Hack attempt!

haywardi (Free User, joined Feb 27, 2011, 88 messages, reaction score 1)
A word of warning and some advice needed.

Just noticed my Internet running VERY slowly, did the normal things like reboot my router thinking it had a problem, but it didn't fix. Started checking my installation until I noticed hundreds of entries in the 3CX server log saying
Authentication failed and a number of blacklist entries to IP 50.56.101.178. I'm not a network expert but from my knowledge this IP lives somewhere in China...

Thought I may stop the attack by closing my open ports to the 3cx server, so disabled these at my router. A few minutes later the Internet started working again, but still not as fast as usual. I also upped the blacklist time to 3660 seconds.

First the warning: someone is clearly trying to hack into the system, hopefully they will move on shortly, but it could happen to you, so watch out.

Secondly the advice. It seems reasonable to me that it should be possible to put an IP on a total blacklist that is never allowed to reconnect, but the best I seem to be able to do is limit the length of time before it can simply try again.

Is there a proper, non-temporary blacklist? Or better still a whitelist for the IPs that can connect?

Thanks in advance
Iain
 
Hi, all this will be available soon in 3CX V10
 
Ok, even more curious. With my ports (5060, 5090 and 9000-9049) no longer being forwarded by my router, I'm still getting failed registration attempts from the same IP address... I'll try rebooting my router again in case just switching off the open ports needed a reboot to become effective.

But does anyone think there may be another way this attack is happening?

Thanks in advance
Iain
 
You need to block the remote attacker by their IP address or only allow SIP 5060 access from your VoIP provider.
 
After 6 hours of constant attack, I changed my static IP address. Problem solved in an instant.

However, next time (and I'm sure there will be a next time), I'll block the IP address. What a simple solution, now why didn't I think of that :)

If anyone knows about the Draytek 2820, is blocking an IP as simple as a filter set-up in the firewall, or is there anything else I need to know?
Thanks in advance
Iain
 
I am using the Vigor2930 and to avoid hack attempts I block all incoming TCP/UDP traffic 5060 through 5069 except traffic from my VoIP provider.
To accomplish that, I set up the following 2 firewall rules:
Click Firewall >> Filter Setup >> Set 2 >> Next Filter Set >> select Set#7 >> OK
Click Firewall >> Filter Setup >> Set 7 and name it i.e. “SIP Filter”
Click Filter Rule 1
Click Check to enable…
Fill comments with: Block 5060~5069
Direction: WAN -> LAN
Source IP and Destination IP: Any
Service Type: TCP/UDP, Port: from any to 5060~5069
Fragments: Don’t Care
Filter: Block If No Further Match
Branch to Other…: None

Click Filter Rule 2
Click Check to enable…
Fill comments with: Pass VoIP provider
Direction: WAN -> LAN
Source IP: IP-range of the SIP server from the VoIP provider
Destination IP: Any
Service Type: TCP/UDP, Port: from any to 5060~5069
Fragments: Don’t Care
Filter: Pass Immediately
Branch to Other…: None
 
All great tips for preventing the traffic from entering your LAN, however they can drown your router on the WAN side (based on what your capacity is). Look up TARPITTING instead and you can be much safer because 3CX takes care of itself and this way you can minimize the traffic.
 
Nothing beats locking down your inbound SIP port to the telco you are using for VoIP - this is an absolute must if you're going to take SIP security seriously. Simply determine the IP address or range of IPs for your SIP provider and only allow SIP inbound from these IPs.

Of course, following the security recommendations from 3CX also helps in a big way, such as removing the SIP ID from the extensions, entering cryptic passwords for your extensions, applying the latest service packs, etc.

Not sure if you can tarpit SIP traffic, unless this is a feature of the firewall? There are some SIP-aware firewalls out these days, however you need to understand how some of them work in relation to STUN resolution to get a successful SIP trunk registration. It looks as though Visnetic firewalls might be able to do this.

I would also recommend changing the default password for your 3CX tunnel as this could also be compromised.

You need to be careful though switching on intrusion prevention features on a firewall, as you may find that these additional features start causing VoIP call quality issues such as fading in and out and dropped audio packets.
 
Perhaps we need a forum where we can post IP addresses (or 3CX logs showing an attempt) where registration attempts originate. I just had a couple last night, one for an extension number and one for the fax extension number. Obviously someone that knew 3CX. Passwords kept them from gaining access, and 3CX cut them off after 25 attempts. I've now changed that to 5, and extended the amount of time before they can retry.
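A small model of the two defences this thread keeps coming back to, the failed-registration counter with a block timer (25 attempts by default, lowered to 5, retry after 3660 seconds) and a whitelist of provider ranges that are never blocked, written as an added Python example that is not code from 3CX or from anyone in the thread. The log line layout, the 203.0.113.0/24 provider range and all class and function names are assumptions; the attacking IP is the one reported above.

```python
import ipaddress
import re
from collections import defaultdict
# Constructed sample lines in a simplified layout, not 3CX's real log format:
# "<epoch seconds> Authentication failed for extension <ext> from <ip>".
SAMPLE_LOG = [
    "1000 Authentication failed for extension 100 from 50.56.101.178",
    "1001 Authentication failed for extension 101 from 50.56.101.178",
    "1002 Authentication failed for extension 102 from 50.56.101.178",
    "1003 Authentication failed for extension 103 from 50.56.101.178",
    "1004 Authentication failed for extension 104 from 50.56.101.178",
    "1005 Authentication failed for extension 105 from 50.56.101.178",
    "1010 Authentication failed for extension 100 from 203.0.113.10",
]
LINE_RE = re.compile(r"^(\d+) Authentication failed for extension \d+ from ([\d.]+)$")

class SipBlacklist:
    def __init__(self, max_failures=5, block_seconds=3660, whitelist=()):
        self.max_failures = max_failures      # thread: 25 by default, lowered to 5
        self.block_seconds = block_seconds    # thread: retry timer raised to 3660 s
        # Provider ranges that are never blacklisted (assumed value, TEST-NET-3 here).
        self.whitelist = [ipaddress.ip_network(n) for n in whitelist]
        self.failures = defaultdict(int)
        self.blocked_until = {}

    def is_whitelisted(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.whitelist)

    def record_failure(self, ip, now):
        """Returns 'whitelisted', 'blocked', 'blacklisted' or 'counted'."""
        if self.is_whitelisted(ip):
            return "whitelisted"
        if self.blocked_until.get(ip, 0) > now:   # block expires after block_seconds
            return "blocked"          # drop silently: no reply, no bandwidth spent
        self.failures[ip] += 1
        if self.failures[ip] >= self.max_failures:
            self.blocked_until[ip] = now + self.block_seconds
            self.failures[ip] = 0     # start counting afresh once the block expires
            return "blacklisted"
        return "counted"

def process_log(lines, blacklist):
    """Feeds matching lines to the blacklist and returns {ip: last verdict}."""
    verdicts = {}
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            verdicts[m.group(2)] = blacklist.record_failure(m.group(2), int(m.group(1)))
    return verdicts
```

With the sample lines, the attacking IP is blacklisted on its fifth failure and its sixth attempt is dropped without a reply, while the provider address is never counted.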
 
Check V10 :p You'll see the Blacklist/Anti-Hack section is slightly updated.
Also now from the moment a person is blacklisted, no further replies are sent back to him, thus your internet will not be as slow.
 