to your blacklist using the Call Control API
     
  4. OUTsider

    Joined:
    Sep 25, 2012
    Messages:
    11
    Likes Received:
    2
    Lemme guess, one of your addons which I do not even see on your site which will cost money? Or something that requires you to use a PRO or ENTERPRISE license?

    Furthermore, you probably did not read this thread correctly. It is about implementing DNSBL, as in, people could provide a host 3CX could check against using <reversed ip>.<dnsbl list> to see if the connecting IP is known as abusive and deny connections before it is even able to make attempts to hack account data using brute force.

    It is NOT about adding to the blacklist itself automatically, that would just be a WORKAROUND until such a feature arrives in 3CX.

    I want to enhance the security of my PBX, which is something that should be in the CORE of the program and is very easy to implement.

    Every common mailserver, for example, has such a feature. And this is a community, and we probably want to protect our PBXs as such a community. So please, do not abuse threads like these to spam for yet another commercial product, thank you.
     
    #4 OUTsider, Nov 9, 2018
    Last edited: Nov 9, 2018
  5. voiptoys

    voiptoys Active Member

    Joined:
    Feb 13, 2013
    Messages:
    893
    Likes Received:
    154
    I didn't mention any of our tools, and to be very clear, we don't have a tool for this. Rather, I was responding to this specific comment:

    "this would not enable me to protect other instances, unless I distribute and inject them directly into the PostgreSQL database."

    You know that 3CX would instantly flag your PBX as unsupported if they discovered you were manipulating the PostgreSQL database directly. So I was offering a solution YOU could take to achieve this using the Call Control API, which is a supported approach.
     
  6. OUTsider

    Joined:
    Sep 25, 2012
    Messages:
    11
    Likes Received:
    2
    In that case my excuses.

    About the Call API: only available for wintendo, only available for 'commercial versions', and only available for localhost connectivity, which makes this kinda completely useless. And it would still not solve what I'd actually like to achieve with this thread, which is having a functionality that would check any connection attempt against a DNSBL blacklist.
     
  7. voiptoys

    voiptoys Active Member

    Joined:
    Feb 13, 2013
    Messages:
    893
    Likes Received:
    154
    You may be partially correct, but I'm not absolutely sure since I have not tested on the free version of 3CX. I can confirm, however, that the Call Control API works perfectly on both Windows and Linux, and I suspect it will also work on the free version. Why? Because 3CX uses the same Call Control API for their own purposes so they have dependencies on the API... and that includes the free version.

    You also make a valid argument that the Call Control API only responds to localhost, but this too can be overcome by proxying the requests. It all depends on how much you want to invest in a solution. All our applications are installed on a separate server, but they remotely call the Call Control API. You can do it. We do it every day.
     
  8. OUTsider

    Joined:
    Sep 25, 2012
    Messages:
    11
    Likes Received:
    2
  9. Mark Perrin

    Joined:
    Oct 30, 2018
    Messages:
    18
    Likes Received:
    3
    How would you do this on Cloud PBX? Interested in anything to make things more secure.
     
  10. OUTsider

    Joined:
    Sep 25, 2012
    Messages:
    11
    Likes Received:
    2
    You can't; your cloud provider would need to do that, as you don't have access to the resources hosting your PBX.
     
  11. Marari

    Marari New Member

    Joined:
    Sep 16, 2007
    Messages:
    207
    Likes Received:
    47
    @Mark Perrin

    You can edit your firewall rules for your cloud instance to allow only the VoIP provider(s) and remote sites to access port 5060/5061. That will stop a lot of the script-kiddie port-scan/brute-force attacks (I've not had one since I implemented this).
     
  12. OUTsider

    Joined:
    Sep 25, 2012
    Messages:
    11
    Likes Received:
    2
    @Marari

    I think the user should be made aware of the fact that limiting port 5060/5061 would block the direct SIP calls functionality as well. It would also require the operator to keep a constant eye on mails and the website of the VoIP provider to keep track of IP range changes and such.

    Furthermore, as you are advanced certified, your remote sites are probably equipped with SBCs in order to provide features like channeling all calls through them, provisioning and such to your remote sites. These SBCs, however, use the 3CX tunnel protocol on port 5090 (default, depending on your settings), and not TCP/UDP 5060/5061, in order to connect to the cloud instance.

    Thus, your remote sites do not need to be included in your firewall settings for the SIP ports. You'd need to set up specific HTTP(S)/3CX tunnel port rules for your remote sites, as it is just a matter of time until the script kiddies change their attack vectors.

    Another thing that kinda disturbs me is the fact that we are actually discussing workarounds here and not the issue of this thread itself...
     
  13. Marari

    Marari New Member

    Joined:
    Sep 16, 2007
    Messages:
    207
    Likes Received:
    47
    @OUTsider

    You're right. I do use SBCs, and I further protect port 5090 to just those remote sites. For out-of-office communication, I just forward calls to cellphones rather than use the softphone client.

    Yes, there are some 'gotchas' with restricting that access, however, in the past 5 months since I went that way, I've received exactly zero notifications of brute force attempts, my block list contains zero entries (though there are obviously a few "allow" entries), and I'm no longer spending countless hours chasing ghosts.

    The PBX security built into 3CX does a decent enough job of blocking traffic that shouldn't be getting through but as @YiannisH_3CX and others from 3CX tell us time and time again, it's not a firewall. It's a reactive response. Hardening the firewall is a proactive response, and while it may create a bit of work down the road, it certainly creates a lot less than it saves.
     
  14. OUTsider

    Joined:
    Sep 25, 2012
    Messages:
    11
    Likes Received:
    2
    I guess parts have now been implemented in V16 alpha:


    Secure by Design

    Administering an Internet-facing system keeps security always on your mind. v16 includes new and updated security features to ease your mind, making it the most secure yet:

    • Option to auto-update blacklist entries daily from an online list managed by 3CX.
    • IP blacklist Export & Import functions enable you to export all your blacklist entries and import them on another PBX to sync.
     
    craigreilly likes this.