Blacklist Questions

Discussion in '3CX Phone System - General' started by Meg, Apr 3, 2012.

Thread Status:
Not open for further replies.
  1. Meg

    2 questions: When we set the number of failed authentications required to blacklist an IP address, does anyone know if there is a timeframe required to hit that maximum? For example, if I have the setting at 5000, is that 5000 failures in a week, a year, or no limit? And my 2nd question is if an IP does get blacklisted and I delete it from the blacklist, does the system reset the 5000 failures to the beginning again?
     
  2. leejor

    I would set the failed authentications a lot lower than that, unless you find you are having legitimate extensions blacklisted. If that is the case, just keep bumping it up a bit and look into why the legitimate extensions are having an issue. If it is a hacker, they will just keep hammering away until blacklisted. I think I have mine set at 10.

    If you delete an IP from the blacklist, it starts all over again as there is no other record, of that IP, for 3CX to refer to for the "status".

    http://www.3cx.com/blog/docs/how-to-react-when-3cx-phone-system-is-under-attack/
     
  3. Meg

    We have an IVR that takes thousands of calls each day. If the IVR goes down, it can accumulate quite a few failed authentications before we are able to resolve the issue. So we need to keep the failed authentications up there so we aren't blacklisting this IP address all the time. Is there another way we can do it so the system will allow unlimited failed authentications from this IP?
     
  4. leejor

    I'm not sure why, if something has gone down, you would be getting registration attempts at all. These are people attempting to register with incorrect combinations of extension numbers and passwords, or attempting a direct SIP call.

    Other than putting in an IP or a range, you can't say block everything BUT this IP, in 3CX. You would have to have a router, or firewall programme, that did something like that.
     