Fraudulent calls and unauthorized login attempts

Status
Not open for further replies.

pob (Customer, joined Nov 20, 2012, messages: 5, reaction score: 0)

I've noticed lately a number of outside IP addresses trying to log into our 3CX system and make outgoing calls. This worked for a while and they were able to make a few international calls. I've since changed our passwords, blacklisted offending IP ranges, and disabled international calls to all but the couple of countries we might call.

That has prevented any fraudulent calls but I'd like to block these guys at my firewall. I have port 5060 open to the IP address of our VOIP only, yet I still see login attempts from these outside addresses. Could they be coming in on a different port or is my firewall not blocking them for some reason? Here's an example of some of the login attempts:

12-Mar-2014 01:32:20.196 [CM102001]: Authentication failed for AuthFail Recv Req REGISTER from 184.95.49.34:5101 tid=11678f6b846c52d1532150dc [email protected]:
REGISTER sip:192.168.16.21:5060 SIP/2.0
Via: SIP/2.0/UDP 184.95.49.34:5101;branch=z9hG4bK11678f6b846c52d1532150dc;rport=5101
Max-Forwards: 70
Contact: <sip:[email protected]:5101>
To: "10010"<sip:[email protected]>
From: "10010"<sip:[email protected]>;tag=932f6bd6a1
Call-ID: [email protected]
CSeq: 736 REGISTER
Expires: 1800
Proxy-Authorization: Digest username="10010",realm="3CXPhoneSystem",nonce="414d535c0930907456:9a4a4031168bdab8142a78cfb0581f3e",uri="sip:173.190.236.14",response="f68ea30f9581998de790148645caee4c",algorithm=MD5
User-Agent: VaxSIPUserAgent/3.5
Content-Length: 0

; Reason: Credentials don't match, check that authorization-ID and password match the ones in extension settings

12-Mar-2014 02:25:06.126 [IPBL] Packet from banned IP/range: ip = 179.43.133.34; Comment: PBX: blocked for too many failed authentications

12-Mar-2014 03:26:06.590 [IPBL] Packet from banned IP/range: ip = 212.83.141.241; Comment: Too many failed authentications
 
The only way to block these attempts completely is to have a router that blocks any access from their IP. Since they change all the time, you are left with restricting access to known "valid" IPs (white list). If your router supports this, it will work as long as you don't have remote extensions that require access and don't always use the same public IP. Same thing with your VoIP providers or any other services that are trying to get through your router. So...this may not work for you.

If port 5060 is the only one forwarded to the 3CX server, then I have to assume that that is the port they are using. Given that it is the most common SIP port, it makes sense that they would attempt calls over it.

I used to get quite concerned when I saw attempted registration or Direct SIP call attempts. I've found that 3CX is very good at blocking everything that I have seen recently. You can tweak the blacklist settings to further discourage hackers' repeated attempts. I upped the blacklist time to 250,000 seconds and have permanently blocked entire IP ranges for similar (IPs) repeat offenders.
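
An added example, not part of the original thread and not 3CX tooling: a Python script that tallies the failed-authentication and banned-packet log lines shown in the first post by source /24, as input for choosing firewall or blacklist ranges. The sample log, the /24 grouping and the threshold of 3 events are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Line shapes taken from the log excerpt in the first post.
AUTH_FAIL = re.compile(r"\[CM102001\]: Authentication failed for AuthFail Recv Req "
                       r"\w+ from (?P<ip>[\d.]+):\d+")
BANNED = re.compile(r"\[IPBL\] Packet from banned IP/range: ip = (?P<ip>[\d.]+)")
DIGEST_USER = re.compile(r'Digest username="([^"]*)"')
USER_AGENT = re.compile(r"^User-Agent:\s*(.+)$")

def summarize(lines, prefix=24):
    """Group failed-auth and banned-packet events by source network."""
    nets = defaultdict(lambda: {"ips": set(), "fails": 0, "banned": 0,
                                "users": set(), "agents": set()})
    current = None  # entry of the latest auth failure; its SIP headers follow it
    for line in (raw.strip() for raw in lines):
        fail, ban = AUTH_FAIL.search(line), BANNED.search(line)
        if fail or ban:
            ip = (fail or ban).group("ip")
            entry = nets[ipaddress.ip_network(f"{ip}/{prefix}", strict=False)]
            entry["ips"].add(ip)
            entry["fails" if fail else "banned"] += 1
            current = entry if fail else None
        elif current is not None and (m := DIGEST_USER.search(line)):
            current["users"].add(m.group(1))  # extension number being guessed
        elif current is not None and (m := USER_AGENT.match(line)):
            current["agents"].add(m.group(1))
    return dict(nets)

def block_candidates(nets, min_events=3):
    """Networks with enough events to review for a firewall or blacklist range."""
    hits = [(str(n), e["fails"] + e["banned"]) for n, e in nets.items()]
    return sorted((h for h in hits if h[1] >= min_events), key=lambda h: -h[1])

# Constructed sample (documentation address ranges), laid out like the excerpt.
SAMPLE = """\
01-Jan-2014 01:00:00.000 [CM102001]: Authentication failed for AuthFail Recv Req REGISTER from 203.0.113.10:5101 tid=aaaa
Proxy-Authorization: Digest username="100",realm="3CXPhoneSystem"
User-Agent: ExampleScanner/1.0
01-Jan-2014 01:00:05.000 [CM102001]: Authentication failed for AuthFail Recv Req REGISTER from 203.0.113.77:5102 tid=bbbb
Proxy-Authorization: Digest username="101",realm="3CXPhoneSystem"
User-Agent: ExampleScanner/1.0
01-Jan-2014 01:05:00.000 [IPBL] Packet from banned IP/range: ip = 203.0.113.10; Comment: Too many failed authentications
01-Jan-2014 02:00:00.000 [CM102001]: Authentication failed for AuthFail Recv Req REGISTER from 198.51.100.5:5060 tid=cccc
"""

if __name__ == "__main__":
    print(block_candidates(summarize(SAMPLE.splitlines())))
```

Check any candidate range against your VoIP provider's and remote extensions' addresses before blocking it.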
 