Hack attempt!

Discussion in '3CX Phone System - General' started by haywardi, Mar 24, 2011.

Thread Status:
Not open for further replies.
  1. haywardi

    Joined:
    Feb 27, 2011
    Messages:
    83
    Likes Received:
    0
    A word of warning and some advice needed.

    Just noticed my Internet running VERY slowly, did the normal things like reboot my router thinking it had a problem, but it didn't fix it. Started checking my installation until I noticed hundreds of entries in the 3CX server log saying
    Authentication failed and a number of blacklist entries for IP 50.56.101.178. I'm not a network expert but from my knowledge this IP lives somewhere in China...

    Thought I may stop the attack by closing my open ports to the 3cx server, so disabled these at my router. A few minutes later the Internet started working again, but still not as fast as usual. I also upped the blacklist time to 3660 seconds.

    First the warning, someone is clearly trying to hack into the system, hopefully they will move on shortly, but it could be to you so watch out..

    Secondly the advice. It seems reasonable to me that it should be possible to put an IP on a total blacklist that is never allowed to reconnect, but the best I seem to be able to do is limit the length of time before it can simply try again.

    Is there a proper, non-temporary blacklist? Or better still a whitelist for the IPs that can connect?

    Thanks in advance
    Iain
     
  2. davidbenwell

    davidbenwell Active Member

    Joined:
    Apr 27, 2010
    Messages:
    704
    Likes Received:
    0
    Hi, all this will be available soon in 3CX V10
     
  3. haywardi

    Joined:
    Feb 27, 2011
    Messages:
    83
    Likes Received:
    0
    Ok, even more curious. With my ports (5060, 5090 and 9000-9049) no longer being forwarded by my router, I'm still getting failed registration attempts from the same IP address... I'll try rebooting my router again in case just switching off the open ports needed a reboot to become effective.

    But does anyone think there may be another way this attack is happening?

    Thanks in advance
    Iain
     
  4. davidbenwell

    davidbenwell Active Member

    Joined:
    Apr 27, 2010
    Messages:
    704
    Likes Received:
    0
    You need to block the remote attacker by their ip address or only allow sip 5060 access from your VoIP provider
     
  5. haywardi

    Joined:
    Feb 27, 2011
    Messages:
    83
    Likes Received:
    0
    After 6 hours of constant attack, I changed my static IP address. Problem solved in an instant.

    However, next time (and I'm sure there will be a next time), I'll block the IP address. What a simple solution, now why didn't I think of that :)

    If anyone knows about the Draytek 2820, is blocking an IP as simple as a filter set-up in the firewall, or is there anything else I need to know?
    Thanks in advance
    Iain
     
  6. complex1

    complex1 Active Member

    Joined:
    Jan 25, 2010
    Messages:
    803
    Likes Received:
    45
    I am using the Vigor2930 and to avoid hack attempts I block all incoming TCP/UDP traffic 5060 through 5069 except traffic from my VoIP provider.
    To accomplish that, I set up the following 2 firewall rules:
    Click Firewall >> Filter Setup >> Set 2 >> Next Filter Set >> select Set#7 >> OK
    Click Firewall >> Filter Setup >> Set 7 and name it i.e. “SIP Filter”
    Click Filter Rule 1
    Click Check to enable…
    Fill comments with: Block 5060~5069
    Direction: WAN -> LAN
    Source IP and Destination IP: Any
    Service Type: TCP/UDP, Port: from any to 5060~5069
    Fragments: Don’t Care
    Filter: Block If No Further Match
    Branch to Other…: None

    Click Filter Rule 2
    Click Check to enable…
    Fill comments with: Pass VoIP provider
    Direction: WAN -> LAN
    Source IP: IP-range of the SIP server from the VoIP provider
    Destination IP: Any
    Service Type: TCP/UDP, Port: from any to 5060~5069
    Fragments: Don’t Care
    Filter: Pass Immediately
    Branch to Other…: None
     
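The two Draytek rules above only work because of their actions: Rule 1 is "Block If No Further Match", so a packet to 5060~5069 is held as a candidate for blocking while the rest of the set is consulted, and Rule 2 "Pass Immediately" rescues packets whose source is in the provider's range. The model below is an added example, not the poster's configuration or Draytek's own code; the provider range 203.0.113.0/24 is a placeholder (a documentation network), and the packet samples are constructed.

```python
"""Model of the two-rule SIP filter set described in the post above.

Added example: PROVIDER_RANGE (203.0.113.0/24, a documentation network)
stands in for the real VoIP provider's SIP servers; the sample packets
are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

SIP_PORTS = range(5060, 5070)                    # "5060~5069" in the Draytek rule
PROVIDER_RANGE = ip_network("203.0.113.0/24")    # placeholder provider range


@dataclass(frozen=True)
class Packet:
    """Just the fields the two rules look at."""
    src: str
    dst_port: int
    proto: str = "udp"  # "tcp" or "udp"


def rule1_matches(pkt: Packet) -> bool:
    """Filter Rule 1: any source, TCP/UDP, destination port 5060~5069."""
    return pkt.proto in ("tcp", "udp") and pkt.dst_port in SIP_PORTS


def rule2_matches(pkt: Packet) -> bool:
    """Filter Rule 2: same service, but source inside the provider range."""
    return rule1_matches(pkt) and ip_address(pkt.src) in PROVIDER_RANGE


def evaluate(pkt: Packet) -> str:
    """Walk the filter set with the actions the post configures.

    Rule 1 ("Block If No Further Match") does not decide on its own: a
    matching packet is blocked only if no later rule claims it. Rule 2
    ("Pass Immediately") ends evaluation with a pass. A packet matching
    neither rule falls through to the router's default handling (for
    example an existing port-forward), reported here as "default".
    """
    pending_block = rule1_matches(pkt)
    if rule2_matches(pkt):
        return "pass"
    if pending_block:
        return "block"
    return "default"


def demo() -> dict:
    """Constructed traffic: one provider INVITE, a scanner, and non-SIP ports."""
    samples = {
        "provider_5060_udp": Packet("203.0.113.10", 5060),
        "scanner_5060_udp": Packet("198.51.100.77", 5060),
        "scanner_5065_tcp": Packet("198.51.100.77", 5065, "tcp"),
        "scanner_5090_tunnel": Packet("198.51.100.77", 5090),   # not covered by the set
        "provider_9000_rtp": Packet("203.0.113.10", 9000),      # RTP, not covered either
    }
    return {name: evaluate(pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22s} -> {verdict}")
```

Note what the model makes visible: the set says nothing about the 3CX tunnel port (5090) or the RTP range (9000-9049) that haywardi had forwarded, so those still rely on whatever the router does by default, and a provider that signals from a range other than the one in Rule 2 will have its INVITEs blocked until the range is corrected.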
  7. sigma1

    sigma1 Active Member

    Joined:
    Nov 20, 2009
    Messages:
    542
    Likes Received:
    1
    All great tips for preventing the traffic from entering your LAN; however, they can drown your router on the WAN side (based on what your capacity is). Look up TARPITTING instead and you can be much safer because 3CX takes care of itself and this way you can minimize the traffic.
     
  8. Discovery Technology

    Joined:
    Apr 19, 2008
    Messages:
    278
    Likes Received:
    0
    Nothing beats locking down your inbound SIP port to your telco who you are using for VoIP - this is an absolute must if you're going to take SIP security seriously. Simply determine the IP address or range of IP's for your SIP provider and only allow SIP inbound from these IP's.

    Of course, following the security recommendations from 3CX also helps in a big way, such as removing the SIP ID from the extensions, entering cryptic passwords for your extensions, applying the latest service packs, etc.

    Not sure if you can tarpit SIP traffic, unless this is a feature of the firewall? There are some SIP-aware firewalls out these days, however you need to understand how some of them work in relation to STUN resolution to get a successful SIP trunk registration. It looks as though Visnetic firewalls might be able to do this.

    I would also recommend changing the default password for your 3CX tunnel as this could also be compromised.

    You need to be careful, though, when switching on intrusion prevention features on a firewall, as you may find that these additional features start causing VoIP call quality issues such as fading in and out and dropped audio packets.
     
  9. leejor

    leejor Well-Known Member

    Joined:
    Jan 22, 2008
    Messages:
    10,861
    Likes Received:
    301
    Perhaps we need a forum where we can post IP addresses (or 3CX logs showing an attempt), where registration attempts originate. I just had a couple last night, one for an extension number and one for the fax extension number. Obviously someone that knew 3CX. Passwords kept them from gaining access, and 3CX cut them off after 25 attempts, I've now changed that to 5, and extended the amount of time before they can retry.
     
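Both haywardi's first post (hundreds of "Authentication failed" entries, blacklist time raised to 3660 seconds, a wish for a permanent blacklist) and leejor's post (cut-off after 25 attempts, lowered to 5) describe the same mechanism: count failed registrations per source, blacklist the source once a threshold is hit, and let the entry expire after a configurable time. The replay below is an added example that implements that counter over constructed log lines; it is not 3CX's code, the log line format is invented for the example (the real 3CX server log looks different), and the source addresses are documentation-range samples.

```python
"""Per-source failed-registration counter with expiring or permanent blacklist.

Added example modelled on the anti-hack behaviour discussed in the thread.
The log format and the addresses (198.51.100.77, 203.0.113.9) are
constructed for this example; the 5-attempt threshold and the 3660-second
blacklist time are the values the posters mention.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log: six failures from one source in quick succession,
# an unrelated single failure, then the first source returning an hour later.
SAMPLE_LOG = """\
2011-03-24 08:00:01 Authentication failed for 100 from 198.51.100.77
2011-03-24 08:00:02 Authentication failed for 101 from 198.51.100.77
2011-03-24 08:00:03 Authentication failed for 102 from 198.51.100.77
2011-03-24 08:00:04 Authentication failed for 103 from 198.51.100.77
2011-03-24 08:00:05 Authentication failed for 104 from 198.51.100.77
2011-03-24 08:00:06 Authentication failed for 105 from 198.51.100.77
2011-03-24 08:05:00 Authentication failed for 100 from 203.0.113.9
2011-03-24 09:10:00 Authentication failed for 106 from 198.51.100.77
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"Authentication failed for (?P<ext>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)


def parse_line(line: str):
    """Return (epoch_seconds, extension, source_ip) or None for other lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return ts.timestamp(), m["ext"], m["ip"]


class AntiHack:
    """Blacklist a source after max_failures; blacklist_seconds=None never expires."""

    def __init__(self, max_failures: int = 5, blacklist_seconds=3660):
        self.max_failures = max_failures
        self.blacklist_seconds = blacklist_seconds
        self.failures = defaultdict(int)   # ip -> failures since last reset
        self.blacklist = {}                # ip -> expiry (epoch seconds)

    def is_blacklisted(self, ip: str, now: float) -> bool:
        expiry = self.blacklist.get(ip)
        if expiry is None:
            return False
        if now >= expiry:                  # temporary entry has lapsed: start over
            del self.blacklist[ip]
            self.failures[ip] = 0
            return False
        return True

    def record_failure(self, ip: str, now: float) -> str:
        """Return 'dropped' (already blacklisted), 'blacklisted' (threshold hit) or 'counted'."""
        if self.is_blacklisted(ip, now):
            return "dropped"               # no reply is sent to a blacklisted source
        self.failures[ip] += 1
        if self.failures[ip] >= self.max_failures:
            expiry = float("inf") if self.blacklist_seconds is None else now + self.blacklist_seconds
            self.blacklist[ip] = expiry
            return "blacklisted"
        return "counted"


def replay(log_text: str, max_failures: int = 5, blacklist_seconds=3660):
    """Feed every parsable failure line through AntiHack; return [(ip, outcome), ...]."""
    guard = AntiHack(max_failures, blacklist_seconds)
    outcomes = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, _ext, ip = parsed
        outcomes.append((ip, guard.record_failure(ip, ts)))
    return outcomes


if __name__ == "__main__":
    for ip, outcome in replay(SAMPLE_LOG):
        print(f"{ip:16s} {outcome}")
```

With the defaults, the fifth failure from 198.51.100.77 blacklists it at 08:00:05, the sixth is dropped, and the attempt at 09:10:00 is counted again because the 3660-second entry expired at 09:01:05; that is exactly the "it can simply try again" behaviour haywardi complains about. Passing `blacklist_seconds=None` turns the entry into the permanent block he asked for, and `max_failures=25` shows why the old default let this sample go unnoticed.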
  10. LeonidasG

    LeonidasG Support Team
    Staff Member 3CX Support

    Joined:
    Nov 19, 2008
    Messages:
    1,500
    Likes Received:
    99
    Check V10 :p You'll see the Blacklist/Anti-Hack section is slightly updated.
    Also now from the moment a person is blacklisted, no further replies are sent back to him, thus your internet will not be as slow.
     