pob
Customer
- Joined
- Nov 20, 2012
- Messages
- 5
- Reaction score
- 0
I've noticed lately a number of outside IP addresses trying to log into our 3cx system and make outgoing calls. This worked for a while and they were able to make a few international calls. I've since changed our passwords, blacklisted offending IP ranges, and disabled international calls to all but the couple of countries we might call.
That has prevented any fraudlent calls but I'd like to block these guys at my firewall. I have port 5060 open to the IP address of our VOIP only yet I still see login attempts from these outside addresses. Could they be coming in on a different port or is my firewall not blocking them for some reason? Here's an example of some of the login attempts:
12-Mar-2014 01:32:20.196 [CM102001]: Authentication failed for AuthFail Recv Req REGISTER from 184.95.49.34:5101 tid=11678f6b846c52d1532150dc [email protected]:
REGISTER sip:192.168.16.21:5060 SIP/2.0
Via: SIP/2.0/UDP 184.95.49.34:5101;branch=z9hG4bK11678f6b846c52d1532150dc;rport=5101
Max-Forwards: 70
Contact: <sip:[email protected]:5101>
To: "10010"<sip:[email protected]>
From: "10010"<sip:[email protected]>;tag=932f6bd6a1
Call-ID: [email protected]
CSeq: 736 REGISTER
Expires: 1800
Proxy-Authorization: Digest username="10010",realm="3CXPhoneSystem",nonce="414d535c0930907456:9a4a4031168bdab8142a78cfb0581f3e",uri="sip:173.190.236.14",response="f68ea30f9581998de790148645caee4c",algorithm=MD5
User-Agent: VaxSIPUserAgent/3.5
Content-Length: 0
; Reason: Credentials don't match, check that authorization-ID and password match the ones in extension settings
12-Mar-2014 02:25:06.126 [IPBL] Packet from banned IP/range: ip = 179.43.133.34; Comment: PBX: blocked for too many failed authentications
12-Mar-2014 03:26:06.590 [IPBL] Packet from banned IP/range: ip = 212.83.141.241; Comment: Too many failed authentications
That has prevented any fraudlent calls but I'd like to block these guys at my firewall. I have port 5060 open to the IP address of our VOIP only yet I still see login attempts from these outside addresses. Could they be coming in on a different port or is my firewall not blocking them for some reason? Here's an example of some of the login attempts:
12-Mar-2014 01:32:20.196 [CM102001]: Authentication failed for AuthFail Recv Req REGISTER from 184.95.49.34:5101 tid=11678f6b846c52d1532150dc [email protected]:
REGISTER sip:192.168.16.21:5060 SIP/2.0
Via: SIP/2.0/UDP 184.95.49.34:5101;branch=z9hG4bK11678f6b846c52d1532150dc;rport=5101
Max-Forwards: 70
Contact: <sip:[email protected]:5101>
To: "10010"<sip:[email protected]>
From: "10010"<sip:[email protected]>;tag=932f6bd6a1
Call-ID: [email protected]
CSeq: 736 REGISTER
Expires: 1800
Proxy-Authorization: Digest username="10010",realm="3CXPhoneSystem",nonce="414d535c0930907456:9a4a4031168bdab8142a78cfb0581f3e",uri="sip:173.190.236.14",response="f68ea30f9581998de790148645caee4c",algorithm=MD5
User-Agent: VaxSIPUserAgent/3.5
Content-Length: 0
; Reason: Credentials don't match, check that authorization-ID and password match the ones in extension settings
12-Mar-2014 02:25:06.126 [IPBL] Packet from banned IP/range: ip = 179.43.133.34; Comment: PBX: blocked for too many failed authentications
12-Mar-2014 03:26:06.590 [IPBL] Packet from banned IP/range: ip = 212.83.141.241; Comment: Too many failed authentications