Fraudulent calls and unauthorized login attempts

Discussion in '3CX Phone System - General' started by pob, Mar 12, 2014.

Thread Status:
Not open for further replies.
  1. pob

    pob

    Joined:
    Nov 20, 2012
    Messages:
    5
    Likes Received:
    0
    I've noticed lately a number of outside IP addresses trying to log into our 3cx system and make outgoing calls. This worked for a while and they were able to make a few international calls. I've since changed our passwords, blacklisted offending IP ranges, and disabled international calls to all but the couple of countries we might call.

    That has prevented any fraudlent calls but I'd like to block these guys at my firewall. I have port 5060 open to the IP address of our VOIP only yet I still see login attempts from these outside addresses. Could they be coming in on a different port or is my firewall not blocking them for some reason? Here's an example of some of the login attempts:

    12-Mar-2014 01:32:20.196 [CM102001]: Authentication failed for AuthFail Recv Req REGISTER from 184.95.49.34:5101 tid=11678f6b846c52d1532150dc Call-ID=f6b83d0-ffe7d5f1dea2240-94fd7cc0@173.190.236.14:
    REGISTER sip:192.168.16.21:5060 SIP/2.0
    Via: SIP/2.0/UDP 184.95.49.34:5101;branch=z9hG4bK11678f6b846c52d1532150dc;rport=5101
    Max-Forwards: 70
    Contact: <sip:10010@192.168.16.21:5101>
    To: "10010"<sip:10010@173.190.236.14>
    From: "10010"<sip:10010@173.190.236.14>;tag=932f6bd6a1
    Call-ID: f6b83d0-ffe7d5f1dea2240-94fd7cc0@173.190.236.14
    CSeq: 736 REGISTER
    Expires: 1800
    Proxy-Authorization: Digest username="10010",realm="3CXPhoneSystem",nonce="414d535c0930907456:9a4a4031168bdab8142a78cfb0581f3e",uri="sip:173.190.236.14",response="f68ea30f9581998de790148645caee4c",algorithm=MD5
    User-Agent: VaxSIPUserAgent/3.5
    Content-Length: 0

    ; Reason: Credentials don't match, check that authorization-ID and password match the ones in extension settings

    12-Mar-2014 02:25:06.126 [IPBL] Packet from banned IP/range: ip = 179.43.133.34; Comment: PBX: blocked for too many failed authentications

    12-Mar-2014 03:26:06.590 [IPBL] Packet from banned IP/range: ip = 212.83.141.241; Comment: Too many failed authentications
     
  2. leejor

    leejor Well-Known Member

    Joined:
    Jan 22, 2008
    Messages:
    10,744
    Likes Received:
    281
    The only way to block these attempts completely is to have a router that blocks any access from their IP. Since they change all the time you are left with restricting access to known "valid" IP's, (white list) If your router supports this, it will work as long as you don't have remote extensions that require access and don't always use the same public IP. Same thing with your VoIP providers or any other services that are trying to get through your router. So...this may not work for you.

    If port 5060 is the only one forwarded to the 3CX server, then I have to assume that that is the port they are using. Given that it is the most common SIP port, it makes sense that they would attempt calls over it.

    I used to get quite concerned when i saw attempted registration or Direct SIP call attempts. I've found that 3Cx is very good at blocking everything that i have seen recently. You can tweak the blacklist settings to further discourage hackers repeated attempts. I upped the blacklist time to 250,000 seconds and have permanently blocked entire IP ranges for similar (IP's) repeat offenders.
     
Thread Status:
Not open for further replies.