
can anyone explain a bit

Discussion in '3CX Phone System - General' started by craigreilly, May 16, 2013.

Thread Status:
Not open for further replies.
  1. craigreilly

    craigreilly Well-Known Member

    Joined:
    Feb 1, 2012
    Messages:
    3,575
    Likes Received:
    305
    This is from my logs - I assume this is someone trying to hack in?
    Code:
    15-May-2013 16:31:47.624	[CM500002]: Unidentified incoming call. Review INVITE and adjust source identification:
    			Invite-UNK Recv Req INVITE from 188.66.5.70:1534 tid=-7a6330f95ba0 Call-ID=3c462467-e774-4166-8ebd-ab4b2673fba7:
    			INVITE sip:318667272338@66.x.x.125:5060 SIP/2.0
    			Via: SIP/2.0/UDP 0.0.0.0:5060;branch=z9hG4bK-7a6330f95ba0;rport=1534;received=188.66.5.70
    			Max-Forwards: 70
    			Contact: "13186672723381"<sip:131866727233810.0.0.0:5060;transport=udp>
    			To: <sip:318667272338@66.x.x.125>
    			From: <sip:13186672723381@0.0.0.0:5060>;tag=NDJlMmU2N2QxM2M0MDAwMDU3ATIyODcxNTI
    			Call-ID: 3c462467-e774-4166-8ebd-ab4b2673fba7
    			CSeq: 1 INVITE
    			Accept: application/sdp
    			User-Agent: Asterisk 1.6.2
    			Content-Length: 0
    			Content-Lenght: 0
    15-May-2013 16:31:47.624	IPs do not match!
    15-May-2013 16:31:47.624	Compare IPs: incoming=66.x.x.125; external=66.x.x.112
    15-May-2013 16:31:47.624	IPs do not match!
    15-May-2013 16:31:47.623	Compare IPs: incoming=0.0.0.0; external=66.x.x.112
    15-May-2013 16:30:28.237	[CM500002]: Unidentified incoming call. Review INVITE and adjust source identification:
    			Invite-UNK Recv Req INVITE from 188.66.5.70:5060 tid=-9290c49e5345 Call-ID=22d91697-3162-4f9d-b483-9a8a2ef4615b:
    			INVITE sip:618667272338@66.x.x.109:5060 SIP/2.0
    			Via: SIP/2.0/UDP 0.0.0.0:5060;branch=z9hG4bK-9290c49e5345;rport=5060;received=188.66.5.70
    			Max-Forwards: 70
    			Contact: "16186672723381"<sip:161866727233810.0.0.0:5060;transport=udp>
    			To: <sip:618667272338@66.x.x.109>
    			From: <sip:16186672723381@0.0.0.0:5060>;tag=NDJlMmU2NmQxM2M0MDAwMDU3ATE2MTYyMTky
    			Call-ID: 22d91697-3162-4f9d-b483-9a8a2ef4615b
    			CSeq: 1 INVITE
    			Accept: application/sdp
    			User-Agent: Asterisk 1.6.2
    			Content-Length: 0
    			Content-Lenght: 0
    15-May-2013 16:30:28.237	IPs do not match!
    15-May-2013 16:30:28.237	Compare IPs: incoming=66.x.x.109; external=66.x.x.112
    15-May-2013 16:30:28.237	IPs do not match!
    15-May-2013 16:30:28.237	Compare IPs: incoming=0.0.0.0; external=66.x.x.112
    
    IP 112 is my Phone Server
    IP 109 - I do not think I have anything on this IP
    IP 125 - I do not think I have anything on this IP

    Should I block 188.66.5.70?
     
  2. leejor

    leejor Well-Known Member

    Joined:
    Jan 22, 2008
    Messages:
    11,117
    Likes Received:
    329
    I see similar things once in a while. They are trying to do a direct SIP call. Usually there are several attempts with the number starting with 9011XXXXXXX, 00XXXXX, and the like. International prefixes and some with a 9 in front. I suppose that once they have "found" a PBX, they assume that they will eventually be able to place a call.

    If I get a lot of repeats from some IPs I will block a range, like 188.66.0.0, mask of 255.255.0.0.
    If you don't have a lot of remote extensions, then you should be safe in blacklisting IPs, just be sure that it isn't a range used by a provider.
     
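As an added example (not from the original thread or from 3CX), here is a small Python triage script for the log pattern craigreilly posted and the range-blocking rule leejor describes: it pulls each [CM500002] unidentified-INVITE block out of a constructed log excerpt, tallies attempts per source, records the tell-tale signs of a blind SIP sweep (Via of 0.0.0.0, Request-URI aimed at an address that is not the PBX, international-length dialed numbers), and checks whether a source falls inside a candidate block range written the way leejor writes it (address plus netmask). The PBX addresses in the sample are TEST-NET placeholders, not the masked ones from the post.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed excerpt in the 3CX log format quoted in the thread; the PBX
# addresses are TEST-NET placeholders, the probing source is the one from the post.
SAMPLE_LOG = """\
15-May-2013 16:31:47.624\t[CM500002]: Unidentified incoming call. Review INVITE and adjust source identification:
\t\t\tInvite-UNK Recv Req INVITE from 188.66.5.70:1534 tid=-7a6330f95ba0 Call-ID=3c462467:
\t\t\tINVITE sip:318667272338@198.51.100.125:5060 SIP/2.0
\t\t\tVia: SIP/2.0/UDP 0.0.0.0:5060;branch=z9hG4bK-7a6330f95ba0;rport=1534;received=188.66.5.70
15-May-2013 16:30:28.237\t[CM500002]: Unidentified incoming call. Review INVITE and adjust source identification:
\t\t\tInvite-UNK Recv Req INVITE from 188.66.5.70:5060 tid=-9290c49e5345 Call-ID=22d91697:
\t\t\tINVITE sip:618667272338@198.51.100.109:5060 SIP/2.0
\t\t\tVia: SIP/2.0/UDP 0.0.0.0:5060;branch=z9hG4bK-9290c49e5345;rport=5060;received=188.66.5.70
"""

SRC_RE = re.compile(r"Recv Req INVITE from (\d+\.\d+\.\d+\.\d+):\d+")
URI_RE = re.compile(r"INVITE sip:(\d+)@(\d+\.\d+\.\d+\.\d+)")
VIA_RE = re.compile(r"Via: SIP/2\.0/\w+ (\d+\.\d+\.\d+\.\d+)")

def parse_unidentified_invites(log_text):
    """One dict per [CM500002] block: source IP, dialed number, target host, Via host."""
    events, cur = [], None
    for line in log_text.splitlines():
        if "[CM500002]" in line:            # a new unidentified-call block starts here
            cur = {"src": None, "number": None, "dst": None, "via": None}
            events.append(cur)
        elif cur is not None:
            if m := SRC_RE.search(line): cur["src"] = m.group(1)
            if m := URI_RE.search(line): cur["number"], cur["dst"] = m.group(1), m.group(2)
            if m := VIA_RE.search(line): cur["via"] = m.group(1)
    return events

def triage(events, pbx_ips):
    """Per source: attempt count plus the indicators of a blind SIP sweep seen in the post."""
    pbx = {ip_address(p) for p in pbx_ips}
    report = {}
    for e in events:
        r = report.setdefault(e["src"], {"attempts": 0, "indicators": set()})
        r["attempts"] += 1
        if e["via"] == "0.0.0.0":
            r["indicators"].add("unroutable 0.0.0.0 in Via")      # sender did not care about replies
        if e["dst"] and ip_address(e["dst"]) not in pbx:
            r["indicators"].add("Request-URI host is not our PBX")  # the 'IPs do not match' lines
        if e["number"] and len(e["number"]) > 10:
            r["indicators"].add("international-length dialed number")
    return report

def in_block_range(ip, network):
    """True if ip falls inside a range written either as CIDR or as 'addr/mask' (leejor's style)."""
    return ip_address(ip) in ip_network(network, strict=False)
```

Before acting on the range check, confirm the candidate block does not also cover a trunk provider or a travelling user's carrier, which is the caveat leejor raises.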
  3. ian.watts

    ian.watts Active Member

    Joined:
    Apr 8, 2011
    Messages:
    532
    Likes Received:
    1
    Ideally you only allow inbound SIP from whatever you specify.. usually your trunk(s) and possibly some remote offices with static addresses... all at your firewall.

    Only in cases where you must leave SIP relatively open.. you may be able to utilize limiting by region, using the IANA address space registry for the RIRs and block those places where nobody would be connecting from.. ideally.

    Sadly, I have a manufacturing client who has people travel to China.. with their iPhones. I suppose I could try the separate Tunnel App to collapse that need... but still have some remote extensions at the brass' homes.. but I could at least limit to their ISPs..
     
  4. craigreilly

    craigreilly Well-Known Member

    Joined:
    Feb 1, 2012
    Messages:
    3,575
    Likes Received:
    305
    Well, our employees do quite a bit of international travel, so we allow the iPhone and Android apps to be used to keep in contact with the office and family as well.
    So allowing specific IPs might be difficult.
     
  5. complex1

    complex1 Active Member

    Joined:
    Jan 25, 2010
    Messages:
    815
    Likes Received:
    49
    One thing I want to suggest is to change the SIP listen port from 5060 to something else.
    I had the same attacks as you have and as leejor replied earlier.
    Once I had done this in my 3CX and all of my customers' 3CXs, there were no more attempts at hacking the system.
    Also, you don't have to block incoming IP addresses in the router anymore, only open the ports as suggested by 3CX. From now on all external extensions like iOS and Android devices can freely connect to the 3CX Phone System by using the new SIP port.
    I have tested this here in Holland (The Netherlands) and also in the Caribbean, Belgium, Germany and Australia, as well as in the US. (WiFi and/or 3G)

    Hope this helps you.
     
  6. leejor

    leejor Well-Known Member

    Joined:
    Jan 22, 2008
    Messages:
    11,117
    Likes Received:
    329
    When hacking had been brought up once before, the suggestion to change from the 5060 default to something else had also been made. Someone had put forward that it wouldn't help, as more than one port was being scanned by the hackers.

    Has anyone else had any experience (hopefully good) with changing the port?

    I find that most of the "attempts" these days are unauthorized registrations, rather than direct SIP calls. Those get blacklisted for hundreds of thousands of seconds, but every once in a while a very similar IP makes another attempt. That range then gets put on the permanent blacklist.
     
  7. craigreilly

    craigreilly Well-Known Member

    Joined:
    Feb 1, 2012
    Messages:
    3,575
    Likes Received:
    305
    I like the idea of changing the port if it works, except I'd have to get into the remote phones and update them... yes?
    I have 3 Aastras out there because they were left over from a Packet 8 job many years ago.
    They work for what we need in the field.
     
  8. complex1

    complex1 Active Member

    Joined:
    Jan 25, 2010
    Messages:
    815
    Likes Received:
    49
    Not only the remote phones, but all your phones, adapters and gateways that are connected to the 3CX Phone System. Local and remote.
    Only changing the Proxy Port will do.
     
  9. craigreilly

    craigreilly Well-Known Member

    Joined:
    Feb 1, 2012
    Messages:
    3,575
    Likes Received:
    305
    Yes, absolutely... not worried about those. I have full local access to those and can reprovision them easily enough.
    :)
     