Global Blacklist

Discussion in 'Ideas' started by Arpan Arora, Jun 23, 2017.

4.9/5, 14 votes

  1. Arpan Arora

    Joined:
    Jun 23, 2017
    Messages:
    3
    Likes Received:
    1
    I feel 3CX could maintain a global blacklist of IPs that are being reported repeatedly on various PBXs (by collecting data from all the installations across the world) and then maintain it in a database that can be made available as a list to its users. Something like SpamAssassin in email servers.

    One more option can be to blacklist all IPs except the local IP, and then the PBX administrator would in turn whitelist the IPs of the valid extensions (maybe even give it as a field in the extensions tab) - just a crazy thought
     
    bbaker73 likes this.
  2. ajohnson443

    Joined:
    Mar 27, 2012
    Messages:
    30
    Likes Received:
    4
    I would like to see something like this as well. My log is full of the same IPs from the same jerks being dropped over and over.. I would like the ability to just blacklist the IPs once and for all.. Or blacklist GEO regions even..
     
  3. Paul Omans

    Joined:
    Dec 2, 2016
    Messages:
    86
    Likes Received:
    32
    This is a solid idea, as long as subscribing to the global blacklist is not mandatory. I think the ability to blacklist every IP and then whitelist only certain IP addresses is a great idea as well, maybe through an IP wildcard function, for example blacklist 67.77.*.* to block all requests from that specific provider. However, simply blacklisting *.*.*.* to block all IPs that are not whitelisted would not work under the current setup because IP blacklist rules are not processed in order. Under the current setup, there would need to be a separate option to "blacklist all IP addresses that are not explicitly whitelisted", along with a warning that enabling this without configuring whitelisted IPs could break the system until those whitelisted IPs are added.

    All in all, blacklisting all IPs unless they are explicitly whitelisted seems to me to be a very niche need but, if enabled, can provide an additional layer of security for those needing it.
     
    Kobberhjelmen likes this.
  4. bbaker73

    bbaker73 New Member

    Joined:
    Nov 27, 2015
    Messages:
    110
    Likes Received:
    19
    I know this is something that one 3CX specialized hosting company does for its clients. When the same IP is detected across several clients, they script to block it on the rest. A 3CX-maintained global list might be a good idea.
     
  5. loyer

    Joined:
    May 5, 2016
    Messages:
    42
    Likes Received:
    4
    +1 ----- we need this ASAP

    My Wishlist:
    - Whitelists always override blacklists (no matter what order they are in - if this isn't already the case)
    - Global Blacklist Maintained by 3CX (and potentially create a framework for other sources)
    - Integration into a GeoIP database (or ability to upload from a 3rd party e.g. https://lite.ip2location.com/ )
    - External Security Testing Service (think the "Firewall Check" but from the outside and tests for security issues)


    As the percentage of hosted 3CX installs increases, this becomes more of a requirement. Onsite installs are easy to block at the edge firewall. When the 3CX is hosted, adding every customer and remote extension's IP (which can change) becomes much more difficult. 3CX's Settings / Security settings are a great first step but a global blacklist would be a very valuable addition. VoIP SIP hacking is growing. I just googled "sip hacking" .... and anyone can do it ....

    https://www.edgewaternetworks.com/blog/sip-attacks-childs-play
    https://hakin9.org/voip-hacking-techniques/
    https://getvoip.com/blog/2017/02/16/voip-hacks-on-rise/

    Also, the default generated passwords in 3CX are too weak.... test a few here: https://howsecureismypassword.net/


    3CX is already known as a great product.... it can also be known as the most secure VoIP phone system out of the box.

    Thank you
     
  6. voiptoys

    voiptoys Active Member

    Joined:
    Feb 13, 2013
    Messages:
    626
    Likes Received:
    105
    It was my intent to build a free clearinghouse of known bad IP addresses, but then I discovered there is a limit to the number of blocked IP addresses you can configure in 3CX. I quickly exceeded the limit.

    My thought was to collect a list of blocked IP addresses from 3CX partners who subscribe to the list, and then weigh the likelihood of the IP being a "bad" IP based on the number of 3CX installs that list this IP as being blocked. Other trusted sources of bad IPs could be incorporated as well. Then the 3CX partners could choose how aggressive they want to be about blocked IP addresses based on the weight of the IP.

    Sadly, with the limit on the number of IP addresses that can be configured, it's not possible to implement the clearinghouse. I understand that this list could get very large, and the time required to look up the IP in a list might be a concern, but with proper indexing and caching, I would think we could search a very large list nearly instantly regardless of the likely size.

    If 3CX removes the limit, I'm willing to look at building the service.
     
  7. loyer

    Joined:
    May 5, 2016
    Messages:
    42
    Likes Received:
    4
    Do you know what the current limit is for blacklisted IPs?

    Even with a limit, the list could be useful if the list was more like a realtime most active block list. If it could block the most recent (e.g. last 24 hours) top 25 active blocked IPs, that still could help limit hacking attempts.

    Another idea, which would be more complex (maybe a paid version), would be to allow the 3CX administrator to whitelist specific countries and then block huge ranges of IPs based upon the top 25 first octets. For example, I would whitelist USA, then for any blocked IP that comes from outside of the USA, we could block the entire Class A (e.g. 203.0.0.0). I have found that attacks often come from different IPs but they often are in similar IP ranges. This could be an optional feature for installs that have too many random remote clients that can't be whitelisted.
     
  8. voiptoys

    voiptoys Active Member

    Joined:
    Feb 13, 2013
    Messages:
    626
    Likes Received:
    105
    The last time I checked (about a year ago), it was 100 entries. With the Call Control API you can update the blacklist. We could do as you suggest. A Windows service (or daemon) could monitor for needed changes and update the list.
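
The clearinghouse ideas from posts 6 to 8, combined into one sketch. This is an added example, not part of any post in the thread and not 3CX code: it weights each IP by the number of distinct installs that reported it in the last 24 hours, lets an allowlist override the shared list, and keeps only the top entries that fit the 100-entry limit mentioned above. The report tuple format, function name, install IDs and thresholds are assumptions, and no 3CX API is called.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

MAX_ENTRIES = 100  # per-install blacklist limit quoted in the thread

def build_blocklist(reports, allowlist, now, min_installs=2,
                    window=timedelta(hours=24), max_entries=MAX_ENTRIES):
    """Return [(ip, weight)]; weight = distinct installs that blocked ip in window."""
    allowed = [ipaddress.ip_network(n) for n in allowlist]
    installs_by_ip = defaultdict(set)
    for install_id, ip_text, seen_at in reports:
        if now - seen_at > window:
            continue  # stale report, outside the "most recent" window
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            continue  # malformed submission: feed input is untrusted
        if any(ip in net for net in allowed if net.version == ip.version):
            continue  # allowlist always overrides the shared list
        installs_by_ip[ip].add(install_id)  # one vote per install
    weighted = [(ip, len(ids)) for ip, ids in installs_by_ip.items()
                if len(ids) >= min_installs]
    # Highest weight first; ties broken by address so output is deterministic.
    weighted.sort(key=lambda item: (-item[1], item[0].version, int(item[0])))
    return [(str(ip), weight) for ip, weight in weighted[:max_entries]]

# Constructed sample data: documentation address ranges, hypothetical install IDs.
NOW = datetime(2017, 6, 30, 12, 0)

def hours_ago(h):
    return NOW - timedelta(hours=h)

REPORTS = [
    ("pbx-a", "203.0.113.7", hours_ago(1)),
    ("pbx-b", "203.0.113.7", hours_ago(2)),
    ("pbx-c", "203.0.113.7", hours_ago(3)),
    ("pbx-a", "198.51.100.20", hours_ago(5)),
    ("pbx-b", "198.51.100.20", hours_ago(6)),
    ("pbx-a", "198.51.100.20", hours_ago(7)),   # same install again: still one vote
    ("pbx-a", "192.0.2.10", hours_ago(1)),      # allowlisted remote extension
    ("pbx-b", "192.0.2.10", hours_ago(1)),
    ("pbx-c", "198.51.100.99", hours_ago(30)),  # too old to count
    ("pbx-b", "198.51.100.99", hours_ago(1)),
    ("pbx-a", "not-an-ip", hours_ago(1)),       # rejected as malformed
]
ALLOWLIST = ["192.0.2.0/24"]

if __name__ == "__main__":
    for ip, weight in build_blocklist(REPORTS, ALLOWLIST, NOW):
        print(f"{ip}\tblocked on {weight} installs")
```

Raising `min_installs` is the "how aggressive" knob from post 6: a higher value means an address must be blocked on more installs before it is pushed to subscribers.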
     