Blocking "User Agents" similar to "friendly-scanner"

Discussion in '3CX Phone System - General' started by mukkacow, Dec 12, 2017.

Thread Status:
Not open for further replies.
  1. mukkacow

    Joined:
    Oct 26, 2017
    Messages:
    39
    Likes Received:
    5
    Hello,
    I have noticed multiple scanning/registration attempts from this user agent:


    I have added these lines to my iptables file:
    but it does not seem to be working. Any idea how to get rid of them?

    Thank you
     
  2. leejor

    leejor Well-Known Member

    Joined:
    Jan 22, 2008
    Messages:
    10,368
    Likes Received:
    229
    I set the options to get an email when IPs are blacklisted, for a period of time, which had been extended to 500,000 seconds. I then go in later and change the year that the blacklist period lasts to something like 2030. If you use one particular year it then makes it easier to visually scan the list for any new additions. Once you have a collection of IPs that have tried to hack your system, you can start to see a pattern, repeats, from similar IPs. I then change the subnet mask to cast a "wider net", as needed.
     
    viraltechnology likes this.
  3. sip.bg

    sip.bg Active Member

    Joined:
    Nov 7, 2016
    Messages:
    704
    Likes Received:
    219
    I can share a list of blacklisted IPs, collected from over 50 cloud-based PBXs. When an IP is blacklisted by one or more of the PBXs (usually by several simultaneously), a filter rule is created in the cloud router to protect all of the PBXs permanently. If there are 2 or more neighboring addresses, the whole /24 subnet is blocked. See leejor's post above for similar IPs.
     
    jbryant84 likes this.
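    Putting the first three posts together as an added example (this is not code from the thread, from 3CX, or from any of the posters): parse raw SIP requests captured in front of the PBX, flag the scanner User-Agents (SIPVicious announces itself as "friendly-scanner"), and collapse the offending sources the way sip.bg describes, so that two or more hosts in the same /24 block the whole /24. The sample captures and addresses are constructed from documentation ranges, the extra UA patterns besides "friendly-scanner" are assumptions, and the generated iptables commands show what the missing lines in the first post would need to look like.

```python
"""Flag SIP scanners by User-Agent and widen the resulting blocklist.

Added example, not code from the thread or from 3CX.  Sample captures and
IP addresses are constructed (documentation ranges); the UA patterns other
than "friendly-scanner" are assumed examples.
"""
import ipaddress
import re
from collections import defaultdict

# User-Agent substrings treated as scanners.  "friendly-scanner" is the
# SIPVicious default; the other two are assumed examples, extend as needed.
SCANNER_UA_PATTERNS = [re.compile(p, re.I) for p in
                       (r"friendly-scanner", r"sipvicious", r"sipcli")]

# Header value up to the end of its line (CRLF tolerant).
UA_RE = re.compile(r"^User-Agent:\s*(.+?)\s*$", re.I | re.M)


def sip_request(src_host, user_agent=None):
    """Build a minimal SIP REGISTER for the constructed sample set."""
    msg = ("REGISTER sip:pbx.example.com SIP/2.0\r\n"
           f"Via: SIP/2.0/UDP {src_host}:5060;branch=z9hG4bK1\r\n"
           "From: <sip:100@pbx.example.com>;tag=1\r\n"
           "To: <sip:100@pbx.example.com>\r\n")
    if user_agent:
        msg += f"User-Agent: {user_agent}\r\n"
    return msg + "Content-Length: 0\r\n\r\n"


# Constructed captures: (transport-level source IP, raw request).  In practice
# these come from a pcap or a SIP trace taken in front of the PBX.
SAMPLE_CAPTURES = [
    ("203.0.113.7",   sip_request("203.0.113.7", "friendly-scanner")),
    ("203.0.113.9",   sip_request("203.0.113.9", "Friendly-Scanner")),
    ("203.0.113.7",   sip_request("203.0.113.7", "friendly-scanner")),
    ("198.51.100.23", sip_request("198.51.100.23", "sipcli/v1.8")),
    ("192.0.2.10",    sip_request("192.0.2.10", "ExamplePhone/1.0")),
    ("192.0.2.55",    sip_request("192.0.2.55")),   # no User-Agent at all
]


def user_agent(raw):
    """Return the User-Agent header value, or '' if the header is absent."""
    m = UA_RE.search(raw)
    return m.group(1) if m else ""


def is_scanner(ua):
    return any(p.search(ua) for p in SCANNER_UA_PATTERNS)


def scanner_sources(captures):
    """Source IPs (transport level, not the spoofable Via header) sending scanner UAs."""
    return {src for src, raw in captures if is_scanner(user_agent(raw))}


def widen(ips, min_hosts=2, prefix=24):
    """Single offenders become /32s; a /prefix holding >= min_hosts offenders is blocked whole."""
    buckets = defaultdict(set)
    for ip in ips:
        addr = ipaddress.ip_address(ip)
        buckets[ipaddress.ip_network(f"{addr}/{prefix}", strict=False)].add(addr)
    nets = []
    for net, hosts in buckets.items():
        if len(hosts) >= min_hosts:
            nets.append(net)
        else:
            nets.extend(ipaddress.ip_network(str(h)) for h in hosts)
    return sorted(nets)


def iptables_rules(nets, ua_strings=("friendly-scanner",)):
    """iptables commands: a payload match on the UA string, then per-CIDR drops.

    -m string needs the xt_string module and matches bytes inside one packet;
    it is case-sensitive, so a scanner that changes its UA slips past it.
    """
    rules = [f"iptables -I INPUT -p udp --dport 5060 -m string "
             f"--string '{ua}' --algo bm -j DROP" for ua in ua_strings]
    rules += [f"iptables -I INPUT -s {net} -p udp --dport 5060 -j DROP"
              for net in nets]
    return rules


if __name__ == "__main__":
    offenders = scanner_sources(SAMPLE_CAPTURES)
    for cmd in iptables_rules(widen(offenders)):
        print(cmd)
```

    Two caveats when lifting this onto a real box: the string match only covers UDP here, so repeat it with `-p tcp` if the PBX also listens on TCP, and it is a courtesy filter at best, since the UA is attacker-controlled and SIPVicious can be told to send anything. The CIDR drops are the part that holds up.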
  4. neotheghost

    Joined:
    Dec 12, 2017
    Messages:
    6
    Likes Received:
    0
    Oh, such a list would be great! Please be so kind and share it with us! Thank you very much!
     
  5. sip.bg

    sip.bg Active Member

    Joined:
    Nov 7, 2016
    Messages:
    704
    Likes Received:
    219
    These are the addresses including September 2017 attacks:
     

    Attached Files:

    NickD_3CX and jbryant84 like this.
  6. neotheghost

    Joined:
    Dec 12, 2017
    Messages:
    6
    Likes Received:
    0
    Thank you very much!
    Is a firewall block the only option to avoid such attacks?
    Isn't there an option in 3CX to disable direct SIP calls completely? Or change something to only allow authorized SIP calls to enter the PBX?
     
  7. sip.bg

    sip.bg Active Member

    Joined:
    Nov 7, 2016
    Messages:
    704
    Likes Received:
    219
    You can control direct SIP calls in Settings | Network settings | FQDN.
    Other settings may be controlled in the firewall.
     
  8. neotheghost

    Joined:
    Dec 12, 2017
    Messages:
    6
    Likes Received:
    0
    Yes, that's the part I don't fully understand. I disabled "Allow calls from/to external SIP URIs". Still I receive those calls.
     
  9. sip.bg

    sip.bg Active Member

    Joined:
    Nov 7, 2016
    Messages:
    704
    Likes Received:
    219
    Depending on your router/firewall you may create a rule with a whitelist of hosts which can access your PBX on port 5060, like certain VoIP provider(s) and remote site(s). Otherwise you would not get rid of the attacks.
     
    NickD_3CX likes this.
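    The allowlist sip.bg describes, as an added example that is not code from the thread, from 3CX, or from the poster: build the rule set a firewall in front of the PBX needs (only the trunk provider and remote sites may reach port 5060, everyone else is dropped) and evaluate it the way an iptables or nftables chain does, first matching rule wins. The addresses are constructed documentation ranges and the labels "trunk provider" and "branch office" are assumed names; the point the block makes is that the order of ACCEPT and DROP decides whether your own provider gets locked out.

```python
"""Allowlist-only access to SIP port 5060 as a first-match rule set.

Added example, not from the thread or from 3CX.  Addresses are constructed
documentation ranges; the peer labels are assumed names.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

SIP_PORT = 5060


@dataclass(frozen=True)
class Rule:
    action: str                                   # "ACCEPT" or "DROP"
    proto: str                                    # "udp" or "tcp"
    dport: int
    src: Optional[ipaddress.IPv4Network] = None   # None matches any source
    comment: str = ""


def build_sip_policy(allowed):
    """ACCEPT each allowed source on 5060 (udp and tcp), then DROP the rest.

    `allowed` maps a label to a host or CIDR: your trunk provider's
    signalling addresses and the public IPs of remote sites.
    """
    rules: List[Rule] = []
    for label, cidr in allowed.items():
        net = ipaddress.ip_network(cidr, strict=False)
        for proto in ("udp", "tcp"):
            rules.append(Rule("ACCEPT", proto, SIP_PORT, net, label))
    for proto in ("udp", "tcp"):
        rules.append(Rule("DROP", proto, SIP_PORT, None, "everyone else"))
    return rules


def evaluate(rules, src_ip, proto, dport, chain_policy="ACCEPT"):
    """First-match evaluation; fall through to the chain policy if nothing matches."""
    src = ipaddress.ip_address(src_ip)
    for r in rules:
        if r.proto != proto or r.dport != dport:
            continue
        if r.src is not None and src not in r.src:
            continue
        return r.action
    return chain_policy


def to_iptables(rules):
    """Render as iptables -A commands; append order equals evaluation order."""
    out = []
    for r in rules:
        parts = ["iptables", "-A", "INPUT", "-p", r.proto, "--dport", str(r.dport)]
        if r.src is not None:
            parts += ["-s", str(r.src)]
        if r.comment:
            parts += ["-m", "comment", "--comment", f"'{r.comment}'"]
        parts += ["-j", r.action]
        out.append(" ".join(parts))
    return out


ALLOWED = {                       # constructed: replace with your real peers
    "trunk provider": "203.0.113.10",
    "branch office":  "198.51.100.0/24",
}

if __name__ == "__main__":
    policy = build_sip_policy(ALLOWED)
    for line in to_iptables(policy):
        print(line)
    # A scanner from an unlisted address never reaches the PBX ...
    print(evaluate(policy, "192.0.2.55", "udp", SIP_PORT))                     # DROP
    # ... but put the DROP first and the trunk provider is locked out too.
    print(evaluate(list(reversed(policy)), "203.0.113.10", "udp", SIP_PORT))   # DROP
```

    Three things the block leaves to you: a `-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT` rule normally sits above these so replies to the PBX's own outbound registrations are not caught; port 5061 (TLS) and the RTP port range need their own rules; and if the provider registers from several or changing addresses, the list has to be maintained from what they publish rather than from the last IP you saw in the log.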
  10. leejor

    leejor Well-Known Member

    Joined:
    Jan 22, 2008
    Messages:
    10,368
    Likes Received:
    229
    You may very well still see the calls in the logs, they won't go anywhere. Be certain that you use secure passwords. It's the people that had a simple password like "ext100", or "100" for extension 100, leftover from the initial testing, that will be in trouble.
     